Sample RDP Wireshark capture files

This is a collection of decrypted RDP capture files, each showing one of the scenarios listed below.

RDP with NLA, Kerberos password authentication #1

rdp-nla-kerberos-auth1.pcapng

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP NLA with Kerberos

RDP with NLA, Kerberos password authentication #2

rdp-nla-kerberos-auth2.pcapng

  • Username: IT-HELP\Administrator
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP NLA with Kerberos

RDP with NLA, NTLM rejected by server #1

rdp-nla-ntlm-rejected1.pcapng

  • Username: IT-HELP\Administrator
  • Server: 10.10.0.10
  • Authentication: RDP NLA with NTLM

The client connected using the server's IP address instead of its FQDN. By default Kerberos needs a host name to build the service principal name, so the client fell back to NTLM, which this server is configured to reject.

RDP with NLA, NTLM rejected by server #2

rdp-nla-ntlm-rejected2.pcapng

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP NLA with Kerberos (password), followed by an NTLM downgrade

The client connected using the FQDN of the server and attempted Kerberos password-based authentication. After the wrong password was entered, the RDP client fell back to NTLM, which the server rejected because the user is a member of the Protected Users group in Active Directory.
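Both NTLM-rejected captures above come down to what the client puts in its first CredSSP TSRequest once the TLS handshake is done: a Kerberos client sends a GSS-API token whose SPNEGO NegTokenInit lists the Kerberos mechanism OIDs, while a client that has fallen back to NTLM sends a raw NTLMSSP NEGOTIATE message (Wireshark's CredSSP dissector tells the two apart by the "NTLMSSP" signature, and so does the code below). The Python is an added example, not code from this repository: it DER-decodes a TSRequest and names the mechanism in each negoToken. The two TSRequests it builds at the end are constructed from the MS-CSSP and SPNEGO structures, not bytes taken from the .pcapng files.

```python
# Name the mechanism proposed in a CredSSP TSRequest (MS-CSSP). Added example;
# the TSRequests built at the bottom are constructed, not bytes from the captures.
import struct

SPNEGO_OID = "1.3.6.1.5.5.2"
OID_NAMES = {"1.2.840.113554.1.2.2": "Kerberos", "1.2.840.48018.1.2.2": "MS Kerberos",
             "1.3.6.1.4.1.311.2.2.10": "NTLM"}

def der_encode(tag, payload):
    """Minimal DER TLV encoder (definite-length form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + payload

def der_decode(buf, pos=0):
    """Return (tag, value, position after the TLV) for the TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = der_decode(buf, pos)
        yield tag, value

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return der_encode(0x06, bytes(out))

def decode_oid(value):
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def classify_nego_token(token):
    """Return (mechanism names, token form) for one negoToken OCTET STRING."""
    if token.startswith(b"NTLMSSP\x00"):
        # Raw NTLMSSP message, which is what Windows clients send for NTLM and what
        # Wireshark's CredSSP dissector keys on; MessageType follows the 8-byte signature.
        return ["NTLM"], "raw NTLMSSP message type %d" % struct.unpack_from("<I", token, 8)[0]
    tag, body, _ = der_decode(token)
    if tag != 0x60:                            # GSS-API InitialContextToken
        return [], "unrecognised token"
    _, mech, pos = der_decode(body)            # thisMech OID
    mech_oid = decode_oid(mech)
    if mech_oid != SPNEGO_OID:
        return [OID_NAMES.get(mech_oid, mech_oid)], "bare GSS-API token"
    _, init, _ = der_decode(body, pos)         # [0] NegTokenInit
    _, init_seq, _ = der_decode(init)          # SEQUENCE
    mechs = []
    for ctag, cval in der_children(init_seq):
        if ctag == 0xA0:                       # [0] mechTypes: SEQUENCE OF OID
            _, mech_list, _ = der_decode(cval)
            mechs = [decode_oid(v) for t, v in der_children(mech_list) if t == 0x06]
    return [OID_NAMES.get(m, m) for m in mechs], "SPNEGO NegTokenInit"

def ts_request_mechanisms(ts_request):
    """Return (version, [classification of each negoToken]) for a DER-encoded TSRequest."""
    tag, body, _ = der_decode(ts_request)
    if tag != 0x30:
        raise ValueError("TSRequest must be a SEQUENCE")
    version, tokens = None, []
    for ctag, cval in der_children(body):
        if ctag == 0xA0:                       # [0] version INTEGER
            version = int.from_bytes(der_decode(cval)[1], "big")
        elif ctag == 0xA1:                     # [1] negoTokens: SEQUENCE OF SEQUENCE { [0] OCTET STRING }
            for _, item in der_children(der_decode(cval)[1]):
                for itag, ival in der_children(item):
                    if itag == 0xA0:
                        tokens.append(classify_nego_token(der_decode(ival)[1]))
    return version, tokens

# Constructed samples, not taken from the captures.
def build_spnego_init(mech_oids):
    mech_list = der_encode(0x30, b"".join(encode_oid(o) for o in mech_oids))
    init = der_encode(0x30, der_encode(0xA0, mech_list))
    return der_encode(0x60, encode_oid(SPNEGO_OID) + der_encode(0xA0, init))

def build_ts_request(version, nego_tokens):
    items = b"".join(der_encode(0x30, der_encode(0xA0, der_encode(0x04, t))) for t in nego_tokens)
    return der_encode(0x30, der_encode(0xA0, der_encode(0x02, bytes([version])))
                      + der_encode(0xA1, der_encode(0x30, items)))

KERBEROS_TS_REQUEST = build_ts_request(6, [build_spnego_init(["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2"])])
NTLM_TS_REQUEST = build_ts_request(6, [b"NTLMSSP\x00" + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 24])

if __name__ == "__main__":
    print("kerberos:", ts_request_mechanisms(KERBEROS_TS_REQUEST))
    print("ntlm:", ts_request_mechanisms(NTLM_TS_REQUEST))
```

To run it against one of the captures, select the first TSRequest in the decrypted stream in Wireshark, use Export Packet Bytes on it, and pass the bytes to ts_request_mechanisms. A client that silently downgraded shows up as NTLM even when the user typed a UPN and the server name was an FQDN, which is the situation in rdp-nla-ntlm-rejected2.pcapng.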

RDP with NLA, Kerberos smartcard authentication #1

rdp-nla-smartcard-auth1.pcapng

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP NLA with Kerberos (smartcard)

RDP with NLA, Kerberos smartcard authentication #2

rdp-nla-smartcard-auth2.pcapng

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP NLA with Kerberos (smartcard)

RDP without NLA, smartcard authentication #1

rdp-no-nla-smartcard-auth1.pcapng

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP without NLA (smartcard)

RDP without NLA, accepted by server #1

rdp-no-nla-accepted1.pcapng

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP without NLA (password)

RDP without NLA, rejected by server #1

rdp-no-nla-rejected1.pcapng

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP without NLA (password)

RDP without TLS, accepted by server #1

rdp-no-tls-accepted1.pcapng

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP without NLA, without TLS (password)

RDP Restricted Admin Mode, accepted by server #1

rdp-restricted-admin-accepted1.pcapng

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP with NLA + Restricted Admin Mode

RDP Restricted Admin Mode, rejected by server #1

rdp-restricted-admin-rejected1.pcapng

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP with NLA + Restricted Admin Mode

RDP Remote Credential Guard, accepted by server #1

rdp-credential-guard-accepted1.pcapng

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP with NLA + Remote Credential Guard

RDP Remote Credential Guard, rejected by server #1

rdp-credential-guard-rejected1.pcapng

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: RDP with NLA + Remote Credential Guard
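Whether a session ends up with NLA, TLS only, no TLS, Restricted Admin Mode or Remote Credential Guard is settled in the first two PDUs of the connection, before any TLS: the RDP Negotiation Request inside the X.224 Connection Request, and the Negotiation Response or Negotiation Failure inside the Connection Confirm (MS-RDPBCGR 2.2.1.1 and 2.2.1.2). Restricted Admin Mode and Remote Credential Guard are requested through the RESTRICTED_ADMIN_MODE_REQUIRED and REDIRECTED_AUTHENTICATION_MODE_REQUIRED flags of that request, and a server that insists on NLA answers a non-NLA request with a failure code instead of a selected protocol. The Python below is an added example, not code from this repository: it parses those two PDUs and summarises the outcome in the terms the capture names above use. The PDUs it builds at the end are constructed from the spec's constants, not bytes from the captures, so the exact failure code or flags in any given file are something to read out of that file, not assume.

```python
# Decode the RDP security negotiation carried in the X.224 Connection Request and
# Connection Confirm (MS-RDPBCGR 2.2.1.1 and 2.2.1.2). Added example; the PDUs built
# at the bottom are constructed from the spec constants, not bytes from the captures.
import struct

PROTOCOLS = {0x00: "PROTOCOL_RDP", 0x01: "PROTOCOL_SSL", 0x02: "PROTOCOL_HYBRID",
             0x04: "PROTOCOL_RDSTLS", 0x08: "PROTOCOL_HYBRID_EX", 0x10: "PROTOCOL_RDSAAD"}
REQ_FLAGS = {0x01: "RESTRICTED_ADMIN_MODE_REQUIRED",
             0x02: "REDIRECTED_AUTHENTICATION_MODE_REQUIRED",   # Remote Credential Guard
             0x08: "CORRELATION_INFO_PRESENT"}
RSP_FLAGS = {0x01: "EXTENDED_CLIENT_DATA_SUPPORTED", 0x02: "DYNVC_GFX_PROTOCOL_SUPPORTED",
             0x08: "RESTRICTED_ADMIN_MODE_SUPPORTED", 0x10: "REDIRECTED_AUTHENTICATION_MODE_SUPPORTED"}
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
                 4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}
NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03
X224_CR, X224_CC = 0xE0, 0xD0
COOKIE_PREFIX = b"Cookie: mstshash="

def _flag_names(table, bits):
    return [name for bit, name in table.items() if bits & bit]

def parse_x224_negotiation(pdu):
    """Parse one TPKT-framed X.224 CR or CC TPDU and describe the rdpNeg* structure it carries."""
    if len(pdu) < 11 or pdu[0] != 3:
        raise ValueError("not a TPKT-framed PDU")
    if struct.unpack_from(">H", pdu, 2)[0] != len(pdu):
        raise ValueError("TPKT length does not match PDU length")
    li, code = pdu[4], pdu[5] & 0xF0
    body = pdu[11:5 + li]                      # variable part after DST-REF, SRC-REF, class option
    result = {"pdu": {X224_CR: "Connection Request", X224_CC: "Connection Confirm"}.get(code, "other")}
    if code == X224_CR and body.startswith(COOKIE_PREFIX):
        end = body.find(b"\r\n")
        if end == -1:
            raise ValueError("unterminated routing cookie")
        result["cookie"] = body[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        body = body[end + 2:]
    if len(body) < 8:
        result["negotiation"] = None           # no rdpNeg* structure: Standard RDP Security only
        return result
    ntype, flags, length, value = struct.unpack_from("<BBHI", body)
    if length != 8:
        raise ValueError("rdpNeg* length field must be 8")
    if ntype == NEG_REQ:
        neg = {"type": "RDP_NEG_REQ", "flags": _flag_names(REQ_FLAGS, flags),
               "requestedProtocols": _flag_names(PROTOCOLS, value) or ["PROTOCOL_RDP"]}
    elif ntype == NEG_RSP:
        neg = {"type": "RDP_NEG_RSP", "flags": _flag_names(RSP_FLAGS, flags),
               "selectedProtocol": PROTOCOLS.get(value, hex(value))}
    elif ntype == NEG_FAILURE:
        neg = {"type": "RDP_NEG_FAILURE", "failureCode": FAILURE_CODES.get(value, hex(value))}
    else:
        raise ValueError("unknown negotiation structure type %#x" % ntype)
    result["negotiation"] = neg
    return result

def describe_exchange(request, response):
    """One-line verdict for a CR/CC pair, in the terms the capture names above use."""
    req = parse_x224_negotiation(request)["negotiation"]
    rsp = parse_x224_negotiation(response)["negotiation"]
    if rsp is None:
        return "Standard RDP Security (no TLS, no NLA)"
    if rsp["type"] == "RDP_NEG_FAILURE":
        return "rejected by server: " + rsp["failureCode"]
    selected = rsp["selectedProtocol"]
    if selected == "PROTOCOL_RDP":
        return "accepted without TLS"
    if selected == "PROTOCOL_SSL":
        return "accepted with TLS, without NLA"
    mode = "NLA"
    if req and "RESTRICTED_ADMIN_MODE_REQUIRED" in req["flags"]:
        mode += " + Restricted Admin Mode"
    if req and "REDIRECTED_AUTHENTICATION_MODE_REQUIRED" in req["flags"]:
        mode += " + Remote Credential Guard"
    return "accepted with %s (%s)" % (selected, mode)

# Constructed sample PDUs (spec constants only; not extracted from the capture files).
def _tpkt_x224(code, variable):
    tpdu = bytes([code, 0, 0, 0, 0, 0]) + variable    # code, DST-REF, SRC-REF, class option, variable part
    return struct.pack(">BBH", 3, 0, 5 + len(tpdu)) + bytes([len(tpdu)]) + tpdu

def _neg(ntype, flags, value):
    return struct.pack("<BBHI", ntype, flags, 8, value)

CR_NLA_RESTRICTED_ADMIN = _tpkt_x224(X224_CR, COOKIE_PREFIX + b"Administrator\r\n" + _neg(NEG_REQ, 0x01, 0x0B))
CC_HYBRID_EX = _tpkt_x224(X224_CC, _neg(NEG_RSP, 0x0B, 0x08))
CR_TLS_ONLY = _tpkt_x224(X224_CR, _neg(NEG_REQ, 0x00, 0x01))
CC_NLA_REQUIRED = _tpkt_x224(X224_CC, _neg(NEG_FAILURE, 0x00, 5))
CR_STANDARD_RDP = _tpkt_x224(X224_CR, _neg(NEG_REQ, 0x00, 0x00))
CC_STANDARD_RDP = _tpkt_x224(X224_CC, _neg(NEG_RSP, 0x00, 0x00))

if __name__ == "__main__":
    print(describe_exchange(CR_NLA_RESTRICTED_ADMIN, CC_HYBRID_EX))
    print(describe_exchange(CR_TLS_ONLY, CC_NLA_REQUIRED))
    print(describe_exchange(CR_STANDARD_RDP, CC_STANDARD_RDP))
```

These two PDUs are the only cleartext RDP traffic in the TLS and NLA captures; everything after the Connection Confirm is inside TLS, which is why the files in this collection are provided decrypted. The mstshash cookie is also the one place the user name travels in the clear, which is worth remembering when sharing captures.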

RD Gateway with different credentials, Kerberos password authentication

rdp-rdg-diff-creds-kerberos-password.pcapng

RD Gateway:

  • Username: [email protected]
  • Server: IT-HELP-GW.ad.it-help.ninja
  • Authentication: Kerberos, password-based

RDP server:

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: Kerberos, password-based

RD Gateway with different credentials, Kerberos smartcard authentication

rdp-rdg-diff-creds-kerberos-smartcard.pcapng

RD Gateway:

  • Username: [email protected]
  • Server: IT-HELP-GW.ad.it-help.ninja
  • Authentication: Kerberos, smartcard-based

RDP server:

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: Kerberos, smartcard-based

RD Gateway with no KDC proxy, NTLM downgrade failure

rdp-rdg-no-kdc-proxy-ntlm-downgrade-failure.pcapng

RD Gateway:

  • Username: [email protected]
  • Server: IT-HELP-GW.ad.it-help.ninja
  • Authentication: Kerberos, password-based

RD Gateway with no KDC proxy, NTLM downgrade success

rdp-rdg-no-kdc-proxy-ntlm-downgrade-success.pcapng

RD Gateway:

  • Username: [email protected]
  • Server: IT-HELP-GW.ad.it-help.ninja
  • Authentication: Kerberos, password-based

RD Gateway with KDC proxy, same credentials, Kerberos password authentication

rdp-rdg-same-creds-kerberos-password-success1.pcapng

RD Gateway:

  • Username: [email protected]
  • Server: IT-HELP-GW.ad.it-help.ninja
  • Authentication: Kerberos, password-based

RDP server:

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: Kerberos, password-based

RD Gateway with KDC line-of-sight, same credentials, Kerberos password authentication

rdp-rdg-same-creds-kerberos-password-success2.pcapng

RD Gateway:

  • Username: [email protected]
  • Server: IT-HELP-GW.ad.it-help.ninja
  • Authentication: Kerberos, password-based

RDP server:

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: Kerberos, password-based

RD Gateway with KDC proxy, same credentials, Kerberos smartcard authentication

rdp-rdg-same-creds-kerberos-smartcard-success1.pcapng

RD Gateway:

  • Username: [email protected]
  • Server: IT-HELP-GW.ad.it-help.ninja
  • Authentication: Kerberos, smartcard-based

RDP server:

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: Kerberos, smartcard-based

RD Gateway with KDC line-of-sight, same credentials, Kerberos smartcard authentication

rdp-rdg-same-creds-kerberos-smartcard-success2.pcapng

RD Gateway:

  • Username: [email protected]
  • Server: IT-HELP-GW.ad.it-help.ninja
  • Authentication: Kerberos, smartcard-based

RDP server:

  • Username: [email protected]
  • Server: IT-HELP-TEST.ad.it-help.ninja
  • Authentication: Kerberos, smartcard-based

RDP clipboard redirection with various formats

rdp-clipboard-various-formats1.pcapng

Sample capture showing clipboard redirection with various formats (text, images, rich text, file copy, etc.).

RDP vmconnect, local, basic session mode

rdp-vmconnect-local-basic-session-mode1.pcapng

Local RDP vmconnect connection to Hyper-V using implicit credentials, in basic session mode, with an Alpine Linux VM guest.

RDP vmconnect, local, enhanced session mode

rdp-vmconnect-local-enhanced-session-mode1.pcapng

Local RDP vmconnect connection to Hyper-V using implicit credentials, in enhanced session mode, with a Windows Server VM guest.

RDP vmconnect, remote, basic session mode

rdp-vmconnect-remote-basic-session-mode1.pcapng

Remote RDP vmconnect connection to Hyper-V using explicit credentials, in basic session mode, with an Alpine Linux VM guest.

RDP vmconnect, remote, enhanced session mode

rdp-vmconnect-remote-enhanced-session-mode1.pcapng

Remote RDP vmconnect connection to Hyper-V using explicit credentials, in enhanced session mode, with a Windows Server VM guest.