Fixing decoding of RDP traffic

[Hardening <rdp.effort () gmail com>]

Hi,

I'm trying to fix the decoding of RDP traffic. My scenario is a typical 
RDP connection TLS encrypted (well with ciphers lowered so that no PFS 
is negotiated).

So here's the list of my botherings:

* I'm setting the TLS key associated with port 3389 and the host, but 
with RDP, there's 2 negotiation packets at the beginning of the 
connection before switching to TLS, so these 2 packets gets aggressively 
decoded as TLS (and it fails of course). That's much a detail but well, 
still bothering, what's the strategy to adjust this ?

* I have configured the next protocol in the SSL records as TPKT, so 
that works for most of the first packets, but unfortunately quickly RDP 
goes to fastpath, that is not implemented yet. How can I implement that, 
I mean do I have to code a new protocol that does TPKT or fastpath, 
depending on what it can find in the packet, and configure that new 
TPKTorFastPath protocol in the SSL keys configuration ?

* I wrote a decoder in LUA that decodes the RDPUDP protocol on port 3389 
on UDP, but my problem is that if I configure SSL decoding on that host 
and port, everything gets decoded as RDPUDP even the traffic on the TCP 
port. Is there a way to express "TCP port 3389 decode as TPKT, and UDP 
port 3389 decode as RDPUDP" ?

My question is very general: do I need to write a new RDP dissector that 
will have a global view, will call the appropriate dissectors on sub 
part of the packets ?

Thoughts welcome :)

--
David FORT
website: https://www.hardening-consulting.com/


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe