This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark not displaying “Client Hello”, only shows SYN and SYN,ACK on info field for RDP Connection


I am trying to decrypt RDP packets using Wireshark, so far I've read and tried a bunch of articles but none has worked for me. Any help would be much appreciated!

Using the sample packet capture file in here https://wiki.wireshark.org/RDP (rdp-ssl.pcap.gz), I can see "Client Hello" on the first line.

But opening any other pcap with RDP traffic only shows the TCP Handshake in terms of SYN and SYN,ACK. The capture was done using a Macbook Pro 2012 RDP-ing into a Windows XP machine. I want to see what ciphersuites are available and selected so that hopefully I'll be able to tell if the capture can be decrypted or not if I have access to the server private key, but without the Client Hello and Server Hello lines I do not know how to get those. Also all I am seeing in the protocol field are TCP and SSL, no TLSv1 like what is shown in Wireshark's capture file. I am using Wireshark 2.2.7, is it possible that this version is not able to dissect SSL packets from WinXP properly?

[screenshot: rdp pcap]

Thanks in advance.

asked 18 Jul '17, 15:05


piville4

edited 19 Jul '17, 09:45


grahamb ♦

I don't have access to the trace - doing this on my phone. What port number is the RDP service running on? Is it 3389?

(18 Jul '17, 15:15) PaulOfford

@PaulOfford I have the trace in Cloudshark https://www.cloudshark.org/captures/e0656b062d0d. Though it's better to view in Wireshark to be able to see the Client Hello and Server Hello packets.

As for the trace that I am currently trying to decrypt, unfortunately I am only able to provide a screenshot and not the actual pcap file because of the IPs. Will this work? And yes, it's RDP protocol on port 3389.

(18 Jul '17, 23:01) piville4

Are you sure that the RDP session is configured to use SSL? There is an RDP native encryption model that uses a different encryption mechanism. See https://technet.microsoft.com/en-us/library/ff458357.aspx

(19 Jul '17, 01:33) PaulOfford

I had no idea SSL is not default... thanks for pointing this out! I will take a look.

(19 Jul '17, 09:18) piville4

update: From the RDP encryption link above it says "You can enable SSL for Remote Desktop connections using the RDP-Tcp Properties dialog box, which is accessed from the Remote Desktop Session Host Configuration snap-in.". However I couldn't find this on my Windows XP box so I started looking for more resources on the topic. I came across this page (http://www.mobydisk.com/techres/securing_remote_desktop.html) where at the bottom part it says "On Windows XP, there is no built-in support for secure certificates in remote desktop." Does this mean using SSL is not an option on Windows XP?

(19 Jul '17, 17:48) piville4
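The thread's two open points, whether the session negotiated TLS at all and, if it did, whether a server private key could decrypt it, can both be answered from the first payload in each direction of the port 3389 stream. The following is an added example, not code from the original thread or from Wireshark; it parses the TPKT/X.224 Connection Request and Confirm with the optional RDP_NEG_REQ/RDP_NEG_RSP as laid out in MS-RDPBCGR, and the cipher suite list of a TLS Client Hello record as laid out in RFC 5246. All byte strings in it are constructed by hand, the STATIC_RSA_SUITES table is a deliberately partial list of well-known static-RSA suite IDs, and `build_x224` exists only to assemble the samples.

```python
"""Classify the opening bytes of an RDP (TCP/3389) session.

Added example; not code from the original Q&A thread or from Wireshark.
Formats follow MS-RDPBCGR (TPKT + X.224 CR/CC with the optional RDP_NEG_REQ /
RDP_NEG_RSP) and RFC 5246 (TLS record and handshake headers). Every byte
string below is constructed by hand, not taken from a real capture.
"""
import struct

# requestedProtocols / selectedProtocol flag bits (MS-RDPBCGR); any non-zero
# selectedProtocol runs over TLS, PROTOCOL_RDP (0) is standard RDP security.
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0, 1, 2
NEG_NAMES = {0x01: "RDP_NEG_REQ", 0x02: "RDP_NEG_RSP", 0x03: "RDP_NEG_FAILURE"}
# Partial table of cipher suites with static RSA key exchange: only these can
# be decrypted with the server's private key; (EC)DHE suites cannot.
STATIC_RSA_SUITES = {0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}


def protocol_names(flags: int) -> list:
    """Expand a requested/selectedProtocol bitmask into flag names."""
    if flags == PROTOCOL_RDP:
        return ["PROTOCOL_RDP"]
    names = [n for bit, n in ((PROTOCOL_SSL, "PROTOCOL_SSL"),
                              (PROTOCOL_HYBRID, "PROTOCOL_HYBRID")) if flags & bit]
    if flags & ~(PROTOCOL_SSL | PROTOCOL_HYBRID):
        names.append("OTHER_TLS_BASED")
    return names


def build_x224(code: int, variable: bytes = b"") -> bytes:
    """Assemble a TPKT-framed X.224 CR (0xE0) or CC (0xD0) for the samples."""
    tpdu = bytes([6 + len(variable), code]) + b"\x00" * 5 + variable
    return b"\x03\x00" + struct.pack(">H", 4 + len(tpdu)) + tpdu


def parse_x224(data: bytes) -> dict:
    """Parse a TPKT-framed X.224 CR/CC, including cookie and RDP_NEG_* if present."""
    if len(data) < 11 or data[:2] != b"\x03\x00":
        raise ValueError("not a TPKT/X.224 PDU")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    tpdu = data[4:tpkt_len]
    li, code = tpdu[0], tpdu[1] & 0xF0
    kind = {0xE0: "x224_connection_request",
            0xD0: "x224_connection_confirm"}.get(code, "x224_other")
    variable = tpdu[7:1 + li]            # everything after the 6-byte fixed part
    result = {"kind": kind, "cookie": None, "negotiation": None}
    if variable and variable[0] not in NEG_NAMES:   # routingToken/cookie, CR LF terminated
        end = variable.find(b"\r\n")
        if end != -1:
            result["cookie"] = variable[:end].decode("latin-1")
            variable = variable[end + 2:]
    if len(variable) >= 8 and variable[0] in NEG_NAMES:
        ntype, _flags, _length, value = struct.unpack("<BBHI", variable[:8])
        result["negotiation"] = {"type": NEG_NAMES[ntype], "value": value,
                                 "protocols": protocol_names(value) if ntype != 3 else None}
    return result


def classify(data: bytes) -> dict:
    """Classify the first TCP payload of a 3389 session in either direction."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        return {"kind": "tls_record", "handshake_type": data[5]}
    if data[:2] == b"\x03\x00":
        return parse_x224(data)
    return {"kind": "unknown"}


def expect_tls(server_first: bytes) -> bool:
    """True when the server's Connection Confirm selects a TLS-based protocol.

    No RDP_NEG_RSP at all (an XP-era server) or selectedProtocol == PROTOCOL_RDP
    means standard RDP security: no TLS handshake follows, Wireshark never sees a
    Client Hello, and a server TLS private key cannot decrypt the session.
    """
    cc = classify(server_first)
    neg = cc.get("negotiation")
    if cc["kind"] != "x224_connection_confirm" or neg is None or neg["type"] != "RDP_NEG_RSP":
        return False
    return neg["value"] != PROTOCOL_RDP


def client_hello_cipher_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in a TLS ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]               # session_id length byte + session_id
    cs_len = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack(">H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def rsa_kx_suites(suites: list) -> list:
    """Keep only the offered suites a server RSA private key could decrypt."""
    return [s for s in suites if s in STATIC_RSA_SUITES]


# Constructed samples (not from any real capture)
CR_MODERN = build_x224(0xE0, struct.pack("<BBHI", 0x01, 0, 8, PROTOCOL_SSL | PROTOCOL_HYBRID))
CR_COOKIE = build_x224(0xE0, b"Cookie: mstshash=user\r\n" + struct.pack("<BBHI", 0x01, 0, 8, PROTOCOL_SSL))
CR_LEGACY = build_x224(0xE0)                      # no negotiation request at all
CC_TLS = build_x224(0xD0, struct.pack("<BBHI", 0x02, 0, 8, PROTOCOL_SSL))
CC_LEGACY = build_x224(0xD0)                      # server that cannot do TLS
CLIENT_HELLO = (b"\x16\x03\x01\x00\x2f" + b"\x01\x00\x00\x2b" + b"\x03\x03" + b"\x11" * 32
                + b"\x00" + b"\x00\x04" + b"\x00\x2f\xc0\x2f" + b"\x01\x00")

if __name__ == "__main__":
    for label, pdu in (("client CR", CR_MODERN), ("client CR, legacy", CR_LEGACY),
                       ("server CC", CC_TLS), ("server CC, legacy", CC_LEGACY)):
        print(label, classify(pdu))
    print("TLS follows CC_TLS:", expect_tls(CC_TLS), "CC_LEGACY:", expect_tls(CC_LEGACY))
    offered = client_hello_cipher_suites(CLIENT_HELLO)
    print("offered:", [hex(s) for s in offered], "static RSA:", [hex(s) for s in rsa_kx_suites(offered)])
```

Feed `classify` the first client payload and the first server payload of the stream (Wireshark's "Follow TCP Stream" shows them as the first bytes in each direction). A Connection Confirm with no RDP_NEG_RSP, or one selecting PROTOCOL_RDP, is the case described in the comments above: the session uses standard RDP security, so there is no Client Hello for Wireshark to dissect and a server certificate key is irrelevant. When TLS is negotiated, the Server Hello's chosen suite decides decryptability: only a suite in the static-RSA family can be recovered with the server private key.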