Remote Desktop Protocol (RDP) excerpts

Source: Internet | Editor: Program Blog Network (程序博客网) | Date: 2024/05/09 08:47

Remote Desktop Protocol

The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server. RDP is designed to support different types of network topologies and multiple LAN protocols.

Basic Architecture

RDP is based on, and an extension of, the ITU T.120 family of protocols. RDP is a multiple-channel capable protocol that allows for separate virtual channels for carrying device communication and presentation data from the server, as well as encrypted client mouse and keyboard data. RDP provides an extensible base and supports up to 64,000 separate channels for data transmission and provisions for multipoint transmission.

On the server, RDP uses its own video driver to render display output by constructing the rendering information into network packets by using RDP protocol and sending them over the network to the client. On the client, RDP receives rendering data and interprets the packets into corresponding Microsoft Windows graphics device interface (GDI) API calls. For the input path, client mouse and keyboard events are redirected from the client to the server. On the server, RDP uses its own keyboard and mouse driver to receive these keyboard and mouse events.

In a Remote Desktop session, all environment variables—for example, variables determining color depth and wallpaper enabling and disabling—are determined by the RDP-Tcp connection settings. This applies to all functions and methods that set environment variables in the Remote Desktop Web Connection Reference and the Remote Desktop Services WMI Provider interface.

Features

Microsoft RDP includes the following features and capabilities:

Encryption

RDP uses RSA Security's RC4 cipher, a stream cipher designed to efficiently encrypt small amounts of data. RC4 is designed for secure communications over networks. Administrators can choose to encrypt data by using a 56- or 128-bit key.

Bandwidth reduction features

RDP supports various mechanisms to reduce the amount of data transmitted over a network connection. Mechanisms include data compression, persistent caching of bitmaps, and caching of glyphs and fragments in RAM. The persistent bitmap cache can provide a substantial improvement in performance over low-bandwidth connections, especially when running applications that make extensive use of large bitmaps.

Roaming disconnect

A user can manually disconnect from a remote desktop session without logging off. The user is automatically reconnected to their disconnected session when he or she logs back onto the system, either from the same device or a different device. When a user's session is unexpectedly terminated by a network or client failure, the user is disconnected but not logged off.

Clipboard mapping

Users can delete, copy, and paste text and graphics between applications running on the local computer and those running in a remote desktop session, and between sessions.

Print redirection

Applications running within a remote desktop session can print to a printer attached to the client device.

Virtual channels

By using RDP virtual channel architecture, existing applications can be augmented and new applications can be developed to add features that require communications between the client device and an application running in a remote desktop session.

Remote control

Computer support staff can view and control a remote desktop session. Sharing input and display graphics between two remote desktop sessions gives a support person the ability to diagnose and resolve problems remotely.

Network load balancing

RDP takes advantage of network load balancing (NLB), where available.

In addition, RDP contains the following features:

  • Support for 24-bit color.
  • Improved performance over low-speed dial-up connections through reduced bandwidth.
  • Smart Card authentication through Remote Desktop Services.
  • Keyboard hooking. The ability to direct special Windows key combinations, in full-screen mode, to the local computer or to a remote computer.
  • Sound, drive, port, and network printer redirection. Sounds that occur on the remote computer can be heard on the client computer running the RDC client, and local client drives will be visible to the remote desktop session.

Remote Desktop Protocol (RDP)

RDP is a proprietary protocol developed by Microsoft for their Terminal Server services.

History

See Wikipedia entry

Protocol dependencies

  • TPKT: Typically, RDP uses TPKT as its transport protocol. TPKT runs atop TCP; when used to transport RDP, the well-known TCP port is 3389, rather than the normal TPKT port 102.

  • COTP: This is the same as X.224.

  • T.125: Multipoint Communication Service

  • T.124: Generic Conference Control

  • SSL: SSL may be used with Enhanced RDP Security, and is used on the same port as standard RDP. The SSL dissector may be used to handle the SSL and then hand off the encapsulated data to the RDP dissector. The encapsulated RDP will never negotiate any Standard RDP Security, so all of these SSL-protected PDUs should be able to be dissected (subject to being able to do the applicable decompression).
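The layering listed above (TPKT, then X.224/COTP, then the RDP-specific payload) can be checked in a few lines of code. The following Python parser is an added example, not code from the Wireshark project or from the page's sources. It decodes the first client-to-server message of the connection sequence, the X.224 Connection Request, and reports whether the client asks for Standard RDP Security, TLS (Enhanced RDP Security) or CredSSP, which is what a defender wants to know when auditing which sessions are negotiated without TLS. Assumptions: the function is handed exactly one complete TPKT frame, the flag constants and the cookie layout follow MS-RDPBCGR, and both sample frames (including the user name in the cookie) are constructed for this example rather than taken from the captures listed below.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# requestedProtocols flags of the RDP Negotiation Request (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # Standard RDP Security (RC4, see "Encryption" above)
PROTOCOL_SSL = 0x00000001        # TLS, i.e. Enhanced RDP Security
PROTOCOL_HYBRID = 0x00000002     # CredSSP (NLA) inside TLS
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization
TYPE_RDP_NEG_REQ = 0x01
COOKIE_PREFIX = b"Cookie: mstshash="


@dataclass
class ConnectionRequest:
    tpkt_length: int
    cookie: Optional[str]               # user-name hint carried in the routing cookie
    requested_protocols: Optional[int]  # None when the client sent no rdpNegReq

    def security_summary(self) -> str:
        """Human-readable list of what the client is willing to negotiate."""
        if self.requested_protocols is None:
            return "legacy: Standard RDP Security only"
        names = []
        if self.requested_protocols & PROTOCOL_HYBRID_EX:
            names.append("CredSSP-EX")
        if self.requested_protocols & PROTOCOL_HYBRID:
            names.append("CredSSP")
        if self.requested_protocols & PROTOCOL_SSL:
            names.append("TLS")
        return ", ".join(names) if names else "Standard RDP Security only"


def parse_connection_request(data: bytes) -> ConnectionRequest:
    """Decode one TPKT frame holding an X.224 Connection Request from an RDP client."""
    # TPKT header (RFC 1006): version 3, reserved byte, 16-bit big-endian total length
    if len(data) < 4:
        raise ValueError("short TPKT header")
    version, _reserved, tpkt_len = struct.unpack("!BBH", data[:4])
    if version != 3:
        raise ValueError(f"unexpected TPKT version {version}")
    if tpkt_len != len(data):
        raise ValueError(f"TPKT length {tpkt_len} does not match {len(data)} bytes")

    # X.224 / COTP: LI is the TPDU length excluding the LI byte itself
    li = data[4]
    tpdu = data[5:5 + li]
    if len(tpdu) != li:
        raise ValueError("truncated X.224 TPDU")
    if (tpdu[0] & 0xF0) != 0xE0:            # 0xE0 = Connection Request (CR)
        raise ValueError(f"not a Connection Request TPDU (code 0x{tpdu[0]:02x})")
    # code (1), dst-ref (2), src-ref (2) and class option (1) precede the variable part
    variable = tpdu[6:]

    # Optional routing cookie "Cookie: mstshash=<user>\r\n"
    cookie = None
    if variable.startswith(COOKIE_PREFIX):
        end = variable.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated routing cookie")
        cookie = variable[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        variable = variable[end + 2:]

    # Optional RDP Negotiation Request: type, flags, length (LE16), protocols (LE32)
    requested = None
    if len(variable) >= 8 and variable[0] == TYPE_RDP_NEG_REQ:
        _type, _flags, length, requested = struct.unpack("<BBHI", variable[:8])
        if length != 8:
            raise ValueError(f"bad rdpNegReq length {length}")
    return ConnectionRequest(tpkt_len, cookie, requested)


# Constructed sample frames (not taken from the captures listed on this page):
# a modern client asking for TLS or CredSSP ...
SAMPLE_NLA = (
    bytes.fromhex("0300002a")            # TPKT: version 3, length 42
    + bytes.fromhex("25e00000000000")    # X.224 CR: LI=37, code E0, refs, class 0
    + b"Cookie: mstshash=user\r\n"
    + bytes.fromhex("0100080003000000")  # rdpNegReq: TLS | CredSSP
)
# ... and a legacy (RDP 5.x era) client that sends no negotiation request at all.
SAMPLE_LEGACY = (
    bytes.fromhex("03000022")            # TPKT: length 34
    + bytes.fromhex("1de00000000000")    # X.224 CR: LI=29
    + b"Cookie: mstshash=user\r\n"
)

if __name__ == "__main__":
    for frame in (SAMPLE_NLA, SAMPLE_LEGACY):
        req = parse_connection_request(frame)
        print(req.cookie, "->", req.security_summary())
```

A client of the era of the captures listed below (RDP 5.x) sends no negotiation request at all; the parser reports that as `legacy`, and per MS-RDPBCGR the server treats such a request as asking for Standard RDP Security, so those are the sessions that can only ever use the RC4-based security layer described under "Encryption" above.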

Example traffic

Example capture files are detailed below.

Wireshark

A basic RDP dissector exists that can decode most of the PDUs that are exchanged during the connection sequence. If Standard RDP Security is being negotiated, all the PDUs after the SecurityExchangePDU will be encrypted. There is no handling of virtual channel PDUs (beyond the security header) at the moment.

Preference Settings

Port: default 3389

SSL Configuration

In order to dissect Enhanced RDP Security SSL, you should configure the SSL dissector with the following: 

<server-ip>,3389,tpkt,<path to key>

CredSSP

RDP can also use the Credential Security Support Provider (CredSSP) protocol to provide authentication information. This is always run under an SSL-encrypted session. The CredSSP documentation states that SPNEGO is used to select between NTLM and Kerberos, but the RDP captures seen to date carry NTLM without any SPNEGO. The FreeRDP project provides a number of capture files, associated private keys and a detailed analysis of the protocol exchanges on their wiki. As yet, it has not proved possible to recover the NTLM keys in order to decrypt the CredSSP-encrypted PDUs.

Example capture file

  • SampleCaptures/RDP-002.pcap.gz

    • Capture on 10.226.41.226 as client to 10.226.24.52 as server with a capture filter of ip host 10.226.24.52

    • Client system is Windows XP Professional with Service Pack 2 running Microsoft Remote Desktop Connection 5.1.2600.2180 with 128-bit encryption.

    • Server system is Windows Server 2003 with Service Pack 1 running Microsoft Terminal Services 5.2.3790.1830. Here are some possibly relevant settings.

      • Type is Microsoft RDP 5.2
      • Transport is TCP
      • Security layer is RDP Security Layer
      • Encryption level is High
      • Certificate is <none>

    • The capture includes
      • the client initiating a connection to the server,
      • the client authenticating to the server,
      • the client obtaining a remote desktop,
      • the client using the Log Out feature,
      • the session being torn down.

  • SampleCaptures/RDP-003.pcap.gz

    • Capture on 10.226.41.226 as client to 10.226.29.74 as server with a capture filter of ip host 10.226.29.74

    • Client system is Windows XP Professional with Service Pack 2 running Microsoft Remote Desktop Connection 5.1.2600.2180 with 128-bit encryption.

    • Server system is Windows 2000 Server with Service Pack 4 running Microsoft Terminal Services 5.0.2195.6696. Here are some possibly relevant settings.

      • Type is Microsoft RDP 5.0
      • Transport is TCP
      • Encryption level is Medium
      • Use standard Windows authentication is enabled

    • The capture includes
      • the client initiating a connection to the server,
      • the client authenticating to the server,
      • the client obtaining a remote desktop,
      • the client using the Log Out feature,
      • the session being torn down.

  • SampleCaptures/RDP-004.pcap.gz

    • Capture on 192.168.235.3 through IPSec VPN tunnel with IP 172.21.128.16 as client to 10.226.24.52 as server with a capture filter of ip host 10.226.24.52

    • Client system is Windows XP Professional with Service Pack 2 running Microsoft Remote Desktop Connection 6.0.6000 with 128-bit encryption.

    • Server system is Windows Server 2003 with Service Pack 1 running Microsoft Terminal Services 5.2.3790.1830. Here are some possibly relevant settings.

      • Type is Microsoft RDP 5.2
      • Transport is TCP
      • Security layer is RDP Security Layer
      • Encryption level is High
      • Certificate is <none>

    • The capture includes
      • the client initiating a connection to the server,
      • the client authenticating to the server,
      • the client obtaining a remote desktop,
      • the client using the Log Out feature,
      • the session being torn down.

  • SampleCaptures/rdp-ssl.pcap.gz (cert.pem)

    • Transport is TCP
    • Security Layer is SSL
    • RDP Encryption method is None
    • RDP Encryption level is None
    • Certificate is <none>

    • The capture includes:
      • the client initiating a connection to the server,
      • the client authenticating to the server,
      • the client obtaining a remote desktop,

Display Filter

There are no built-in display filters specifically for RDP. However, RDP protocols use TCP port 3389.

  • Display only the RDP based traffic:
    rdp

You may also use display filters based on the protocols on top of which RDP is built.

  • The following filter will include the conference set up and establishment of virtual channels, as well as the RDP conversation.
    t125

The following display references may also prove useful:

  • T.125

  • COTP (X.224)

  • X.224

  • TPKT

Capture Filter

You can filter RDP protocols while capturing, as it always uses TCP port 3389.

  • Capture only the RDP based traffic:
    tcp port 3389

Notes about Terminal Server Services Encryption Settings

RDP 5.0

  • All levels use RSA RC4 encryption
  • Low - protects data sent from client to server

    • 56-bit if Windows 2000 server to Windows 2000 or higher client

    • 40-bit if Windows 2000 server to pre-Windows 2000 client

  • Medium - protects data sent from client to server and data sent from server to client

    • 56-bit if Windows 2000 server to Windows 2000 or higher client

    • 40-bit if Windows 2000 server to pre-Windows 2000 client

  • High - protects data sent from client to server and data sent from server to client

    • 128-bit if Windows 2000 server to Windows 2000 or higher client

    • not sure what happens to earlier clients; i.e. whether it falls back or fails

RDP 5.1

  • to be investigated

RDP 5.2

  • All levels use RSA RC4 encryption
  • Client Compatible - protects data sent from client to server

    • dynamically determines maximum supported key strength
  • High - protects data sent from client to server and data sent from server to client

    • 128-bit

    • clients that do not support 128-bit will not be able to connect

RDP 6.0

  • to be investigated

  • ITU-T T Series Recommendation T.128 - Multipoint application sharing - ostensibly, RDP is based on this ITU-T Recommendation for telecommunications.

  • Microsoft Network Monitor 3 provides some clues as to what other standards RDP is based on.

    • ITU-T X Series Recommendation X.224 - Open Systems Interconnection - Protocol for providing the connection-mode transport service

    • ITU-T T Series Recommendation T.125 - Multipoint communication service protocol specification

  • rdesktop is an open source application for connecting to Microsoft Terminal Server services using RDP. The documentation for rdesktop also includes references to additional RFCs.

    • RFC 905 - ISO Transport Protocol specification ISO DP 8073

    • RFC 2126 - ISO Transport Service on top of TCP (ITOT)

  • 'Reverse-Engineering and Implementation of the RDP 5 Protocol'

Discussion

  • From Tomas Kukosa via the Wireshark-dev mailing list 2007/10/26 06:59:23 GMT:

X.224 is equal to ISO International Standard 8073, which is implemented in Wireshark. If you use Decode As TPKT on the RDP stream, it makes partially valid output.

  • ISO/IEC 8073:1997 - costs 216 Swiss francs

  • ISO/IEC 8073:1997/Amd 1:1998 - costs 16 Swiss francs

  • From Guy Harris:
    • ITU-T X.224 - costs 0 Swiss francs :-)

  • From Brendan Dolan-Gavitt:
    • MS-RDPBCGR describes the full RDP protocol now!

  • From Graeme Lunt (22/09/2011):
    • T.125 is dissected from COTP through the heuristic dissector. This initially caused some conflicts with SES, but the SES algorithm was tightened up. However, there may still be some conflicts.

    • T.124 is dissected from T.125 using a heuristic dissector - but as the payload contains an OID which identifies it as T.124 this is quite straightforward. Also, no other dissectors currently register with T.125!
    • RDP is dissected from T.124 through the registration of H.221 non-standard keys "Duca" (supposedly short for "Ducati") and "McDn". SendData traffic is registered on channelId. (Note that the channelId registration is currently global rather than per conversation - though this does not appear to cause any issues as standard channelIds seem to be used.)

    • RDP compression uses RFC 2118 which is subject to a US Patent. The RFC specifically states: MPPC can only be used in products that implement the Point to Point Protocol AND for the sole purpose of interoperating with other MPPC and Point to Point Protocol implementations. This might make it difficult to implement decompression in US versions of Wireshark.

    • As noted by Thomas (above) and Steven (msg00127), X.224 is equivalent to COTP (ISO 8073) and so the X.224 dissector is probably no longer required in Wireshark.

    • RDP is, in part, based on T.128 - but a specific, separate T.128 dissector has not been implemented.

Summary

This article describes the Remote Desktop Protocol (RDP) used for communication between a Terminal Server and Terminal Server clients. RDP is encapsulated and encrypted within TCP.

The Remote Desktop Protocol is based on, and is an extension of, the T-120 family of protocol standards. A multichannel-capable protocol allows for separate virtual channels for carrying presentation data, serial device communication, licensing information, highly encrypted data (keyboard and mouse activity), and so on. As RDP is an extension of the core T.Share protocol, several other capabilities are retained as part of RDP, such as the architectural features necessary to support multipoint (multiparty) sessions. Multipoint data delivery allows data from an application to be delivered in "real time" to multiple parties without having to send the same data to each session individually (for example, virtual whiteboards).
    However, in this first release of Windows Terminal Server, we are concentrating on providing reliable and fast point-to-point (single-session) communications. Only one data channel will be used in the initial release of Terminal Server 4.0; the flexibility of RDP gives plenty of room for functionality in future products.
    One reason that Microsoft decided to implement RDP for connectivity within Windows NT Terminal Server is that it provides a very extensible base from which to build many more capabilities. This is because RDP provides 64,000 separate channels for data transmission. However, current transmission activity uses only a single channel (for keyboard, mouse, and presentation data).
    In addition, RDP is designed to support many different types of network topologies (for example, ISDN, POTS, and many LAN protocols such as IPX, NetBIOS, TCP/IP, and so on). The current version of RDP runs only over TCP/IP, but, with customer feedback, support for other protocols may be added in future versions.
    The activity involved in sending and receiving data through the RDP stack is essentially the same as the seven-layer OSI model standard for common LAN networking today. Data from an application or service to be transmitted is passed down through the protocol stack: sectioned, directed to a channel (through MCS), encrypted, wrapped, framed, packaged onto the network protocol, and finally addressed and sent over the wire to the client. Returned data works the same way, only in reverse: the packet is stripped of its address, then unwrapped, decrypted, and so on, until the data is presented to the application for use. The key portions of the protocol stack modifications occur between the fourth and seventh layers, where the data is encrypted, wrapped and framed, directed to a channel, and prioritized.
    One of the key points for application developers is that, in using RDP, Microsoft has abstracted away the complexities of dealing with the protocol stack.
    For details on how applications interact on a Terminal Server and what to be aware of when developing applications for a Windows Terminal Server infrastructure, see the white paper "Optimizing Applications for Windows NT Server 4.0, Terminal Server Edition". Four components worth discussing within the RDP stack instance are the Multipoint Communication Service (MCSMUX), Generic Conference Control (GCC), Wdtshare.sys, and Tdtcp.sys. MCSmux and GCC are part of the International Telecommunication Union (ITU) T.120 family. MCS is made up of two standards: T.122, which defines the multipoint services, and T.125, which specifies the data transmission protocol. MCSMux controls channel assignment (by multiplexing data onto predefined virtual channels within the protocol), priority levels, and segmentation of the data being sent. It essentially abstracts the multiple RDP stacks into a single entity from the perspective of the GCC. GCC is responsible for managing those multiple channels. GCC allows the creation and deletion of session connections and controls the resources provided by MCS. Each Terminal Server protocol (currently, only RDP and Citrix's ICA are supported) will have a protocol stack instance loaded (a listener stack awaiting a connection request). The Terminal Server device driver coordinates and manages RDP protocol activity and is made up of smaller components: an RDP driver (Wdtshare.sys) for UI transfer, compression, encryption, framing, and so on, and a transport driver (Tdtcp.sys) that packages the protocol onto the underlying network protocol, TCP/IP.
    RDP was developed to be entirely independent of its underlying transport stack, in this case TCP/IP. RDP being entirely independent of its transport stack means that we can add other transport drivers for other network protocols as customers' needs for them grow, with little or no significant change to the foundational parts of the protocol. These are key elements of the performance and extensibility of RDP on the network.
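The data path just described (sectioned, directed to an MCS channel, encrypted, wrapped, framed) is visible in every post-connection PDU on the wire. The following Python function is an added example, not code from the KB article, FreeRDP or Wireshark. It peels the TPKT and X.224 Data headers off one captured T.125 SendDataRequest or SendDataIndication, reads the MCS user id and channelId that the dissector discussion above keys on, and then inspects the basic security header to report whether the PDU body is encrypted, which is the state every PDU after the SecurityExchangePDU is in once Standard RDP Security has been negotiated. A small report helper then counts, per channel, how many PDUs carried an unencrypted body. Assumptions: Standard RDP Security is in use (so a security header is present), the PER encoding follows the T.125/MS-RDPBCGR layout, and the two PDUs, including their signature and payload bytes, are constructed for this example.

```python
import struct
from typing import Tuple

# T.125 DomainMCSPDU choice tags (aligned PER: choice index << 2)
MCS_SEND_DATA_REQUEST = 0x64      # client -> server
MCS_SEND_DATA_INDICATION = 0x68   # server -> client
MCS_BASE_CHANNEL_ID = 1001        # user ids and the global channel are numbered from here
SEC_ENCRYPT = 0x0008              # basic security header flag (MS-RDPBCGR 2.2.8.1.1.2.1)
X224_DATA_TPDU = b"\x02\xf0\x80"  # LI=2, code F0 (DT), EOT bit set


def per_length(buf: bytes, off: int) -> Tuple[int, int]:
    """PER length determinant: one byte below 128, else two bytes with the top bit set."""
    first = buf[off]
    if first & 0x80:
        return ((first & 0x7F) << 8) | buf[off + 1], off + 2
    return first, off + 1


def classify_send_data(frame: bytes) -> dict:
    """Walk TPKT -> X.224 DT -> MCS SendData -> security header for one captured frame."""
    version, _reserved, tpkt_len = struct.unpack("!BBH", frame[:4])
    if version != 3 or tpkt_len != len(frame):
        raise ValueError("bad TPKT header")
    if frame[4:7] != X224_DATA_TPDU:
        raise ValueError("not an X.224 Data TPDU")

    off = 7
    tag = frame[off]
    if tag == MCS_SEND_DATA_REQUEST:
        direction = "client->server"
    elif tag == MCS_SEND_DATA_INDICATION:
        direction = "server->client"
    else:
        raise ValueError(f"not a SendData PDU (tag 0x{tag:02x})")
    # initiator is encoded as (userId - 1001); channelId is encoded as-is
    initiator, channel = struct.unpack("!HH", frame[off + 1:off + 5])
    user_id = initiator + MCS_BASE_CHANNEL_ID
    # frame[off + 5] packs dataPriority and segmentation (0x70 = begin+end); not needed here
    length, off = per_length(frame, off + 6)
    user_data = frame[off:off + length]
    if len(user_data) != length:
        raise ValueError("truncated MCS user data")

    # Basic security header (flags, flagsHi, little-endian). Assumed present because
    # Standard RDP Security was negotiated for these constructed samples.
    flags, _flags_hi = struct.unpack("<HH", user_data[:4])
    encrypted = bool(flags & SEC_ENCRYPT)
    body = user_data[4:]
    if encrypted:
        body = body[8:]  # an 8-byte MAC signature sits between the header and the ciphertext
    return {
        "direction": direction,
        "user_id": user_id,
        "channel_id": channel,
        "encrypted": encrypted,
        "payload_len": len(body),
    }


def channel_report(frames) -> dict:
    """Count PDUs per MCS channel and how many of them carried an unencrypted body."""
    report = {}
    for frame in frames:
        info = classify_send_data(frame)
        entry = report.setdefault(info["channel_id"], {"pdus": 0, "plaintext": 0})
        entry["pdus"] += 1
        if not info["encrypted"]:
            entry["plaintext"] += 1
    return report


# Constructed sample PDUs (not from the captures on this page); the signature and
# payload bytes are arbitrary filler.
SAMPLE_ENCRYPTED_REQUEST = (
    bytes.fromhex("03000020")            # TPKT, length 32
    + X224_DATA_TPDU
    + bytes.fromhex("64000703eb7012")    # SendDataRequest, user 1008, channel 1003, len 18
    + bytes.fromhex("08000000")          # security header: SEC_ENCRYPT
    + bytes.fromhex("0011223344556677")  # MAC signature
    + bytes.fromhex("deadbeefcafe")      # ciphertext
)
SAMPLE_PLAIN_INDICATION = (
    bytes.fromhex("03000017")            # TPKT, length 23
    + X224_DATA_TPDU
    + bytes.fromhex("68000103ec7009")    # SendDataIndication, user 1002, channel 1004, len 9
    + bytes.fromhex("00000000")          # security header: no SEC_ENCRYPT
    + bytes.fromhex("0102030405")        # plaintext body
)

if __name__ == "__main__":
    for frame in (SAMPLE_ENCRYPTED_REQUEST, SAMPLE_PLAIN_INDICATION):
        print(classify_send_data(frame))
    print(channel_report([SAMPLE_ENCRYPTED_REQUEST, SAMPLE_PLAIN_INDICATION]))
```

The channelId is the same value the Wireshark dissector registers SendData traffic on, so the per-channel report is a quick way to check, for a capture like RDP-002 above, that nothing after the SecurityExchangePDU travels on the global channel in the clear; for the rdp-ssl capture, where the encryption level is None and everything is protected by SSL instead, the security header is absent and this parser does not apply.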


In addition, this paper discusses the RDP protocol exchanges in detail, as well as how a man-in-the-middle attack against them is carried out:

http://www.doc88.com/p-478332300292.html

