Dirk Knop
Eavesdropping against Windows remote maintenance
Design flaws in remote desktop protocol
A design flaw in the Remote Desktop Protocol allows users logged into a network to intercept access data from remotely administered Windows servers. The tool "Cain & Abel" makes it possible with just a few mouse clicks to discover the administrator password even without any expertise.
Behind Microsoft Windows Terminal Server and Remote Desktop Connect in Windows XP are services that enable login and access to a remote computer. Originally developed by Citrix to enable access to a single server for a large number of users with a limited number of software licenses, Microsoft licensed the software and developed from it its terminal services to enable a broader set of applications. The end result is that Windows servers could be fully administered remotely, and remote maintenance and end-user support no longer required administrators to make marathon journeys to attend to systems in-house.
Remote Desktop, a sort of little brother to Terminal Services, was developed for private use. This enables a talented grandchild to help the distant grandfather with his computer problems, thanks to the built-in Remote Desktop support.
Terminal services and remote desktop are based on the Remote Desktop Protocol (RDP). For Unix and Linux, there is with rdesktop an RDP client that enables to access a Windows system from a KDE or Gnome desktop.
Design flaws
RDP, however, has a serious design flaw: the client and server are not required mutually to authenticate each other. All encryption efforts are pointless if an unauthorised system is able to intercept traffic between communication partners, thereby having them unkowingly exchange messages with the attacker instead of their intended counterpart. As early as April 2003, Erik Forsberg demonstrated in an advisory that a "Man-In-The-Middle" (MITM) attack was possible against RDP sessions.
Through ARP spoofing, traffic between the client and server can be rerouted unnoticed through a third station and a log of the traffic taken. For example, the RC4 key used to secure a RDP connection could be used to sniff out and decrypt traffic on the connection. With this MITM attack, the passwords for connection to the server become visible in clear text.
![image 1 [400 x 254 Pixel @ 55,3 KB]](/security/imgs/46/3/7/0/9/4/6/97d44edb733eb8f4.jpg)
By manipulating the ARP cache, workstation B can reroute the connection between
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
