In association with heise online

Duplicated

The later versions of the client software based on RDP v5.2 improved the earlier version slightly: the server now identified itself to the client with a certificate. This meant that the original MITM attack was no longer possible. Unfortunately though, as Massimiliano Montoro demonstrated, Microsoft had not done its homework thoroughly enough [1].

The server produces the certificate by signing its public key with a private key. This private key is, however, hard-coded into the file mstlsapi.dll. This DLL is present on every Windows XP, Windows 2000 Server and Windows 2003 installation, and the key is always the same.

This makes it possible to use the "old" method of attack with a few minor modifications. The computer in the MITM position only has to sign its own certificate with the key from its own DLL and send it on to the client. This is accepted without any further query or warning on either the client or server side.
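The following Go program is an added illustration of the flaw described above, not code from the article or from Cain & Abel: it uses Ed25519 as a toy stand-in for the RDP certificate (a server public key signed by a "vendor" key that ships with every installation) and shows that a signature check against such a key accepts any certificate anyone chooses to sign, whereas a client that also pins the server key it already knows rejects the substituted one. All key material is generated at run time; the function names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a toy stand-in for the RDP server certificate: the server's public
// key plus a signature over it made with the vendor's signing key.
type Cert struct {
	ServerPub ed25519.PublicKey
	Sig       []byte
}

// issue signs pub with the vendor private key, exactly as every server does.
func issue(vendorPriv ed25519.PrivateKey, pub ed25519.PublicKey) Cert {
	return Cert{ServerPub: pub, Sig: ed25519.Sign(vendorPriv, pub)}
}

// verifyVendorSig is the weak check: it only asks whether the certificate was
// signed by the vendor key. Anyone holding a copy of that key passes it.
func verifyVendorSig(vendorPub ed25519.PublicKey, c Cert) bool {
	return ed25519.Verify(vendorPub, c.ServerPub, c.Sig)
}

// verifyPinned additionally requires the certified key to be the one the client
// already knows for this server, which a freshly generated key cannot satisfy.
func verifyPinned(vendorPub, pinned ed25519.PublicKey, c Cert) bool {
	return verifyVendorSig(vendorPub, c) && c.ServerPub.Equal(pinned)
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario returns (weakCheckAcceptsForged, pinnedCheckAcceptsForged, pinnedCheckAcceptsGenuine).
func Scenario() (bool, bool, bool) {
	vendorPub, vendorPriv := mustKey() // the key shipped in every installation
	serverPub, _ := mustKey()          // the genuine server
	mitmPub, _ := mustKey()            // a key the interposed machine generated
	genuine := issue(vendorPriv, serverPub)
	forged := issue(vendorPriv, mitmPub) // signed with the same shared vendor key
	return verifyVendorSig(vendorPub, forged), verifyPinned(vendorPub, serverPub, forged), verifyPinned(vendorPub, serverPub, genuine)
}

func main() {
	weak, pinnedForged, pinnedGenuine := Scenario()
	fmt.Println(weak, pinnedForged, pinnedGenuine) // true false true
}
```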

[Image 2] With just a few mouse clicks, Cain & Abel reroutes the RDP traffic through

The security auditing tool "Cain & Abel" has supported this MITM attack since version 2.7 [2]. The computer to be eavesdropped upon can be selected with just a few mouse clicks; the tool then intercepts the traffic automatically and also decrypts it. In our tests, the log file included the keystrokes of the administrators who were logging on. With this information, the passwords would have been very easy to reconstruct.

[Image 3] In the log file, all keystrokes are recorded, including the password.

Permalink: http://h-online.com/-747171