Security Basics mailing list archives
Re: RDP sniffing
From: MaddHatter <maddhatt+securitybasics () cat pdx edu>
Date: Thu, 27 Dec 2007 12:05:17 -0800
That's not exactly true. The switch's ability to map a MAC address to a switchport is finite. The mechanism by which ARP poisoning attacks work is to publish so many MAC addresses that the switch does not have enough memory to remember the real MAC addresses and is forced to flood (broadcast to all switchports) traffic that should rightly go to only a single switchport. There are countermeasures to prevent ARP poisoning, but they are buggy, or may impose impractical limitations in your environment. That's a topic for a different post.

You can cause the same problem through careless configuration of routers. I think the default ARP timeout on most Cisco switches is 20 minutes. The default timeout on their routers is 4 hours (again, if I remember correctly). That means for 3 hours and 40 minutes the router is sending packets/frames to the switch that the switch cannot direct to a single switchport (i.e. must flood to all attached machines).

In either case, the result is the same. You have access to Ethernet frames not intended for you. You can sniff someone else's RDP (or other) traffic.

Windows RDP is encrypted. Older versions use weaker encryption than newer versions, but none of them are trivial to crack. I personally have less trust in RDP than I do in ssh, which is why I tunnel my RDP sessions through ssh. You'll have to judge for yourself how concerned you are about a malicious user capturing passwords or TS activity. (Given the ability to sniff traffic,) it might be possible, but it's not trivial. If you could crack RDP encryption, then you would indeed have access to passwords*, the theoretical ability to make a video of user activities, or even the ability to inject actions in the terminal services session that the legitimate user never performed.

Of course, in a wireless environment, everything's broadcast.

* I'm not sure if this still holds true in the case where one is using certificate authentication, as is available in the latest RDP client. I haven't looked into that at all.

Stewart Gray <security () frozenpea net> said (on 2007/12/26):

> Short of using a spanned (or mirrored) switchport, no, it's not possible. A lot of Cisco switches support the technology. You can also buy Ethernet taps, but the expense cannot usually be justified if your intention is just to play around with this stuff.
>
> Stewart
>
> On Dec 27, 2007 1:06 AM, Fran Lopez <recompilando () gmail com> wrote:
>
> > Is it possible to sniff RDP in a switched LAN? Is it possible to capture passwords? Is it possible to "save a video" of the user's tasks? Thanks in advance. Fran Lopez.
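As an added illustration that is not part of the thread, the following constructed Python model shows the finite MAC-address table MaddHatter describes: once bogus source addresses push the real entries out, a client-to-server RDP frame has to be flooded to every port, and a port-security style per-port limit (names, sizes and behaviour are assumptions, not any vendor's implementation) keeps the table intact.

```python
from collections import OrderedDict


class Switch:
    """Constructed model of a switch MAC table with a fixed capacity and a
    per-port learned-address limit (assumed names, not a real vendor API)."""

    def __init__(self, capacity, max_per_port):
        self.capacity = capacity          # total entries the table can hold
        self.max_per_port = max_per_port  # port-security style limit
        self.table = OrderedDict()        # mac -> port, oldest entry first
        self.disabled = set()             # ports shut down for exceeding the limit
        self.flooded = 0                  # frames sent out of every port

    def learn(self, src, port):
        """Learn src on port; evict the oldest entry when the table is full."""
        if port in self.disabled:
            return False
        on_port = sum(1 for p in self.table.values() if p == port)
        if src not in self.table and on_port >= self.max_per_port:
            self.disabled.add(port)       # too many addresses on one port
            return False
        if src in self.table:
            self.table.move_to_end(src)
        else:
            if len(self.table) >= self.capacity:
                self.table.popitem(last=False)   # a real entry is pushed out
            self.table[src] = port
        return True

    def forward(self, src, dst, port):
        """Return the egress port, 'FLOOD' if dst is unknown, 'DROP' if port is disabled."""
        if not self.learn(src, port):
            return "DROP"
        if dst in self.table:
            return self.table[dst]
        self.flooded += 1
        return "FLOOD"


CLIENT, SERVER = "aa:00:00:00:00:01", "aa:00:00:00:00:02"   # constructed MACs


def rdp_frame_after_flood(max_per_port):
    """Fill a 4-entry table from port 5, then forward a client->server frame."""
    sw = Switch(capacity=4, max_per_port=max_per_port)
    sw.learn(CLIENT, 1)                  # RDP client on port 1
    sw.learn(SERVER, 2)                  # terminal server on port 2
    for i in range(10):                  # ten bogus source addresses on port 5
        sw.learn(f"de:ad:00:00:00:{i:02x}", 5)
    return sw.forward(CLIENT, SERVER, 1), 5 in sw.disabled
```

With no per-port limit the frame returns `("FLOOD", False)`; with a limit of 2 it returns `(2, True)`, i.e. unicast to the server's port with port 5 disabled.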