In one of our previous blog posts, we wrote about how during routine monitoring on a client network, Context analysts noticed some unexpected RDP traffic and on further investigation it was found to be an intrusion. We took a more in depth look to see what information could be extracted from a PCAP of this activity, and this led to a tool being created to replay the RDP session as the attacker would have seen it. Read the original blog post in full here.
We have made this tool available after being asked by a number of our blog readers. This tool requires the private key for decrypting, which can usually be recovered with cooperation from the client.
It is a Linux tool, and was developed for Ubuntu 14.04. The instructions below are for installing on this operating system.
This is released under Apache License version 2.0. By downloading this tool you are agreeing to the following license agreement. No support is available for helping with installation and/or trouble shooting.
Quick Start Guide
Run the following 5 commands. They will build rdp_replay, and start a test replay.
tar xzf rdp_build.tgz
sudo apt-get install -y build-essential git-core cmake libssl-dev libx11-dev libxext-dev libxinerama-dev libxcursor-dev libxdamage-dev libxv-dev libxkbfile-dev libasound2-dev libcups2-dev libxml2 libxml2-dev libxrandr-dev libgstreamer0.10-dev libgstreamer-plugins-base0.10-dev libavutil-dev libavcodec-dev libavformat-dev libpcap-dev libreadline-dev
cd rdp_build
make
replay/rdp_replay -r test/demo1.pcap -p test/demo1.pem --no_cksum