Sniffing RDP Auth with Cain and Able.

No replies
EverestX
EverestX's picture
Offline
SX Crew
Joined: 2009/05/15

I looked around the net, and didn't find much info on looking though the RDP files, that said, I didn't bother to read the help either.
This method relies on ARP poisoning to force a man in the middle condition. Cain then decrypts the traffic, however, the passwords are not as easy to view as other passwords with this product.

If anyone else knows of an ap on linux that will decrypt the RDP traffic let me know!!

You can download Cain & Able from http://www.oxid.it/cain.html

This was tested in my lab with 2 xp machines. 1 of which has the latest version of RDP installed, both directions the traffic is readable once decrypted.

==========================================================================

Once the app is installed, open up Cain and click the sniffer Button

Photobucket

Right Click, select Scan Mac's, you'll be prompted for scanning a range or subnet, select what you need.

Photobucket

Photobucket

Once the scan completes you should see a list of hosts

Photobucket

Select the APR Tab (Radioactive symbol) at the bottom of the window,
Next select the Blue + and select the 2 machines you would like to ARP Poison (The order you select them in makes no difference)
***Note: Be very careful on what devices you are spoofing in relation to the hardware you are using, you can lock up a network in no time.

Photobucket

At this point you will show a status of idle. Enable Arp Spoofing by clicking the Radioactive Icon at the TOP of the window (right next to the sniffer button) You should see the status change to Poisoning.

Now Generate your RDP traffic.

You should the the APR-RDP value populate. Disconnect your RDP session.

Photobucket

You should see the status change from Decrypting to "Closed" You're now ready to dig through the file

Right Click and view the file. You should see a file similar to my example.

Photobucket

Ctrl F for "- Symmetric encryption phase reached..." Look at the second column down from there.

Photobucket

I've Highlighted the Information in question, You can see the IP address you are accessing followed by username and password. In my case, radmin is the username and random is the password.

EvX