Bugs? in Microsoft RDP protocol, & Questions.

From: s1gnal_9 (s1gnal_9at_private)
Date: Mon Jan 14 2002 - 19:41:28 PST

    Today I was doing some research on the RDP protocol on my network; I used 2 Windows XP machines.
    During the authentication process, when MACHINE1 connects to MACHINE2, I found 3 interesting packets.
    
    Packet #1
    <----SNIP---->
    G.O.0.N................  
    <----SNIP---->
    The above was sent by the system we connect to; go0n is the name of that computer, so the computer name is sent unencrypted.
    
    <----SNIP---->
    .......5.5.2.7.4.-.6.4.  
    0.-.0.0.0.0.4.5.1.-.4.3  
    .0.3.9.................  
    <----SNIP---->
    In this tidbit, the remote system also sent the product ID of the remote operating system, in clear text.
    
    
    Packet #2
    <----SNIP---->
    .P"@.2..	
    .4G..E..J..@.€..‰.¨.d.¨
    .e.ë.=¨¬.]P?R&P.ú......
    ..".à.....
    Cookie: mstshash=go0n.
    <---SNIP---->
    Cookie? Not sure what that is for.
    This also sent the computer name in clear text.
    mstshash? I'm not sure what this is either; I'm guessing it stands for "Microsoft Terminal Services Hash". Does it base its hash off of the remote user's username?
    
    Packet #3
    <----SNIP---->
    .........\.RSA1H
    <----SNIP---->
    This is sent also; MS uses RSA's RC4 encryption. Not that it seems it would pose a threat, I just thought it was interesting.
    
    
    The first two packets are the ones I'm most concerned about. Instead of getting remote usernames via the NetBIOS protocol, people can now get the remote computer name via the RDP protocol.
    
    The first packet contains the Product ID number. What this means is that a remote attacker can find out exactly what the remote system is running; this is the most accurate way of remote OS detection for the latest Windows versions that deploy the RDP protocol.
    
    -- 
    _______________________________________________
    Get your free email from http://sunos.com
    Powered by Instant Portal
    
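The clear-text fields the post describes, as an added example that is not part of the original post or of any Microsoft code: a small Python parser that pulls the mstshash identifier out of an X.224 Connection Request and lists UTF-16LE strings in a payload (the dotted "G.O.0.N" and "5.5.2.7.4.-..." in the dump are how a hex viewer renders wide characters, each ASCII byte followed by a NUL), so a network monitor can log what a client and server disclose on TCP/3389 before any encryption is negotiated. The TPKT/X.224 framing, the constructed sample packets, the product-ID value and all function names are assumptions of this example.

```python
import re
import struct

# --- Constructed sample traffic (not captured from the original post) -------
# An X.224 Connection Request framed in TPKT, as an RDP client sends it before
# any encryption is negotiated. The routing cookie "Cookie: mstshash=<id>\r\n"
# is the clear-text token quoted in the post; the identifier is taken from it.
def build_x224_connection_request(identifier: str) -> bytes:
    cookie = b"Cookie: mstshash=" + identifier.encode("ascii") + b"\r\n"
    # CR TPDU: code 0xE0, DST-REF, SRC-REF, class option, then the cookie
    tpdu = b"\xe0\x00\x00\x00\x00\x00" + cookie
    x224 = bytes([len(tpdu)]) + tpdu                   # length indicator + TPDU
    tpkt = struct.pack("!BBH", 3, 0, 4 + len(x224))    # version 3, reserved, total length
    return tpkt + x224

COOKIE_RE = re.compile(rb"Cookie: mstshash=([^\r\n]*)\r\n")

def parse_mstshash_cookie(payload: bytes):
    """Return the mstshash identifier from a TPKT/X.224 Connection Request, or None."""
    if len(payload) < 11 or payload[0] != 3:           # not TPKT-framed
        return None
    (tpkt_len,) = struct.unpack("!H", payload[2:4])
    if tpkt_len > len(payload):                        # truncated capture
        return None
    li = payload[4]                                    # X.224 length indicator
    if payload[5] & 0xF0 != 0xE0:                      # not a Connection Request
        return None
    variable_part = payload[11:5 + li]                 # bytes after the fixed header
    match = COOKIE_RE.search(variable_part)
    return match.group(1).decode("ascii", "replace") if match else None

# Runs of printable ASCII interleaved with NUL bytes are UTF-16LE text; that is
# what the dotted computer name and product ID in the post's dump look like.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def extract_utf16le_strings(data: bytes):
    """List every UTF-16LE run of at least four printable characters."""
    return [m.group(0).decode("utf-16-le") for m in WIDE_RE.finditer(data)]

# Shape of a Windows product ID (assumed: 5-3-7-5 digit groups)
PRODUCT_ID_RE = re.compile(r"^\d{5}-\d{3}-\d{7}-\d{5}$")

def classify_leaks(payload: bytes) -> dict:
    """Summarise the clear-text identifiers found in one RDP payload."""
    wide = extract_utf16le_strings(payload)
    return {
        "cookie": parse_mstshash_cookie(payload),
        "wide_strings": wide,
        "product_ids": [s for s in wide if PRODUCT_ID_RE.match(s)],
    }

# Constructed fragment of a later PDU carrying a computer name and a
# placeholder product ID as wide strings, surrounded by arbitrary bytes.
SAMPLE_WIDE_PDU = (b"\x02\xf0\x80" + "GO0N".encode("utf-16-le") + b"\x00\x00\x01\x02"
                   + "55274-640-0000000-00000".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    print(classify_leaks(build_x224_connection_request("go0n")))
    print(classify_leaks(SAMPLE_WIDE_PDU))
```

Fed the first packets of each new RDP session from a capture, `classify_leaks` gives a monitoring tool a per-connection record of which host names and product IDs crossed the wire unencrypted, which is the inventory a defender needs to judge how much the observation in the post exposes on a given network.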
    This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 21:01:16 PST