Home page logo

basics logo Security Basics mailing list archives

Re: RDP sniffing
From: MaddHatter <maddhatt+securitybasics () cat pdx edu>
Date: Thu, 27 Dec 2007 12:05:17 -0800

That's not exactly true. The switch's ability to map a mac address to
a switchport is finite. The mechanism by which arp poisoning attacks
work is to publish so many mac addresses that the switch does not have
enough memory to remember the real mac addresses and is forced to flood
(broadcast to all switchports) traffic that should rightly go to only a
single switchport. There are countermeasures to prevent arp poisoning,
but they are buggy, or may impose impractical limitations in your 
environment. That's a topic for a different post.

You can cause the same problem through careless configuration of
routers. I think the default arp timeout on most Cisco switches is 20
minutes. The default timeout on their routers is 4 hours (again, if I
remember correctly). That means for 3 hours and 40 minutes the router is
sending packets/frames to the switch, that the switch cannot direct to
a single switchport (i.e. must flood to all attached machines).

In either case, the result is the same. You have access to Ethernet frames
not intended for you. You can sniff someone else's RDP (or other) traffic.

Windows RDP is encrypted. Older versions use a weaker encryption than newer
versions, but none of them are trivial to crack. I personally have less
trust in RDP than I do ssh, which is why I tunnel my RDP sessions through
ssh. You'll have to judge for yourself how concerned you are about a
malicious user capturing passwords or TS activity. (Given the ability to
sniff traffic,) It might be possible, but it's not trivial.

If you could crack RDP encryption, then you would indeed have access to
passwords*, the theoretical ability to make a video of user activities,
or even the ability to inject actions in the terminal services session
that the legitimate user never performed.

Of course in a wireless environment, everything's broadcast.

* I'm not sure if this still holds true in the case where one is using
certificate authentication, as is available in the latest RDP client. I
haven't looked into that at all.

Stewart Gray <security () frozenpea net> said (on 2007/12/26):
Short of using a spanned (or mirrored) switchport, no it's not
possible. A lot of cisco switches support the technology.

You can also buy ethernet taps but the expense can not usually be
justified if your intention is just to play around with this stuff.


On Dec 27, 2007 1:06 AM, Fran Lopez <recompilando () gmail com> wrote:
Is possible sniffing RDP in a switched LAN?

Is possible capturing passwords?
Is possible "saving a video" about the user tasks?

Thanks in advance.
Fran Lopez.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]