Network Security Security-Basics

Re: RDP sniffing

Subject: Re: RDP sniffing
Date: Thu, 27 Dec 2007 12:05:17 -0800

That's not exactly true. The switch's ability to map a mac address to
a switchport is finite. The mechanism by which arp poisoning attacks
work is to publish so many mac addresses that the switch does not have
enough memory to remember the real mac addresses and is forced to flood
(broadcast to all switchports) traffic that should rightly go to only a
single switchport. There are countermeasures to prevent arp poisoning,
but they are buggy, or may impose impractical limitations in your 
environment. That's a topic for a different post.

You can cause the same problem through careless configuration of
routers. I think the default arp timeout on most Cisco switches is 20
minutes. The default timeout on their routers is 4 hours (again, if I
remember correctly). That means for 3 hours and 40 minutes the router is
sending packets/frames to the switch, that the switch cannot direct to
a single switchport (i.e. must flood to all attached machines).

In either case, the result is the same. You have access to Ethernet frames
not intended for you. You can sniff someone else's RDP (or other) traffic.

Windows RDP is encrypted. Older versions use a weaker encryption than newer
versions, but none of them are trivial to crack. I personally have less
trust in RDP than I do ssh, which is why I tunnel my RDP sessions through
ssh. You'll have to judge for yourself how concerned you are about a
malicious user capturing passwords or TS activity. (Given the ability to
sniff traffic,) it might be possible, but it's not trivial.

If you could crack RDP encryption, then you would indeed have access to
passwords*, the theoretical ability to make a video of user activities,
or even the ability to inject actions in the terminal services session
that the legitimate user never performed.

Of course in a wireless environment, everything's broadcast.

* I'm not sure if this still holds true in the case where one is using
certificate authentication, as is available in the latest RDP client. I
haven't looked into that at all.

Stewart Gray <security@frozenpea.net> said (on 2007/12/26):
Short of using a spanned (or mirrored) switchport, no, it's not
possible. A lot of Cisco switches support the technology.

You can also buy ethernet taps but the expense can not usually be
justified if your intention is just to play around with this stuff.

Stewart

On Dec 27, 2007 1:06 AM, Fran Lopez <recompilando@gmail.com> wrote:
Is it possible to sniff RDP in a switched LAN?

Is it possible to capture passwords?
Is it possible to "save a video" of the user's tasks?

Thanks in advance.
Fran Lopez.
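A toy model of the two flooding conditions the first reply describes (a switch MAC table that runs out of room, and a router whose ARP entry outlives the switch's table entry so it keeps sending unicast frames the switch can no longer direct), together with the per-port source MAC count that a port-security limit acts on. This is an added illustration written for this archive page, not code from any poster; the table capacity, the timers (20 minutes for the switch, 4 hours for the router, as the reply states), the MAC addresses and the port numbers are all constructed values.

```python
"""Toy learning switch with a finite MAC table and an aging timer.
Added illustration; all MACs, ports, capacities and timers are constructed."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    in_port: int  # switchport the frame arrived on
    t: float      # arrival time, seconds since start


class Switch:
    """Learn source MAC per port, forward by destination, flood when the
    destination is unknown (or broadcast)."""

    def __init__(self, ports, capacity, aging_secs):
        self.ports = set(ports)
        self.capacity = capacity        # maximum entries in the MAC table
        self.aging_secs = aging_secs    # entry lifetime without traffic
        self.table = {}                 # mac -> (port, last_seen)

    def _age_out(self, now):
        for mac, (_port, seen) in list(self.table.items()):
            if now - seen > self.aging_secs:
                del self.table[mac]

    def _learn(self, frame):
        # A full table cannot accept a new entry; known ones are refreshed.
        if frame.src in self.table or len(self.table) < self.capacity:
            self.table[frame.src] = (frame.in_port, frame.t)

    def forward(self, frame):
        """Return the set of ports the frame is delivered to."""
        self._age_out(frame.t)
        self._learn(frame)
        entry = self.table.get(frame.dst)
        if entry is None or frame.dst == BROADCAST:
            return self.ports - {frame.in_port}   # unknown unicast: flood
        return {entry[0]}


def table_exhaustion_demo(capacity):
    """Port 3 sources eight distinct MACs. With capacity=8 the table is full,
    the victim on port 1 can never be learned, and the server's reply to it
    is flooded to every other port (including port 3). With a larger
    capacity the reply reaches port 1 only."""
    sw = Switch(ports=[1, 2, 3], capacity=capacity, aging_secs=20 * 60)
    for i in range(8):
        sw.forward(Frame(f"02:00:00:00:00:{i:02x}", BROADCAST, 3, 0.0))
    victim, server = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:01"
    sw.forward(Frame(victim, server, 1, 1.0))             # victim talks
    return sw.forward(Frame(server, victim, 2, 2.0))      # server replies


def arp_timeout_mismatch_demo():
    """Switch entries age after 20 min; the router on port 2 holds its ARP
    entry for the host for 4 h (constructed, per the reply) and so keeps
    sending unicast without re-ARPing. Once the quiet host on port 1 has
    aged out of the switch table, those frames are flooded."""
    sw = Switch(ports=[1, 2, 3], capacity=1024, aging_secs=20 * 60)
    host, router = "aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:01"
    sw.forward(Frame(host, router, 1, 0.0))               # host speaks once
    early = sw.forward(Frame(router, host, 2, 60.0))      # inside 20 min
    late = sw.forward(Frame(router, host, 2, 25 * 60.0))  # after aging
    return early, late


def ports_over_mac_limit(frames, limit):
    """Defender-side check: ports that sourced more than `limit` distinct
    MACs. This is the observation a port-security MAC limit acts on."""
    seen = {}
    for f in frames:
        seen.setdefault(f.in_port, set()).add(f.src)
    return sorted(p for p, macs in seen.items() if len(macs) > limit)


if __name__ == "__main__":
    print("full table, server reply delivered to:", table_exhaustion_demo(8))
    print("roomy table, server reply delivered to:", table_exhaustion_demo(64))
    print("router->host before/after switch aging:", arp_timeout_mismatch_demo())
    sample = [Frame(f"02:00:00:00:00:{i:02x}", BROADCAST, 3, 0.0) for i in range(8)]
    sample.append(Frame("aa:aa:aa:aa:aa:01", BROADCAST, 1, 0.0))
    print("ports exceeding 2 source MACs:", ports_over_mac_limit(sample, 2))
```

The model deliberately leaves out the countermeasures the reply alludes to; the point is only that, in both scenarios, a frame meant for one port arrives on every port, and that the per-port MAC count is the signal a switch-side limit keys on.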

