Cyber Security Awareness Month - Day 9 - Port 3389/tcp (RDP)

Published: 2009-10-09
Last Updated: 2009-10-10 13:26:48 UTC
by Rob VandenBrink (Version: 3)
4 comment(s)

Feel free to comment on this diary entry - we’re interested in issues or resolutions you may have had involving the RDP protocol, Terminal Services client and server applications, as well as any questions you may have regarding this diary entry.  You can use the comment button at the bottom of this article.

Microsoft's RDP (Remote Desktop Protocol) and it's associated "terminal service" client and server apps have been widely used since Windows 2000 days for Windows server administration.  RDP gives delivers the server's complete remote desktop to a client.  RDP has been improved over time, and is now pretty much the de facto standard for remote administration in most datacenters.  

In more recent times, VDI (Virtual Desktop Interface) implementations often use RDP to deliver the desktop from a VM to thin clients or PC's, in an effort to centralize control and minimize administration requirements for client desktops.  This has resulted in more widespread use, as well as improvements to the protocol especially around the delivery of graphics and performance in high-latency situations.

The perception has always been that RDP offers a secure delivery of information, as Microsoft publishes detailed information of it’s encryption settings.  The default setting is now “high”, which means 128bit encryption (using RC4)

However, there’s a problem with RDP – by default the certificate used for encryption is signed by an RSA private key, which is then stored statically in the file mstlsapi.dll, which every Windows client and server has in it’s base install!  This was originally discovered by Erik Forsberg in 2003 ( ), and documented further at (amongst other places).

This means that in a default installation, a Man-in-the-Middle (MITM) attack can intercept the exchange of RDP encryption information, substitute it’s own (correctly signed) SSL information to both the client and the server, and decrypt the entire session, all without the “encryption alert” message showing up at the client!

Even if that were not the case, the default installation for Terminal Services client on XP does not notify you if the server certificate does not "match".  Check for yourself  - open the terminal services client, choose the "Advanced" tab, then check the "verification policy" value - youi'll see that it's set to "Connect and don't warn me"

What does this mean to me?

What this means is that if the default Windows installation is taken, and no further protections around encryption are implemented, that RDP is easily compromised.  This is normally done by capturing an RDP login exchange, usually using a Man-in-the-Middle attack, then decrypting the captured packets to arrive at the password.  CAIN ( does a great job at this task.  Describing an attack in theory is great, but I find that people don’t often take it seriously until the SEE it work in their environment.  For this reason, we’ve attached a short video of such an attack, with a brief description of how MITM attacks.  This attack works even if you change the “Server Authentication Verification” discussed above.

When I discuss this with people, they often don’t realize just how large a security risk this is – until they see it for real that is.  This video shows just how easy it is==> .

There's a brief explanation of how Man in the Middle via ARP cache poisoning works, but the emphasis is on the RDP stuff, and on how to use CAIN to get the goods – in an internal security assessment for instance.  Just be sure that if you try this at home, that your laptop has enough horsepower to “keep up”.  If your laptop chokes during the attack, remember that you’ve poisoned the ARP cache of 2 or more hosts (your DC is one of them maybe), and the default ARP cache timer is 4 hours!

In a larger sense, what this should mean to us is that the default installation of most things (including Windows) is almost never the right choice for security.   Products ship so that people can install them with limited training and be still successful.  This is true of Windows, most Linux distributions, OSX, pretty much everything.  After installing an operating system for business (or personal) use, it’s always a good thing to reference that vendor’s security best practices.  Googling the vendor name plus “hardening guide” is often a good start.  Other references that may be helpful are sites like the “SANS Top 20” ( ) or the benchmarks at the Center for Internet Security ( ).

How can I fix RDP in my Datacenter?  Do i need to stop using RDP?

The good news is that the RDP protocol, as well as Microsoft’s Terminal Services client and server applications are very well constructed, and can be secured using industry-standard methods, methods that you are probably already using for your corporate website or wireless infrastructures.  Microsoft has really good documentation on using a PKI (Public Key Infrastructure) to use trusted authorities to secure RDP using TLS (Transport Layer Security).  You can find one such document (which references other docs) here ==>

In Windows Server 2008, a new feature called NLA (Network Level Authentication) offers much stronger protections against key spoofing by providing real authentication of the session.  It does not protect against layer 2 MITM (arp poisoning) - but with the added authentication and encryption protections, the traffic secured.  NLA requires client versions of 6 or higher on the client desktops to work. Browse here for more NLA details ==>

Can I prevent Man in the Middle Attacks?

You can certainly make them more difficult by configuring you switches correctly – look for an isc diary on Layer 2 protections coming soon.


4 comment(s)

AT&T Cell Phone Phish

Published: 2009-10-09
Last Updated: 2009-10-09 19:55:48 UTC
by Rob VandenBrink (Version: 5)
5 comment(s)

Alan tells us that several AT&T cell subscribers have just received a text message, which instructs them to call a toll-free number XXX-XXX-7649 to resolve a problem with their account.  When called, a voice menu harvests their credit card information. 

An interesting delivery mechanism for an old-hat phish, which we're all used to seeing in our email inboxes - now bright-shiny-new as a text message - nice find Allan!

Johannes tested this with the 4111 1111 1111 test card number, which the phish menu verified correctly.  Subsequent tests indicate that a random 16 digit number is initially accepted by the voice menu, but fails verification at the end of the input process.  This indicates that the menu is actually verifying and processing the CC numbers correctly, and is most likely processing (evil) transactions in close to real-time.

A recording of a successful transaction is here ==>

Since first posting this story, we've had reports of similar attacks on Nextel (Sprint) and T-Mobile, and I'm sure the list will grow as more folks report in.

Also since posting this story, the process of taking down the original number has been initiated, but this is still a valuable discussion to have, as it's becoming a more common occurance.

Don Smith (another ISC handler) has some other interesting interesting diary entries on this here ==>

and here ==>

Always interesting to keep tabs on what evil lurks out there !

5 comment(s)

THAWTE to discontinue free Email Certificate Services and Web of Trust Service

Published: 2009-10-09
Last Updated: 2009-10-09 15:27:10 UTC
by Rob VandenBrink (Version: 1)
4 comment(s)

Arno writes in to tell us that Thawte will be discontinuing their free E-mail Certificates and email cert "web of trust" service, as of Nov 16, 2009.  They are offering a free one-time migration to a  1 year Versign certificate services subscription (which is is a chargeable thing after your first year runs out).

Information on the discontinuation and the migration can be found here ==>
and here ==>


4 comment(s)


What's this all about ..?
password reveal .
<a hreaf="">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> nearest public toilet to me</a>
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> nearest public toilet to me</a>
<a hreaf=""> public bathroom near me</a>
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
Enter corthrthmment here...

Diary Archives