Read RDP certificate in use

One minor problem I have come across a few times is, "How do I confirm that a Remote Desktop server is actually using the correct TLS certificate?" I deal with end results, not policies or settings, so the way I check TLS servers is to make a connection with openssl s_client. RDP, however, does not begin the connection with the TLS handshake, so s_client cannot extract the certificate directly.

The solution I devised is to capture the packets of an initial RDP connection and then extract the certificate from the TLS Certificate handshake message. My project can read a packet capture, really any pcap that contains a TLS Certificate handshake message, and save every certificate it finds to disk in PEM format. Of course this project is open-source, so you can adapt it to do whatever you want.

You need to generate a packet capture file, which can be done with Wireshark or tcpdump. I used this filter:

sudo tcpdump -w ~/packets.in -n -v -A "port 3389 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"

The BPF expression indexes the first byte of the TCP payload ((tcp[12] & 0xf0) >> 2 is the TCP header length in bytes) and keeps only segments that begin with 0x16, the TLS handshake record type. In Wireshark you can use the display filter tls.handshake.type == 11 (the Certificate message) as well. With the pcap file in hand, run read_rdp_cert.py:

./read_rdp_cert.py --pcapfile ~/packets.in

The utility extracts every certificate it can find in the TLS handshake packets into the current directory. I was unable to find any other project on the World Wide Web that solves the problem I am solving here. I depended heavily on an example from cuckoolinux -> network.py to narrow down inside a network packet. Unfortunately the dpkt library has very weak documentation, so I had to implement my own partial protocol analyzer to get to the good parts inside the TLS handshake. Maybe a future version of this tool will even make the RDP requests itself, so it can be a self-contained utility.
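The following is an added example of the same technique, written for this page; it is not the author's read_rdp_cert.py and it uses only the Python standard library instead of dpkt. It walks a classic pcap (the format tcpdump -w writes; Wireshark saves pcapng by default, so choose "pcap" when saving), concatenates the TCP payload of each flow, locates the TLS handshake records, pulls every DER certificate out of Certificate messages and wraps each one in PEM. The function names, the constructed sample capture and the placeholder DER blobs are all assumptions made for the example. Two caveats a practitioner should keep in mind: the Certificate message is only readable when the handshake is in the clear (TLS 1.2 and older; TLS 1.3 encrypts it), and the tcpdump filter above keeps only segments whose first payload byte is 0x16, so a long certificate chain that spills into a second TCP segment is better captured with a plain port filter.

```python
"""Pull X.509 certificates out of cleartext TLS Certificate handshake messages in a pcap.
Standard library only (no dpkt); Ethernet/IPv4/TCP; TLS 1.2 or older; payloads are
concatenated per TCP flow in capture order, which is not real reassembly."""
import base64
import struct
import sys
from pathlib import Path

TLS_CHANGE_CIPHER_SPEC, TLS_HANDSHAKE, HS_CERTIFICATE = 0x14, 0x16, 11  # record types; msg type

def tcp_payloads_by_flow(pcap_bytes):
    """Return {(src, sport, dst, dport): concatenated TCP payload} for a classic pcap file."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", pcap_bytes)[0])
    if endian is None or struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("need a classic pcap (not pcapng) with the Ethernet link type")
    flows, off = {}, 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)[2]
        frame, off = pcap_bytes[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 over Ethernet only
            continue
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[0] >> 4 != 4 or ip[9] != 6 or min(len(ip), total_len) < ihl + 20:  # TCP only
            continue
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp)
        payload = tcp[(tcp[12] >> 4) * 4:]  # the data offset skips the header and its options
        if payload:
            flows.setdefault((ip[12:16], sport, ip[16:20], dport), bytearray()).extend(payload)
    return flows

def tls_records(stream):
    """Yield (content_type, body) for each complete TLS record in a flow's byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, off)
        body = stream[off + 5:off + 5 + length]
        if ctype in (0x14, 0x15, 0x16, 0x17) and major == 3 and len(body) == length:
            yield ctype, bytes(body)
            off += 5 + length
        else:
            off += 1  # not a record boundary (e.g. RDP's X.224 negotiation): resync

def der_certificates(stream):
    """Return the DER certificates (leaf first) from Certificate messages in one TCP flow."""
    handshake = bytearray()
    for ctype, body in tls_records(stream):
        if ctype == TLS_CHANGE_CIPHER_SPEC:  # everything after this is encrypted
            break
        if ctype == TLS_HANDSHAKE:
            handshake += body  # one handshake message may span several records
    certs, off = [], 0
    while off + 4 <= len(handshake):
        msg_type, msg_len = handshake[off], int.from_bytes(handshake[off + 1:off + 4], "big")
        msg = handshake[off + 4:off + 4 + msg_len]
        if len(msg) < msg_len:
            break
        off += 4 + msg_len
        if msg_type != HS_CERTIFICATE:
            continue
        pos, end = 3, min(len(msg), 3 + int.from_bytes(msg[0:3], "big"))
        while pos + 3 <= end:  # certificate_list: 3-byte length + DER, repeated
            cert_len = int.from_bytes(msg[pos:pos + 3], "big")
            certs.append(bytes(msg[pos + 3:pos + 3 + cert_len]))
            pos += 3 + cert_len
    return certs

def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def extract_pems(pcap_bytes):
    return [to_pem(der) for stream in tcp_payloads_by_flow(pcap_bytes).values()
            for der in der_certificates(stream)]

SAMPLE_LEAF = b"\x30\x0d\x02\x01\x01\x04\x08fakecert"  # constructed placeholder DER, not X.509
SAMPLE_ISSUER = b"\x30\x0b\x02\x01\x02\x04\x06issuer"  # constructed placeholder DER, not X.509

def build_sample_pcap():
    """Constructed capture: one flow from port 3389 whose Certificate message spans two segments."""
    def frame(seq, payload):  # Ethernet/IPv4/TCP with zero checksums (never checked above)
        tcp = struct.pack("!HHIIBBHHH", 3389, 50000, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + tcp
        return b"\x00" * 12 + b"\x08\x00" + ip
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in (SAMPLE_LEAF, SAMPLE_ISSUER))
    body = len(cert_list).to_bytes(3, "big") + cert_list
    msg = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    record = struct.pack("!BBBH", TLS_HANDSHAKE, 3, 3, len(msg)) + msg  # TLS 1.2 handshake record
    frames = [frame(1, record[:20]), frame(21, record[20:])]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # classic pcap, Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":  # usage: python extract_tls_certs.py ~/packets.in
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_pcap()
    for i, pem in enumerate(extract_pems(data)):
        Path(f"cert-{i}.pem").write_text(pem)
```

Run without arguments it processes the built-in sample capture and writes cert-0.pem and cert-1.pem; with a path it processes a real capture. The certificates come out in wire order, leaf first, so the check the page is after is then `openssl x509 -in cert-0.pem -noout -subject -issuer -dates -fingerprint -sha256` compared against the fingerprint of the certificate you expect the server to present.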