Remote desktop is a standard component of the Windows operating system. It allows users to access computers running Windows from any Windows client, from anywhere, over any kind of connection. The user may use any applications, files and network resources on the remote computer as if using them locally, and all applications running on the local machine continue to work normally after connecting to the remote desktop.

The functions of remote desktop access are provided by the Microsoft Remote Desktop Protocol (RDP). RDP specifies the communication protocol between a Windows terminal and a Windows server that achieves remote display and input on a Windows-based PC. RDP uses a TCP/IP connection and listens on port 3389 by default.

Because it provides a useful application, RDP has become a popular communication protocol. However, given its remote-access nature, a vulnerability analysis of this protocol is necessary. RDP is a proprietary Microsoft protocol whose details have not been published. Nevertheless, by capturing data packets and studying the related protocols, we were able to analyze the protocol procedures, such as connection establishment, private key negotiation and data communication between client and server. With this effort, we found several security holes in RDP. Through one of them, attackers may conduct a man-in-the-middle attack by listening to and penetrating the communication between client and server, ultimately obtaining the plaintext of the communication data.

Based on the above research, we designed and implemented a man-in-the-middle attack on the RDP protocol. This paper presents the theory and two methods of the attack, and how the attack is deployed using ARP spoofing. The basic idea behind the man-in-the-middle attack on RDP is to exploit the one-way authentication vulnerability of the RDP session. Because the RDP client does not authenticate the server that provides the RSA public key, an attacker can impersonate the server using ARP spoofing and send a fake public key to the client. By doing so, the attacker obtains the client random, which is used to generate the session key. With this information, the session key can be calculated.

In order to show the results of the man-in-the-middle attack, we designed and implemented an RDP replay system. After the man-in-the-middle attack, the raw data exchanged between client and server is stored on the attacker's computer. This data includes the mouse and keyboard operations the client sends to the server and the display information the server returns to the client. With it, we rebuilt the user interface of the RDP client for a recorded RDP session on the attacker's computer to replay the RDP protocol.

As a conclusion of our work, we propose several methods to improve the security of RDP, including the use of SSL to identify the server. This method improves the authentication strategy so that the identity of the server is verified, preventing possible man-in-the-middle attacks.
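The conclusion above recommends authenticating the server with SSL. As an added example that is not part of the paper, the following PowerShell function audits whether a Windows host's RDP listener still permits the legacy RDP security layer (the mode in which the client accepts the server's RSA public key unverified) and, with the -Remediate switch, enforces the SSL/TLS layer and Network Level Authentication instead. It assumes the caller can read, and with -Remediate write, the local registry; the function name is my own.

```powershell
# Added example (not from the paper): audit the RDP-Tcp listener's security
# configuration and optionally harden it so the server is authenticated via TLS.
function Test-RdpServerAuthentication {
    [CmdletBinding()]
    param([switch]$Remediate)

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $cfg  = Get-ItemProperty -Path $path -ErrorAction Stop

    # SecurityLayer: 0 = RDP Security Layer (legacy; client does not verify the server key)
    #                1 = Negotiate (TLS if the client supports it, else legacy)
    #                2 = SSL/TLS required (server presents an X.509 certificate)
    # UserAuthentication: 1 = Network Level Authentication required
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
    $layer = [int]$cfg.SecurityLayer
    $nla   = [int]$cfg.UserAuthentication
    $enc   = [int]$cfg.MinEncryptionLevel

    $findings = @()
    if ($layer -lt 2) { $findings += "SecurityLayer=$layer allows unauthenticated RSA key exchange (set to 2)" }
    if ($nla -ne 1)   { $findings += "UserAuthentication=$nla does not require NLA (set to 1)" }
    if ($enc -lt 3)   { $findings += "MinEncryptionLevel=$enc is below High (set to 3 or 4)" }

    if ($Remediate -and $findings.Count -gt 0) {
        # Weak setting -> corrected setting; applies to new connections
        Set-ItemProperty -Path $path -Name SecurityLayer      -Value 2 -Type DWord
        Set-ItemProperty -Path $path -Name UserAuthentication -Value 1 -Type DWord
        if ($enc -lt 3) { Set-ItemProperty -Path $path -Name MinEncryptionLevel -Value 3 -Type DWord }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        SecurityLayer = $layer
        NlaRequired   = ($nla -eq 1)
        Findings      = $findings
        Remediated    = [bool]($Remediate -and $findings.Count -gt 0)
    }
}

# Report only; add -Remediate to enforce the TLS layer and NLA.
Test-RdpServerAuthentication | Format-List
```

Values set by Group Policy under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services take precedence over the per-listener key, so a domain-joined host should be checked there as well.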