Repository layout:

```
├── README.md
├── captures
│   ├── README.md
│   ├── rdp-clipboard-various-formats1.pcapng
│   ├── rdp-credential-guard-accepted1.pcapng
│   ├── rdp-credential-guard-rejected1.pcapng
│   ├── rdp-nla-kerberos-auth1.pcapng
│   ├── rdp-nla-kerberos-auth2.pcapng
│   ├── rdp-nla-ntlm-rejected1.pcapng
│   ├── rdp-nla-ntlm-rejected2.pcapng
│   ├── rdp-nla-smartcard-auth1.pcapng
│   ├── rdp-nla-smartcard-auth2.pcapng
│   ├── rdp-no-nla-accepted1.pcapng
│   ├── rdp-no-nla-rejected1.pcapng
│   ├── rdp-no-nla-smartcard-auth1.pcapng
│   ├── rdp-no-tls-accepted1.pcapng
│   ├── rdp-rdg-diff-creds-kerberos-password.pcapng
│   ├── rdp-rdg-diff-creds-kerberos-smartcard.pcapng
│   ├── rdp-rdg-no-kdc-proxy-ntlm-downgrade-failure.pcapng
│   ├── rdp-rdg-no-kdc-proxy-ntlm-downgrade-success.pcapng
│   ├── rdp-rdg-same-creds-kerberos-password-success1.pcapng
│   ├── rdp-rdg-same-creds-kerberos-password-success2.pcapng
│   ├── rdp-rdg-same-creds-kerberos-smartcard-success1.pcapng
│   ├── rdp-rdg-same-creds-kerberos-smartcard-success2.pcapng
│   ├── rdp-restricted-admin-accepted1.pcapng
│   ├── rdp-restricted-admin-rejected1.pcapng
│   ├── rdp-vmconnect-local-basic-session-mode1.pcapng
│   ├── rdp-vmconnect-local-enhanced-session-mode1.pcapng
│   ├── rdp-vmconnect-remote-basic-session-mode1.pcapng
│   └── rdp-vmconnect-remote-enhanced-session-mode1.pcapng
├── documents
│   ├── Devolutions_2025_Decrypting_RDP_Traffic_in_Wireshark.pdf
│   ├── Devolutions_2025_Decrypting_RDP_Traffic_in_Wireshark.pptx
│   ├── ITSec 2024 - Démystifier l'authentification RDP.pdf
│   ├── ITSec 2024 - Démystifier l'authentification RDP.pptx
│   ├── ITSec 2025 - Déchiffrement et analyse du trafic RDP dans Wireshark.pdf
│   └── ITSec 2025 - Déchiffrement et analyse du trafic RDP dans Wireshark.pptx
└── images
    ├── wireshark_decode_as_tls.png
    ├── wireshark_follow_tcp_stream.png
    ├── wireshark_inject_tls_secrets.png
    ├── wireshark_rdp_dissector_filter.png
    ├── wireshark_tls_dissector_rdp.png
    ├── wireshark_tls_key_log_file.png
    └── wireshark_tpkt_decode_as.png
```

/README.md:

# Wireshark RDP resources

Looking for a way to capture and inspect RDP traffic in Wireshark? You've come to the right place!

## SSLKEYLOGFILE

Many applications, including browsers, support the SSLKEYLOGFILE environment variable, which points to a text file where TLS pre-master secrets are dumped. This format [is supported by Wireshark](https://wiki.wireshark.org/TLS#using-the-pre-master-secret) and does not require exporting server private keys.

To configure Wireshark to use a specific TLS key log file, open the **Preferences** dialog (Edit -> Preferences), navigate to the **TLS** section under **Protocols**, and then change the **(Pre)-Master-Secret log filename** field:

![Wireshark TLS key log file](./images/wireshark_tls_key_log_file.png)

### SChannel

This technique involves attaching to lsass.exe in order to dump TLS pre-master secrets from SChannel into the SSLKEYLOGFILE format supported by Wireshark. This is by far the simplest approach, so it's absolutely worth the trouble, but it should only be used in test environments where security features can be disabled.

Follow these instructions using an *elevated* [PowerShell 7](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows) terminal (Windows PowerShell is *not* compatible).
Disable [LSA extended protection](https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection), and then reboot the machine:

```PowerShell
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -Value 0
```

Launch PowerShell 7 elevated, then install [PSDetour](https://github.com/jborean93/PSDetour):

```PowerShell
Install-Module -Name PSDetour -Scope AllUsers -Force
```

Install the [AwakeCoding.DebugTools PowerShell module](https://github.com/awakecoding/AwakeCoding.DebugTools):

```PowerShell
Install-Module -Name AwakeCoding.DebugTools -Scope AllUsers -Force
```

Start logging TLS pre-master secrets, and leave the terminal open:

```PowerShell
Start-LsaTlsKeyLog
```

By default, the script will use `C:\Windows\Temp\tls-lsa.log` as the SSLKEYLOGFILE. Make sure that Wireshark is properly configured to use it, then capture a first RDP connection to see if it works!

## Wireshark Issues

You thought this was the end of it? Not so fast!

### RDP traffic shows up as 'TPKT Continuation'

Wireshark associates TCP/3389 with the TPKT dissector by default, which works for the [X.224 connection request](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/902b090b-9cb3-4efc-92bf-ee13373371e3)/[confirm](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/13757f8f-66db-4273-9d2c-385c33b1e483) packets that happen before the TLS handshake.

For some reason, the TPKT dissector often won't hand off the TLS packets to the TLS dissector, causing the 'TPKT Continuation' issue. When this happens, right-click on one of the RDP packets, then select **Decode As...**:

![Wireshark TPKT Decode As...](./images/wireshark_tpkt_decode_as.png)

In the Wireshark **Decode As...** dialog, change the default or current dissector to **TLS**, then click OK:

![Wireshark Decode As TLS](./images/wireshark_decode_as_tls.png)

With the TLS dissector forced on the entire TCP connection, the X.224 packets will show up as 'Ignored Unknown Record', but you should now be able to see the TLS handshake, and hopefully some decrypted RDP packets!

![Wireshark RDP with TLS dissector](./images/wireshark_tls_dissector_rdp.png)

To get a cleaner view of the RDP traffic without TCP and TLS packets, add "rdp" to the current Wireshark filter.

![Wireshark RDP dissector filter](./images/wireshark_rdp_dissector_filter.png)

## Noise Reduction

Some RDP features can make packet captures messy and harder to analyze, and some Windows features create unwanted background noise, requiring more advanced filtering to keep only the relevant traffic.

### RDP UDP Transport

Unless you intend to work on the RDP UDP protocol itself, I highly recommend disabling RDP UDP to get a single, clean RDP TCP connection:

```PowerShell
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client' -Name 'fClientDisableUDP' -Value 1
```

Even if you block RDP UDP traffic in the firewall, you will still get some noise from the [RDP multitransport extension](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpemt/4d98f550-6b0d-4d5f-89f5-2ac8616246a2) over the primary RDP TCP connection.
### Bandwidth Auto-Detection

Bandwidth auto-detection is *VERY* noisy at the beginning of an RDP connection, so disable it at all costs in your [.RDP file](https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files):

```
connection type:i:6
networkautodetect:i:0
bandwidthautodetect:i:0
```

Network auto-detection is connection type 7 (auto-detect), which is when bandwidth auto-detection would kick in. This is why disabling the feature completely is best done by setting an explicit network type (6 for LAN), and then disabling both network and bandwidth auto-detection. If you're confused, you're not alone.

### Bulk Data Compression

RDP bulk data compression is great everywhere except when you want to inspect the packets. Disable compression by adding `compression:i:0` to your [.RDP file](https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files):

```
compression:i:0
```

### Windows SmartScreen

If you're inspecting HTTP traffic alongside the RDP connection (think Azure AD, Azure Virtual Desktop, RD Gateway, etc.), then you'll want to remove some of the background noise by disabling SmartScreen:

```PowerShell
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name 'EnableSmartScreen' -Type DWORD -Value 0
```

Don't forget to close unused browsers, and Windows *should* be quiet enough!

## FreeRDP

The latest version of [FreeRDP](https://github.com/FreeRDP/FreeRDP) accepts the SSLKEYLOGFILE path as a command-line parameter:

```
/tls:secrets-file:
```

It is recommended to build FreeRDP from source, as prebuilt versions of FreeRDP in Linux distributions are unlikely to have this option.
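The .RDP settings recommended in the Bandwidth Auto-Detection and Bulk Data Compression sections above are easy to get wrong when you reuse an existing .rdp file, because mstsc writes `connection type:i:7` and the auto-detect flags by default. The following Python script is an added example written for this page, not code from the wireshark-rdp repository or from Microsoft: it parses the `name:type:value` lines of an .rdp file, rewrites exactly the four capture-related keys in place (appending any that are missing), and leaves every other line untouched. The sample .rdp contents are constructed; the host and user names are the ones used by the sample captures in this repository.

```python
# Added example: apply the capture-friendly .rdp settings from the page to an .rdp file.
# Not part of the wireshark-rdp repository.

# Keys the page recommends: explicit LAN (6), no auto-detection, no bulk compression.
CAPTURE_FRIENDLY = {
    "connection type": ("i", "6"),
    "networkautodetect": ("i", "0"),
    "bandwidthautodetect": ("i", "0"),
    "compression": ("i", "0"),
}


def parse_rdp(text):
    """Parse 'name:type:value' lines into (name, type, value) tuples.

    Values may contain ':' themselves (e.g. 'full address:s:host:3389'), so the
    line is split on at most two separators. Blank or unrecognised lines are kept
    verbatim as (None, None, line) so the file round-trips unchanged."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            entries.append((parts[0], parts[1], parts[2]))
        else:
            entries.append((None, None, line))
    return entries


def apply_capture_settings(text, overrides=CAPTURE_FRIENDLY):
    """Return (new_text, changes).

    Keys present in `overrides` are rewritten where they already stand, missing
    ones are appended at the end; `changes` lists (name, old_value, new_value),
    with old_value None for an appended key."""
    seen, out, changes = set(), [], []
    for name, typ, value in parse_rdp(text):
        if name in overrides:
            seen.add(name)
            new_typ, new_val = overrides[name]
            if (typ, value) != (new_typ, new_val):
                changes.append((name, value, new_val))
            out.append(f"{name}:{new_typ}:{new_val}")
        elif name is None:
            out.append(value)  # raw line, preserved as-is
        else:
            out.append(f"{name}:{typ}:{value}")
    for name, (typ, val) in overrides.items():
        if name not in seen:
            changes.append((name, None, val))
            out.append(f"{name}:{typ}:{val}")
    return "\n".join(out) + "\n", changes


# Constructed sample .rdp content (hypothetical file, not from the repository):
# what mstsc typically saves, with auto-detect (type 7) and compression enabled.
SAMPLE_RDP = """\
full address:s:IT-HELP-TEST.ad.it-help.ninja:3389
username:s:Administrator@ad.it-help.ninja
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
compression:i:1
screen mode id:i:2
"""

if __name__ == "__main__":
    new_text, changes = apply_capture_settings(SAMPLE_RDP)
    for name, old, new in changes:
        print(f"{name}: {old!r} -> {new!r}")
    print(new_text)
```

Running it a second time on its own output reports no changes, so it is safe to apply to every .rdp file in a test lab before a capture session.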
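What **Inject TLS Secrets** (and `editcap --inject-secrets`) actually does is store the key log lines inside the pcapng file as a Decryption Secrets Block (DSB), which is why the older pcap format, which has no such block, cannot carry them. The script below is an added example written for this page, not code from the wireshark-rdp repository or from Wireshark: it validates SSLKEYLOGFILE lines (whichever client produced them: `Start-LsaTlsKeyLog`, FreeRDP's `/tls:secrets-file`, or IronRDP) and frames the usable ones as one DSB right after the Section Header Block, then reads the file back to verify. The capture and key log it operates on are constructed inside the script with fake secrets so that it runs offline; the block type numbers and the `TLSK` secrets type are the ones defined by the pcapng specification.

```python
# Added example (not code from the wireshark-rdp repository): validate SSLKEYLOGFILE
# lines and embed them in a pcapng Decryption Secrets Block (DSB), the same thing
# Wireshark's Edit -> Inject TLS Secrets and editcap --inject-secrets write.
import re
import struct

# Labels commonly written to a key log file: TLS 1.2 CLIENT_RANDOM and the TLS 1.3 secrets.
KEYLOG_LABELS = {"CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
                 "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                 "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
PCAPNG_SHB, PCAPNG_IDB, PCAPNG_EPB, PCAPNG_DSB = 0x0A0D0D0A, 0x1, 0x6, 0xA
SECRETS_TYPE_TLS_KEYLOG = 0x544C534B  # "TLSK": DSB secrets type for a TLS key log


def validate_keylog(text):
    """Return (usable_lines, problems). A line is '<LABEL> <client_random> <secret>':
    the client random is 64 hex chars; CLIENT_RANDOM carries the 48-byte master
    secret (96 hex) and the TLS 1.3 labels a hash-sized secret (64 or 96 hex)."""
    good, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed in the format
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KEYLOG_LABELS:
            problems.append((lineno, "unknown label or wrong field count"))
            continue
        label, client_random, secret = parts
        want = (96,) if label == "CLIENT_RANDOM" else (64, 96)
        if len(client_random) != 64 or not _HEX.match(client_random):
            problems.append((lineno, "client random must be 64 hex chars"))
        elif not _HEX.match(secret) or len(secret) not in want:
            problems.append((lineno, f"secret must be hex of length {want}"))
        else:
            good.append(line)
    return good, problems


def _block(block_type, body):
    """Frame one pcapng block: type, total length, body padded to 4 bytes, total length."""
    pad = (-len(body)) % 4
    total = 12 + len(body) + pad
    return struct.pack("<II", block_type, total) + body + b"\0" * pad + struct.pack("<I", total)


def iter_blocks(data):
    """Yield (block_type, body) for every block of a little-endian pcapng file."""
    off = 0
    while off + 12 <= len(data):
        block_type, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length at offset {off}")
        yield block_type, data[off + 8:off + total - 4]
        off += total


def inject_keylog(pcapng, keylog_text):
    """Return a copy of the capture with one TLS DSB inserted right after the SHB."""
    good, problems = validate_keylog(keylog_text)
    if not good:
        raise ValueError(f"no usable key log lines: {problems}")
    secrets = ("\n".join(good) + "\n").encode()
    dsb = _block(PCAPNG_DSB, struct.pack("<II", SECRETS_TYPE_TLS_KEYLOG, len(secrets)) + secrets)
    out = b""
    for index, (block_type, body) in enumerate(iter_blocks(pcapng)):
        if index == 0 and block_type != PCAPNG_SHB:
            raise ValueError("pcapng must start with a Section Header Block")
        out += _block(block_type, body)
        if index == 0:
            out += dsb  # secrets must precede the packets that need them
    return out


def extract_keylog(pcapng):
    """Return the key log text carried by the first TLS DSB, or None (used to verify)."""
    for block_type, body in iter_blocks(pcapng):
        if block_type == PCAPNG_DSB and struct.unpack_from("<I", body)[0] == SECRETS_TYPE_TLS_KEYLOG:
            length = struct.unpack_from("<I", body, 4)[0]
            return body[8:8 + length].decode()
    return None


def minimal_pcapng():
    """Constructed capture: SHB + one Ethernet IDB + one EPB holding a zeroed 14-byte frame."""
    shb = _block(PCAPNG_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(PCAPNG_IDB, struct.pack("<HHI", 1, 0, 65535))
    frame = b"\0" * 14
    epb = _block(PCAPNG_EPB, struct.pack("<IIIII", 0, 0, 0, len(frame), len(frame)) + frame)
    return shb + idb + epb


# Constructed key log (fake secrets, not real session keys) with one malformed line.
SAMPLE_KEYLOG = ("# constructed sample\n"
                 "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48 + "\n"
                 "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "44" * 32 + "\n"
                 "CLIENT_RANDOM deadbeef " + "55" * 48 + "\n")

if __name__ == "__main__":
    good, problems = validate_keylog(SAMPLE_KEYLOG)
    print(f"{len(good)} usable key log lines, rejected: {problems}")
    capture = inject_keylog(minimal_pcapng(), SAMPLE_KEYLOG)
    print("DSB round-trip ok:", extract_keylog(capture).splitlines() == good)
```

On a real file, `inject_keylog(open("rdp-test.pcapng", "rb").read(), open("rdp-test.keys").read())` returns the bytes to write to a new .pcapng; Wireshark reads the embedded DSB on its own, so the recipient needs no key log preference set, which is exactly why the exported file "decrypts properly" for anyone you share it with.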
Alternatively, you can inject TLS secrets into an existing .pcapng file using the [editcap command-line tool](https://www.wireshark.org/docs/man-pages/editcap.html):

```PowerShell
$CaptureName = "rdp-test" # change this
$Env:PATH += ";$Env:ProgramFiles\Wireshark"
& editcap --inject-secrets "tls,${CaptureName}.keys" "${CaptureName}.pcapng" "${CaptureName}-tls.pcapng"
@("${CaptureName}.pcapng", "${CaptureName}.keys") | Remove-Item
Move-Item "${CaptureName}-tls.pcapng" "${CaptureName}.pcapng"
```

Congratulations, you now have a Wireshark capture file with RDP traffic that you can easily share with anyone and that will decrypt properly!

## Sample Captures

Sample Wireshark capture files [are available here](captures/README.md)!

/captures/README.md:

# Sample RDP Wireshark capture files

Here is a collection of decrypted RDP capture files, showing various scenarios.

## RDP with NLA, Kerberos password authentication #1

[rdp-nla-kerberos-auth1.pcapng](rdp-nla-kerberos-auth1.pcapng)

* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP NLA with Kerberos

## RDP with NLA, Kerberos password authentication #2

[rdp-nla-kerberos-auth2.pcapng](rdp-nla-kerberos-auth2.pcapng)

* Username: IT-HELP\Administrator
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP NLA with Kerberos

## RDP with NLA, NTLM rejected by server #1

[rdp-nla-ntlm-rejected1.pcapng](rdp-nla-ntlm-rejected1.pcapng)

* Username: IT-HELP\Administrator
* Server: 10.10.0.10
* Authentication: RDP NLA with NTLM

The client connected using the IP address instead of the FQDN, causing an NTLM downgrade on a server configured to reject inbound NTLM.

## RDP with NLA, NTLM rejected by server #2

[rdp-nla-ntlm-rejected2.pcapng](rdp-nla-ntlm-rejected2.pcapng)

* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP NLA with Kerberos (password), followed by an NTLM downgrade

The client connected using the FQDN of the server and attempted Kerberos password-based authentication, but after the wrong password was entered, the RDP client downgraded to NTLM, which was then rejected by the server because the user is a member of the Protected Users group in Active Directory.
## RDP with NLA, Kerberos smartcard authentication #1

[rdp-nla-smartcard-auth1.pcapng](rdp-nla-smartcard-auth1.pcapng)

* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP NLA with Kerberos (smartcard)

## RDP with NLA, Kerberos smartcard authentication #2

[rdp-nla-smartcard-auth2.pcapng](rdp-nla-smartcard-auth2.pcapng)

* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP NLA with Kerberos (smartcard)

## RDP without NLA, smartcard authentication #1

[rdp-no-nla-smartcard-auth1.pcapng](rdp-no-nla-smartcard-auth1.pcapng)

* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP without NLA (smartcard)

## RDP without NLA, accepted by server #1

[rdp-no-nla-accepted1.pcapng](rdp-no-nla-accepted1.pcapng)

* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP without NLA (password)

## RDP without NLA, rejected by server #1

[rdp-no-nla-rejected1.pcapng](rdp-no-nla-rejected1.pcapng)

* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP without NLA (password)

## RDP without TLS, accepted by server #1

[rdp-no-tls-accepted1.pcapng](rdp-no-tls-accepted1.pcapng)

* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP without NLA, without TLS (password)

## RDP Restricted Admin Mode, accepted by server #1

[rdp-restricted-admin-accepted1.pcapng](rdp-restricted-admin-accepted1.pcapng)

* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP with NLA + Restricted Admin Mode

## RDP Restricted Admin Mode, rejected by server #1

[rdp-restricted-admin-rejected1.pcapng](rdp-restricted-admin-rejected1.pcapng)

* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP with NLA + Restricted Admin Mode

## RDP Remote Credential Guard, accepted by server #1

[rdp-credential-guard-accepted1.pcapng](rdp-credential-guard-accepted1.pcapng)

* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP with NLA + Remote Credential Guard

## RDP Remote Credential Guard, rejected by server #1

[rdp-credential-guard-rejected1.pcapng](rdp-credential-guard-rejected1.pcapng)

* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: RDP with NLA + Remote Credential Guard

## RD Gateway with different credentials, Kerberos password authentication

[rdp-rdg-diff-creds-kerberos-password.pcapng](rdp-rdg-diff-creds-kerberos-password.pcapng)

RD Gateway:
* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-GW.ad.it-help.ninja
* Authentication: Kerberos, password-based

RDP server:
* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: Kerberos, password-based

## RD Gateway with different credentials, Kerberos smartcard authentication

[rdp-rdg-diff-creds-kerberos-smartcard.pcapng](rdp-rdg-diff-creds-kerberos-smartcard.pcapng)

RD Gateway:
* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-GW.ad.it-help.ninja
* Authentication: Kerberos, smartcard-based

RDP server:
* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: Kerberos, smartcard-based

## RD Gateway with no KDC proxy, NTLM downgrade failure

[rdp-rdg-no-kdc-proxy-ntlm-downgrade-failure.pcapng](rdp-rdg-no-kdc-proxy-ntlm-downgrade-failure.pcapng)

RD Gateway:
* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-GW.ad.it-help.ninja
* Authentication: Kerberos, password-based

## RD Gateway with no KDC proxy, NTLM downgrade success

[rdp-rdg-no-kdc-proxy-ntlm-downgrade-success.pcapng](rdp-rdg-no-kdc-proxy-ntlm-downgrade-success.pcapng)

RD Gateway:
* Username: Administrator@ad.it-help.ninja
* Server: IT-HELP-GW.ad.it-help.ninja
* Authentication: Kerberos, password-based

## RD Gateway with KDC proxy, same credentials, Kerberos password authentication

[rdp-rdg-same-creds-kerberos-password-success1.pcapng](rdp-rdg-same-creds-kerberos-password-success1.pcapng)

RD Gateway:
* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-GW.ad.it-help.ninja
* Authentication: Kerberos, password-based

RDP server:
* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: Kerberos, password-based

## RD Gateway with KDC line-of-sight, same credentials, Kerberos password authentication

[rdp-rdg-same-creds-kerberos-password-success2.pcapng](rdp-rdg-same-creds-kerberos-password-success2.pcapng)

RD Gateway:
* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-GW.ad.it-help.ninja
* Authentication: Kerberos, password-based

RDP server:
* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: Kerberos, password-based

## RD Gateway with KDC proxy, same credentials, Kerberos smartcard authentication

[rdp-rdg-same-creds-kerberos-smartcard-success1.pcapng](rdp-rdg-same-creds-kerberos-smartcard-success1.pcapng)

RD Gateway:
* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-GW.ad.it-help.ninja
* Authentication: Kerberos, smartcard-based

RDP server:
* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: Kerberos, smartcard-based

## RD Gateway with KDC line-of-sight, same credentials, Kerberos smartcard authentication

[rdp-rdg-same-creds-kerberos-smartcard-success2.pcapng](rdp-rdg-same-creds-kerberos-smartcard-success2.pcapng)

RD Gateway:
* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-GW.ad.it-help.ninja
* Authentication: Kerberos, smartcard-based

RDP server:
* Username: ProtectedUser@ad.it-help.ninja
* Server: IT-HELP-TEST.ad.it-help.ninja
* Authentication: Kerberos, smartcard-based

## RDP clipboard redirection with various formats

[rdp-clipboard-various-formats1.pcapng](rdp-clipboard-various-formats1.pcapng)

Sample capture showing clipboard redirection with various formats (text, images, rich text, file copy, etc.).

## RDP vmconnect, local, basic session mode

[rdp-vmconnect-local-basic-session-mode1.pcapng](rdp-vmconnect-local-basic-session-mode1.pcapng)

Local RDP vmconnect connection to Hyper-V using implicit credentials, in basic session mode, with an Alpine Linux VM guest.

## RDP vmconnect, local, enhanced session mode

[rdp-vmconnect-local-enhanced-session-mode1.pcapng](rdp-vmconnect-local-enhanced-session-mode1.pcapng)

Local RDP vmconnect connection to Hyper-V using implicit credentials, in enhanced session mode, with a Windows Server VM guest.

## RDP vmconnect, remote, basic session mode

[rdp-vmconnect-remote-basic-session-mode1.pcapng](rdp-vmconnect-remote-basic-session-mode1.pcapng)

Remote RDP vmconnect connection to Hyper-V using explicit credentials, in basic session mode, with an Alpine Linux VM guest.

## RDP vmconnect, remote, enhanced session mode

[rdp-vmconnect-remote-enhanced-session-mode1.pcapng](rdp-vmconnect-remote-enhanced-session-mode1.pcapng)

Remote RDP vmconnect connection to Hyper-V using explicit credentials, in enhanced session mode, with a Windows Server VM guest.

Binary files in the repository (captures, slide decks and screenshots) can be downloaded at commit 683505a753dfd7a2b27713b3a21e9a6951abacc4 from `https://raw.githubusercontent.com/awakecoding/wireshark-rdp/683505a753dfd7a2b27713b3a21e9a6951abacc4/` followed by one of these paths:

* captures/rdp-clipboard-various-formats1.pcapng
* captures/rdp-credential-guard-accepted1.pcapng
* captures/rdp-credential-guard-rejected1.pcapng
* captures/rdp-nla-kerberos-auth1.pcapng
* captures/rdp-nla-kerberos-auth2.pcapng
* captures/rdp-nla-ntlm-rejected1.pcapng
* captures/rdp-nla-ntlm-rejected2.pcapng
* captures/rdp-nla-smartcard-auth1.pcapng
* captures/rdp-nla-smartcard-auth2.pcapng
* captures/rdp-no-nla-accepted1.pcapng
* captures/rdp-no-nla-rejected1.pcapng
* captures/rdp-no-nla-smartcard-auth1.pcapng
* captures/rdp-no-tls-accepted1.pcapng
* captures/rdp-rdg-diff-creds-kerberos-password.pcapng
* captures/rdp-rdg-diff-creds-kerberos-smartcard.pcapng
* captures/rdp-rdg-no-kdc-proxy-ntlm-downgrade-failure.pcapng
* captures/rdp-rdg-no-kdc-proxy-ntlm-downgrade-success.pcapng
* captures/rdp-rdg-same-creds-kerberos-password-success1.pcapng
* captures/rdp-rdg-same-creds-kerberos-password-success2.pcapng
* captures/rdp-rdg-same-creds-kerberos-smartcard-success1.pcapng
* captures/rdp-rdg-same-creds-kerberos-smartcard-success2.pcapng
* captures/rdp-restricted-admin-accepted1.pcapng
* captures/rdp-restricted-admin-rejected1.pcapng
* captures/rdp-vmconnect-local-basic-session-mode1.pcapng
* captures/rdp-vmconnect-local-enhanced-session-mode1.pcapng
* captures/rdp-vmconnect-remote-basic-session-mode1.pcapng
* captures/rdp-vmconnect-remote-enhanced-session-mode1.pcapng
* documents/Devolutions_2025_Decrypting_RDP_Traffic_in_Wireshark.pdf
* documents/Devolutions_2025_Decrypting_RDP_Traffic_in_Wireshark.pptx
* documents/ITSec 2024 - Démystifier l'authentification RDP.pdf
* documents/ITSec 2024 - Démystifier l'authentification RDP.pptx
* documents/ITSec 2025 - Déchiffrement et analyse du trafic RDP dans Wireshark.pdf
* documents/ITSec 2025 - Déchiffrement et analyse du trafic RDP dans Wireshark.pptx
* images/wireshark_decode_as_tls.png
* images/wireshark_follow_tcp_stream.png
* images/wireshark_inject_tls_secrets.png
* images/wireshark_rdp_dissector_filter.png
* images/wireshark_tls_dissector_rdp.png
* images/wireshark_tls_key_log_file.png
* images/wireshark_tpkt_decode_as.png
