RDP Replay Code Release

In one of our previous blog posts, we described how, during routine monitoring of a client network, Context analysts noticed unexpected RDP traffic that, on further investigation, turned out to be an intrusion.

By Steve Elliott

Principal Software Engineer

13 Apr 2016

We took a more in-depth look at what information could be extracted from a PCAP of this activity, which led to a tool that replays the RDP session as the attacker would have seen it. Read the original blog post in full here.

We have made this tool available after requests from a number of our blog readers. It requires the private key for decryption, which can usually be recovered with cooperation from the client.

It is a Linux tool and was developed on Ubuntu 14.04; the instructions below are for installing on that operating system.

This is released under Apache License version 2.0. By downloading this tool you are agreeing to the following license agreement. No support is available for installation or troubleshooting.

To download the code, please go to our official github page, here: https://github.com/ctxis/RDP-Replay

Quick Start Guide

Run the following 5 commands. They build rdp_replay and start a test replay.

tar xzf rdp_build.tgz
sudo apt-get install -y build-essential git-core cmake libssl-dev libx11-dev libxext-dev libxinerama-dev libxcursor-dev libxdamage-dev libxv-dev libxkbfile-dev libasound2-dev libcups2-dev libxml2 libxml2-dev libxrandr-dev libgstreamer0.10-dev libgstreamer-plugins-base0.10-dev libavutil-dev libavcodec-dev libavformat-dev libpcap-dev libreadline-dev
cd rdp_build
replay/rdp_replay -r test/demo1.pcap -p test/demo1.pem --no_cksum
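Because no support is offered for troubleshooting, it is worth checking the two inputs rdp_replay needs (a libpcap capture and a PEM private key) before starting a replay. The script below is an added example and is not part of the RDP-Replay project or the original post; it only assumes the command-line flags shown in the quick start (-r, -p, --no_cksum) and uses plain POSIX tools, so it does not require the tool to be built in order to run the checks.

```shell
#!/bin/sh
# Added example (not from the Context blog post or the RDP-Replay project):
# pre-flight checks for the inputs rdp_replay takes, the PCAP given with -r
# and the private key given with -p, before invoking the tool.

# Return 0 if the file starts with a libpcap magic number (either byte
# order, microsecond or nanosecond timestamps). pcapng is not accepted,
# because the quick start only demonstrates classic .pcap input.
is_pcap() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the file carries PEM armour for a private key
# (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY"); a certificate or a
# public key in the same file would not let the session be decrypted.
is_private_key_pem() {
    grep -qE -- '^-----BEGIN (RSA )?PRIVATE KEY-----' "$1" 2>/dev/null
}

# Validate both inputs and print the replay command that would be run.
# Exit status 2 means a bad capture, 3 means a bad key file. With DRY_RUN=1
# (the default) the command is only printed, so the checks can be exercised
# without a built rdp_replay binary; set DRY_RUN=0 to actually run it.
replay_session() {
    pcap=$1; key=$2; bin=${3:-replay/rdp_replay}
    if ! is_pcap "$pcap"; then
        echo "error: $pcap is not a libpcap capture" >&2; return 2
    fi
    if ! is_private_key_pem "$key"; then
        echo "error: $key is not a PEM private key" >&2; return 3
    fi
    # Same flags as the quick start: -r capture, -p key, --no_cksum.
    cmd="$bin -r $pcap -p $key --no_cksum"
    echo "$cmd"
    if [ "${DRY_RUN:-1}" != 1 ]; then
        $cmd
    fi
}

# Usage with the demo files from the quick start:
#   DRY_RUN=0 replay_session test/demo1.pcap test/demo1.pem
```

The magic-number check catches the most common mistake of handing the tool a pcapng export rather than a classic pcap, and the PEM check catches a certificate being supplied where the private key was expected; neither check proves the key matches the server in the capture, which only a successful decryption can show.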

If you have a question for us or require any further information, please get in touch.
