Sniffing traffic going through Remote Desktop

jtvang125

I know you can determine the IP of the host and remote client easily but can network monitoring software determine what exactly is being sent between the two?
 

NXIL

Security issues

The RDP protocol in its default configuration is vulnerable to a man-in-the-middle attack. Administrators can enable transport layer encryption to mitigate this risk.[17] [18]

RDP sessions are also susceptible to in-memory credential harvesting, which can be used to launch pass-the-hash attacks.
 

bobdole369

Essentially you'd need to MITM, provide the keys to both sides in order to eavesdrop. I don't know of anything out of the box that would do this (not saying it doesn't exist). 128-bit RC4 as above - not fundamentally broken right now - if your transport layer is secure then you have nothing to worry about.

I always OpenSSH into the network I'm to connect with beforehand; this normally takes care of any MITM (provided the keys match, I can be reasonably sure of the identity of my OpenSSH box, but of course if someone has rooted the OpenSSH box they can nab the keys and DNS poison to MITM the OpenSSH session). That still leaves me vulnerable to keyloggers and screen scrapers on the client end. It's "good enough for non-financial/non-HIPAA" installations - in those cases physical access is the only thing trusted.
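
Added example, not part of any post in this thread and not code from any tool mentioned in it: the X.224 Connection Confirm an RDP server sends before encryption starts is readable on the wire and shows whether the session will use Standard RDP Security (the RC4 layer discussed above) or TLS/CredSSP. This Python function classifies that PDU following the MS-RDPBCGR layout; the function name and the sample bytes are constructed for illustration.

```python
import struct

# selectedProtocol values of the RDP Negotiation Response (MS-RDPBCGR).
PROTOCOLS = {
    0x0: "PROTOCOL_RDP",        # Standard RDP Security (RC4-based)
    0x1: "PROTOCOL_SSL",        # TLS
    0x2: "PROTOCOL_HYBRID",     # CredSSP (NLA) over TLS
    0x8: "PROTOCOL_HYBRID_EX",  # CredSSP with Early User Authorization
}
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03


def classify_connection_confirm(pdu: bytes) -> dict:
    """Report which security layer a server chose in its X.224 Connection Confirm."""
    if len(pdu) < 11 or pdu[0] != 0x03:
        raise ValueError("not a TPKT-framed PDU")
    if struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        raise ValueError("TPKT length does not match the captured bytes")
    li, code = pdu[4], pdu[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    # Fixed X.224 header ends at offset 11; LI counts the bytes that follow it.
    neg = pdu[11:5 + li]
    if not neg:
        # No negotiation data: the session falls back to Standard RDP Security.
        return {"selected": "PROTOCOL_RDP", "tls": False, "negotiated": False}
    if len(neg) < 8:
        raise ValueError("truncated RDP negotiation structure")
    neg_type, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"selected": None, "tls": False, "negotiated": True,
                "failure_code": value}
    if neg_type != TYPE_RDP_NEG_RSP:
        raise ValueError(f"unexpected negotiation type 0x{neg_type:02x}")
    name = PROTOCOLS.get(value, f"unknown(0x{value:x})")
    return {"selected": name, "tls": value in (0x1, 0x2, 0x8), "negotiated": True}


# Constructed sample PDUs (not captured from a real host).
SAMPLES = {
    "nla": bytes.fromhex("030000130ed000001234000200080002000000"),
    "standard": bytes.fromhex("030000130ed000001234000200080000000000"),
    "legacy": bytes.fromhex("0300000b06d00000123400"),
}

if __name__ == "__main__":
    for label, pdu in SAMPLES.items():
        print(label, classify_connection_confirm(pdu))
```

A result with `tls` set to `False` marks a session whose confidentiality rests on Standard RDP Security alone, which is the configuration an administrator would change by requiring TLS or NLA on the host.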