RDP Authentication
Only one of these RDP connections successfully authenticated to the server.
The answer to this challenge is the source port the client used in the connection which successfully logged in.
(CAUTION: You only have three attempts!)
Lets fire up the base protocols for rdp and process the pcap for log output.
We are looking for a connection that authenticated, and logged in. So we are looking for sign in interaction and RDP events that indicate an open session.
The files.log, ssl.log and x509.log didn't appear to be able to uniquely identify a successful interaction.
The rdp.log give similar looking data but adds additional context as to the sets of usernames attempting to login.
Finally we look to the conn.log
It shows for each entry that every conn_state for every connection was either
RSTO: Connection established, originator aborted (sent a RST).
RSTR: Responder sent a RST.
So looking for a user terminated or originating termination implies that the user terminated the session upon the conclusion of the interaction versus the responding server terminating the connection via a RST command due to an invalid authentication attempt.
We can also see in the conn log that the amount of data and packets are larger for this specific conn event allowing us to conclude more interaction occured here than with others.
So cross reference the RSTO conn_state against the originating source port.
The solution
Last updated