RDP Authentication

Only one of these RDP connections successfully authenticated to the server.
The answer to this challenge is the source port the client used in the connection which successfully logged in.
(CAUTION: You only have three attempts!)
Lets fire up the base protocols for rdp and process the pcap for log output.
@load base/protocols/rdp
@load base/frameworks/notice
​
redef exit_only_after_terminate = F;
​
event zeek_init(){
​
}
zeek -Cr ./rdp-auth_challenge_rdp-bruteforce.pcap main.zeek
​
├── conn.log
├── files.log
├── main.zeek
├── packet_filter.log
├── rdp-auth_challenge_rdp-bruteforce.pcap
├── rdp.log
├── ssl.log
└── x509.log
We are looking for a connection that authenticated, and logged in. So we are looking for sign in interaction and RDP events that indicate an open session.
The files.log, ssl.log and x509.log didn't appear to be able to uniquely identify a successful interaction.
The rdp.log give similar looking data but adds additional context as to the sets of usernames attempting to login.
Ross, Tim, Bob Homer Simposn
Admin and Administrator seem promissing.
Finally we look to the conn.log
It shows for each entry that every conn_state for every connection was either
RSTO: Connection established, originator aborted (sent a RST).
​
RSTR: Responder sent a RST.
​
So looking for a user terminated or originating termination implies that the user terminated the session upon the conclusion of the interaction versus the responding server terminating the connection via a RST command due to an invalid authentication attempt.
We can also see in the conn log that the amount of data and packets are larger for this specific conn event allowing us to conclude more interaction occured here than with others.
So cross reference the RSTO conn_state against the originating source port.
Looking for items in interest in the log
In the conn.log
​
id.orig_p = 36190
conn_state = RSTO
orig_pkts = 28
orig_ip_bytes = 26
​
The solution
36190