# RDP Authentication

{% hint style="info" %}
Only one of these RDP connections successfully authenticated to the server.

The answer to this challenge is the source port the client used in the connection which successfully logged in.

(CAUTION: You only have three attempts!)
{% endhint %}

Let's load Zeek's base RDP protocol scripts and process the pcap to produce the logs.

```
@load base/protocols/rdp
@load base/frameworks/notice

# Exit once the pcap has been read instead of waiting for terminate().
redef exit_only_after_terminate = F;

event zeek_init()
{
    # Nothing to set up here; the loaded protocol scripts write the logs.
}
```

```
zeek -Cr ./rdp-auth_challenge_rdp-bruteforce.pcap main.zeek

├── conn.log
├── files.log
├── main.zeek
├── packet_filter.log
├── rdp-auth_challenge_rdp-bruteforce.pcap
├── rdp.log
├── ssl.log
└── x509.log
```

We are looking for the one connection that authenticated and logged in, so we want sign-in interaction and RDP events that indicate an open session.

The **files.log**, **ssl.log** and **x509.log** didn't appear to be able to uniquely identify a successful interaction.

The **rdp.log** gives similar-looking data but adds context about the set of usernames attempting to log in.

```
Ross, Tim, Bob Homer Simposn
Admin and Administrator seem promising.
```

Finally, we look at the **conn.log**.

It shows that the **conn\_state** of every connection was one of:

{% hint style="info" %}
RSTO: Connection established, originator aborted (sent a RST).

{% endhint %}

{% hint style="info" %}
RSTR: Responder sent a RST.

{% endhint %}

So an originator-terminated connection (RSTO) implies that the client itself tore the session down once the interaction was complete, whereas a responder RST (RSTR) means the server reset the connection, as it would after an invalid authentication attempt.

We can also see in the conn.log that the packet and byte counts are larger for this particular connection than for the others, which indicates that more interaction occurred here.

So cross-reference the RSTO conn\_state against the originating source port.

{% code title="Looking for items in interest in the log" %}

```
In the conn.log

id.orig_p = 36190
conn_state = RSTO
orig_pkts = 28
orig_ip_bytes = 26
```

{% endcode %}
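To apply the same conn.log reasoning without reading the log by eye, here is an added Python example (not part of the original writeup or of Zeek) that parses Zeek's tab-separated log format from its `#fields` header, keeps connections to tcp/3389 whose conn_state is RSTO, and ranks them by originator packets; the embedded conn.log lines are constructed for illustration and are not the challenge's real log.

```python
"""Added example: sift a Zeek conn.log for the RSTO RDP connection with the most client traffic."""

# Constructed conn.log excerpt (NOT the challenge's real log; a real conn.log has more columns).
# Zeek logs are tab-separated with '#'-prefixed metadata lines; '#fields' names the columns.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\torig_pkts\torig_ip_bytes",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tcount\tcount",
    "1585000000.1\tCa1\t10.0.0.5\t36188\t10.0.0.9\t3389\ttcp\tssl\tRSTR\t9\t1200",
    "1585000001.2\tCa2\t10.0.0.5\t36190\t10.0.0.9\t3389\ttcp\tssl\tRSTO\t28\t6400",
    "1585000002.3\tCa3\t10.0.0.5\t36192\t10.0.0.9\t3389\ttcp\tssl\tRSTR\t8\t1100",
    "1585000003.4\tCa4\t10.0.0.5\t36194\t10.0.0.9\t3389\ttcp\tssl\tRSTO\t3\t-",
])

def parse_zeek_log(text):
    """Yield one {column: value} dict per record; '-' (Zeek's unset marker) becomes None."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #fields header")
            values = [None if v == "-" else v for v in line.split("\t")]
            yield dict(zip(fields, values))

def client_closed_rdp_conns(text, rdp_port="3389"):
    """Records to the RDP port whose conn_state is RSTO: the originator sent the RST,
    i.e. the client hung up itself rather than being reset by the server."""
    return [r for r in parse_zeek_log(text)
            if r["id.resp_p"] == rdp_port and r["conn_state"] == "RSTO"]

def likely_login_source_port(text):
    """Source port of the RSTO RDP connection carrying the most originator packets,
    or None when no connection qualifies."""
    hits = client_closed_rdp_conns(text)
    if not hits:
        return None
    best = max(hits, key=lambda r: int(r["orig_pkts"] or 0))
    return int(best["id.orig_p"])

if __name__ == "__main__":
    for rec in client_closed_rdp_conns(SAMPLE_CONN_LOG):
        print(rec["id.orig_p"], rec["conn_state"], rec["orig_pkts"], rec["orig_ip_bytes"])
    print("candidate source port:", likely_login_source_port(SAMPLE_CONN_LOG))
```

On a real capture, point it at the conn.log Zeek wrote and treat the ranked RSTO list as candidates to confirm against rdp.log, since a client can also abort for reasons other than a finished login.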

{% hint style="success" %}
The solution

```
36190
```

{% endhint %}
