Only one of these RDP connections successfully authenticated to the server.
The answer to this challenge is the source port the client used in the connection which successfully logged in.
(CAUTION: You only have three attempts!)
Lets fire up the base protocols for rdp and process the pcap for log output.
redef exit_only_after_terminate = F;
zeek -Cr ./rdp-auth_challenge_rdp-bruteforce.pcap main.zeek
We are looking for a connection that authenticated, and logged in. So we are looking for sign in interaction and RDP events that indicate an open session.
The files.log, ssl.log and x509.log didn't appear to be able to uniquely identify a successful interaction.
The rdp.log give similar looking data but adds additional context as to the sets of usernames attempting to login.
Ross, Tim, Bob Homer Simposn
Admin and Administrator seem promissing.
Finally we look to the conn.log
It shows for each entry that every conn_state for every connection was either
RSTO: Connection established, originator aborted (sent a RST).
RSTR: Responder sent a RST.
So looking for a user terminated or originating termination implies that the user terminated the session upon the conclusion of the interaction versus the responding server terminating the connection via a RST command due to an invalid authentication attempt.
We can also see in the conn log that the amount of data and packets are larger for this specific conn event allowing us to conclude more interaction occured here than with others.
So cross reference the RSTO conn_state against the originating source port.
Looking for items in interest in the log
In the conn.log
id.orig_p = 36190
conn_state = RSTO
orig_pkts = 28
orig_ip_bytes = 26