> For the complete documentation index, see [llms.txt](https://eephillip.gitbook.io/zw2020-ctf-writeup/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://eephillip.gitbook.io/zw2020-ctf-writeup/writeup/rdp-authentication.md).

# RDP Authentication

{% hint style="info" %}
Only one of these RDP connections successfully authenticated to the server.

The answer to this challenge is the source port the client used in the connection which successfully logged in.

(CAUTION: You only have three attempts!)
{% endhint %}

Lets fire up the base protocols for rdp and process the pcap for log output.

```
@load base/protocols/rdp
@load base/frameworks/notice

redef exit_only_after_terminate = F;

event zeek_init(){

}
```

```
zeek -Cr ./rdp-auth_challenge_rdp-bruteforce.pcap main.zeek

├── conn.log
├── files.log
├── main.zeek
├── packet_filter.log
├── rdp-auth_challenge_rdp-bruteforce.pcap
├── rdp.log
├── ssl.log
└── x509.log
```

We are looking for a connection that authenticated, and logged in. So we are looking for sign in interaction and RDP events that indicate an open session.

The **files.log**, **ssl.log** and **x509.log** didn't appear to be able to uniquely identify a successful interaction.

The **rdp.log** give similar looking data but adds additional context as to the sets of usernames attempting to login.

```
Ross, Tim, Bob Homer Simposn
Admin and Administrator seem promissing. 
```

Finally we look to the **conn.log**

It shows for each entry that every **conn\_state** for every connection was either

{% hint style="info" %}
RSTO: Connection established, originator aborted (sent a RST).

{% endhint %}

{% hint style="info" %}
RSTR: Responder sent a RST.

{% endhint %}

So looking for a user terminated or originating termination implies that the user terminated the session upon the conclusion of the interaction versus the responding server terminating the connection via a RST command due to an invalid authentication attempt.

We can also see in the conn log that the amount of data and packets are larger for this specific conn event allowing us to conclude more interaction occured here than with others.

So cross reference the RSTO conn\_state against the originating source port.&#x20;

{% code title="Looking for items in interest in the log" %}

```
In the conn.log

id.orig_p = 36190
conn_state = RSTO
orig_pkts = 28
orig_ip_bytes = 26

```

{% endcode %}

{% hint style="success" %}
The solution

```
36190
```

{% endhint %}
