Decrypting RDP connections
| Task | Description | Command/Details |
|---|---|---|
| Task 1: Open RDP PCAP in Wireshark | Unzip RDP-analysis.zip and open the rdp.pcapng file in Wireshark. | Extract the archive, then open rdp.pcapng in Wireshark. |
| Task 2: Initial RDP Traffic Analysis | Apply an RDP display filter to identify RDP traffic within the capture. Before decryption, only the cleartext X.224 connection setup and the TLS handshake are dissected; the rest shows as TLS application data. | RDP filter: `rdp`<br>Verify port 3389: `tcp.port == 3389` |
| Task 3: Add Decryption Key in Wireshark | Use the RDP server's TLS private key (server.key, recovered from Bob's host) to decrypt the RDP traffic in Wireshark. The key must belong to the certificate the server presented in its Server Hello. | 1. Go to Edit → Preferences → Protocols → TLS.<br>2. Click Edit next to RSA keys list and add a new entry: IP `10.129.43.29` (the RDP server), Port `3389`, Protocol `tpkt` (or leave blank), Key File: browse to `server.key`.<br>3. Click OK, then reload the capture (View → Reload, Ctrl+R) so Wireshark re-dissects the streams with the key. |
| Task 4: Decrypted RDP Traffic Analysis | Reapply the RDP filter after decryption to view and analyze the now-unencrypted RDP PDUs. | Filter: `rdp` (or right-click a packet and follow the TCP or TLS stream to examine the data further) |

Note: a server private key only recovers session keys when the client and server negotiated an RSA key-exchange cipher suite (TLS 1.2 or earlier). Sessions using ephemeral Diffie-Hellman suites (DHE/ECDHE) or TLS 1.3 cannot be decrypted this way; those need the per-session secrets (a key log file) instead.
Questions
Initiating Host IP
Identify the IP address of the host initiating the RDP session.
Answer: Take the source IP of the first packet of the TCP three-way handshake (the SYN, frame #8 in this capture). Host initiating the connection: 10.129.43.27
Username Used
Examine the RDP traffic for user credentials. With the filter tcp.port == 3389, the username is often readable in ASCII inside an "Ignored Unknown Record" entry: this is the X.224 Connection Request the client sends before the TLS handshake starts, whose Cookie: mstshash=<username> field is transmitted in cleartext (Windows mstsc truncates it to nine characters), so it is visible with or without the decryption key. After decryption, the Client Info PDU also carries the domain and username as UTF-16LE strings in the packet bytes.
Answer: Read the username from the ASCII column of the packet bytes in the "Ignored Unknown Record" entry (the mstshash cookie), and confirm it against the decrypted Client Info PDU.
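As an added example (not part of the original lab notes), the script below does the same two checks programmatically: it parses the cleartext X.224 Connection Request that precedes TLS on port 3389, pulling out the mstshash cookie username and the security protocols the client requested (which tells you whether TLS, and therefore the RSA key approach, is even in play), and it scans a decrypted payload fragment for the UTF-16LE strings that the Client Info PDU carries. The input bytes are constructed in the script to look like what an mstsc-style client sends; the function names, the sample username `bob` and domain `CORP` are assumptions for illustration, not values taken from the capture.

```python
import struct

# requestedProtocols bits in RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1).
REQUESTED_PROTOCOLS = {
    0x00000001: "PROTOCOL_SSL (TLS)",
    0x00000002: "PROTOCOL_HYBRID (CredSSP/NLA over TLS)",
    0x00000004: "PROTOCOL_RDSTLS",
    0x00000008: "PROTOCOL_HYBRID_EX",
}

COOKIE_PREFIX = b"Cookie: mstshash="


def build_x224_connection_request(username, requested_protocols):
    """Constructed sample of the first client packet on TCP/3389:
    TPKT header, X.224 Connection Request, mstshash cookie, RDP_NEG_REQ."""
    cookie = COOKIE_PREFIX + username.encode("ascii") + b"\r\n"
    # RDP_NEG_REQ: type=1, flags=0, length=8 (LE16), requestedProtocols (LE32)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR fixed part: TPDU code 0xE0, dst-ref, src-ref, class option
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie + neg_req
    li = len(x224)  # length indicator counts every byte after itself
    tpkt = struct.pack(">BBH", 3, 0, 4 + 1 + li)  # version 3, reserved, total length
    return tpkt + bytes([li]) + x224


def parse_x224_connection_request(data):
    """Return the cleartext cookie username (if present) and the security
    protocols the client asked for. Raises ValueError for anything that is
    not a TPKT-wrapped X.224 Connection Request (e.g. a TLS record)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT length does not match data length")
    li = data[4]
    if data[5] != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    variable = data[11:5 + li]  # bytes after the 6-byte fixed CR part
    result = {"username": None, "requested_protocols": None}
    if variable.startswith(COOKIE_PREFIX):
        end = variable.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated mstshash cookie")
        result["username"] = variable[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        variable = variable[end + 2:]
    if len(variable) >= 8 and variable[0] == 0x01:
        _type, _flags, length, protos = struct.unpack("<BBHI", variable[:8])
        if length != 8:
            raise ValueError("bad RDP_NEG_REQ length")
        if protos == 0:
            names = ["PROTOCOL_RDP (standard RDP security, no TLS)"]
        else:
            names = [name for bit, name in REQUESTED_PROTOCOLS.items() if protos & bit]
        result["requested_protocols"] = names
    return result


def find_utf16le_strings(data, min_len=3):
    """Pull printable UTF-16LE runs (how the Client Info PDU stores domain,
    username and password) out of decrypted bytes; this is what the dotted
    letters in Wireshark's bytes pane correspond to."""
    found, current, i = [], [], 0
    while i + 1 < len(data):
        low, high = data[i], data[i + 1]
        if high == 0 and 0x20 <= low < 0x7F:
            current.append(chr(low))
            i += 2
        else:
            if len(current) >= min_len:
                found.append("".join(current))
            current = []
            i += 1  # step one byte to resynchronise on odd offsets
    if len(current) >= min_len:
        found.append("".join(current))
    return found


# Constructed fragment resembling a decrypted Client Info PDU: length-prefixed
# UTF-16LE domain and username with NUL terminators (assumed sample values).
DECRYPTED_CLIENT_INFO_SAMPLE = (
    b"\x08\x00" + "CORP".encode("utf-16-le") + b"\x00\x00"
    + b"\x06\x00" + "bob".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    first_packet = build_x224_connection_request("bob", 0x1 | 0x2)
    print(parse_x224_connection_request(first_packet))
    print(find_utf16le_strings(DECRYPTED_CLIENT_INFO_SAMPLE))
```

To run this against the real capture, export the payload of the client's first packet after the handshake (Follow TCP Stream, raw, client direction) and pass those bytes to parse_x224_connection_request; feed decrypted application data to find_utf16le_strings. If requested_protocols lists only PROTOCOL_RDP, the session never used TLS and the RSA key list in Wireshark will not apply.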
Summary
Wireshark's ability to decrypt and analyze captured RDP traffic, given the server's RSA private key, demonstrates its value in forensic analysis and incident response.
Key Insight: With the right key material, Wireshark can decrypt TLS-wrapped protocols such as RDP for in-depth packet analysis during IR. The limits matter as much as the capability: a static private key only works for RSA key-exchange sessions, not for forward-secret (DHE/ECDHE) suites or TLS 1.3, and when NLA is in use the credentials travel inside CredSSP within the TLS session rather than in a plain Client Info PDU. Conversely, some data leaks before encryption even begins, such as the username in the X.224 connection cookie.