Added support for RDP over TLS

Author: lucaderi

src/lib/protocols/rdp.c

@@ -2,7 +2,7 @@
  * rdp.c
  *
  * Copyright (C) 2009-11 - ipoque GmbH
- * Copyright (C) 2011-22 - ntop.org
+ * Copyright (C) 2011-24 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -32,13 +32,39 @@
 #include "ndpi_api.h"
 #include "ndpi_private.h"
 
+extern int ndpi_tls_obfuscated_heur_search_again(struct ndpi_detection_module_struct* ndpi_struct,
+						 struct ndpi_flow_struct* flow);
+
+/* **************************************** */
+
 static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
 					struct ndpi_flow_struct *flow) {
   NDPI_LOG_INFO(ndpi_struct, "found RDP\n");
   ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
   ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */
 }
 
+/* **************************************** */
+
+/* tls.c */
+extern int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
+			       struct ndpi_flow_struct *flow);
+
+int ndpi_search_tls_over_rdp(struct ndpi_detection_module_struct *ndpi_struct,
+			     struct ndpi_flow_struct *flow) {
+  const struct ndpi_packet_struct * const packet = &ndpi_struct->packet;
+  
+  if((packet->payload_packet_len > 1)
+     && (packet->payload[0] == 0x16 /* This might be a TLS block */)) {
+    int rc = ndpi_search_tls_tcp(ndpi_struct, flow);
+
+    return(rc);
+  } else
+    return 1; /* Keep searching */
+}
+
+/* **************************************** */
+
 static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
 			    struct ndpi_flow_struct *flow) {
   const struct ndpi_packet_struct * const packet = &ndpi_struct->packet;
@@ -57,7 +83,21 @@ static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
              packet->payload[13] == 0x08 /* RDP Length */) ||
 	    (packet->payload_packet_len > 17 &&
 	     memcmp(&packet->payload[11], "Cookie:", 7) == 0))) /* RDP Cookie */ {
+
+	  if(packet->payload_packet_len > 43) {
+	    u_int8_t rdp_requested_proto = packet->payload[43];
+
+	    /* Check if TLS support has been requested in RDP */
+	    if((rdp_requested_proto & 0x1) == 0x1) {
+	      /* RDP Response + Client Hello + Server hello */
+	      flow->max_extra_packets_to_check = 5;
+	      
+	      flow->extra_packets_func = ndpi_search_tls_over_rdp;
+	    }
+	  }
+	  
           ndpi_int_rdp_add_connection(ndpi_struct, flow);
+
           return;
 	}
       } else {
@@ -66,7 +106,7 @@ static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
 	   packet->payload[11] == 0x02 && /* RDP Negotiation Response */
            packet->payload[13] == 0x08 /* RDP Length */) {
           ndpi_int_rdp_add_connection(ndpi_struct, flow);
-          return;
+	  return;
 	}
       }
     }
@@ -139,6 +179,7 @@ static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
   }
 }
 
+/* **************************************** */
 
 void init_rdp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
 {

src/lib/protocols/tls.c

@@ -242,6 +242,8 @@ static int check_set(struct ndpi_detection_module_struct* ndpi_struct,
   return 0;
 }
 
+/* **************************************** */
+
 static int tls_obfuscated_heur_search(struct ndpi_detection_module_struct* ndpi_struct,
                                       struct ndpi_flow_struct* flow) {
   struct ndpi_packet_struct* packet = &ndpi_struct->packet;
@@ -396,9 +398,10 @@ static int tls_obfuscated_heur_search(struct ndpi_detection_module_struct* ndpi_
   return 0; /* Continue */
 }
 
+/* **************************************** */
+
 static int tls_obfuscated_heur_search_again(struct ndpi_detection_module_struct* ndpi_struct,
-                                            struct ndpi_flow_struct* flow)
-{
+					    struct ndpi_flow_struct* flow) {
   int rc;
 
   NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: extra dissection\n");
@@ -436,6 +439,8 @@ static int tls_obfuscated_heur_search_again(struct ndpi_detection_module_struct*
   return 0; /* Stop */
 }
 
+/* **************************************** */
+
 void switch_extra_dissection_to_tls_obfuscated_heur(struct ndpi_detection_module_struct* ndpi_struct,
                                                     struct ndpi_flow_struct* flow)
 {
@@ -1287,8 +1292,8 @@ static void ndpi_looks_like_tls(struct ndpi_detection_module_struct *ndpi_struct
 
 /* **************************************** */
 
-static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
-			       struct ndpi_flow_struct *flow) {
+int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
+			struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
   u_int8_t something_went_wrong = 0;
   message_t *message;
@@ -1347,7 +1352,6 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
       break;
     }
 
-
 #ifdef DEBUG_TLS_MEMORY
     printf("[TLS Mem] Processing %u bytes message\n", len);
 #endif
@@ -1863,10 +1867,18 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
   printf("[TLS] %s()\n", __FUNCTION__);
 #endif
 
+  if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_RDP) {
+    /* RDP over TLS */
+    ndpi_set_detected_protocol(ndpi_struct, flow,
+			       NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI);
+    return;
+  }
+  
   if((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) ||
      (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)) {
     if(!flow->extra_packets_func)
       tlsInitExtraPacketProcessing(ndpi_struct, flow);
+    
     return;
   }
 

tests/cfgs/default/pcap/rdp_over_tls.pcap

@@ -0,0 +1,32 @@
+DPI Packets (TCP):	7	(7.00 pkts/flow)
+Confidence DPI              : 1 (flows)
+Num dissector calls: 1 (1.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    0/1/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        1/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   2/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+RDP	19	3868	1
+
+Acceptable                      19 3868          1            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 91.238.181.21            	 1      
+
+
+	1	TCP 91.238.181.21:35888 <-> 89.31.79.12:3389 [VLAN: 77][proto: 91.88/TLS.RDP][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 7][cat: RemoteAccess/12][11 pkts/1862 bytes <-> 8 pkts/2006 bytes][Goodput ratio: 64/76][1.25 sec][bytes ratio: -0.037 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/34 135/196 1035/961 319/342][Pkt Len c2s/s2c min/avg/max/stddev: 64/64 169/251 696/1255 175/385][Risk: ** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Desktop/File Sharing **][Risk Score: 170][Risk Info: Found RDP / No ALPN / SNI should always be present / CN=topsalon][TCP Fingerprint: 32962_128_8192_6bb88f5575fd/Unknown][TLSv1.2][JA3C: 043c543b63b895881d9abfbc320cb863][JA4: t12d280600_bbd4f008d9b2_f28add8e7af0][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: CN=topsalon][Subject: CN=topsalon][Certificate SHA-1: A2:FF:78:9D:71:42:7A:00:97:9C:96:C2:E7:D1:C1:AD:A1:82:CC:2C][Firefox][Validity: 2024-07-26 06:03:40 - 2025-01-25 06:03:40][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,25,16,0,8,8,8,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0]