Encountered an error while attempting to connect to a non-Windows 10 system #470

Open
Bain-Evans opened this issue Jan 29, 2024 · 9 comments
Labels
bug Something isn't working question Further information is requested

Comments

@Bain-Evans

Hi,
When I attempt to use pyrdp to proxy for non-Windows 10 versions of Windows, such as Windows Server 2003 R2, Windows XP SP3, and Windows 7, I consistently encounter the following errors:

[2024-01-29 16:29:37,173] - INFO - fervent_thompson_3947517 - pyrdp.mitm.connections.tcp - New client connected from 192.168.1.1:24452
[2024-01-29 16:29:37,173] - INFO - fervent_thompson_3947517 - pyrdp.mitm.connections.x224 - No cookie for this connection
[2024-01-29 16:29:37,174] - INFO - fervent_thompson_3947517 - pyrdp.mitm.connections.tcp - Server connected
[2024-01-29 16:29:37,232] - INFO - fervent_thompson_3947517 - pyrdp.mitm.connections.tcp - Server connection closed. Connection to the other side was lost in a non-clean fashion: Connection lost.
Unhandled Error
Traceback (most recent call last):
  File "/usr/lib/python3.10/asyncio/base_events.py", line 603, in run_forever
    self._run_once()
  File "/usr/lib/python3.10/asyncio/base_events.py", line 1909, in _run_once
    handle._run()
  File "/usr/lib/python3.10/asyncio/events.py", line 80, in _run
    self._context.run(self._callback, *self._args)
  File "/opt/venv/lib/python3.10/site-packages/twisted/internet/asyncioreactor.py", line 269, in _onTimer
    self.runUntilCurrent()
--- <exception caught here> ---
  File "/opt/venv/lib/python3.10/site-packages/twisted/internet/base.py", line 1090, in runUntilCurrent
    call.func(*call.args, **call.kw)
  File "/opt/venv/lib/python3.10/site-packages/pyrdp/mitm/RDPMITM.py", line 221, in doClientTls
    cert = self.server.tcp.transport.getPeerCertificate()
  File "/opt/venv/lib/python3.10/site-packages/twisted/protocols/tls.py", line 554, in getPeerCertificate
    return self._tlsConnection.get_peer_certificate()
builtins.AttributeError: 'NoneType' object has no attribute 'get_peer_certificate'

@obilodeau
Collaborator

How do you run pyrdp-mitm? Exact command-line please.

Does the destination RDP system enforce NLA (default) or not? If it enforces NLA you need to perform private key extraction. This is documented here.

You are using the mstsc client? Does it work with a Windows 10 client, with the same setup?

@obilodeau obilodeau added bug Something isn't working question Further information is requested labels Jan 29, 2024
@obilodeau
Collaborator

Aaah, it could be the TLS version expected that is too new for these old operating systems. Can you grab a pcap of the client without PyRDP and with PyRDP? I could then compare SSL/TLS versions.

@Bain-Evans
Author

The command being run: pyrdp-mitm -l 3399 192.168.122.100:3389

It appears that the target RDP system does enforce NLA, and I will proceed to attempt the extraction of the private key.

I am using the native mstsc client included in the Windows 11 system, and it works properly when connecting to a Windows 10 system that is being proxied by pyrdp.

Here are the two pcap files I've captured; I've placed them inside a compressed archive. The target RDP system here is Windows XP SP3.
pcap.zip

Thank you.

@Bain-Evans
Author

When using pyrdp to proxy a Windows Server 2008 R2 system where Network Level Authentication (NLA) has been disabled, I encountered the following error upon attempting a remote connection:

[2024-01-31 17:11:55,272] - INFO - practical_jepsen_6368251 - pyrdp.mitm.connections.tcp - New client connected from 192.168.1.1:22061
[2024-01-31 17:11:55,272] - INFO - practical_jepsen_6368251 - pyrdp.mitm.connections.x224 - No cookie for this connection
[2024-01-31 17:11:55,273] - INFO - practical_jepsen_6368251 - pyrdp.mitm.connections.tcp - Server connected
[2024-01-31 17:11:55,278] - INFO - practical_jepsen_6368251 - pyrdp.mitm.connections.tcp - Server connection closed. [('SSL routines', '', 'unsupported protocol')]
Unhandled Error
Traceback (most recent call last):
  File "/usr/lib/python3.10/asyncio/base_events.py", line 603, in run_forever
    self._run_once()
  File "/usr/lib/python3.10/asyncio/base_events.py", line 1909, in _run_once
    handle._run()
  File "/usr/lib/python3.10/asyncio/events.py", line 80, in _run
    self._context.run(self._callback, *self._args)
  File "/opt/venv/lib/python3.10/site-packages/twisted/internet/asyncioreactor.py", line 269, in _onTimer
    self.runUntilCurrent()
--- <exception caught here> ---
  File "/opt/venv/lib/python3.10/site-packages/twisted/internet/base.py", line 1090, in runUntilCurrent
    call.func(*call.args, **call.kw)
  File "/opt/venv/lib/python3.10/site-packages/pyrdp/mitm/RDPMITM.py", line 221, in doClientTls
    cert = self.server.tcp.transport.getPeerCertificate()
  File "/opt/venv/lib/python3.10/site-packages/twisted/protocols/tls.py", line 554, in getPeerCertificate
    return self._tlsConnection.get_peer_certificate()
builtins.AttributeError: 'NoneType' object has no attribute 'get_peer_certificate'

The command I used to run pyrdp is: pyrdp-mitm -l 3399 192.168.122.100:3389

@obilodeau
Collaborator

That last error contains:

'SSL routines', '', 'unsupported protocol'

Windows 2008 R2 probably requires an SSL version that is too old for recent OpenSSL to accept. We could bundle our own OpenSSL with weak ciphers enabled to handle cases like these.

To be sure, can you run openssl s_client -connect 192.168.122.100:3389 and post the result?

@Bain-Evans
Author

I executed the command you provided, and obtained the following results:

root@987ad9bd7b52:/vs# openssl s_client -connect 192.168.122.100:3389
CONNECTED(00000003)
40272C2A5B7F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1952:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 835 bytes and written 300 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

@obilodeau
Collaborator

I misguided you, that was not helpful. Try with this instead: nmap -Pn -sV --script ssl-enum-ciphers -p 3389 192.168.122.100

@Bain-Evans
Author

I executed the aforementioned command, and the result was as follows:

root@987ad9bd7b52:/vs# nmap -Pn -sV --script ssl-enum-ciphers -p 3389 192.168.122.100
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-01 13:58 CST
Nmap scan report for 192.168.122.100
Host is up (0.00030s latency).

PORT     STATE SERVICE        VERSION
3389/tcp open  ms-wbt-server?
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|_  least strength: C
MAC Address: 52:54:00:DE:6E:CF (QEMU virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.32 seconds

@obilodeau
Collaborator

Sorry for the lack of updates, I couldn't find time to dedicate to this issue in the last couple of weeks.

I think we will need to provide a special build of OpenSSL that accepts deprecated ciphers. Reference: https://stackoverflow.com/questions/37619759/how-to-force-openssl-to-use-old-ciphers
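
Added example (not part of the issue thread and not PyRDP code): a parser for the ssl-enum-ciphers output format posted above that reports the highest protocol a server offers, its weakly graded suites, and whether a client with a given minimum TLS version can complete a handshake. The client_min default of TLS 1.2 is an assumption about the local OpenSSL configuration, and the sample input is constructed from the format shown in the thread.

```python
import re

# Constructed sample, abridged from the ssl-enum-ciphers format shown in the thread.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

PROTO_RE = re.compile(r"^\|[ _]+((?:SSLv|TLSv)\d(?:\.\d)?):\s*$")
CIPHER_RE = re.compile(r"^\|[ _]+(TLS_\S+|SSL_\S+) .* - ([A-F])\s*$")
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_enum_ciphers(text):
    """Return {protocol: [(cipher, grade), ...]} from ssl-enum-ciphers output."""
    offered, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            offered[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current:
            offered[current].append((m.group(1), m.group(2)))
    return offered


def diagnose(offered, client_min="TLSv1.2"):
    """Compare the server's best protocol with the client's minimum (assumed TLS 1.2)."""
    known = [p for p in offered if p in ORDER]
    if not known:
        return {"best": None, "handshake_possible": False, "weak_ciphers": []}
    best = max(known, key=ORDER.index)
    # Any suite nmap grades below "A" is reported as weak.
    weak = sorted({c for suites in offered.values() for c, g in suites if g != "A"})
    possible = ORDER.index(best) >= ORDER.index(client_min)
    return {"best": best, "handshake_possible": possible, "weak_ciphers": weak}


if __name__ == "__main__":
    print(diagnose(parse_enum_ciphers(SAMPLE)))
```
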
