Nothing Special   »   [go: up one dir, main page]

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use RDPDR logged on message to time payloads properly #98

Closed
xshill opened this issue Apr 15, 2019 · 7 comments
Closed

Use RDPDR logged on message to time payloads properly #98

xshill opened this issue Apr 15, 2019 · 7 comments
Labels
enhancement New feature or request

Comments

@xshill
Copy link
Collaborator
xshill commented Apr 15, 2019

The RDPDR channel seems to send a special PDU when the user has logged on. This would be ideal for timing on-connection payloads.

The packet ID for this message is PAKID_CORE_USER_LOGGEDON.

To do:

  1. Check when the message is sent. It's possible we might have to use a small delay to make sure everything works properly. Also check if the message is always sent if the RDPDR channel is initialized, even if the client doesn't actually use the channel.
  2. Run the payload when receiving the message in the cases where we can predict that the message will indeed be sent. In other cases, keep it the way it currently works (user-configured delay).
@xshill xshill added the enhancement New feature or request label Apr 15, 2019
@Res260
Copy link
Collaborator
Res260 commented Apr 15, 2019

Need to confirm, but i'm 90% sure the message does not get sent if the RDPDR channel is not activated. The purpose of this PDU is to prevent the client from sending useless disk/other IO requests that won't get answered because the client should not have access to the devices

@Res260
Copy link
Collaborator
Res260 commented Apr 15, 2019

However, in a typical work environnent, I think its a fair assumption to say that the channel is active most of the time (since I think its activated by default)

@xshill
Copy link
Collaborator Author
xshill commented Apr 15, 2019

What I would really like to know is whether or not it gets sent even if the client does not have the intention of mapping drives or anything. I'm think all MS clients initialize all channels anyway. If this is indeed the case, then we could probably make use of that message 100% of the time.

@Res260
Copy link
Collaborator
Res260 commented Apr 15, 2019

It is sent when the user is logged on, or when the server reconnects to a session with an already logged-on user, immediately after it receives a Client Core Capability Response. This packet is sent only if the client's general capability set has the RDPDR_USER_LOGGEDON_PDU bit set in the extendedPDU field.

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpefs/2ecd5c18-8c8c-4f5d-97ef-794ce19e91ba

So the client needs to send its capabilities first, we just gotta confirm that tsclient.exe indeed does that even if you don't map anything (I'd think its the case)

@Res260
Copy link
Collaborator
Res260 commented Apr 15, 2019

@Pourliver
Copy link
Contributor

I've done a few tests to understand how the RDPDR channel works, and from my understanding, it only seems enabled when connecting via the default Windows RDP client.

I've tried a few other RDP clients. For example, using Windows Remote Client, the server sends the "PAKID_CORE_SERVER_ANNOUNCE" request after connection, but the client never sent any DeviceRedirectionPDU.

@alxbl
Copy link
Collaborator
alxbl commented Aug 6, 2020

I'm going to close this since the proposed solution would not work across all clients (FreeRDP uses rdpdr for announce lists but never seems to receive a USER LOGGED ON) and would require handling both behaviors.

We can revisit this if we find a better way to detect authentication in the future.

@alxbl alxbl closed this as completed Aug 6, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

4 participants