RDP is a proprietary Microsoft protocol based on the ITU T.120 series of protocols. You can find more in-depth details about RDP and its relationship to other protocols in Microsoft’s “Remote Desktop Protocol: Basic Connectivity and Graphics Remoting” document⁴.

RDP Connection Initiation

For the purpose of RDP client fingerprinting, we focus only on client messages. The first message in the RDP connection sequence is the Client X.224 Connection Request. Two interesting fields in this packet are:

cookie: an optional variable-length string terminated by 0x0D0A

requestedProtocols: a 4-byte unsigned integer in the RDP Negotiation Request structure (optional) indicating the supported security protocols.

Figure 1. Client X.224 Connection Request

RDP has two security modes: Standard and Enhanced RDP Security. In Standard mode, the requestedProtocols field is set to 0x00000000 and RSA + RC4/3DES is used for encryption. This mode supports four levels of encryption: Low, Client Compatible, High, and FIPS Compliant.

Enhanced RDP Security uses one of the following External Security Protocols instead of implementing its own protocol security mechanisms: TLS 1.0, TLS 1.1, TLS 1.2, CredSSP, RDSTLS.
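As an added example (not code from the original post or from the FATT project), the following parser pulls the two fields described above out of a raw, TPKT-framed Client X.224 Connection Request and classifies the connection as Standard or Enhanced RDP Security from requestedProtocols. The layout follows MS-RDPBCGR: a 4-byte TPKT header, the X.224 CR fixed part (length indicator, type, dst-ref, src-ref, class), then the optional CRLF-terminated cookie and the optional 8-byte RDP Negotiation Request. The PROTOCOL_HYBRID_EX value and the sample packets are constructed here and are not taken from the post.

```python
import struct

# TPKT header (RFC 1006): version 3, reserved byte, 16-bit big-endian total length
TPKT_VERSION = 3
# X.224 Connection Request TPDU code (high nibble of the type byte)
X224_TPDU_CONNECTION_REQUEST = 0xE0
# RDP Negotiation Request type and requestedProtocols flags (MS-RDPBCGR)
TYPE_RDP_NEG_REQ = 0x01
PROTOCOL_RDP = 0x00000000       # Standard RDP Security
PROTOCOL_SSL = 0x00000001       # TLS 1.0/1.1/1.2
PROTOCOL_HYBRID = 0x00000002    # CredSSP
PROTOCOL_RDSTLS = 0x00000004    # RDSTLS
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization result

PROTOCOL_NAMES = [
    (PROTOCOL_SSL, "TLS"),
    (PROTOCOL_HYBRID, "CredSSP"),
    (PROTOCOL_RDSTLS, "RDSTLS"),
    (PROTOCOL_HYBRID_EX, "CredSSP+EarlyUserAuth"),
]


def parse_x224_connection_request(pkt: bytes) -> dict:
    """Return the cookie and requestedProtocols of a Client X.224 Connection Request.

    Missing optional parts are reported as None. Malformed input raises ValueError
    rather than being guessed at, so a fingerprinting pipeline can count it separately.
    """
    if len(pkt) < 11 or pkt[0] != TPKT_VERSION:
        raise ValueError("not a TPKT frame")
    tpkt_len = struct.unpack_from(">H", pkt, 2)[0]
    if tpkt_len != len(pkt):
        raise ValueError("TPKT length mismatch")
    li, tpdu_type = pkt[4], pkt[5]
    if tpdu_type & 0xF0 != X224_TPDU_CONNECTION_REQUEST:
        raise ValueError("not an X.224 Connection Request")
    if 5 + li > len(pkt):
        raise ValueError("X.224 length indicator exceeds frame")
    # Fixed part is LI(1) type(1) dst-ref(2) src-ref(2) class(1): variable data starts at 11
    body = pkt[11:5 + li]

    cookie = None
    if body and body[0] != TYPE_RDP_NEG_REQ:
        # cookie / routingToken: variable-length string terminated by 0x0D0A
        end = body.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie")
        cookie = body[:end].decode("ascii", "replace")
        body = body[end + 2:]

    requested = None
    if body:
        if len(body) < 8 or body[0] != TYPE_RDP_NEG_REQ:
            raise ValueError("unexpected trailing data after cookie")
        _type, _flags, neg_len, requested = struct.unpack_from("<BBHI", body, 0)
        if neg_len != 8:
            raise ValueError("bad RDP_NEG_REQ length")
    return {"cookie": cookie, "requestedProtocols": requested}


def security_mode(requested_protocols) -> str:
    """Absent or zero requestedProtocols means Standard RDP Security; any flag means Enhanced."""
    if not requested_protocols:
        return "Standard RDP Security"
    return "Enhanced RDP Security"


def protocol_names(requested_protocols: int) -> list:
    """Expand the requestedProtocols bitmask into the external security protocols it offers."""
    return [name for flag, name in PROTOCOL_NAMES if requested_protocols & flag]


def build_connection_request(cookie: bytes, requested_protocols: int) -> bytes:
    """Construct a TPKT-framed Client X.224 Connection Request (sample data for this example)."""
    variable = cookie + struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    tpdu = struct.pack(">BHHB", X224_TPDU_CONNECTION_REQUEST, 0, 0, 0) + variable
    li = len(tpdu)  # length indicator excludes the LI byte itself
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + 1 + li) + bytes([li]) + tpdu


# Constructed sample packets (not captures): one Enhanced, one Standard security request
SAMPLE_ENHANCED = build_connection_request(b"Cookie: mstshash=alice\r\n", PROTOCOL_SSL | PROTOCOL_HYBRID)
SAMPLE_STANDARD = build_connection_request(b"Cookie: mstshash=bob\r\n", PROTOCOL_RDP)

if __name__ == "__main__":
    for sample in (SAMPLE_ENHANCED, SAMPLE_STANDARD):
        info = parse_x224_connection_request(sample)
        print(info, security_mode(info["requestedProtocols"]),
              protocol_names(info["requestedProtocols"] or 0))
```

The classification matters for the rest of the post: a request whose requestedProtocols is absent or 0x00000000 will not carry a TLS ClientHello, so JA3 cannot be applied to it and a Standard-security method such as RDFP is needed instead.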

Profiling RDP Clients with JA3

JA3 is a fingerprinting method for SSL/TLS clients¹. This great blog post by John Althouse explores SSL/TLS fingerprinting and JA3 in detail.

When Enhanced RDP Security is used, traffic is sent over an encrypted TLS channel, so the RDP client can be fingerprinted using the TLS ClientHello message!

Figure 2. TLS ClientHello Message

I generated JA3 for different versions of RDP clients (Remote Desktop Connection — RDC) on different Windows versions. The result shows that JA3 is unique per RDP client. Here you can see a list of generated JA3 values for different RDP clients.

JA3 would probably differ between Windows builds or service packs. If you have a packet capture of different RDC versions, please share it so I can update the list!

Table 1. JA3 of different RDP clients

Introducing RDFP

RDFP is a profiling method for RDP clients in Standard Security mode. This is an experimental technique and may change a bit before the final release. I first implemented this method in FATT⁵ — a pyshark-based script for extracting network metadata and fingerprints from pcap files and live network traffic. The Bro/Zeek script is under development/test and will be released soon!

As mentioned earlier, Standard RDP Security uses its own encryption mechanism based on RSA and RC4/3DES. In the Basic Settings Exchange phase, the client sends the MCS Connect Initial PDU containing the GCC Conference Create Request⁴. This request contains some interesting data that can potentially be used for fingerprinting RDP clients. You can find an annotated dump of the MCS Connect Initial PDU with GCC Conference Create Request here.

Figure 3. Part of the RDP connection sequence (source: [4])

The current version of the RDFP method uses Version, Cluster Flags, Encryption Methods, Ext Encryption Methods, and the list of requested Virtual Channels (channelDefArray), extracted from the clientSecurityData, clientClusterData, clientNetworkData and clientCoreData structures, in the following order:

versionMajor,versionMinor,clusterFlags,encryptionMethods,extEncryptionMethods,channelDef

channelDef in the RDFP string uses the following format:

name1:option1-name2:option2-...-nameN:optionN

The string is then hashed with MD5 to produce the fingerprint (i.e. the RDFP).
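The procedure above, as an added example that is not the FATT project's own code: the client data blocks of a GCC Conference Create Request (TS_UD_HEADER-prefixed clientCoreData, clientSecurityData, clientNetworkData and clientClusterData, laid out as in MS-RDPBCGR) are parsed, the six fields are joined in the RDFP order, and the string is hashed with MD5. Two things are assumptions of this example rather than facts from the post: the input is the clientData bytes already stripped of the MCS/PER wrapper, and every numeric field (including each channel's options value) is rendered as a decimal integer. The sample block is constructed, not captured.

```python
import hashlib
import struct

# TS_UD_HEADER block types for client-to-server user data (MS-RDPBCGR)
CS_CORE = 0xC001      # TS_UD_CS_CORE: version is the first 4 bytes after the header
CS_SECURITY = 0xC002  # TS_UD_CS_SEC: encryptionMethods, extEncryptionMethods
CS_NET = 0xC003       # TS_UD_CS_NET: channelCount, channelDefArray
CS_CLUSTER = 0xC004   # TS_UD_CS_CLUSTER: Flags, RedirectedSessionID

CHANNEL_DEF_SIZE = 12  # CHANNEL_DEF: name (8 bytes, NUL-padded ANSI) + options (4 bytes)


def parse_client_data_blocks(data: bytes) -> dict:
    """Split clientData into blocks keyed by TS_UD_HEADER type (payload without the header).

    The header length covers the header itself, so anything shorter than 4 or running
    past the buffer is rejected instead of silently producing a bogus fingerprint.
    """
    blocks = {}
    offset = 0
    while offset + 4 <= len(data):
        block_type, length = struct.unpack_from("<HH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("malformed TS_UD_HEADER at offset %d" % offset)
        blocks[block_type] = data[offset + 4:offset + length]
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after last client data block")
    return blocks


def channel_def(net_block: bytes) -> str:
    """Render channelDefArray as name1:option1-name2:option2-...-nameN:optionN."""
    count, = struct.unpack_from("<I", net_block, 0)
    if 4 + count * CHANNEL_DEF_SIZE > len(net_block):
        raise ValueError("channelCount exceeds clientNetworkData length")
    entries = []
    for i in range(count):
        name_raw, options = struct.unpack_from("<8sI", net_block, 4 + i * CHANNEL_DEF_SIZE)
        name = name_raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        entries.append("%s:%d" % (name, options))  # decimal rendering is this example's choice
    return "-".join(entries)


def rdfp_string(client_data: bytes) -> str:
    """Build versionMajor,versionMinor,clusterFlags,encryptionMethods,extEncryptionMethods,channelDef."""
    blocks = parse_client_data_blocks(client_data)
    # clientCoreData.version: major version in the high 16 bits, minor in the low 16 bits
    version, = struct.unpack_from("<I", blocks[CS_CORE], 0)
    version_major, version_minor = version >> 16, version & 0xFFFF
    encryption_methods, ext_encryption_methods = struct.unpack_from("<II", blocks[CS_SECURITY], 0)
    # clientClusterData and clientNetworkData are optional; render them as 0 / empty when absent
    cluster_flags = struct.unpack_from("<I", blocks[CS_CLUSTER], 0)[0] if CS_CLUSTER in blocks else 0
    channels = channel_def(blocks[CS_NET]) if CS_NET in blocks else ""
    return ",".join(str(v) for v in (version_major, version_minor, cluster_flags,
                                     encryption_methods, ext_encryption_methods)) + "," + channels


def rdfp(client_data: bytes) -> str:
    """The RDFP fingerprint: MD5 hex digest of the RDFP string."""
    return hashlib.md5(rdfp_string(client_data).encode("ascii")).hexdigest()


def build_block(block_type: int, body: bytes) -> bytes:
    """Prefix a payload with a TS_UD_HEADER (used only to construct sample data here)."""
    return struct.pack("<HH", block_type, len(body) + 4) + body


def _channel(name: bytes, options: int) -> bytes:
    return name.ljust(8, b"\x00") + struct.pack("<I", options)


# Constructed sample: version 0x00080004, 1024x768, 8bpp, US keyboard, build 2600, mandatory
# core fields padded to their full 128 bytes; 40/56/128-bit + FIPS offered; two channels.
_core = struct.pack("<IHHHHII", 0x00080004, 1024, 768, 0xCA01, 0xAA03, 0x409, 2600)
SAMPLE_CLIENT_DATA = (
    build_block(CS_CORE, _core + b"\x00" * (128 - len(_core)))
    + build_block(CS_SECURITY, struct.pack("<II", 0x0000001B, 0x00000000))
    + build_block(CS_CLUSTER, struct.pack("<II", 0x0000000D, 0))
    + build_block(CS_NET, struct.pack("<I", 2) + _channel(b"rdpdr", 0x80800000) + _channel(b"cliprdr", 0xC0A00000))
)
# Same client data with the clipboard channel removed: a different channelDef gives a different RDFP
SAMPLE_CLIENT_DATA_NO_CLIPBOARD = (
    SAMPLE_CLIENT_DATA[:-(4 + 4 + 2 * CHANNEL_DEF_SIZE)]
    + build_block(CS_NET, struct.pack("<I", 1) + _channel(b"rdpdr", 0x80800000))
)

if __name__ == "__main__":
    print(rdfp_string(SAMPLE_CLIENT_DATA))
    print(rdfp(SAMPLE_CLIENT_DATA))
```

Because channelDef is part of the hash, a client that merely enables or disables a virtual channel (clipboard, drive redirection, audio) produces a different RDFP, which is useful for telling client builds apart but means one product can legitimately map to several fingerprints.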