
4.5 Annotated Standard Security Server Redirection PDU

The following is an annotated dump of a Standard Security Server Redirection PDU (section 2.2.13.2.1) that was sent from a Microsoft RDP 5.1 server to a Microsoft RDP 5.1 client.

00000000 03 00 02 1f 02 f0 80 68 00 01 03 eb 70 82 10 00 .......h....p...
00000010 0c 00 00 58 dd 3f e5 f3 de 80 26 c0 d6 3f 26 0e ...X.?....&..?&.
00000020 2c b5 93 dd 26 d5 4b 84 a1 1d 2a 78 85 38 cf 1d ,...&.K...*x.8..
00000030 72 80 46 0e 72 fb fd 29 77 e7 e3 0a ba 3f cc a4 r.F.r..)w....?..
00000040 50 2c 5b 87 cb e2 2b 61 ea 9a b7 19 25 a6 ea 33 P,[...+a....%..3
00000050 01 9a 2e 3a 58 fe 7e 1e 66 c0 3c a0 d3 5b d1 96 ...:X.~.f.<..[..
00000060 43 4a f4 94 57 b2 71 ba df 69 ed 3a ad b2 83 a5 CJ..W.q..i.:....
00000070 d8 db 8d e1 c1 5e 73 6c d3 61 3c fc ae 05 78 94 .....^sl.a<...x.
00000080 f2 f6 87 ae 78 24 8e 5b 50 d6 36 2c c6 56 e2 2d ....x$.[P.6,.V.-
00000090 61 46 d3 a3 22 d6 ce 1a 26 1c 1e e0 9b 97 2d 98 aF.."...&.....-.
000000a0 45 3c b9 92 47 1a 25 f0 8c 7c c0 6f 54 b6 09 21 E<..G.%..|.oT..!
000000b0 67 e3 41 3e 4e b9 be d2 86 d9 38 10 69 d7 f5 90 g.A>N.....8.i...
000000c0 ef c1 50 39 13 b2 9b 7c 98 52 35 0f 90 26 cc ad ..P9...|.R5..&..
000000d0 7d df 11 37 97 09 d9 69 12 0a 5f 3b bd 38 28 f6 }..7...i.._;.8(.
000000e0 8a 4d 65 a6 3f 74 8f 6d 09 84 e2 03 b6 35 b9 b1 .Me.?t.m.....5..
000000f0 11 10 b0 53 5e c8 25 f0 b2 bd af 4c ce 49 62 de ...S^.%....L.Ib.
00000100 23 67 43 66 0a f1 3a 8f d7 9d 80 fb 2a 37 c3 de #gCf..:.....*7..
00000110 8e 02 16 e2 12 73 2b 58 b8 5e 7e 61 ba 6f 80 73 .....s+X.^~a.o.s
00000120 0b f5 27 b7 45 1c bf 6a 1c fe 74 55 df 81 f6 06 ..'.E..j..tU....
00000130 f3 ca b2 ce a8 d4 94 75 24 c2 02 0a 56 a9 fd 13 .......u$...V...
00000140 a6 af 8d 53 66 49 4d 4e bc b2 ff 80 5b 48 68 da ...SfIMN....[Hh.
00000150 ee 01 1c bd a2 17 42 50 e5 15 4e 21 0c 6e d3 5b ......BP..N!.n.[
00000160 3c 5a ce bc 0f e3 13 fb a3 7f 3c e0 7a c7 be 06 <Z........<.z...
00000170 90 7a a2 91 33 ce 00 68 21 63 89 a3 5c 43 be 96 .z..3..h!c..\C..
00000180 e0 11 b8 48 a8 47 1a 75 47 22 2f 3f 97 8d bd 14 ...H.G.uG"/?....
00000190 34 a5 89 06 49 6a 8c 19 82 eb 4f 7e ec 06 80 e2 4...Ij....O~....
000001a0 20 b5 ac 04 65 da 98 65 27 8f 45 80 ff 73 3e af  ...e..e'.E..s>.
000001b0 05 ab bc e4 66 4d d0 34 85 a5 9a a4 57 5a c6 b9 ....fM.4....WZ..
000001c0 27 e7 73 37 7e 7c 0b 65 24 cd 5c 61 89 f7 13 a2 '.s7~|.e$.\a....
000001d0 d8 e1 85 ea 6f 81 7a 3b f5 e8 fb 45 92 f2 81 8c ....o.z;...E....
000001e0 cd 59 84 13 d9 6b db 0a ba af 0c 4f 9a de aa d6 .Y...k.....O....
000001f0 a1 44 db cc 07 4c 71 4e 2a c3 50 9c f5 0f 9e 2b .D...LqN*.P....+
00000200 2f 4b bb b6 fa 08 d1 65 e3 1a 1a 62 06 c4 ec 41 /K.....e...b...A
00000210 69 6b d5 86 93 9c 46 de 4f 07 11 55 54 e9 16    ik....F.O..UT..

03 00 02 1f -> TPKT Header (length = 543 bytes)
02 f0 80 -> X.224 Data TPDU

68 00 01 03 eb 70 82 10 -> PER encoded (ALIGNED variant of BASIC-PER) SendDataIndication
initiator = 1002 (0x03ea)
channelId = 1003 (0x03eb)
dataPriority = high
segmentation = begin | end
userData length = 0x210 = 528 bytes

00 0c -> TS_SECURITY_HEADER::flags = 0x0c00 
0x0c00 
= 0x0800 | 0x0400 
= SEC_SECURE_CHECKSUM | SEC_REDIRECTION_PKT

00 00 -> TS_SECURITY_HEADER::flagsHi - ignored as flags field does not contain RDP_SEC_FLAGSHI_VALID (0x8000)
58 dd 3f e5 f3 de 80 26 -> TS_SECURITY_HEADER::dataSignature

c0 d6 3f 26 0e 2c b5 93 dd 26 d5 4b 84 a1 1d 2a 
78 85 38 cf 1d 72 80 46 0e 72 fb fd 29 77 e7 e3 
0a ba 3f cc a4 50 2c 5b 87 cb e2 2b 61 ea 9a b7 
19 25 a6 ea 33 01 9a 2e 3a 58 fe 7e 1e 66 c0 3c 
a0 d3 5b d1 96 43 4a f4 94 57 b2 71 ba df 69 ed 
3a ad b2 83 a5 d8 db 8d e1 c1 5e 73 6c d3 61 3c 
fc ae 05 78 94 f2 f6 87 ae 78 24 8e 5b 50 d6 36 
2c c6 56 e2 2d 61 46 d3 a3 22 d6 ce 1a 26 1c 1e 
e0 9b 97 2d 98 45 3c b9 92 47 1a 25 f0 8c 7c c0 
6f 54 b6 09 21 67 e3 41 3e 4e b9 be d2 86 d9 38 
10 69 d7 f5 90 ef c1 50 39 13 b2 9b 7c 98 52 35 
0f 90 26 cc ad 7d df 11 37 97 09 d9 69 12 0a 5f 
3b bd 38 28 f6 8a 4d 65 a6 3f 74 8f 6d 09 84 e2 
03 b6 35 b9 b1 11 10 b0 53 5e c8 25 f0 b2 bd af 
4c ce 49 62 de 23 67 43 66 0a f1 3a 8f d7 9d 80 
fb 2a 37 c3 de 8e 02 16 e2 12 73 2b 58 b8 5e 7e 
61 ba 6f 80 73 0b f5 27 b7 45 1c bf 6a 1c fe 74 
55 df 81 f6 06 f3 ca b2 ce a8 d4 94 75 24 c2 02 
0a 56 a9 fd 13 a6 af 8d 53 66 49 4d 4e bc b2 ff 
80 5b 48 68 da ee 01 1c bd a2 17 42 50 e5 15 4e 
21 0c 6e d3 5b 3c 5a ce bc 0f e3 13 fb a3 7f 3c 
e0 7a c7 be 06 90 7a a2 91 33 ce 00 68 21 63 89 
a3 5c 43 be 96 e0 11 b8 48 a8 47 1a 75 47 22 2f 
3f 97 8d bd 14 34 a5 89 06 49 6a 8c 19 82 eb 4f 
7e ec 06 80 e2 20 b5 ac 04 65 da 98 65 27 8f 45 
80 ff 73 3e af 05 ab bc e4 66 4d d0 34 85 a5 9a 
a4 57 5a c6 b9 27 e7 73 37 7e 7c 0b 65 24 cd 5c 
61 89 f7 13 a2 d8 e1 85 ea 6f 81 7a 3b f5 e8 fb 
45 92 f2 81 8c cd 59 84 13 d9 6b db 0a ba af 0c 
4f 9a de aa d6 a1 44 db cc 07 4c 71 4e 2a c3 50 
9c f5 0f 9e 2b 2f 4b bb b6 fa 08 d1 65 e3 1a 1a 
62 06 c4 ec 41 69 6b d5 86 93 9c 46 de 4f 07 11 
55 54 e9 16 -> Encrypted RDP_SERVER_REDIRECTION_PACKET

Decrypted RDP_SERVER_REDIRECTION_PACKET:
00000000 00 04 04 02 02 00 00 00 1d 0b 00 00 46 00 00 00 ............F...
00000010 32 00 30 00 30 00 31 00 3a 00 34 00 38 00 39 00 2.0.0.1.:.4.8.9.
00000020 38 00 3a 00 32 00 62 00 3a 00 32 00 3a 00 39 00 8.:.2.b.:.2.:.9.
00000030 64 00 65 00 37 00 3a 00 34 00 35 00 36 00 39 00 d.e.7.:.4.5.6.9.
00000040 3a 00 66 00 62 00 33 00 39 00 3a 00 65 00 66 00 :.f.b.3.9.:.e.f.
00000050 32 00 39 00 00 00 1c 00 00 00 61 00 64 00 6d 00 2.9.......a.d.m.
00000060 69 00 6e 00 69 00 73 00 74 00 72 00 61 00 74 00 i.n.i.s.t.r.a.t.
00000070 6f 00 72 00 00 00 16 00 00 00 54 00 53 00 2d 00 o.r.......T.S.-.
00000080 53 00 54 00 52 00 45 00 53 00 53 00 31 00 00 00 S.T.R.E.S.S.1...
00000090 78 00 00 00 02 00 00 80 44 53 48 4c 06 6f 27 1b x.......DSHL.o'.
000000a0 29 10 f9 d9 58 fb 46 7d f9 e1 02 14 a2 15 aa 00 )...X.F}........
000000b0 34 5c 76 a4 52 76 fd 04 d6 2d 85 8d 64 69 88 80 4\v.Rv...-..di..
000000c0 1b 8d 0e b0 b7 9b d3 d8 84 c6 10 a2 e9 b6 e0 06 ................
000000d0 99 5d 85 16 2d bf d8 f1 99 77 75 2d be e2 77 a6 .]..-....wu-..w.
000000e0 3f 5e fb 86 ca ed 04 81 31 11 d3 b9 fc 32 ad 45 ?^......1....2.E
000000f0 df ad ca b7 8d 02 6f 92 65 c6 d7 b4 68 cd f6 49 ......o.e...h..I
00000100 bc b8 88 87 6e 01 ce d0 95 fd 00 00 5a 00 00 00 ....n.......Z...
00000110 6a 00 69 00 61 00 7a 00 6f 00 75 00 2d 00 74 00 j.i.a.z.o.u.-.t.
00000120 65 00 73 00 74 00 32 00 2e 00 74 00 73 00 2d 00 e.s.t.2...t.s.-.
00000130 73 00 74 00 72 00 65 00 73 00 73 00 31 00 2e 00 s.t.r.e.s.s.1...
00000140 6e 00 74 00 74 00 65 00 73 00 74 00 2e 00 6d 00 n.t.t.e.s.t...m.
00000150 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 i.c.r.o.s.o.f.t.
00000160 2e 00 63 00 6f 00 6d 00 00 00 1a 00 00 00 4a 00 ..c.o.m.......J.
00000170 49 00 41 00 5a 00 4f 00 55 00 2d 00 54 00 45 00 I.A.Z.O.U.-.T.E.
00000180 53 00 54 00 32 00 00 00 70 00 00 00 02 00 00 00 S.T.2...p.......
00000190 46 00 00 00 32 00 30 00 30 00 31 00 3a 00 34 00 F...2.0.0.1.:.4.
000001a0 38 00 39 00 38 00 3a 00 32 00 62 00 3a 00 32 00 8.9.8.:.2.b.:.2.
000001b0 3a 00 39 00 64 00 65 00 37 00 3a 00 34 00 35 00 :.9.d.e.7.:.4.5.
000001c0 36 00 39 00 3a 00 66 00 62 00 33 00 39 00 3a 00 6.9.:.f.b.3.9.:.
000001d0 65 00 66 00 32 00 39 00 00 00 1e 00 00 00 31 00 e.f.2.9.......1.
000001e0 35 00 37 00 2e 00 35 00 39 00 2e 00 32 00 34 00 5.7...5.9...2.4.
000001f0 30 00 2e 00 31 00 34 00 34 00 00 00 c0 c0 c0 c0 0...1.4.4.......
00000200 c0 c0 c0 c0                                     ....

00 04 -> RDP_SERVER_REDIRECTION_PACKET::Flags = 0x0400 = SEC_REDIRECTION_PKT
04 02 -> RDP_SERVER_REDIRECTION_PACKET::Length = 0x204 = 516 bytes
02 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::SessionID = 2

1d 0b 00 00 -> RDP_SERVER_REDIRECTION_PACKET::RedirFlags = 0x00000b1d
0x00000b1d
= 0x00000800 |
  0x00000200 | 
  0x00000100 | 
  0x00000010 | 
  0x00000008 | 
  0x00000004 | 
  0x00000001
= LB_TARGET_NET_ADDRESSES |
  LB_TARGET_NETBIOS_NAME | 
  LB_TARGET_FQDN |
  LB_PASSWORD |
  LB_DOMAIN |
  LB_USERNAME |    
  LB_TARGET_NET_ADDRESS

46 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::TargetNetAddressLength = 0x46 = 70 bytes

32 00 30 00 30 00 31 00 3a 00 34 00 38 00 39 00
38 00 3a 00 32 00 62 00 3a 00 32 00 3a 00 39 00
64 00 65 00 37 00 3a 00 34 00 35 00 36 00 39 00
3a 00 66 00 62 00 33 00 39 00 3a 00 65 00 66 00
32 00 39 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::TargetNetAddress = "2001:4898:2b:2:9de7:4569:fb39:ef29"

1c 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::UserNameLength = 0x1c = 28 bytes

61 00 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00 
72 00 61 00 74 00 6f 00 72 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::UserName = "administrator"

16 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::DomainLength = 0x16 = 22 bytes

54 00 53 00 2d 00 53 00 54 00 52 00 45 00 53 00 
53 00 31 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::Domain = "TS-STRESS1"

78 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::PasswordLength = 0x78 = 120 bytes

02 00 00 80 44 53 48 4c 06 6f 27 1b 29 10 f9 d9 
58 fb 46 7d f9 e1 02 14 a2 15 aa 00 34 5c 76 a4 
52 76 fd 04 d6 2d 85 8d 64 69 88 80 1b 8d 0e b0 
b7 9b d3 d8 84 c6 10 a2 e9 b6 e0 06 99 5d 85 16 
2d bf d8 f1 99 77 75 2d be e2 77 a6 3f 5e fb 86 
ca ed 04 81 31 11 d3 b9 fc 32 ad 45 df ad ca b7 
8d 02 6f 92 65 c6 d7 b4 68 cd f6 49 bc b8 88 87 
6e 01 ce d0 95 fd 00 00 -> RDP_SERVER_REDIRECTION_PACKET::Password

5a 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::TargetFQDNLength = 0x5a = 90 bytes

6a 00 69 00 61 00 7a 00 6f 00 75 00 2d 00 74 00
65 00 73 00 74 00 32 00 2e 00 74 00 73 00 2d 00
73 00 74 00 72 00 65 00 73 00 73 00 31 00 2e 00
6e 00 74 00 74 00 65 00 73 00 74 00 2e 00 6d 00
69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00
2e 00 63 00 6f 00 6d 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::TargetFQDN = "jiazou-test2.ts-stress1.nttest.microsoft.com"

1a 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::TargetNetBiosNameLength = 0x1a = 26 bytes

4a 00 49 00 41 00 5a 00 4f 00 55 00 2d 00 54 00 
45 00 53 00 54 00 32 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::TargetNetBiosName = "JIAZOU-TEST2"

70 00 00 00 -> RDP_SERVER_REDIRECTION_PACKET::TargetNetAddressesLength = 0x70 = 112 bytes

02 00 00 00 -> TARGET_NET_ADDRESSES::addressCount = 2 

46 00 00 00 -> TARGET_NET_ADDRESS::addressLength = 70 bytes

32 00 30 00 30 00 31 00 3a 00 34 00 38 00 39 00 
38 00 3a 00 32 00 62 00 3a 00 32 00 3a 00 39 00 
64 00 65 00 37 00 3a 00 34 00 35 00 36 00 39 00 
3a 00 66 00 62 00 33 00 39 00 3a 00 65 00 66 00 
32 00 39 00 00 00 -> TARGET_NET_ADDRESS::address = "2001:4898:2b:2:9de7:4569:fb39:ef29"

1e 00 00 00 -> TARGET_NET_ADDRESS::addressLength = 30 bytes

31 00 35 00 37 00 2e 00 35 00 39 00 2e 00 32 00 
34 00 30 00 2e 00 31 00 34 00 34 00 00 00 -> TARGET_NET_ADDRESS::address = "157.59.240.144"

c0 c0 c0 c0 c0 c0 c0 c0 -> RDP_SERVER_REDIRECTION_PACKET::Pad
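
The field walk annotated above, as a bounds-checked parser for the decrypted RDP_SERVER_REDIRECTION_PACKET. This is an added example, not code from the specification: it handles only the seven RedirFlags bits set in this dump and rejects any other bit, because every later field offset depends on which flags are present. The function names and the sample() packet are constructed for illustration; sample() uses the field values shown on this page with placeholder zero bytes in place of the Password blob.

```python
import struct

def take(buf, off, end):  # u32 length prefix + payload, never reading past `end`
    if off + 4 > end:
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", buf, off)
    if n > end - off - 4:
        raise ValueError("field length %d overruns its container" % n)
    return buf[off + 4:off + 4 + n], off + 4 + n
def utf16z(raw):  # the page's strings: UTF-16LE, terminator counted in the length
    if len(raw) % 2 or raw[-2:] != b"\0\0":
        raise ValueError("not a null-terminated UTF-16LE string")
    return raw[:-2].decode("utf-16-le")

def addresses(raw):  # TARGET_NET_ADDRESSES: addressCount, then counted strings
    if len(raw) < 4:
        raise ValueError("truncated addressCount")
    items, pos = [], 4
    for _ in range(struct.unpack_from("<I", raw)[0]):
        item, pos = take(raw, pos, len(raw))
        items.append(utf16z(item))
    return items

FIELDS = [(0x001, "TargetNetAddress", utf16z), (0x004, "UserName", utf16z),
          (0x008, "Domain", utf16z), (0x010, "Password", bytes),
          (0x100, "TargetFQDN", utf16z), (0x200, "TargetNetBiosName", utf16z),
          (0x800, "TargetNetAddresses", addresses)]
KNOWN = sum(bit for bit, _, _ in FIELDS)  # only the RedirFlags bits set in this dump

def parse_redirection(buf):
    flags, length, session, redir = struct.unpack("<HHII", buf[:12].ljust(12, b"\0"))
    if flags != 0x0400 or not 12 <= length <= len(buf):  # also rejects short input
        raise ValueError("bad Flags or Length")
    if redir & ~KNOWN:  # later offsets depend on every bit, so never guess
        raise ValueError("unhandled RedirFlags 0x%x" % (redir & ~KNOWN))
    out, off = {"SessionID": session}, 12
    for bit, name, decode in FIELDS:  # FIELDS is in wire order
        if redir & bit:
            raw, off = take(buf, off, length)
            out[name] = decode(raw)
    return out

def sample():  # constructed: the page's field values, placeholder Password bytes
    s = lambda t: struct.pack("<I", 2 * len(t) + 2) + (t + "\0").encode("utf-16-le")
    v6, v4 = "2001:4898:2b:2:9de7:4569:fb39:ef29", "157.59.240.144"
    body = (s(v6) + s("administrator") + s("TS-STRESS1") + struct.pack("<I", 120)
            + bytes(120) + s("jiazou-test2.ts-stress1.nttest.microsoft.com")
            + s("JIAZOU-TEST2") + struct.pack("<II", 112, 2) + s(v6) + s(v4) + b"\xc0" * 8)
    return struct.pack("<HHII", 0x0400, 12 + len(body), 2, 0x0B1D) + body
```

The rebuilt packet comes out at 516 bytes, matching the Length field (0x204) in the annotation, which confirms that Length covers the whole packet including the trailing Pad.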
 
© 2014 Microsoft