Daily Blog #519: Forensic Lunch Test Kitchen 10/26/18

RDP Testing with NLA Testing of the OSX RDP v8 by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
           Well I didn't have time today to do a forensic lunch which means tonight we had another Test Kitchen! I will have to do a forensic lunch early next week to meet the two broadcast a month goal of the forensic lunch, likely Tuesday unless we have a special Halloween edition! I'll line up guests and follow up with. Tonight we continued our RDP testing with NLA testing of the OSX RDP v8 client as suggested by Mike Carey and also testing Beau Bollock's statements regarding the logging or lack there of ip addresses when NLA is present prior to Server 2016.

Here is what we learned:

  • The OSX RDP v8 client is in fact doing NLA, at least the version I tested. Meaning we got a type 3 4624 event in the security log.
  • That the OSX RDP v8 client provides the hostname of the OSX system
  • That the OSX RDP v10 client does not provide the hostname of the OSX system
  • That Windows 10 does log IP and Hostname from failed NLA logins with valid usernames 
  • That Windows 7 does not log IP addresses but only hostnames when handling failed logins with NLA. But we found this was true for invalid as well as valid usernames. 

You can watch the video of our testing here:

Also Read: Daily Blog #518 

Post a Comment