Comments on: [Defcamp Quals 2024] [FORENSiCS 50 – rerdp] Write Up
https://0x90r00t.com/2024/09/30/defcamp-quals-2024-forensics-50-rerdp-write-up/
0x90r00t, 0x90r00f
Tue, 01 Oct 2024 08:09:58 +0000

By: Abdalrhman
https://0x90r00t.com/2024/09/30/defcamp-quals-2024-forensics-50-rerdp-write-up/#comment-125174
Tue, 01 Oct 2024 08:09:58 +0000
In reply to Abdalrhman.

Even when I tried this:
We export the decoded Wireshark’s session into rerdp.pcap by selecting File > Export PDUs and selecting OSI Layer 7.
I get an empty file.

By: Abdalrhman
https://0x90r00t.com/2024/09/30/defcamp-quals-2024-forensics-50-rerdp-write-up/#comment-125173
Tue, 01 Oct 2024 08:06:17 +0000

Thanks for your help. I have a question. After I put those lines into a file:
CLIENT_RANDOM 3a59c211663a5bffe1d7c216ec5fd10db830043423cc8384aa522baf55622c73 9bedb2b2685c2e6fb82a3e6a23fe7e9407d9a8bcf5417ee49b02b8cc6edb4316ec90fe37dcc0171378e8fd790ad9c307
CLIENT_RANDOM e4dddc52093aaa44867506e88f778737dcae9da4e297093c678049ef80136b1f 2e080bdc8fdc85862b185b3ad0a24f050d6576a520eb154afa0dcaf286daa420230d4914d101916c3c44c33819cff420

The file name is keylog.log and I followed what you wrote:
Edit > Preferences > Protocols > TLS
(Pre)-Master-Secret log filename: File containing the `CLIENT_RANDOM` lines.
But there is no difference in the pcap file. I used rdp as a filter, but there are no rdp packets.
Can you help?
