Decrypt RDP Standard Security Packets - Server Demand Active PDU

  • Question

  • I use Windows 7 (as server) and my program as client. When the server sends the Server Demand Active PDU, decryption goes wrong, but with this decrypt key I can decrypt the Server License Error PDU before it. Does the Server Demand Active PDU use another key for encryption?

    Here is RC4 decrypt key: EB 5B 1F 1A C3 A0 81 09 BE B2 3D 4C 04 B0 74 C2.

    Server Error PDU:

    03 00 00 2A 02 F0 80 68 00 01 03 EB 70 1C 88 02

    00 00 AE CC A2 87 C8 ED 43 B2 A1 20 B3 B1 F2 B2

    7C EB ED 91 98 34 01 63 01 5D

    Decrypt Server License Error PDU:

    03 00 00 2A 02 F0 80 68 00 01 03 EB 70 1C 88 02

    00 00 AE CC A2 87 C8 ED 43 B2 FF 03 10 00 07 00

    00 00 02 00 00 00 04 00 00 00

    Server Demand Active PDU:


    Decrypt Server Demand Active PDU(wrong):


    Note: I know it is wrong because after the packet signature "DE 1F 57 3D 05 E4 F6 83" the next 2 bytes (decrypted) must indicate the data length. And the CHECKSUM recalculated from the decrypted data does not match the original.

    Funny: I found a crazy way to force two Windows 7 machines to use Standard RDP (for anyone who wants to learn about Standard RDP): make a proxy between the two machines and hardcode some bytes in the Initial Connection packet.

    Wednesday, June 11, 2014 8:03 AM
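An added example, not the poster's code nor anything from Microsoft: a small Standard RDP Security decryptor that parses the quoted License Error PDU down to the security header, decrypts with RC4 and applies the length sanity check the question describes. It assumes the non-FIPS layout (4-byte security header followed by an 8-byte MAC signature) and keeps one RC4 state per direction, because in Standard RDP Security the keystream of a direction continues from one PDU into the next rather than restarting per packet.

```python
import struct
SEC_ENCRYPT = 0x0008      # TS_SECURITY_HEADER flag: 8-byte MAC + RC4 payload follow
SEC_LICENSE_PKT = 0x0080  # payload is a licensing PDU, not a share control PDU

class RC4:
    """Stateful RC4: one instance per direction, decrypting PDUs in capture order,
    because the keystream runs on across PDUs (4096-packet key refresh omitted)."""
    def __init__(self, key: bytes):
        s, j = list(range(256)), 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0
    def crypt(self, data: bytes) -> bytes:
        out, s = bytearray(), self.s
        for c in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(c ^ s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)
def split_security_pdu(pkt: bytes):
    """TPKT -> X.224 Data -> MCS SendDataIndication -> TS_SECURITY_HEADER (non-FIPS).
    Returns (flags, 8-byte MAC signature, encrypted payload)."""
    if pkt[0] != 3 or struct.unpack(">H", pkt[2:4])[0] != len(pkt) or pkt[4:8] != b"\x02\xf0\x80\x68":
        raise ValueError("expected TPKT / X.224 Data / MCS SendDataIndication")
    p, length = 14, pkt[13]  # after initiator(2), channelId(2), priority/segmentation(1)
    if length & 0x80:        # two-byte PER length determinant
        length, p = ((length & 0x7F) << 8) | pkt[14], 15
    body = pkt[p:p + length]
    flags = struct.unpack("<H", body[0:2])[0]
    if len(body) != length or not flags & SEC_ENCRYPT:
        raise ValueError("truncated MCS data or payload not encrypted")
    return flags, body[4:12], body[12:]
def plaintext_is_plausible(flags: int, plain: bytes) -> bool:
    """The question's check: the payload states its own length, wMsgSize at offset 2
    for licensing PDUs, totalLength (TS_SHARECONTROLHEADER) at offset 0 otherwise."""
    off = 2 if flags & SEC_LICENSE_PKT else 0
    return len(plain) >= off + 2 and struct.unpack("<H", plain[off:off + 2])[0] == len(plain)
# Key and License Error PDU exactly as quoted in the question.
KEY = bytes.fromhex("EB5B1F1AC3A08109BEB23D4C04B074C2")
LICENSE_ERROR_PDU = bytes.fromhex("0300002A02F08068000103EB701C88020000AECCA287C8ED43B2"
                                  "A120B3B1F2B27CEBED9198340163015D")
def decrypt_in_order(key: bytes, pdus) -> list:
    """Decrypt one direction's PDUs with a single RC4 state; returns (plaintext, ok) pairs."""
    rc4, out = RC4(key), []
    for pdu in pdus:
        flags, _mac, enc = split_security_pdu(pdu)  # MAC check needs the MAC key, not given here
        plain = rc4.crypt(enc)
        out.append((plain, plaintext_is_plausible(flags, plain)))
    return out
```

Feeding the License Error PDU and the Demand Active PDU to one `decrypt_in_order` call keeps the keystream aligned between them; decrypting the second PDU with a freshly keyed RC4 would be a cipher in the wrong position even with the right key.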

Answers

  • Hi THVBlu,

    A colleague will contact you soon to begin investigating this issue.

    Regards,

    Mark Miller | Microsoft Open Specifications Team

    • Marked as answer by THVBlu Thursday, June 12, 2014 2:07 AM
    Wednesday, June 11, 2014 12:14 PM

All replies

  • Hello THVBlu - I'm researching this for you.

    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Thursday, June 12, 2014 2:16 AM
  • Tarun Chopra: Thank you :)
    Thursday, June 12, 2014 4:47 AM
  • I worked with Tran offline and we worked on several scenarios.  You’re able to decrypt the License Error (valid client) PDU, but not the next server-to-client packet the Server Demand Active PDU.  The session keys do not change after the licensing packet.  And, indeed, it is completely optional that the Licensing packet is even encrypted (it’s the one exception).  I suggested he turn off licensing PDU encryption (don’t advertise to the server that it supports licensing PDU encryption).   I further suggested that Tran also disable server-to-client COMPRESSION and client-to-server COMPRESSION.  Not because I think that is a part of the problem, but it would take that transformation off the table.  I also ask that you send me a trace so that I can see the flavor of Standard RDP security that is being negotiated so that I can match the experience here.  After that, I can produce a sample using the same configuration.


    Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team

    Friday, July 18, 2014 5:57 PM
    Moderator