Creation of PassStub for the Remote Assistance Ticket

  • Question

  •  I want to create a PassStub for the Remote Assistance Ticket, but I am still not successful.

    Following are the things which I had tried for getting the PassStub.

    1> I had read the MS-RAI Protocol document, which gives the steps for creating the PassStub, following is the Link

    http://msdn.microsoft.com/en-us/library/cc240115(PROT.10).aspx

    2> The document states that the PassStub is arrived by taking the Password(key) and the RA Session ID.

    3> I am able to generate the ticket (Remote Assistance Connection String 1), without the Password or PassStub by using the RemoteConnectionParams method.

    4> In the ticket, it also gives the RA Session ID, which I am using in the Encryption process, to get the PassStub. But it gives some binary result, which does not match the PassStub.

    5> I tried other ways, by changing the parameters of the Crypt methods, but it does not work.

    6> Finally I tried to do the API hooking for the helpctr.exe, in order to find out what parameters the Crypt functions are using, then for me it was a surprise.

    7> The CryptEncrypt method was passing the PassStub as the RA Session ID and it used to get some encrypted output.

    8> Now the question arises, how the helpctr.exe got the PassStub, which it passed to the CryptEncrypt function, instead of passing the RA Session ID. The PassStub which is passed to the function is a UNICODE string, where first Byte is 1C (in hex) and then next three bytes are NULL, then it starts the actual PassStub in a UNICODE format.

    9> A similar process or Flow Diagram is also given for Windows Vista and further versions, in order to Encrypt the (Remote Assistance Connection String 2). When I followed the process, I got total success, I was able to generate the Encrypted Remote Assistance Connection String 2.

    10> But the Flow diagram given for Remote Assistance Connection String 1, is not working.

    Please correct me, if I am making any mistake, in understanding the document.

    Any help will be really useful for me.

    Thanks & Regards,

    Kedar.

    Saturday, July 23, 2011 4:45 AM

All replies

  • Hi Kedar:

    I have alerted protocol documentation team regarding your inquiry on MS-RAI. A member of the team will be in touch soon.


    Regards, Obaid Farooqi
    Saturday, July 23, 2011 5:35 PM
    Owner
  • Hi Obaid Farooqi,

    Thanks for the reply, I will be waiting for further response, from the protocol team.

    Thanks & Regards,

    Kedar.

     

     


    Monday, July 25, 2011 8:44 AM
  • Hi,

    Today one more thing I noticed, as per the Flow diagram of Remote Assistance Ticket 1, the CryptEncrypt API needs to be called two times, but as per the API hooking it is getting called only once. I thought that the API hooking might be wrong, hence I downloaded other API hooking software and all of them are giving me the same result. The CryptEncrypt API is only called once, with the Password(key) and the PassStub. Still it is not understood, how the CryptEncrypt API is able to get the PassStub.

    Thanks & Regards,

    Kedar.


    Monday, July 25, 2011 1:09 PM
  • Hi Kedar,

    I will follow-up as soon as I complete my investigation or have further clarification questions.

    Thanks,

    Edgar

    Tuesday, July 26, 2011 7:24 PM
    Moderator
  • Hi Edgar,

    Waiting for your reply.

    Thanks & Regards,

    Kedar Babar.

     

    Friday, July 29, 2011 12:42 PM
  • Hi Edgar,

    Please reply to the above issue, since I am answerable to my management, with respect to the above issue. At least give me the information, whether the document (MS-RAI) published by Microsoft is correct or incorrect, with respect to the flow diagram of Remote Assistance Ticket 1.

    Your small help/reply will be of great help for me.

    Thanks & Regards,

    Kedar.

     

    Tuesday, August 2, 2011 8:26 AM
  • Kedar,

    I am still investigating and will follow-up soon. Thanks for your patience.

    Regards,

    Edgar

    Tuesday, August 2, 2011 2:37 PM
    Moderator
  • Hi Edgar,

        It has been around three weeks, please reply to the above issue.

    Thanks & Regards,

    Kedar

     

    Friday, August 12, 2011 4:19 PM
  • Kedar,

    In Windows XP or Windows Server 2003 password encryption flow, there is 4 bytes size in the front of the PassStub data. This explains the observed 0x1C 00 00 00 in front of the PassStub Unicode string in the call to CryptEncrypt. Also, the password is translated in Unicode string before it is hashed.

    As documented in Section 6 Appendix A, Windows implementation transmits the passStub as part of the Remote Assistance Invitation File communicated over e-mail.

    Regards,

    Edgar

    Monday, August 15, 2011 7:38 PM
    Moderator
  • Hi Edgar,

    The things regarding the PassStub which you had explained are correct, I do not deny on that, but the question is related to something else, let me explain you the stuff once again.

    If you refer to page 41 of the MS-RAI document, it tells the flow diagram for creation of remote assistance ticket 1 for Windows XP and Windows 2003.

    If you check the flow diagram, the first CryptEncrypt function is called with two inputs i.e. the Key and the RA Session ID, the output of the function, gives us the PassStub. When the same process I followed with the same Key (Unicode Hashed Password) and the same RA Session ID, it gives me some binary data, which does not match with the PassStub.

    The logic is pretty simple and straightforward, if you take the same Password/Key and the same RA Session ID, it should give me the same output, even though I tried the thousand times, the output should be same, but it does not happen in the creation of PassStub.

    At the same time the flow diagram states, that it uses the CryptEncrypt function two times, in the creation of the remote assistance ticket, but as per my observation, it is getting called only once, with the two inputs as the Key/Password and the PassStub.

    Now the question arises, how did the CryptEncrypt function had got the PassStub, without calling the previous CryptEncrypt function. Because if the CryptEncrypt function had to get the PassStub, then it should call with two inputs i.e. Key/Password and the RA Session ID, but this call is missing.

    That means, these steps need to be followed as per the flow diagram

    1> CryptEncrypt (KEY  , RA Session ID) the output is PassStub

    2> CryptEncrypt(KEY   ,  PassStub) the output is User Blob.

    But in the above process the first step or step 1 is missing, only I see the step 2 getting called.

    Now if the step 1 is missing, then how the CryptEncrypt function got the PassStub.

     

    Thanks & Regards,

    Kedar.

     

     

     

    Tuesday, August 16, 2011 9:45 AM
  • Kedar,

    I will post a response soon.

    Thanks,

    Edgar

    Tuesday, August 16, 2011 3:04 PM
    Moderator
  • Kedar,

    Upon review of the source code and MS-RAI, the RA Novice PassStub is sent to the Expert as part of the RA Invitation File. With the same password (key), both RA Novice and RA Expert will produce the same blob.  

    Please note the function used to generate the Novice PassStub is meant to make it unpredictable, so as to avoid dictionary attacks etc. The diagram suggests using CryptEncrypt with RA SessionID encrypted with the Password key but this does not affect the flow itself.

    One important step in the flow is that the RA Novice PassStub must be communicated to the RA Expert.

    Therefore the diagram in the appendix appears correct.

    Thanks,

    Edgar

    Tuesday, August 16, 2011 9:07 PM
    Moderator
  • Hi Edgar,

    Thanks for your quick response, let me first state what I had understood from your reply

    RA Novice PassStub is sent to the Expert as part of the RA Invitation File. With the same password (key), both RA Novice and RA Expert will produce the same blob.  

    I totally agree with you for the above statement, which is correct

    ==========================================================================================

    Please note the function used to generate the Novice PassStub is meant to make it unpredictable, so as to avoid dictionary attacks etc. The diagram suggests using CryptEncrypt with RA SessionID encrypted with the Password key but this does not affect the flow itself.

    Does it mean that we should not use the CryptEncrypt API for getting the PassStub? Is there any other API which does the job or is there some other way for getting the PassStub?

    Please correct me, if I am wrong.

    Still I had not put the code snippets, because this is a protocol forum, if you want I can put the code snippets, with the flow diagram.

    Thanks & Regards,

    Kedar.

     

     

    Wednesday, August 17, 2011 2:58 PM
  • Kedar,

    The RA Expert retrieves the PassStub from the RA Invitation XML File. For Windows implementation, please see details in MS-RAI Section 6 Appendix A. On Windows implementation, to get the Novice PassStub, the Expert parses the XML file. Now, the Expert uses CryptEncrypt (Novice PassStub, Key) to produce the Expert PassStub that will be sent in the Expert blob.

    As we agreed on, both Novice and Expert should produce the same blob.

    Please keep in mind that the Open Specifications forums do not support coding, development, or API questions.

    Hope this helps.

    Regards,

    Edgar

    Wednesday, August 17, 2011 4:27 PM
    Moderator
  • Hi Edgar,

    As per your reply, again I had read the MS-RAI document, in order to check whether I am going wrong or not. I think there is some misunderstanding from my side, in order to explain my issue, so let me draft the question in other format.

    In the Remote Assistance, there are two users that is Novice and Expert, I am not concerned about the expert user, because he will be required when he receives the remote assistance file, either by Messenger or by E-mail. Currently I am only concerned about the Novice user, because I am going to create the remote assistance ticket with password on his machine, which will be sent to the expert for further remote assistance connection.

    Hence I had created the remote assistance file on my system, which I will use for further explanation.

    The contents of the file are as follows, I had changed the IP addresses for security reasons.

    <?xml version="1.0" encoding="Unicode" ?><UPLOADINFO TYPE="Escalated"><UPLOADDATA USERNAME="Administrator" RCTICKET="65538,1,127.0.0.1:3389;127.0.0.1:3389;KEDAR:3389,*,4MBltNlrPE0oQJN9AD4igIWlHWOYWrwbeb3Aze5yhns=,*,*,qblq1rKEDE+hj8PMGhIcqD+WPgk=" RCTICKETENCRYPTED="1" DtStart="1313761561" DtLength="60" PassStub="m9*2Oan3*wRhkN" L="1" /></UPLOADINFO>

    Here I am not explaining the full meaning of each field, but you can please refer to page no 13 of the MS-RAI document for the detail explanation of each field.

    Now from the above file, I only need the RA Session ID, which I will use in CryptEncrypt API. As per the MS-RAI document, the RA Session ID is "4MBltNlrPE0oQJN9AD4igIWlHWOYWrwbeb3Aze5yhns="

    The password which I had used is abc123

    Now I followed the process as per the flow diagram. Converted the password in UNICODE format, got the Hash and the KEY, now I need to use the above RA Session ID with the KEY in the API CryptEncrypt, so I could get the above PassStub as "m9*2Oan3*wRhkN". But the CryptEncrypt API gives some other output which does not match with the PassStub, either in data or in the length of the PassStub. But when I follow the flow diagram of Remote Assistance String 2, it works properly, for Vista and above.

    I had taken care not to submit the source code, since this is a protocol forum.

    A similar question was raised previously in this forum, but the reply does not seem to be satisfactory, here is the link of the question.

    http://social.msdn.microsoft.com/Forums/pl-PL/os_windowsprotocols/thread/fbbe094a-34bb-4a0b-8c59-1e69584acad8

    The above process is expected to be followed by the helpctr.exe, but as per the API hooking it does not seem to happen. The helpctr.exe is calling the CryptEncrypt API with the PassStub as the parameter, which basically is the second step in the flow diagram, which gives the "user blob" as output.

    Thanks & Regards,

    Kedar.

     

     


    Friday, August 19, 2011 2:26 PM
  • Kedar,

     

    It appears that you are trying to validate the generation of the PassStub at the RA Novice side. Per the protocol flow sequence, if the Novice sends the PassStub to the Expert, things should work properly as the Expert would be able to produce the right blob. So I do not see this as a blocking issue for implementing a Novice.

    Nonetheless, I have filed a document bug so that the product team can review the flow diagram for Remote Assistance Connection String 1 in “Figure 2: Windows XP and Windows Server 2003 password encryption flow” related to Section 6 Appendix A.

     

    Regards,

    Edgar

    Friday, August 19, 2011 7:16 PM
    Moderator
  • Hi Edgar,


     Thanks for the reply, yes I am trying to create the PassStub on the novice system, by the help of the flow diagram. The remote assistance file can be created by two ways, without the password/PassStub or with the password/PassStub, but if I create the file without the password/PassStub, I am creating a security risk for the novice user. Once the file is created and given to the expert user, his system will decode the password/PassStub, in order to connect to the novice system. Hence I am trying hard to create the remote assistance file with the password/PassStub with the COM/C++ language. The process which I followed, is also expected to be followed by the helpctr.exe, hence I need to do the API hooking on helpctr.exe to know the correct process, but the process followed by helpctr.exe does not match with the flow diagram given in MS-RAI.
     
    Thanks & Regards,
    Kedar.

    Saturday, August 20, 2011 8:45 AM
  • Hi Edgar,

        An reply from the Product Team.

    Thanks & Regards,

    Kedar.

     

    Monday, September 5, 2011 10:24 AM
  • Kedar,

    We are investigating this. I will update you as soon as I have news.

    Thanks,

    Edgar

    Tuesday, September 6, 2011 4:31 PM
    Moderator
  • Kedar,

     For an XP/server 2003 novice PassStub, can you try the following:

    Use a randomly generated PassStub of 14 characters as the input to CryptEncrypt.

    Let me know the outcome.

     

    Thanks,

    Edgar

    Monday, September 12, 2011 5:10 PM
    Moderator
  • Hi Edgar,

    As per your suggestion I followed the following steps

    1> Acquire the Context by using the PROV_RSA_FULL in the CryptAcquireContext API.

    2> Created the Hash by using CALG_MD5 in the CryptCreateHash API.

    3> Created the Hash data by using the password abc@123 in UNICODE format, in the CryptHashData API.

    4> Derived the key by using CALG_RC4 in the CryptDeriveKey API

    5> Now finally I called the CryptEncrypt API by giving the random 14 characters. The 14 characters which were passed are as follows

    "AB1D=FG2IJ5LMN"

    The Output of the CryptEncrypt API was, binary 14 characters.

    Thanks & Regards,

    Kedar.

     

    Tuesday, September 13, 2011 3:46 PM
  • Kedar,

    Can I conclude that the issue has been resolved? If so, I can proceed and pass feedback to the product team on the flow diagram.

    Regards,

    Edgar


    Tuesday, September 13, 2011 4:37 PM
    Moderator
  • Hi Edgar,

    If you look at the PassStub, it does not contain any binary characters, it only contains readable characters, so how can I include the binary characters into the PassStub? Or is it something that the PassStub contains only random 14 characters, which does not have any meaning in the Remote Assistance file? At the same time, the MS-RAI doc does not state anything about random 14 characters. It will be really good if the Product team would be able to give me the steps, to create the PassStub, in the same way I had given the steps, for encrypting 14 random characters.

    I am not asking for any code, but only steps in generating the PassStub.

    Thanks & Regards,

    Kedar.

     

     

     

    Wednesday, September 14, 2011 9:43 AM
  • Kedar,

    I will follow up soon.

    Thanks,

    Edgar

    Wednesday, September 14, 2011 4:36 PM
    Moderator
  • Kedar,

     

    We advise you modify your novice to use a randomly generated PassStub of ASCII characters as input to CryptEncrypt.  When calling CryptEncrypt to produce the blob, remember there is 4 bytes data size in the front of the PassStub Unicode data.

     

     

    According to our current investigation on Windows XP, the PassStub is composed of randomly generated 14 ASCII characters. There are no binary characters. A Novice should be able to use an arbitrary string for this.

     

    In case you would like to try how the helpctr.exe generates the PassStub on Windows XP, these steps can be followed:

     

    All of the 14 characters are ASCII.

    Characters 1 and 6-14 are from the set A-Z a-z 0-9 * _

    Character 2 is from the set !@#$&^*()-+=

    Character 3 is from the set 0-9

    Character 4 is from the set A-Z

    Character 5 is from the set a-z

     

    Each character is randomly selected from the respective sets. Using this model provides certain guarantees about the diversity of resulting characters in the PassStub string.

     

    To recap the proposed behavior for Windows XP Novice:

     

    1. Instead of CryptEncrypt (KEY  , RA Session ID), the Novice PassStub is randomly generated as described previously. This Novice PassStub is sent to the expert in the invitation file.

     

    2. CryptEncrypt(KEY  ,  PassStub),  the output is User Blob. Here the Unicode PassStub is prefixed with a 4 bytes data size, this would be 0x1C 00 00 00 for a PassStub of 14 characters (0x1C is 28 because of the Unicode).

     

    Let me know the outcome.

     

    Thanks,

    Edgar
    Thursday, September 15, 2011 10:08 PM
    Moderator
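
The Windows XP Novice steps from the reply above, as an added example that is not part of the thread and is not Microsoft's code: it draws the 14-character PassStub from the listed per-position sets and builds the size-prefixed Unicode buffer that is handed to CryptEncrypt. It assumes "Unicode" means UTF-16LE and that the 4-byte size is little-endian (consistent with 0x1C 00 00 00); the function names are hypothetical, and the key derivation and the CryptEncrypt call itself are not reproduced.

```python
import secrets
import string
import struct

# Character sets as listed in the reply above (positions there are 1-based).
GENERAL = string.ascii_uppercase + string.ascii_lowercase + string.digits + "*_"
SYMBOLS = "!@#$&^*()-+="
PASSSTUB_LEN = 14

# Index 0 holds the set for "character 1", index 1 for "character 2", and so on.
POSITION_SETS = (
    [GENERAL, SYMBOLS, string.digits, string.ascii_uppercase, string.ascii_lowercase]
    + [GENERAL] * 9
)


def generate_passstub() -> str:
    """Pick each of the 14 characters from its set.

    secrets (a CSPRNG) is used because the thread says the PassStub is
    meant to be unpredictable; this choice is an assumption of the example.
    """
    return "".join(secrets.choice(charset) for charset in POSITION_SETS)


def matches_described_layout(stub: str) -> bool:
    """True if every character falls in the set described for its position."""
    return len(stub) == PASSSTUB_LEN and all(
        ch in charset for ch, charset in zip(stub, POSITION_SETS)
    )


def build_encrypt_input(stub: str) -> bytes:
    """Plaintext for CryptEncrypt: 4-byte data size, then the Unicode PassStub.

    Assumes UTF-16LE text and a little-endian size, so a 14-character
    PassStub yields the prefix 1C 00 00 00 (28 bytes of text follow).
    """
    encoded = stub.encode("utf-16-le")
    return struct.pack("<I", len(encoded)) + encoded


if __name__ == "__main__":
    stub = generate_passstub()
    print("PassStub:", stub)
    print("CryptEncrypt input:", build_encrypt_input(stub).hex(" "))
```

The size prefix counts bytes of encoded text, not characters, which is why 14 characters produce 0x1C.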
  • Hi Edgar,

    Thanks for the reply, I verified the above steps and it worked properly.  :)

    Thanks & Regards,

    Kedar.

     

    • Marked as answer by YashNxt Monday, September 19, 2011 11:27 AM
    Monday, September 19, 2011 11:25 AM
  • Kedar,

    Thanks for confirming. I will communicate with the product team so they can proceed with the document update. This logic will be reflected in a future release of MS-RAI.

    Thanks again for helping us improve the specification.

    Regards,

    Edgar

     

    Monday, September 19, 2011 3:34 PM
    Moderator