This blog provides details on how the PassStub is used when establishing a remote assistance session of type 1. It presents the password encryption flow and illustrates with Windows APIs and sample data.
Remote assistance overview
Remote Assistance (RA) was introduced in Windows XP and enables one computer user to remotely help another computer user over the Internet (KB 300546). The basic concept is that one user, called the "Expert," can view the desktop of another user, the "Novice". This allows the Expert to share control of the Novice's computer to remotely resolve issues. The main steps of Remote Assistance can be described as follows:
Remote Assistance Invitation file
The Remote Assistance Initiation Protocol [MS-RAI] documents the format of the Remote Assistance Invitation (RAI) file in Section 6, Appendix A. KB300692 also describes the content of the RAI file in more detail. The purpose of the MS-RAI protocol is to obtain the Remote Assistance Connection String. Remote Assistance Connection String 1 is used when the Novice runs Windows XP or Windows Server 2003. Connection String 1 contains the Remote Desktop Protocol parameters required to establish a Remote Assistance connection, as documented in MS-RAI Section 2.2.1.
As previously introduced, Windows provides the option to obtain the connection string by transmitting the RAI file over e-mail as an XML file. The expert computer parses the RAI File to extract the Remote Assistance Connection String and other information.
In the Windows implementation, an RAI file uses .MsRcIncident as its file extension. In Windows XP, this extension is associated with Help and Support Center (helpctr.exe). When the Expert executes the .MsRcIncident file, Help and Support starts and passes the information to Remote Assistance, which in turn parses the file and starts the process of initiating a Remote Assistance session with the Novice computer as instructed by the parameters in the file.
The following is an example of an RAI file of the first type:
<?xml version="1.0" encoding="Unicode" ?>
The fields in the RAI file are documented in MS-RAI. Three fields are particularly of interest for this blog: RCTICKET, RCTICKETENCRYPTED and PassStub. I will study the PassStub field in more detail and explain its usage.
The RCTICKET field contains the RA Connection String 1 (ref. MS-RAI Section 2.2.1).
RA Connection String 1 is referred to as the connection string of the first type.
The values for the Remote Assistance Connection String 1 entities in the preceding example are as follows.
ProtocolVersion = 65538
protocolType = 1
machineAddressList = 10.0.3.105:3389;winxpsp3.contoso3.com:3389
assistantAccountPwd = *
RASessionID = rb+v0oPmEISmi8N2zK/vuhgul/ABqlDt6wW0VxMyxK8=
RASessionName = *
RASessionPwd = *
protocolSpecificParms = IuaRySSbPDNna4+2mKcsKxsbJFI=
RCTICKETENCRYPTED="1": This field indicates whether or not the Novice set a password during the creation of the invitation. If it is set to "1", Help and Support Center prompts the Expert for a password. The password entered by the Expert is sent to the Novice's computer (I will discuss this in more detail). If it is set to "0", the Expert is not prompted for a password.
The PassStub field is used for encrypting the password set by the Novice computer. When the RA connection string is sent as a file over e-mail, a password is used to provide additional security.
PassStub Generation on Windows XP
The function used to generate the Novice PassStub is meant to make its value unpredictable. For all practical purposes, it could be arbitrary random data. MS-RAI originally suggested using the CryptEncrypt API [MSDN-CRYPTO], encrypting the RA SessionID with the password key. In fact, the way the PassStub string is generated does not affect the flow of the protocol.
The key point here is that, with the same PassStub and the same password key, both the RA Novice and the RA Expert will produce the same blob. Recall that the Expert's operator must get the password from the Novice user that is requesting assistance by out-of-band means, e.g. by phone. In the example of this blog, the password is "Password1".
Windows XP Novice uses a randomly generated PassStub of 14 ASCII characters. There are no binary characters. As I mentioned previously, a Novice should be able to use an arbitrary string for this.
In the example, the RAI file contains PassStub="RT=0PvIndan52*". How is this generated?
Helpctr.exe on Windows XP follows these steps to generate the PassStub:
All of the 14 characters are ASCII characters.
Characters 1-2 and 7-14 are from the set A-Z a-z 0-9 * _
Character 3 is from the set !@#$&^*()-+=
Character 4 is from the set 0-9
Character 5 is from the set A-Z
Character 6 is from the set a-z
Each character is randomly selected from the respective sets. Using this model provides certain guarantees about the diversity of resulting characters in the PassStub string. Keep in mind that the PassStub string represents the RA Novice PassStub that is sent to the Expert as part of the RAI file.
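The per-position character model above is easy to turn into a checker and a generator. The following is an added example (not code from the original post or from Windows): it encodes the six character classes exactly as listed, validates the PassStub from the RAI file against them, generates a conforming stub from a CSPRNG, and estimates the entropy an attacker would have to guess under the assumption that each position is chosen uniformly and independently. The function names and the entropy bound are my own constructions, not part of MS-RAI.

```python
import math
import secrets
import string

# Character classes of the 14-character Windows XP PassStub, as described in the post.
# Positions are 1-based in the text; index 0 here is character 1.
GENERAL = string.ascii_letters + string.digits + "*_"   # characters 1-2 and 7-14
PUNCT = "!@#$&^*()-+="                                   # character 3
DIGITS = string.digits                                   # character 4
UPPER = string.ascii_uppercase                           # character 5
LOWER = string.ascii_lowercase                           # character 6

# Alphabet for each of the 14 positions, in order.
POSITION_SETS = [GENERAL, GENERAL, PUNCT, DIGITS, UPPER, LOWER] + [GENERAL] * 8


def generate_passstub() -> str:
    """Produce a PassStub that follows the XP character model, drawing every
    character from the OS CSPRNG (secrets) rather than a rand()-style PRNG."""
    return "".join(secrets.choice(alphabet) for alphabet in POSITION_SETS)


def is_valid_passstub(stub: str) -> bool:
    """True if `stub` is exactly 14 ASCII characters and each position is
    drawn from the set the model assigns to it."""
    if len(stub) != len(POSITION_SETS) or not stub.isascii():
        return False
    return all(ch in alphabet for ch, alphabet in zip(stub, POSITION_SETS))


def passstub_entropy_bits() -> float:
    """Upper bound on PassStub entropy under the model: sum of log2(|set|) over
    the 14 positions, assuming uniform, independent choices (my assumption)."""
    return sum(math.log2(len(alphabet)) for alphabet in POSITION_SETS)


if __name__ == "__main__":
    # The stub from the RAI file in the post.
    print(is_valid_passstub("RT=0PvIndan52*"))
    print(generate_passstub())
    print(f"model entropy: {passstub_entropy_bits():.1f} bits")
```

The entropy figure is an upper bound: ten positions drawn from a 64-character set contribute 6 bits each, and the four constrained positions contribute roughly 16 bits more, so a PassStub drawn this way carries about 76 bits, well beyond what matters here since, as the post notes, the PassStub itself does not need to be secret for the protocol to work.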
Session initialization sequence from the Expert
The expert does the following:
The RA session initialization occurs over the RC_CTL virtual channel. The RC_CTL virtual channel persists throughout the duration of the RA connection. As documented in [MS-RA], the REMOTEDESKTOP_CTL_AUTHENTICATE_PACKET is the expert authentication packet. It is only used when the novice or expert is using version 1. The authentication packet includes the RA connection string and is sent to the novice.
The Expert encrypts and sends the PassStub in the expertBlob field of the authentication packet. The expertBlob is a Unicode-based set of PropertyName, PropertyValue pairs, as shown in the following example. Note that each pair is prefixed with the length of the characters in the pair, including the equal (=) sign. "NAME" and "PASS" are the only two properties used in expertBlob.
NOTE: Unless you decrypt the network trace from the client, the expert blob might not be readable in the trace since the traffic of the RDP virtual channel RC_CTL is normally encrypted. One alternative to get the value is to debug the expert.
In the example, the "NAME" property has PropertyValue "Edgar Olougouna", so the encoded value of expertBlob is "20;NAME=Edgar Olougouna".
The "PASS" property is used when a version 1 expert is making a connection with an RAI file where RCTICKETENCRYPTED is enabled. As shown in the example, the PASS property value is a string and it contains the result of encrypting the PassStub in the RAI file with the password key (ref. [MS-RAI] section 6).
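To make the length-prefixed PropertyName=PropertyValue layout concrete, here is an added example (my own code, not from the post or from Windows) that serializes and parses expertBlob text. It reproduces the "20;NAME=Edgar Olougouna" encoding from the post; the assumption that several pairs are simply concatenated with no separator between them is mine. The parser trusts the length prefix rather than scanning for delimiters, which is what lets a PASS value containing ';' or '=' survive, and it rejects a truncated or malformed blob instead of silently misreading it.

```python
from typing import Dict, List, Tuple


def encode_expert_blob(props: List[Tuple[str, str]]) -> str:
    """Serialize (PropertyName, PropertyValue) pairs as expertBlob text.
    Each 'NAME=VALUE' pair is prefixed by its character count (including the
    '=') and a ';'. Concatenating pairs back-to-back is an assumption here."""
    parts = []
    for name, value in props:
        pair = f"{name}={value}"
        parts.append(f"{len(pair)};{pair}")
    return "".join(parts)


def decode_expert_blob(blob: str) -> Dict[str, str]:
    """Parse expertBlob text into a dict, honouring each length prefix.
    Raises ValueError on a missing/non-numeric prefix, a pair that runs past
    the end of the blob, or a pair with no '=' (defensive parsing)."""
    props: Dict[str, str] = {}
    pos = 0
    while pos < len(blob):
        semi = blob.find(";", pos)
        if semi < 0 or not blob[pos:semi].isdigit():
            raise ValueError(f"bad length prefix at offset {pos}")
        length = int(blob[pos:semi])
        start, end = semi + 1, semi + 1 + length
        if end > len(blob):
            raise ValueError("pair length runs past end of blob")
        name, eq, value = blob[start:end].partition("=")
        if not eq or not name:
            raise ValueError(f"pair without '=' at offset {start}")
        props[name] = value
        pos = end
    return props


if __name__ == "__main__":
    # Constructed sample: the NAME from the post plus a placeholder PASS value.
    blob = encode_expert_blob([("NAME", "Edgar Olougouna"), ("PASS", "<blob>")])
    print(blob)
    print(decode_expert_blob(blob))
```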
Password encryption flow and validation for connection string type 1
Here, I walk through the encryption flow and provide relevant Windows APIs [MSDN-CRYPTO].
1. Derivation of the password key
2. Encryption of the PassStub data
In my example, where PassStub="RT=0PvIndan52*", the Unicode data passed to CryptEncrypt() would translate to:
1c 00 00 00 52 00 54 00-3d 00 30 00 50 00 76 00 49 00 6e 00 64 00 61 00-6e 00 35 00 32 00 2a 00
For visual layout:
1c 00 00 00 52 00 54 00-3d 00 30 00 50 00 76 00 ....R.T.=.0.P.v.
49 00 6e 00 64 00 61 00-6e 00 35 00 32 00 2a 00 I.n.d.a.n.5.2.*.
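The dump above shows that the buffer is a 4-byte little-endian length followed by the PassStub in UTF-16LE with no terminator, and that the length is a byte count (0x1c = 28 = 14 characters x 2), not a character count. The following added example (my own code, not from the post or from Windows) builds that buffer, parses it back with a check that the prefix agrees with the payload, and prints it in the same hexdump layout so the two lines above can be reproduced exactly. It stops at the plaintext; the post does not give the key-derivation parameters, so no encryption is attempted here.

```python
import struct


def passstub_plaintext(passstub: str) -> bytes:
    """Build the plaintext handed to CryptEncrypt(): a 4-byte little-endian
    byte count followed by the PassStub as UTF-16LE, no terminator."""
    data = passstub.encode("utf-16-le")
    return struct.pack("<I", len(data)) + data


def parse_passstub_plaintext(buf: bytes) -> str:
    """Inverse of passstub_plaintext(). Rejects a prefix that disagrees with
    the payload length or an odd byte count, either of which indicates a
    truncated or tampered buffer rather than a valid UTF-16 string."""
    if len(buf) < 4:
        raise ValueError("buffer shorter than its length prefix")
    (count,) = struct.unpack_from("<I", buf)
    payload = buf[4:]
    if count != len(payload) or count % 2:
        raise ValueError(f"prefix {count} does not match {len(payload)} payload bytes")
    return payload.decode("utf-16-le")


def hexdump(buf: bytes, width: int = 16) -> str:
    """Render bytes in the post's layout: 16 hex bytes per line with '-'
    between the two 8-byte halves, then an ASCII column with '.' for
    non-printable bytes."""
    lines = []
    for off in range(0, len(buf), width):
        chunk = buf[off:off + width]
        hx = [f"{b:02x}" for b in chunk]
        hex_part = " ".join(hx[:8]) + "-" + " ".join(hx[8:])
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{hex_part} {ascii_part}")
    return "\n".join(lines)


if __name__ == "__main__":
    buf = passstub_plaintext("RT=0PvIndan52*")   # the PassStub from the post
    print(hexdump(buf))
    print(parse_passstub_plaintext(buf))
```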
The output of the CryptEncrypt() call is the blob; that is the property value for the "PASS" property in the expertBlob:
[MS-RA]: Remote Assistance Protocol Specification
[MS-RAI]: Remote Assistance Initiation Protocol Specification
[MS-RDPBCGR]: Remote Desktop Protocol: Basic Connectivity and Graphics Remoting Specification
[MS-RDPEGDI]: Remote Desktop Protocol: Graphics Device Interface (GDI) Acceleration Extensions
Description of the Remote Assistance Connection Process
Overview of Remote Assistance in Windows XP
[MSDN-CRYPTO]: Cryptography Reference