
License negotiation takes place during RDP connection setup. This directly affected our work on implementing RDP5 support for rdesktop.

The license negotiation used in RDP is quite complex. Basically, each device that connects to a Terminal Server is granted a license; that is, licenses are granted per connected machine, not per user. Note that a “per user” licensing mode has appeared in Windows 2003 Server, but we have not been able to investigate this.

Now, in earlier versions of Terminal Services, the license was granted before the user logged in. This caused problems since you could easily run out of licenses. In later versions, temporary licenses are granted at first connect. If a valid user logs in, a permanent license is granted the next time a connection is made.


Regardless of this, the license negotiation at the protocol level is also very complex. To start with, extra encryption is applied to the license tokens. In RDP4 this meant the license tokens were encrypted once, but in later versions they are encrypted with the transport encryption as well, meaning two different encryptions layered on top of each other. This was a problem when listening to the traffic between client and server using rdpproxy, since the RC4 state became invalid when the proxy decrypted and then re-encrypted the license data. Therefore, we had to keep track of the RC4 state to be able to correctly pass the license negotiation through between the client and the server.
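The RC4 state problem described above is a general property of stream ciphers, and the following added example illustrates it. This is example code written for this edit, not rdesktop or rdpproxy code; the keys, the PDU contents and the function names are constructed placeholders. The point it shows is that every byte passed through an RC4 object advances its internal state, so a relay that strips the transport encryption on the server leg and re-applies it on the client leg must keep one cipher state per leg, each mirroring the state of its own endpoint. The inner licensing-layer encryption of the token is left untouched and relayed as opaque bytes.

```python
"""Added example (not rdesktop/rdpproxy code): why a decrypt-then-re-encrypt
relay must keep a separate RC4 state per transport leg.

RC4 is a stream cipher: every byte that passes through a cipher object
advances its internal (S, i, j) state. A relay that reuses one state object
to decrypt traffic from the server and then re-encrypt it towards the client
desynchronises that state from both endpoints. Keys and PDU contents below
are constructed placeholders."""


class RC4:
    """Minimal RC4 (key scheduling + keystream generator), for illustration
    only; RC4 is broken and must not be used in new designs."""

    def __init__(self, key: bytes) -> None:
        S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0

    def crypt(self, data: bytes) -> bytes:
        """Encrypt or decrypt (XOR with keystream); advances the state."""
        S, out = self.S, bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + S[self.i]) & 0xFF
            S[self.i], S[self.j] = S[self.j], S[self.i]
            out.append(b ^ S[(S[self.i] + S[self.j]) & 0xFF])
        return bytes(out)


# Constructed placeholder keys: each leg of the relayed session has its own
# transport key, because each leg ran its own key exchange.
SERVER_LEG_KEY = b"placeholder-server-leg-key"
CLIENT_LEG_KEY = b"placeholder-client-leg-key"

# Constructed stand-ins for licensing PDUs. Their payload is already encrypted
# by the licensing layer; the relay treats it as opaque bytes and only removes
# and re-applies the outer transport encryption.
LICENSE_PDUS = [
    b"LICENSE_REQUEST:" + bytes(range(16)),
    b"PLATFORM_CHALLENGE:" + bytes(8),
    b"NEW_LICENSE:" + b"\xa5" * 24,
]


def relay_shared_state(pdus):
    """Broken relay: one RC4 object both strips and re-applies encryption.

    The first decrypt is correct, but the re-encrypt consumes keystream the
    client never sees, and every later decrypt is out of step with the server.
    """
    server = RC4(SERVER_LEG_KEY)
    client = RC4(CLIENT_LEG_KEY)
    relay = RC4(SERVER_LEG_KEY)   # single state, wrongly reused for both legs
    delivered = []
    for pdu in pdus:
        on_wire = server.crypt(pdu)          # server -> relay
        plain = relay.crypt(on_wire)         # state now advanced by len(pdu)
        rewrapped = relay.crypt(plain)       # re-encrypt with the advanced state
        delivered.append(client.crypt(rewrapped))
    return delivered


def relay_per_leg_state(pdus):
    """Working relay: one RC4 state per leg, each mirroring its endpoint."""
    server = RC4(SERVER_LEG_KEY)
    client = RC4(CLIENT_LEG_KEY)
    relay_in = RC4(SERVER_LEG_KEY)    # tracks the server -> relay stream
    relay_out = RC4(CLIENT_LEG_KEY)   # tracks the relay -> client stream
    delivered = []
    for pdu in pdus:
        plain = relay_in.crypt(server.crypt(pdu))
        delivered.append(client.crypt(relay_out.crypt(plain)))
    return delivered


if __name__ == "__main__":
    print("per-leg state OK:", relay_per_leg_state(LICENSE_PDUS) == LICENSE_PDUS)
    print("shared state OK:", relay_shared_state(LICENSE_PDUS) == LICENSE_PDUS)
```

Running the block prints `True` for the per-leg relay and `False` for the shared-state one: with a shared state the very first PDU is already re-encrypted under keystream the client never generated, and each subsequent decrypt drifts further from the server's position. The same consideration applies to any relay or protocol analyser that terminates a stream-cipher session on one side and re-originates it on the other.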

INDEX

Generic Conference Control . . . 23
host key . . . 92, 93
Man-In-The-Middle Attack . . . 9
MCS . . . 23
Remote Desktop Protocol . . . 1, 21
Reverse Engineering . . . 5
reverse engineering . . . 8
RSA . . . 24
selection . . . 39
session key . . . 24, 92
Software maintenance . . . 31
symmetric encryption . . . 24
T.124 . . . 23
Terminal Server Mode . . . 13
TPKT . . . 23
Virtual Private Network . . . 28
VPN . . . 28
X Window System . . . 39
X.509 . . . 26, 93


The Remote Desktop Protocol (RDP) is a protocol for accessing Microsoft Windows Terminal Services. The protocol provides remote desktop services, meaning that a graphical desktop is sent to the client and user input (keyboard and mouse events) is sent to the server, all over a narrow-bandwidth channel. The protocol is used by thin clients, i.e. clients with small resources, to reach servers in a server-based computing environment.

There is an RDP client called rdesktop, written for Unix-like operating systems. It has an X Window System graphical user interface and provides access to Terminal Servers from the Unix environment. rdesktop, however, only supports version 4 of RDP. The current version of RDP (August 2003) is 5.

Documentation of RDP can be acquired from Microsoft, but not without signing a non-disclosure agreement (most often referred to as an “NDA”). This means it is not possible to create a program with its source code available without breaking the agreement. Therefore, implementation of open source RDP clients must be preceded by reverse engineering activities.

In this report we describe how we reverse engineered version 5 of RDP and how we implemented support for it in rdesktop. We have implemented support for basic RDP5 as well as support for clipboard operations between the X Window System and Microsoft Windows.

Among the future work on rdesktop that will be possible to investigate as a result of this thesis work are support for sound redirection, disk drive redirection and support for more clipboard formats.

ADIT, Dept. of Computer and Information Science, 581 83 Linköping

2004-03-05

LITH-IDA-EX--04/082--SE

Reverse-Engineering and Implementation of the RDP 5 Protocol (Swedish title: Reverse-Engineering och Implementation av RDP 5)

Erik Forsberg

Keywords: Reverse Engineering, Network Analysis, Software Engineering, Network Security, Remote Desktop Protocol.

Copyright

Swedish

This document is kept available on the Internet, or its future replacement, for a considerable time from the date of publication, provided that no exceptional circumstances arise.

Access to the document implies permission for anyone to read, download, print out single copies for personal use and to use it unchanged for non-commercial research and for teaching. A later transfer of copyright cannot revoke this permission. All other use of the document requires the author's consent.

To guarantee authenticity, security and accessibility, solutions of a technical and administrative nature are in place.

The author's moral rights include the right to be named as author, to the extent required by good practice, when the document is used in the manner described above, as well as protection against the document being altered or presented in such a form or in such a context as is offensive to the author's literary or artistic reputation or integrity.

For further information about Linköping University Electronic Press, see the publisher's home page http://www.ep.liu.se/

English

The publishers will keep this document online on the Internet, or its possible replacement, for a considerable time from the date of publication barring exceptional circumstances.

The online availability of the document implies a permanent permission for anyone to read, to download, to print out single copies for your own use and to use it unchanged for any non-commercial research and educational purpose. Subsequent transfers of copyright cannot revoke this permission. All other uses of the document are conditional on the consent of the copyright owner. The publisher has taken technical and administrative measures to assure authenticity, security and accessibility.

According to intellectual property law the author has the right to be mentioned when his/her work is accessed as described above and to be protected against infringement. For additional information about the Linköping University Electronic Press and its procedures for publication and for assurance of document integrity, please refer to its WWW home page:

http://www.ep.liu.se/

© Erik Forsberg

Linköping, 16th January 2006
