[AnimalMuppet]

The story has a familiar ring.

Back in the day, Microsoft stored passwords in a fairly insecure format. Then they got security religion, and improved the strength of their password storage dramatically. It was very hard to crack the new format. (I don't remember exactly, but this would have been somewhere around when NT came out.)

But Microsoft was always big on backward compatibility. They wanted users of old machines to still be able to log in to the new servers. So they stored the passwords in the new, strong format, and in the old, weak format, so that they could still authenticate old clients. And that meant that attackers could still get the passwords in the weak format if they could get on the server.

This is from memory, and it's been over a decade, so I may not have all the details exactly correct...

[rogerbinns]

I worked on reverse engineering Microsoft's remote desktop protocol (RDP) back in the day. It was wrapped in encryption much like how SSL operates. France outlawed encryption except for authentication, so you just had to put the client and the server in the French country setting and then man in the middle the tcp connection. Reverse engineer away. Thanks France!

[geofft]

Ah, is that what the "Disable encryption. This option is only needed (and will only work) if you have a French version of NT TSE." option to rdesktop(1) means. I always wondered about that!

[yuhong]

Of course, the private key turned out to be hardcoded anyway.

[rogerbinns]

It was more akin to a self signed certificate, but also more complicated depending on domain setup. But also things changed a lot between RDP protocol versions.

It did take me quite a while to reverse engineer the encryption. It was mostly done using IDA Pro and SoftIce. The hardest bit was because I had several crypto books, and whichever Microsoft employee implemented their security kept doing what the books said not to do, so I'd never expect to keep encountering the "wrong" way of doing things.

https://www.hex-rays.com/products/ida/index.shtml

https://en.wikipedia.org/wiki/SoftICE

[yuhong]

http://www.rapid7.com/db/vulnerabilities/windows-rdp-constan...

I think the newer RDP versions uses TLS BTW.

[rogerbinns]

I did the reverse engineering on RDP 4, almost 10 years before that vulnerability report. With each RDP release they did very big changes to the security layer as well as other pieces. Somewhat surprisingly Microsoft did base RDP on open standards, especially a whole bunch around video messaging.

But those standards were developed by committee, so the number of ways you could do things was usually the same as the number of committee members. Then their implementation had bugs (eg drawing some parts from bottom to top when the standards said top to bottom), but they didn't know this since they didn't try interoperating with other implementations. The initial "security" was some half assed hack, and yes in later versions they did switch to TLS.

Note that the security is complicated because of domain membership, WAN vs LAN, and a bunch of other related issues.

[jakejake]

Yep I remember there were password cracker programs that would recover the "LM" version of the password in seconds. I was a network admin at the time and remember having to turn this "feature" off once we discovered it.

[yuhong]

Ah, LM vs NT hash.

[dsp1234]

http://en.wikipedia.org/wiki/LM_hash

vs

http://en.wikipedia.org/wiki/NT_LAN_Manager#NTLMv1

and

http://en.wikipedia.org/wiki/NT_LAN_Manager#NTLMv2

[yuhong]

In summary, the original LM protocol used a "hash" based on 56-bit DES. NTLMv1 supports both the older LM hash and the newer NT hash based on MD4, but still used 56-bit DES encryption to encrypt them (this is what CloudCracker was designed to crack though nothing stops it from using it to crack any DES encryption). NTLMv2 uses HMAC-MD5 instead which fixes the problem.

[AnimalMuppet]

Yeah, that was it.