Tags: windows, certificate, rsa, packet, rdp

In standard RDP security, where is the modulus coming from?


I'm currently working on an old system that uses RDP. According to section 4.1.4, Server MCS Connect Response PDU with GCC Conference Create Response, described in [MS-RDPBCGR], the packet contains a modulus, which should be part of an RSA key. I need to know where this comes from, because I need to decrypt some RDP packets stored as a log.

The first thing I did was look up certificates using mmc. But there was no certificate matching the modulus. Even when I issued a new self-signed certificate, there was no luck: the modulus did not change.

More specifically, this is the response packet from the testing server (VM) containing the modulus.

0000: 03 00 02 15 02 f0 80 7f 66 82 02 09 0a 01 00 02 | ......f......
0016: 01 00 30 1a 02 01 22 02 01 03 02 01 00 02 01 01 | ..0...".........
0032: 02 01 00 02 01 01 02 03 00 ff f8 02 01 02 04 82 | .............
0048: 01 e3 00 05 00 14 7c 00 01 2a 14 76 0a 01 01 00 | .....|..*.v....
0064: 01 c0 00 4d 63 44 6e 81 cc 01 0c 10 00 0c 00 08 | ..McDn.......
0080: 00 00 00 00 00 04 00 00 00 03 0c 10 00 eb 03 04 | ...............
0096: 00 ec 03 ed 03 ee 03 ef 03 02 0c ac 01 02 00 00 | ...........
0112: 00 02 00 00 00 20 00 00 00 78 01 00 00 bb e4 de | ..... ...x...
0128: 58 1a 05 8f 26 89 f8 94 0b 88 d4 79 d4 00 ac bf | X..&.y.
0144: e0 07 72 3a e5 9b 17 7f 17 d6 18 92 7f 01 00 00 | .r:........
0160: 00 01 00 00 00 01 00 00 00 06 00 1c 01 52 53 41 | .............RSA
0176: 31 08 01 00 00 00 08 00 00 ff 00 00 00 01 00 01 | 1..............
0192: 00 2d 13 bc 1d a9 5b c8 60 9b be 66 61 ab 09 13 | .-..[`fa..
0208: 4e 0a 1f 64 27 72 df 92 18 42 ea 2c 05 5d 0d a7 | N..d'r..B,.].
0224: f7 06 51 5d 22 2e 4a fa 03 c5 8d 52 47 7c fa 13 | .Q]".J..RG|.
0240: ec dd bb 81 15 50 4b b3 f0 7b e4 75 0e e6 0d b5 | ..PK{u..
0256: ab d2 4a 9c ab f6 8c 83 a3 53 0b 87 b1 07 fc 0f | JS...
0272: 29 12 f4 c8 18 fb 9f 6d 29 10 34 af 34 d0 ca 8d | )..m).44.
0288: 48 a9 2e 9e 85 9a 39 d6 6c be cb f3 36 75 60 a5 | H.9l6u`
0304: 56 a5 a3 f5 b0 6f af c3 8e 5b 03 11 e4 27 27 bf | Vo.[..''
0320: a0 05 51 aa f1 8d 84 11 53 43 59 b8 83 4f f2 2d | .Q.SCYO-
0336: 40 44 b1 f9 5a 5b e6 2d 32 e4 d8 ef 2a 5a f8 01 | @DZ[-2*Z.
0352: 08 7a 68 a0 05 e2 5b fe 50 b5 38 cd a6 f0 ef e0 | .zh.[P8.
0368: c4 6f 4e f3 f1 9d 0a 89 ce 79 4e 3d 6f e3 a2 b3 | oN.yN=o.
0384: c7 fd dc b2 d8 c6 76 e8 79 67 ca fe 71 5d a5 3d | .vygq]=
0400: d3 40 c4 a4 28 5c 11 b7 2a 51 cd 65 e4 5f fc 2a | @.(\.*Qe_*
0416: bf 4c b1 e0 96 89 05 4b c6 72 1a 62 eb a2 51 0d | L.Kr.bQ.
0432: 45 2f 23 27 67 0e a8 c6 12 ed 81 ee 09 58 10 02 | E/#'g...X..
0448: b2 00 00 00 00 00 00 00 00 08 00 48 00 e9 95 02 | ..........H..
0464: 48 e7 84 d6 fc 60 cd 29 b2 91 7c f4 e8 b4 36 5d | H`)|6]
0480: e5 5e b4 90 d4 d4 5d 6a a1 42 69 c6 4e 5c 87 f2 | ^]jBiN\
0496: 0a cd 86 f5 64 e3 4d 61 60 0a 17 c2 f8 94 93 83 | ..dMa`..
0512: cf 23 7d c4 a3 07 ad f0 b6 bc 1a b1 00 00 00 00 | #}.......
0528: 00 00 00 00 00                                  | .....

The public exponent is 01 00 01 00, and the modulus is 2d 13 bc 1d ... 58 10 02 b2, with an additional 8 bytes of zero padding.

After that, if I know the private exponent, I can decrypt the Client Random and generate the session key.

But as I've mentioned, I can't find where the modulus comes from. How can I obtain the RSA key (or the certificate, so I can use Mimikatz) for it?


Edit

I found that there is a Proprietary Certificate. It seems this is what I need to find, but I still don't know where it is.


Edit: I came across the Proprietary Certificate, but where is the private key?

It was located in the registry at HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM and is just a public key BLOB. I still need to find the private key...

Currently I'm looking into the registry key Secrets under RCM, but I don't know what these values are right now.
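Added example (my own code, not from the question or from [MS-RDPBCGR]): a parser that walks the Server Security Data block from the dump above, checks the PROPRIETARYSERVERCERTIFICATE and RSA1 blob layout the question describes (little-endian modulus followed by 8 zero bytes), and recovers e, n and the signature blob. The SHA-256 fingerprint of the modulus is my own addition, useful for comparing the key seen on the wire across captures or against the BLOB stored under the RCM registry key.

```python
import hashlib
import struct
# Constructed from the hex dump in the question: the 428-byte TS_UD_SC_SEC1 (Server Security
# Data) block that starts at the "02 0c ac 01" header (dump offset 105), columns stripped.
SC_SECURITY = bytes.fromhex(
    "020cac0102000000020000002000000078010000bbe4de"
    "581a058f2689f8940b88d479d400acbfe007723ae59b177f17d618927f010000"
    "00010000000100000006001c01525341310801000000080000ff000000010001"
    "002d13bc1da95bc8609bbe6661ab09134e0a1f642772df921842ea2c055d0da7"
    "f706515d222e4afa03c58d52477cfa13ecddbb8115504bb3f07be4750ee60db5"
    "abd24a9cabf68c83a3530b87b107fc0f2912f4c818fb9f6d291034af34d0ca8d"
    "48a92e9e859a39d66cbecbf3367560a556a5a3f5b06fafc38e5b0311e42727bf"
    "a00551aaf18d8411534359b8834ff22d4044b1f95a5be62d32e4d8ef2a5af801"
    "087a68a005e25bfe50b538cda6f0efe0c46f4ef3f19d0a89ce794e3d6fe3a2b3"
    "c7fddcb2d8c676e87967cafe715da53dd340c4a4285c11b72a51cd65e45ffc2a"
    "bf4cb1e09689054bc6721a62eba2510d452f2327670ea8c612ed81ee09581002"
    "b2000000000000000008004800e9950248e784d6fc60cd29b2917cf4e8b4365d"
    "e55eb490d4d45d6aa14269c64e5c87f20acd86f564e34d61600a17c2f8949383"
    "cf237dc4a307adf0b6bc1ab1000000000000000000"
)

def parse_sc_security(block):
    """Split TS_UD_SC_SEC1 into its header fields, serverRandom and serverCertificate."""
    hdr_type, hdr_len, enc_method, enc_level, rand_len, cert_len = struct.unpack_from("<HHIIII", block)
    if hdr_type != 0x0C02 or hdr_len != len(block) or 20 + rand_len + cert_len != hdr_len:
        raise ValueError("not a well-formed SC_SECURITY block")
    return {"encryption_method": enc_method, "encryption_level": enc_level,
            "server_random": block[20:20 + rand_len], "server_certificate": block[20 + rand_len:]}

def parse_proprietary_certificate(cert):
    """Parse PROPRIETARYSERVERCERTIFICATE and the little-endian RSA1 public key blob inside it."""
    version, sig_alg, key_alg, blob_type, blob_len = struct.unpack_from("<IIIHH", cert)
    # bit 31 of dwVersion marks a temporary certificate; bits 0-30 must be CERT_CHAIN_VERSION_1
    if (version & 0x7FFFFFFF) != 1 or sig_alg != 1 or key_alg != 1 or blob_type != 0x0006:
        raise ValueError("not a version-1 proprietary certificate carrying an RSA key blob")
    blob = cert[16:16 + blob_len]
    magic, keylen, bitlen, datalen, pubexp = struct.unpack_from("<4sIIII", blob)
    nbytes = bitlen // 8
    # keylen = modulus + 8 bytes of zero padding (the "additional 8 bytes" seen in the dump)
    if magic != b"RSA1" or keylen != nbytes + 8 or datalen != nbytes - 1 or len(blob) != 20 + keylen:
        raise ValueError("malformed RSA1 blob")
    modulus_le = blob[20:20 + keylen]
    if any(modulus_le[nbytes:]):
        raise ValueError("modulus padding is not zero")
    sig_type, sig_len = struct.unpack_from("<HH", cert, 16 + blob_len)
    sig = cert[20 + blob_len:20 + blob_len + sig_len] if sig_type == 0x0008 else b""
    # fingerprint is my own choice (SHA-256 of the big-endian modulus), handy for comparing captures
    return {"e": pubexp, "bits": bitlen, "n": int.from_bytes(modulus_le[:nbytes], "little"),
            "fingerprint": hashlib.sha256(modulus_le[:nbytes][::-1]).hexdigest(), "signature": sig}
```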


Solution

  • I'm closing this because I found the public key BLOB at HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Certificate in the registry, though I don't know what the private key is.