added support of hashed password (aka "password 51") to the "start pr…

…ogram from url" feature

CHANGELOG

@@ -1,4 +1,4 @@
-2017-07-22 Version 1.5.0 (beta)
+2017-07-27 Version 1.5.0 (stable)
 	changed prerequisites: IIS 8+ with websocket protocol enabled and .NET 4.5 (instead of .NET 4.0)
 	replaced Fleck websocket server by IIS 8+ websocket handler (now using standard 80 and 443 ports)
 	added websocket binary communication (no more base64 33% bandwidth overhead)
@@ -16,6 +16,7 @@
 	the remote session log is now configurable into Myrtille.Services config (disabled by default)
 	the remote session display is now responsive (scale to browser size, disabled by default)
 	if starting a program from url without setting a display resolution, it's auto-detetected from the client
+	"start program from url" feature now supports hashed passwords (aka "password 51" into .rdp files)
 	commands can now be sent directly from the browser (i.e.: image quality tweak depending on the available bandwidth)
 	simplified config.js (added enums and autodetection for major settings)
 	customizable framerate (into config.js)

DOCUMENTATION.md

@@ -30,20 +30,29 @@ All releases here: https://github.com/cedrozor/myrtille/releases
 - Myrtille.msi: MSI package (x86)
 
 ## Start remote application from URL
-Starting from version 1.3.x, it's possible to run a program automatically, on session start, from an URL. It's a feature comparable to remoteApp, which makes it easy to launch remote applications directly from internet shortcuts (.url) placed on the desktop.
+Starting from version 1.3.0, it's possible to run a program automatically, on session start, from an URL. It's a feature comparable to remoteApp (.rdp files).
+
+From version 1.5.0, Myrtille does support hashed passwords (so that the password is not plain text into the url).
 
 Currently not working with Windows 2008 servers. See notes and limitations.
 
 ### Syntax
-https://myserver/Myrtille/?__EVENTTARGET=&__EVENTARGUMENT=&server=*server*&domain=*domain* [optional]&user=*username*&password=*password*&stat=*Stat+enabled|disabled* [optional]&debug=*Debug+enabled|disabled* [optional]&browser=*HTML4|HTML5* [optional]&program=*executable path, name and parameters (double quotes must be escaped)* [optional]&width=*width (px)* [optional]&height=*height (px)* [optional]&connect=*Connect%21*
+https://myserver/Myrtille/?__EVENTTARGET=&__EVENTARGUMENT=&server=*server*&domain=*domain* [optional]&user=*username*&passwordHash=*passwordHash*&stat=*Stat+enabled|disabled* [optional]&debug=*Debug+enabled|disabled* [optional]&browser=*HTML4|HTML5* [optional]&program=*executable path, name and parameters (double quotes must be escaped)* [optional]&width=*width (px)* [optional]&height=*height (px)* [optional]&connect=*Connect%21*
+
+The pre version 1.5.0 syntax ("&password=*password*") is still supported, but it's advisable to move to the safer syntax.
+
+The parameters values **must be URL encoded**. You can use a tool like http://www.url-encode-decode.com/ (just copy & paste the encoded parameters into the URL).
 
-The parameters values **must be URL encoded**. You can use a tool like http://www.url-encode-decode.com/ for that purpose (just copy&paste the encoded parameters into the URL).
+### Password Hash
 
-**CAUTION!** please be aware that the user credentials are passed within the URL! it's unsafe to use this feature from an untrusted device or browser, because it will save the URL (and credentials) into its history.
+To generate a password hash, you can use the powershell script "password51.ps1" on the myrtille gateway (requires access to the machine). The script is located into the myrtille bin folder at runtime or into the "Myrtille.Services" project under Visual Studio.
+- Run the script (from its location folder): ". .\password51.ps1" (if needed, see powershell script execution policy: https://technet.microsoft.com/en-us/library/ee176961.aspx)
+- Call the encrypt function: "Encrypt-RDP-Password -Password *password*"
+- Copy & Paste the result into your URL
 
-Fortunaly, it's possible to have browsers into incognito mode (hence not have the URL saved). See http://www.howtogeek.com/137466/how-to-always-start-any-browser-in-private-browsing-mode/
+The password hash is only valid on the machine which generated it (the myrtille gateway); it won't work on another machine. Its length is 492 chars.
 
-Additionnaly, usage of **https://** (instead of **http://**) is strongly advised to secure the network communication.
+For further information, see https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection
 
 ## File transfer
 Myrtille supports both local and network file storage. If you want your domain users to have access to their documents whatever the connected server, follow these steps:

Myrtille.Common/Helpers/RDPCryptoHelper.cs

@@ -0,0 +1,95 @@
+/*
+    Myrtille: A native HTML4/5 Remote Desktop Protocol client.
+
+    Copyright(c) 2014-2017 Cedric Coste
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+*/
+
+using System;
+using System.Diagnostics;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.RegularExpressions;
+
+namespace Myrtille.Helpers
+{
+    public static class RDPCryptoHelper
+    {
+        /*
+        adapted from https://gallery.technet.microsoft.com/scriptcenter/Password-Text-String-34711a5e
+        original script by Ken Sweet
+
+        the powershell script ("password51.ps1", located into the myrtille bin folder at runtime or into the Myrtille.Services project under Visual Studio)
+        was modified to use "LocalMachine" instead of "CurrentUser" because the powershell user account is different than IIS
+        it was also modified to use unicode (UTF-16LE) instead of UTF-8 in order to work with .rdp files ("password 51:b:")
+        
+        to generate a password hash, you can use the script on the myrtille gateway (requires access to the machine)
+        you may require to update your script execution policy: https://technet.microsoft.com/en-us/library/ee176961.aspx
+        to run the script (from its location folder): ". .\password51.ps1" (more info about the functions usage into the script itself)
+        the password hash is only valid on the machine which generated it (the myrtille gateway); it won't work on another machine
+        the password hash is 492 chars length
+        
+        there is another, older, method to generate rdp passwords: https://www.remkoweijnen.nl/blog/2007/10/18/how-rdp-passwords-are-encrypted/
+        for a .NET/C# implementation (Remko Weijnen's tool is written in Delphi/Pascal), see https://msdn.microsoft.com/en-us/library/aa302402.aspx
+        the script method described above seems to be backward compatible with it (the 492 chars hashed passwords are decrypted by the Remko Weijnen's tool and work into .rdp files)
+        the password hash is 1329 chars length
+                
+        mstsc.exe may not save the hashed passwords by default into .rdp files; see https://superuser.com/questions/139665/windows-7-group-policy-allow-rdp-credentials-to-be-saved/140322
+        to create .rdp files with remoteapp: https://technet.microsoft.com/en-us/library/gg674996(v=ws.10).aspx
+        full remoteapp walkthrough: https://mizitechinfo.wordpress.com/2013/07/26/fast-and-easy-how-to-deploy-remoteapp-on-windows-server-2012/
+        */
+
+        public static string EncryptPassword(string password)
+        {
+            try
+            {
+                var bytes = ProtectedData.Protect(Encoding.Unicode.GetBytes(password), null, DataProtectionScope.LocalMachine);
+
+                var hex = new StringBuilder(bytes.Length * 2);
+                foreach (var _byte in bytes)
+                {
+                    hex.AppendFormat("{0:X2}", _byte);
+                }
+
+                return hex.ToString();
+            }
+            catch (Exception exc)
+            {
+                Trace.TraceError("Failed to encrypt rdp password {0} ({1})", password, exc);
+                throw;
+            }
+        }
+
+        public static string DecryptPassword(string passwordHash)
+        {
+            try
+            {
+                var bytes = new byte[passwordHash.Length / 2];
+
+                var i = 0;
+                foreach (var hex in Regex.Matches(passwordHash, "(..)"))
+                {
+                    bytes[i++] = Convert.ToByte(hex.ToString(), 16);
+                }
+
+                return Encoding.Unicode.GetString(ProtectedData.Unprotect(bytes, null, DataProtectionScope.LocalMachine));
+            }
+            catch (Exception exc)
+            {
+                Trace.TraceError("Failed to decrypt rdp password hash {0} ({1})", passwordHash, exc);
+                throw;
+            }
+        }
+    }
+}

Myrtille.Common/Myrtille.Common.csproj

@@ -92,6 +92,7 @@
     <Reference Include="System.Drawing" />
     <Reference Include="System.Messaging" />
     <Reference Include="System.Runtime.Remoting" />
+    <Reference Include="System.Security" />
     <Reference Include="System.ServiceProcess" />
     <Reference Include="System.Web" />
     <Reference Include="System.Windows.Forms" />
@@ -104,6 +105,7 @@
     <Compile Include="Helpers\IISHelper.cs" />
     <Compile Include="Helpers\PermissionsHelper.cs" />
     <Compile Include="Helpers\PipeHelper.cs" />
+    <Compile Include="Helpers\RDPCryptoHelper.cs" />
     <Compile Include="Helpers\WindowHelper.cs" />
     <Compile Include="Helpers\XmlTools.cs" />
     <Compile Include="Log\Log4netTraceFilter.cs" />

Myrtille.Web/Default.aspx

@@ -99,6 +99,9 @@
                     <input type="password" runat="server" id="password" title="user password"/>
                 </div>
 
+                <!-- hashed password (aka password 51) -->
+                <input type="hidden" runat="server" id="passwordHash"/>
+
                 <!-- program to run -->
                 <div class="inputDiv">
                     <label runat="server" id="programLabel" for="program">Program to run (optional)</label>

Myrtille.Web/Default.aspx.cs

@@ -24,6 +24,7 @@ limitations under the License.
 using System.Web;
 using System.Web.SessionState;
 using System.Web.UI;
+using Myrtille.Helpers;
 
 namespace Myrtille.Web
 {
@@ -201,7 +202,7 @@ protected void ConnectButtonClick(
                     ServerAddress = string.IsNullOrEmpty(server.Value) ? "localhost" : server.Value,
                     UserDomain = domain.Value,
                     UserName = user.Value,
-                    UserPassword = password.Value,
+                    UserPassword = string.IsNullOrEmpty(passwordHash.Value) ? password.Value : RDPCryptoHelper.DecryptPassword(passwordHash.Value),
                     ClientWidth = int.Parse(width.Value),
                     ClientHeight = int.Parse(height.Value),
                     Program = program.Value

README.md

@@ -45,12 +45,14 @@ See DOCUMENTATION.md for more details.
 ## Usage
 Once Myrtille is installed on your server, you can use it at http://myserver/myrtille. Set the rdp server address, user domain (if any), name and password then click "Connect!" to log in. "Disconnect" to log out.
 
+You can also connect a remote desktop and **start a program automatically from an url** (see DOCUMENTATION.md). From version 1.5.0, Myrtille does support encrypted credentials (aka "password 51" into .rdp files) so the urls can be distributed to third parties without compromising on security.
+
 The installer creates a self-signed certificate for https://myserver/myrtille. Like for all self-signed certificates, you will have to add a security exception into your browser (just ignore the warning message and proceed to the website).
 Of course, you can avoid that by installing a certificate provided by a trusted Certification Authority (see DOCUMENTATION.md).
 
-If you want connection information, you can enable stat (displayed on screen or browser console). If you want debug information, you can enable debug (logs are saved under the Myrtille "log" folder). *Hidden from version 1.5.x (can be enabled into default.css)*.
+If you want connection information, you can enable stat (displayed on screen or browser console). If you want debug information, you can enable debug (logs are saved under the Myrtille "log" folder). *Hidden from version 1.5.0 (can be enabled into default.css)*.
 
-You can also choose the rendering mode, HTML4 or HTML5 (HTML4 may be useful, for example, if websockets are blocked by a proxy or firewall). *Hidden (autodetected) from version 1.5.x (can be enabled into default.css)*.
+You can also choose the rendering mode, HTML4 or HTML5 (HTML4 may be useful, for example, if websockets are blocked by a proxy or firewall). *Hidden (autodetected) from version 1.5.0 (can be enabled into default.css)*.
 
 On touchscreen devices, you can pop the device keyboard with the "Keyboard" button. Then enter some text and click "Send". This can be used, for example, to paste the local clipboard content and send it to the server (then it be copied from there, within the remote session).
 Alternatively, you can run **osk.exe** (the Windows on screen keyboard, located into %SystemRoot%\System32) within the remote session. It can even be run automatically on session start (https://www.cybernetman.com/kb/index.cfm/fuseaction/home.viewArticles/articleId/197).