Captured Windows 8 KMS Activation Network Traffic

Discussion in 'Windows 8' started by Dhilip89, Aug 14, 2012.

  1. Dhilip89

    Dhilip89 MDL Novice

    Aug 14, 2012
    4
    13
    0
    #1 Dhilip89, Aug 14, 2012
    Last edited by a moderator: Jan 31, 2013
    Hello, MDL community

    My first post here
    I've just captured some network traffics while activating Windows 8 Pro with a working KMS server inside the virtual machine. The purpose is to replicate or emulating the real KMS server using some basic TCP programming, but there are some chunk of data inside which need to be studied to make it possible (possible?).

    I have uploaded documents, which I really hope this can be used to aid the KMS emulator development.

    Link:
    (This ZIP file contains 2 set documents, in .DOCX document format.)
     
  2. FreeStyler

    FreeStyler MDL Guru

    Jun 23, 2007
    3,504
    3,619
    120
    #2 FreeStyler, Aug 14, 2012
    Last edited by a moderator: Apr 20, 2017
    I know from Window 7 the data send contains the Application ID, and Windows AppID

    the App ID in the Wireshark capture, Windows 7 App ID 55c92734-d682-4d71-983e-d6ec3f16059f some in Reverse Bytes (Little/Big Endian)

    Code:
    FC 00 00 00 FC 00 00 00 00 00 04 00 01 00 00 00 02 00 00 00 F4 A1 00 00 34 27 C9 55 82 D6 71 4D 98 3E D6 EC 3F 16 05 9F 09 E5 2E AE 34 1B C0 41 AC B7 6D 46 50 16 89 15 19 52 DE 7F FA FB 4A 48 82 C9 34 D1 AD 53 E8 56 2B 14 93 AD 57 3B FE 4F BE 6C 11 B1 94 69 17 70 19 00 00 00 E3 74 27 64 6C 79 CD 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 00 42 00 6F 00 78 00 2D 00 50 00 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 85 58 55 76 87 D3 A0 81 76 E2 BD B8 82 CD 4B DB
    Application ID, ae2ee509-1b34-41c0-acb7-6d4650168915 (Windows 7 Enterprise)

    Code:
    FC 00 00 00 FC 00 00 00 00 00 04 00 01 00 00 00 02 00 00 00 F4 A1 00 00 34 27 C9 55 82 D6 71 4D 98 3E D6 EC 3F 16 05 9F 09 E5 2E AE 34 1B C0 41 AC B7 6D 46 50 16 89 15 19 52 DE 7F FA FB 4A 48 82 C9 34 D1 AD 53 E8 56 2B 14 93 AD 57 3B FE 4F BE 6C 11 B1 94 69 17 70 19 00 00 00 E3 74 27 64 6C 79 CD 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 00 42 00 6F 00 78 00 2D 00 50 00 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 85 58 55 76 87 D3 A0 81 76 E2 BD B8 82 CD 4B DB
    What the rest of the data is, i don't know (yet)
     
  3. Dhilip89

    Dhilip89 MDL Novice

    Aug 14, 2012
    4
    13
    0
    Updated document (Set B): http : // www . mediafire . com / view / ? g2c293vwh3r4cwh

    For the new Windows 8 KMS, I can't see any traces of App ID (a98bcd6d-5343-4603-8afe-5908e4611112) inside the stream. Seems something has changed (wrong capture?)
     
  4. segobi

    segobi MDL Addicted

    Jul 14, 2009
    580
    251
    30
    Probably its all encrypted and you do not have any keys to decrypt it.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. nosferati87

    nosferati87 MDL Junior Member

    Apr 6, 2011
    73
    213
    0
    KMS communication has considerably changed with Windows 8. In Windows 7 the messages were unencrypted and only appended by a hash of the message for authentication. In Windows 8 the messages seem to be longer and completely encrypted.
    The first two packets are part of the RPC protocol that is used and are not very interesting. The actual messages begin with the bytes 00 00 04 00 (Windows 7) and 00 00 05 00 (Windows 8).
     
  6. Dhilip89

    Dhilip89 MDL Novice

    Aug 14, 2012
    4
    13
    0
    #6 Dhilip89, Aug 14, 2012
    Last edited: Aug 14, 2012
    (OP)
    Spotted identical bytes (yellow color)
     

    Attached Files:

  7. Dhilip89

    Dhilip89 MDL Novice

    Aug 14, 2012
    4
    13
    0
    #7 Dhilip89, Aug 15, 2012
    Last edited by a moderator: Jan 31, 2013
    (OP)
    Updated document!

    PDF Version:
    DOCX Version:
     
  8. jarod75

    jarod75 MDL Novice

    Oct 29, 2009
    27
    21
    0
    #8 jarod75, Aug 26, 2012
    Last edited: Aug 26, 2012
    in the dump, we can see that 6b a7 13 a8 cd 9a 50 e5 ce 83 28 6d 76 07 71 ea and d2 07 81 e6 6e 32 70 22 84 4d c6 de 03 2e 02 are Salt keys. KMS Client encrypt his stream request with it. KMS decrypt the request with this key, compute the response, encrypt with the key send by client and send it back to client with encrypt key.

    At each request, the key change.
     
  9. FiB3R_OPTiC

    FiB3R_OPTiC MDL Member

    Oct 30, 2011
    154
    45
    10
    Generally speaking, with some encryption types if you already know the exact content of what is being encrypted then it's possible to decrypt the master key by brute force algorithm.
     
  10. nosferati87

    nosferati87 MDL Junior Member

    Apr 6, 2011
    73
    213
    0
    How can you be sure? Why would the server use the same nonce the client used for his request, and then still embed the key again in the response?
     
  11. jarod75

    jarod75 MDL Novice

    Oct 29, 2009
    27
    21
    0
    #11 jarod75, Aug 27, 2012
    Last edited: Aug 28, 2012
    It a non sense to reply a part of the request of the client if this part had no utility during protocol exchange !

    Be sure that if KMS join this, it's must make sense for kms client ... :eek:
     
  12. hack

    hack MDL Senior Member

    Sep 14, 2009
    293
    252
    10
    #12 hack, Aug 30, 2012
    Last edited: Nov 17, 2012
    EDIT 17-11-2012
    This is All made REDUNDANT. Read for Educational Purposes Only!

    The Simple Solution:
    http://forums.mydigitallife.net/thr...ulator-for-Increasing-KMS-Server-Client-Count
    http://forums.mydigitallife.net/threads/39048-HOW-TO-KMS-HOST-Setup-and-Charge-v-2-0



    Seeing as the Windows 7 KMS activation is better understood and depending on how difficult it is to emulate the New Windows 8 KMS activation, is the following approach doable?

    IF a VHD is leaked with a valid Win8/Server2012 KMS Host Key then we only really have to look at achieving the Minimum Activation Count of 25. In actual fact as the Windows 8 KMS activation is backwards compatible with windows 7, would it be possible to just emulate a Win7/Server2008R2 client and have a pool of 30 CMID's. The emulated win7 client activations only would need to be successful as far as the KMS host server is concerned and increase the Activation count. Would this allow the windows 8 clients to then activate against the KMS Host, is the Activation count globally applied against different OS's.

    Provided the necessary pieces of the puzzle come together we could side step the encryption of the New KMS if it proves difficult to crack.
    The only down side I can see if Windows 8/Server2012 is capable of marking systems as "Non-Genuine" against the Extended PID.

    Edit:
    After thoughts:
    Reading through old threads on the Bug in the original ZWT key-gen is it not easier just to have the Proposed Emulated Win7 KMS client change it's CMID
    to attain the Activation count on the KMS Host. I think it was discussed as an option which was doable with Office KMS activation but reading about it in a thread is not exactly like reviewing a Technical Document. Feel free to correct me if I am wrong and if this post puts at risk somebodies work let me know. It is a good read and I learnt a good lesson about treading on other peoples toes from this thread
    http://forums.mydigitallife.net/thr...er-and-Anti-AV?p=399195&viewfull=1#post399195
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. FreeStyler

    FreeStyler MDL Guru

    Jun 23, 2007
    3,504
    3,619
    120
    #13 FreeStyler, Aug 30, 2012
    Last edited: Aug 30, 2012
    Not exactly sure what you are saying, but i don't see what the ZWT keygen has to do with fake CMID request.
    First of all the ZWT keygen is no real KMS, it doesn't use make use of a KMS host key and basically it does not really matter much what data you send to it, it always returns the same value. eg: activated.
    Not sure if i am right, but if i am right the ZWT keygen contained a list of Windows Application ID's it was able to activate.
    The only alterations to the ZWT keygen was to recognize Office Application ID's as well... that is, if i remember right
     
  14. FreeStyler

    FreeStyler MDL Guru

    Jun 23, 2007
    3,504
    3,619
    120
    Yes that would allow Windows 8 clients (threshold 25) and Windows Server 2012 (threshold 5) as well.
    How the threshold works:
    4 client CMID's and 1 Server CMID make a total of 5 from where you can start activating Server OS's
    5 server CMID's and 20 Client CMID make a total of 25 from where you can start activating Client OS's as well

    I have been looking into something to fake Windows 7/Windows Server 2008 R2 activation request, faking CMID count to be able to use a KMS VHD with only a few clients.
    If anyone has more info how to accomplish this, please share.
     
  15. hack

    hack MDL Senior Member

    Sep 14, 2009
    293
    252
    10
    #15 hack, Aug 30, 2012
    Last edited: Aug 30, 2012
    Sorry probably could have worded it better. One of the approaches with the activation failure of Office with the Original ZWT was to clear the CMID (Besides changing the Hardcoded Extended PID). Is it possible rather to create an simple app that clears the windows 8 CMID from the machine and then attempts to activate it multiple times against the Valid KMS Host thus increasing the current count without the need for the emulation of the client.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  16. Stannieman

    Stannieman MDL Guru

    Sep 4, 2009
    2,232
    1,803
    90
    If the trafic is encrypted at the client side then how does the host know how to decrypt it? Either it's a fixed key and something in the first message is used a salting, or the key is based in the current time, or it's a combo.
    We need more systems and keys to play with I think. See if the first message changes when using a different machine, or a different installation id. Also see if it changes when using a different KMS key etc...
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  17. FreeStyler

    FreeStyler MDL Guru

    Jun 23, 2007
    3,504
    3,619
    120
    #17 FreeStyler, Aug 30, 2012
    Last edited: Aug 30, 2012
    The clients's CMID was send to modified keygen like it always/normally does, what could this possibly have to do with the Office activation failing using KMS keygen and/or a hardcoded Extended PID :confused:
    The CMID data send to the keygen is original, the keygen does not use this or other submitted data other for the purpose of returning proper valid data to the client, eg:
    The Windows 7 KMS activation seems to send data as clear text (unencrypted) using a hash to validate submitted/returned data.

    Clearing/changing the CMID is a solution, as far as i know this can only be done using sysprep /generalize (making it time consuming to be able to reach the 25 client threshold)
     
  18. Stannieman

    Stannieman MDL Guru

    Sep 4, 2009
    2,232
    1,803
    90
    Make a vm -> snapshot -> change CMID -> snapshot, change CMID -> snapshot. 25 snapshots.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  19. FreeStyler

    FreeStyler MDL Guru

    Jun 23, 2007
    3,504
    3,619
    120
  20. Stannieman

    Stannieman MDL Guru

    Sep 4, 2009
    2,232
    1,803
    90
    Can vm operations be batched (vmware, virtualbox, ... doesn't matter)? So when some shortcut is clicked vmware starts the first snapshot and let it run for 10 minutes, then it goes automatically to the 2nd snapshot and runs it for 10 minutes... If in each vm a kms activation script is placed in the startup folder then all clients will connect to the host. Only once a month the thing needs to be started to be good, and you can run it during the night or whatever moment you're doing nothing with your pc.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...