Virtual Machine Remote Control (protocol)

VMRC is a pile of garbage which is modified VNC with NTLM and Kerberos authentication. Ain't that fun?

The Kerberos portion of this protocol requires an AD to be present on the server itself, so we will be only covering NTLM itself as no one wants to bother setting up an buggy piece of shit server daemon on an AD out of all things.

Used in Virtual Server 2005.

Opening
When a VMRC client and server exchange information, the exchange of packets will be as follows:

Legend: S = Server, C = Client


 * 1) S → C: RFB 003.006
 * 2) C → S: RFB 003.006
 * 3) S → C: Authentication packet.
 * 4) C → S: NTLMSSP_NEGOTIATE
 * 5) S → C: NTLMSSP_CHALLENGE
 * 6) C → S: NTLMSSP_AUTH

Depending on how successful the authentication is, it can either:
 * 1) S → ❌: Server terminates connection to client
 * 2) S → C: Select Security Type packet with the Security Type set to 0x00.

If you got the second result, go to the Post Authentication section.

Authentication

 * 1) S → C: [0x00, 0x00, 0x00, 0x0y]

The y denotes the authentication method used:
 * 0x00: None (unused?)
 * 0x04: NTLM (NTLMSSP_NEGOTIATE flags set to 0xA208B207.)
 * 0x05: Reconnect, followed by 0x04, 0x05, 0x06, explained below
 * 0x06: Negotiate (No idea what this is... the client calls it NTLM but the structure is way different.)

0x05 always will connect twice if detected, and changes the authentication method to:
 * 0x04: NTLM (NTLMSSP_NEGOTIATE flags set to 0xA2088207.)
 * 0x05: Kerberos.
 * 0x06: NTLM/Negotiate (NTLMSSP_NEGOTIATE flags set to 0xE2088297.)

Post Authentication

 * 1) C → S: Select Security Type packet with the Security Type set to 0x01.
 * 2) S → C: "Share desktop flag" with what seems to be a length of 0x0e followed by "Virtual Server"