[cifs-protocol] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1

Isaac Boukris iboukris at gmail.com
Mon Jun 21 10:48:04 UTC 2021


Hello dochelp!

While working on adding TSRemoteGuardCreds to wireshark's credssp
dissector, I noticed that the NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL
struct in MS-CSSP appendix <22> Section 2.2.1.2.3.1 seems to be
incorrect and the MSV1_0_CREDENTIAL_KEY actually comes before the
MSV1_0_CREDENTIAL_KEY_TYPE.

It in fact looks quite like the struct below; could you amend it, please?

typedef struct _MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL {
    ULONG Version;
    ULONG Flags;
    MSV1_0_CREDENTIAL_KEY CredentialKey;
    MSV1_0_CREDENTIAL_KEY_TYPE CredentialKeyType;
    ULONG EncryptedCredsSize;
    UCHAR EncryptedCreds[ANYSIZE_ARRAY];
} MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL,
  *PMSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL;

Also, the appendix only defines LM_PRESENT and NT_PRESENT as flags,
while on the wire I only see CREDKEY_PRESENT; could you please update
the relevant flags and their meaning, or add a link to it.

As a last note: the appendix says that "The ServiceTicket member
within the KERB_TICKET_LOGON structure is a ticket to the computer
account. Windows CredSSP clients will use Kerberos User to User
tickets ([RFC4120], section 2.9.2) as the ServiceTicket" - however
from the packet capture it looks like although a U2U ticket is used
for the authentication in the credssp exchange, the ServiceTicket in
the KERB_TICKET_LOGON is a regular service ticket, which the Windows
client fetches before fetching the U2U one.

You may find a packet capture including the keys on my draft MR
(TSRemoteGuardCreds.tgz):
https://gitlab.com/wireshark/wireshark/-/merge_requests/3419

Thanks!
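As an added illustration (not part of the original message, nor of Wireshark's credssp dissector), here is a small Python decoder for the field order proposed above, with a second decoder that uses the order as printed in the appendix so the misread can be seen side by side. It assumes MSV1_0_CREDENTIAL_KEY_LENGTH is 20 and the MSV1_0_CREDENTIAL_KEY_TYPE enumerator names and values from ntsecapi.h; the flag bit positions are placeholders chosen for the example, since the message names the flags but not their values, and the input blob is constructed, not taken from the capture.

```python
import struct
from dataclasses import dataclass

# Decoder for the MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL layout proposed in the
# message (CredentialKey before CredentialKeyType). All integers are little-endian ULONGs.
CREDENTIAL_KEY_LENGTH = 20  # MSV1_0_CREDENTIAL_KEY_LENGTH in ntsecapi.h (assumed here)

# Version, Flags, CredentialKey, CredentialKeyType, EncryptedCredsSize (order seen on the wire)
PROPOSED = struct.Struct("<II%dsII" % CREDENTIAL_KEY_LENGTH)
# Version, Flags, CredentialKeyType, CredentialKey, EncryptedCredsSize (order printed in the appendix)
DOCUMENTED = struct.Struct("<III%dsI" % CREDENTIAL_KEY_LENGTH)

# Flag names are the ones the message mentions; the bit values are placeholders for
# this example and are NOT taken from MS-CSSP.
FLAG_NAMES = {0x00000001: "LM_PRESENT", 0x00000002: "NT_PRESENT", 0x00000004: "CREDKEY_PRESENT"}

# MSV1_0_CREDENTIAL_KEY_TYPE enumerators as listed in ntsecapi.h (assumed here).
KEY_TYPE_NAMES = {0: "InvalidCredKey", 1: "DeprecatedIUMCredKey", 2: "DomainUserCredKey",
                  3: "LocalUserCredKey", 4: "ExternallySuppliedCredKey"}


@dataclass
class RemoteSupplementalCredential:
    version: int
    flags: int
    credential_key: bytes
    credential_key_type: int
    encrypted_creds: bytes

    def flag_names(self):
        names = [n for bit, n in FLAG_NAMES.items() if self.flags & bit]
        unknown = self.flags & ~sum(FLAG_NAMES)
        if unknown:
            names.append("UNKNOWN(0x%08x)" % unknown)
        return names

    def key_type_name(self):
        return KEY_TYPE_NAMES.get(self.credential_key_type,
                                  "UNKNOWN(0x%08x)" % self.credential_key_type)


def _decode(buf, layout, key_first):
    if len(buf) < layout.size:
        raise ValueError("truncated: need %d header bytes, have %d" % (layout.size, len(buf)))
    fields = layout.unpack_from(buf, 0)
    version, flags = fields[0], fields[1]
    if key_first:
        key, key_type = fields[2], fields[3]
    else:
        key_type, key = fields[2], fields[3]
    size = fields[4]
    body = buf[layout.size:]
    # Bound the variable-length tail by the declared size; reject short buffers
    # rather than silently returning a truncated EncryptedCreds.
    if size > len(body):
        raise ValueError("EncryptedCredsSize %d exceeds remaining %d bytes" % (size, len(body)))
    return RemoteSupplementalCredential(version, flags, key, key_type, body[:size])


def parse(buf):
    """Decode with the field order observed on the wire (key before key type)."""
    return _decode(buf, PROPOSED, key_first=True)


def parse_documented_order(buf):
    """Decode with the order printed in the appendix, to show how the fields get misread."""
    return _decode(buf, DOCUMENTED, key_first=False)


def build(version, flags, key, key_type, encrypted_creds):
    """Encode in the proposed layout; used here only to construct a sample blob."""
    if len(key) != CREDENTIAL_KEY_LENGTH:
        raise ValueError("CredentialKey must be %d bytes" % CREDENTIAL_KEY_LENGTH)
    return PROPOSED.pack(version, flags, key, key_type, len(encrypted_creds)) + encrypted_creds


# Constructed sample, not a real capture: version 1, CREDKEY_PRESENT only, a
# recognisable 20-byte key, DomainUserCredKey, and 12 bytes of opaque encrypted creds.
SAMPLE = build(1, 0x00000004, bytes(range(CREDENTIAL_KEY_LENGTH)), 2, b"\xde\xad\xbe\xef" * 3)

if __name__ == "__main__":
    good = parse(SAMPLE)
    print("wire order:      ", good.flag_names(), good.key_type_name(), good.credential_key.hex())
    bad = parse_documented_order(SAMPLE)
    print("documented order:", bad.flag_names(), bad.key_type_name(), bad.credential_key.hex())
```

With the appendix's printed order, the first four bytes of the key are read as the enum and the real enum value lands at the end of the key; the size field happens to sit at the same offset in both layouts, which is why a dissector using the wrong order can still appear to consume the right number of bytes.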
