[cifs-protocol] [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID#2106210040004026

Jeff McCashland jeffm at microsoft.com
Mon Jun 21 17:45:25 UTC 2021


Hi Isaac,

I have created a workspace for uploading files related to this case (credentials below). Can you provide a decrypted network trace showing the structure and flags as you have reported seeing on the wire? 

Log in as: 2106210040004026_isaac at dtmxfer.onmicrosoft.com
1-time: (19GrM9h

Workspace link: https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiMmRhMDBlMmItNGYxNS00OGM3LTk1ZWMtZGQ1YmZlODY3NGI5Iiwic3IiOiIyMTA2MjEwMDQwMDA0MDI2IiwiYXBwaWQiOiJlNmVlNDNlYi0wZmJjLTQ1NDYtYmM1Mi00YzE2MWZjZGY0YzQiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiJjYjMzYTJlZS04ZjU3LTQ2YzMtYTlmMS0zMjdlMjJlOTgwZDEiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE2MzIwNzMzMzAsIm5iZiI6MTYyNDI5NzMzMH0.dMbs8QQZs-GHiLs-8momYF38CXSv6H5bAzw89gvaoWFtTTd25TgdXkdvMivwxsP2lPt5xJV6rKTp5yrRS8c07pJ6pP5tHQoYM671QLkVz364sbJsB9tadcxG1qtH7kapj2FD7Z5l8S4GEaoFNmHhYOWH_45N4blm2K2IWhtzSTsJ8Znxmv5CDFfqZ1B92ZHIgDJUUcztgHby1urFC5rIkQ1cTr23TAqbNY5hg5DSYQ1PCGXHvq1_a8IcgumA8Mf8D5ylxW3IyktK7567sJC2bTns77KDMv5lVUjDXlRhRK1pAejSH3zXjGPwj4J2rLBYtE2TyI27rFzeKhgVm1sK-g&wid=2da00e2b-4f15-48c7-95ec-dd5bfe8674b9

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Jeff McCashland 
Sent: Monday, June 21, 2021 10:38 AM
To: Isaac Boukris <iboukris at gmail.com>
Cc: cifs-protocol at lists.samba.org; jeffm at microsoftsupport.com
Subject: RE: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID#2106210040004026

[Mike to BCC]

Hi Isaac,

I altered the Subject line to branch this to a separate email thread for your notes on [MS-CSSP] Windows Behavior Note <22> for section 2.2.1.2.3.1 (SR 2106210040004026). I will not be addressing the point about the ServiceTicket in this case/thread, just the supplemental creds structure and flags. 

I will investigate the issues with this note, and let you know what I find. 

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Mike Bowen <Mike.Bowen at microsoft.com>
Sent: Monday, June 21, 2021 9:24 AM
To: Isaac Boukris <iboukris at gmail.com>; cifs-protocol at lists.samba.org
Cc: Mike Bowen <mibowe at microsoftsupport.com>
Subject: RE: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID#2106210040004166 - TrackingID#2106210040004026

[BCC DocHelp]

Hi Isaac,

Thank you for contacting Microsoft Open Specifications Support. Two cases have been created for this inquiry: TrackingID#2106210040004166 and TrackingID#2106210040004026. Please leave the numbers in the subject line for reference. One of our team members will follow up with you soon.

Best regards,
Mike Bowen
Escalation Engineer - Microsoft Open Specifications
Mike.Bowen at microsoft.com

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com>
Sent: Monday, June 21, 2021 3:48 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1

Hello dochelp!

While working on adding TSRemoteGuardCreds to wireshark's credssp dissector, I noticed that the NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL struct in MS-CSSP appendix <22> Section 2.2.1.2.3.1 seems to be incorrect and the MSV1_0_CREDENTIAL_KEY actually comes before the MSV1_0_CREDENTIAL_KEY_TYPE.

In fact, it looks quite like the struct below; could you amend it, please?

typedef struct _MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL {
    ULONG Version;
    ULONG Flags;
    MSV1_0_CREDENTIAL_KEY CredentialKey;          /* on the wire this comes before CredentialKeyType */
    MSV1_0_CREDENTIAL_KEY_TYPE CredentialKeyType;
    ULONG EncryptedCredsSize;
    UCHAR EncryptedCreds[ANYSIZE_ARRAY];
} MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL, *PMSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL;

Also, the appendix only defines LM_PRESENT and NT_PRESENT as flags, while on the wire I only see CREDKEY_PRESENT. Could you please update the relevant flags and their meaning, or add a link to it?

As a last note, the appendix says that "The ServiceTicket member within the KERB_TICKET_LOGON structure is a ticket to the computer account. Windows CredSSP clients will use Kerberos User to User tickets ([RFC4120], section 2.9.2) as the ServiceTicket" - however, from the packet capture it looks like, although a U2U ticket is used for the authentication in the credssp exchange, the ServiceTicket in the KERB_TICKET_LOGON is a regular service ticket, which the Windows client fetches before fetching the U2U one.

You may find a packet capture including the keys on my draft MR (TSRemoteGuardCreds.tgz):
https://gitlab.com/wireshark/wireshark/-/merge_requests/3419

Thanks!
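Added example (not code from the thread, from Wireshark or from Microsoft): a small Python parser for the MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL layout Isaac reports seeing on the wire, which also shows what the same bytes decode to when the field order printed in the appendix note (CredentialKeyType before CredentialKey) is applied. The 20-byte key length, the key-type enum values and the flag bit values are assumptions taken from ntsecapi.h, not from this thread; the sample buffer is constructed.

```python
import struct
from enum import IntEnum
# Assumption (ntsecapi.h): MSV1_0_CREDENTIAL_KEY is a fixed 20-byte opaque blob.
CREDENTIAL_KEY_LENGTH = 20

class CredKeyType(IntEnum):
    """Assumption: MSV1_0_CREDENTIAL_KEY_TYPE values as declared in ntsecapi.h."""
    InvalidCredKey = 0
    DeprecatedIUMCredKey = 1
    DomainUserCredKey = 2
    LocalUserCredKey = 3
    ExternallySuppliedCredKey = 4
# Flag names are the ones the thread mentions; bit values are assumed from ntsecapi.h.
FLAGS = {0x01: "LM_PRESENT", 0x02: "NT_PRESENT", 0x08: "CREDKEY_PRESENT"}

def parse_supplemental_credential(buf: bytes, key_before_type: bool = True) -> dict:
    """Parse a little-endian MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL.
    key_before_type=True is the wire order (CredentialKey, then CredentialKeyType);
    False is the order printed in the appendix note, kept only for comparison."""
    version, flags = struct.unpack_from("<II", buf, 0)
    off = 8
    if key_before_type:
        key = buf[off:off + CREDENTIAL_KEY_LENGTH]
        (key_type,) = struct.unpack_from("<I", buf, off + CREDENTIAL_KEY_LENGTH)
    else:
        (key_type,) = struct.unpack_from("<I", buf, off)
        key = buf[off + 4:off + 4 + CREDENTIAL_KEY_LENGTH]
    off += CREDENTIAL_KEY_LENGTH + 4
    (size,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + size > len(buf):
        raise ValueError("EncryptedCredsSize runs past the end of the buffer")
    try:
        type_name = CredKeyType(key_type).name
    except ValueError:  # an out-of-range enum is the tell-tale sign of a wrong field order
        type_name = f"unknown(0x{key_type:08x})"
    return {
        "version": version,
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        "credential_key": key.hex(),
        "key_type": type_name,
        "encrypted_creds": buf[off:off + size],
    }

def build_sample() -> bytes:
    """Constructed sample in wire order: Version 0, Flags = CREDKEY_PRESENT,
    a recognisable 20-byte key, DomainUserCredKey, then 8 zero bytes of creds."""
    key = bytes(range(1, CREDENTIAL_KEY_LENGTH + 1))
    return struct.pack("<II", 0, 0x08) + key + struct.pack("<II", 2, 8) + bytes(8)
```

Parsing the sample in wire order yields DomainUserCredKey and the intact key; parsing it in the note's order reads the first four key bytes as the type and reports an unknown value, which is the mismatch the dissector work surfaced.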
