[cifs-protocol] [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID#2106210040004026

Jeff McCashland jeffm at microsoft.com
Mon Jun 21 22:46:19 UTC 2021


Hi Isaac, 

Thank you for the fast responses and trace file. I have been able to confirm the field order and flags as you indicated. 

I will file a request to update [MS-CSSP] and follow up. 

Thank you for bringing this to our attention. Please continue to send any protocol issues you find to our DocHelp alias. 

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Monday, June 21, 2021 11:50 AM
To: Jeff McCashland <jeffm at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Jeff McCashland <jeffm at microsoftsupport.com>
Subject: Re: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID#2106210040004026

Uploaded as a zip file; btw last time I checked 'tar -xzvf file.tgz'
worked just fine on modern Windows.

Thanks

On Mon, Jun 21, 2021 at 9:38 PM Jeff McCashland <jeffm at microsoft.com> wrote:
>
> Hi Isaac,
>
> Could you upload the file as a .zip? I don't think we have a site license for WinZip.
>
> Best regards,
> Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open 
> Specifications Team
>
> -----Original Message-----
> From: Isaac Boukris <iboukris at gmail.com>
> Sent: Monday, June 21, 2021 11:29 AM
> To: Jeff McCashland <jeffm at microsoft.com>
> Cc: cifs-protocol at lists.samba.org; Jeff McCashland 
> <jeffm at microsoftsupport.com>
> Subject: Re: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 
> 2.2.1.2.3.1 - TrackingID#2106210040004026
>
> Hi Jeff,
>
> I've uploaded the file TSRemoteGuardCreds.tgz in there; the relevant packet is 460 on port 3389. To view it thoroughly dissected with Wireshark you'd need to build from source with the above MR's patch.
>
> Here is what I look at:
>
>  supplementalCreds: 1 item
>         TSRemoteGuardPackageCred
>             packageName: NTLM
>             credBuffer: 0200ffff08000000d389fe0bc98d23bfef683a874e048c59000000000200000054000000...
>                 NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL
>                     Version: MSV1_0_CRED_VERSION_REMOTE (0xffff0002)
>                     Flags: 0x00000008, credkey_present
>                         .... .... .... .... .... .... .... ...0 = lm_present: False
>                         .... .... .... .... .... .... .... ..0. = nt_present: False
>                         .... .... .... .... .... .... .... .0.. = removed: False
>                         .... .... .... .... .... .... .... 1... = credkey_present: True
>                         .... .... .... .... .... .... ...0 .... = sha_present: False
>                     CredentialKey: d389fe0bc98d23bfef683a874e048c5900000000
>                     CredentialKeyType: DomainUserCredKey (2)
>                     EncryptedCredsSize: 84
>                     EncryptedCreds: ca7a124b7c282f0c714e025b3f5486310100000000000000000000000000000047e76748...
>
> If CredentialKeyType came first, it would have a weird value, while if it comes after the CredentialKey then it is 2, matching the expected DomainUserCredKey value.
>
> And this is the hex of the whole ASN1 TSRemoteGuardPackageCred structure:
>
> 3081dea00a04084e0054004c004d00a181cf0481cc0200ffff08000000d389fe0bc98d
> 23bfef683a874e048c59000000000200000054000000ca7a124b7c282f0c714e025b3f
> 5486310100000000000000000000000000000047e7674810c28f0cdb956d0aa1f4cac4
> 005fb744b102871e16b207d789b3da815b9fac95ba79da02c2ba0e134472979f4b5926
> 2100000000000000000000000000000000000000000000000000000000000000000000
> 0000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000
>
> Regards
>
> On Mon, Jun 21, 2021 at 8:45 PM Jeff McCashland <jeffm at microsoft.com> wrote:
> >
> > Hi Isaac,
> >
> > I have created a workspace for uploading files related to this case (credentials below). Can you provide a decrypted network trace showing the structure and flags as you have reported seeing on the wire?
> >
> > Log in as: 2106210040004026_isaac at dtmxfer.onmicrosoft.com
> > 1-time: (19GrM9h
> >
> > Workspace link:
> >
> > Best regards,
> > Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> > We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292
> >
> > -----Original Message-----
> > From: Jeff McCashland
> > Sent: Monday, June 21, 2021 10:38 AM
> > To: Isaac Boukris <iboukris at gmail.com>
> > Cc: cifs-protocol at lists.samba.org; jeffm at microsoftsupport.com
> > Subject: RE: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section
> > 2.2.1.2.3.1 - TrackingID#2106210040004026
> >
> > [Mike to BCC]
> >
> > Hi Isaac,
> >
> > I altered the Subject line to branch this to a separate email thread for your notes on [MS-CSSP] Windows Behavior Note <22> for section 2.2.1.2.3.1 (SR 2106210040004026). I will not be addressing the point about the ServiceTicket in this case/thread, just the supplemental creds structure and flags.
> >
> > I will investigate the issues with this note, and let you know what I find.
> >
> > Best regards,
> > Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> > We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292
> >
> > -----Original Message-----
> > From: Mike Bowen <Mike.Bowen at microsoft.com>
> > Sent: Monday, June 21, 2021 9:24 AM
> > To: Isaac Boukris <iboukris at gmail.com>; 
> > cifs-protocol at lists.samba.org
> > Cc: Mike Bowen <mibowe at microsoftsupport.com>
> > Subject: RE: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section
> > 2.2.1.2.3.1 - TrackingID#2106210040004166 -
> > TrackingID#2106210040004026
> >
> > [BCC DocHelp]
> >
> > Hi Isaac,
> >
> > Thank you for contacting Microsoft Open Specifications Support. Two cases have been created for this inquiry: TrackingID#2106210040004166 and TrackingID#2106210040004026. Please leave the numbers in the subject line for reference. One of our team members will follow up with you soon.
> >
> > Best regards,
> > Mike Bowen
> > Escalation Engineer - Microsoft Open Specifications 
> > Mike.Bowen at microsoft.com
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Isaac Boukris <iboukris at gmail.com>
> > Sent: Monday, June 21, 2021 3:48 AM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>; 
> > cifs-protocol at lists.samba.org
> > Subject: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section
> > 2.2.1.2.3.1
> >
> > Hello dochelp!
> >
> > While working on adding TSRemoteGuardCreds to wireshark's credssp 
> > dissector, I noticed that the NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL
> > struct in MS-CSSP appendix <22> Section 2.2.1.2.3.1 seems to be incorrect and the MSV1_0_CREDENTIAL_KEY actually comes before the MSV1_0_CREDENTIAL_KEY_TYPE.
> >
> > It in fact looks quite like the struct below; could you amend it, please?
> >
> > typedef struct _MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL {
> >     ULONG Version;
> >     ULONG Flags;
> >     MSV1_0_CREDENTIAL_KEY CredentialKey;
> >     MSV1_0_CREDENTIAL_KEY_TYPE CredentialKeyType;
> >     ULONG EncryptedCredsSize;
> >     UCHAR EncryptedCreds[ANYSIZE_ARRAY];
> > } MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL, *PMSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL;
> >
> > Also, the appendix only defines LM_PRESENT and NT_PRESENT as flags, while on the wire I only see CREDKEY_PRESENT. Could you please update the relevant flags and their meaning, or add a link to them?
> >
> > As a last note: the appendix says that "The ServiceTicket member within the KERB_TICKET_LOGON structure is a ticket to the computer account. Windows CredSSP clients will use Kerberos User to User tickets ([RFC4120], section 2.9.2) as the ServiceTicket". However, from the packet capture it looks like, although a U2U ticket is used for the authentication in the CredSSP exchange, the ServiceTicket in the KERB_TICKET_LOGON is a regular service ticket, which the Windows client fetches before fetching the U2U one.
> >
> > You may find a packet capture including the keys on my draft MR
> > (TSRemoteGuardCreds.tgz):
> > https://gitlab.com/wireshark/wireshark/-/merge_requests/3419
> >
> > Thanks!
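The wire layout Isaac reports above, walked through with a small parser added here (not code from the thread, the Wireshark MR or Microsoft): it unwraps the DER TSRemoteGuardPackageCred hex posted in the thread, then parses the credBuffer both in the observed order (CredentialKey before CredentialKeyType) and in the appendix's printed order, showing that the key type only decodes to DomainUserCredKey (2) in the former. Assumed: the flag bit names as shown in the Wireshark output and a fixed 20-byte MSV1_0_CREDENTIAL_KEY.

```python
import struct

# DER hex of the TSRemoteGuardPackageCred from the thread (packet 460, port 3389).
PACKAGE_CRED_HEX = (
    "3081dea00a04084e0054004c004d00a181cf0481cc0200ffff08000000d389fe0bc98d"
    "23bfef683a874e048c59000000000200000054000000ca7a124b7c282f0c714e025b3f"
    "5486310100000000000000000000000000000047e7674810c28f0cdb956d0aa1f4cac4"
    "005fb744b102871e16b207d789b3da815b9fac95ba79da02c2ba0e134472979f4b5926"
    "2100000000000000000000000000000000000000000000000000000000000000000000"
    "0000000000000000000000000000000000000000000000000000000000000000000000"
    "000000000000000000000000000000"
)
# Flag bits as the Wireshark dissection in the thread names them (assumed).
FLAG_NAMES = {0x01: "lm_present", 0x02: "nt_present", 0x04: "removed",
              0x08: "credkey_present", 0x10: "sha_present"}
KEY_LEN = 20  # MSV1_0_CREDENTIAL_KEY assumed to be a fixed 20-byte array

def der_tlv(buf, off=0):
    """Read one DER element at buf[off]; return (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def parse_package_cred(der):
    """SEQUENCE { packageName [0] OCTET STRING, credBuffer [1] OCTET STRING }."""
    _, seq, _ = der_tlv(der)
    _, name_ctx, nxt = der_tlv(seq)
    _, buf_ctx, _ = der_tlv(seq, nxt)
    name = der_tlv(name_ctx)[1].decode("utf-16-le")  # [0] wraps an OCTET STRING
    return name, der_tlv(buf_ctx)[1]                  # [1] wraps the credBuffer

def parse_supplemental(cred, key_before_type=True):
    """NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL; key_before_type=True is the wire
    order reported in the thread, False the order printed in appendix <22>."""
    version, flags = struct.unpack_from("<II", cred, 0)
    if key_before_type:
        key = cred[8:8 + KEY_LEN]
        key_type, size = struct.unpack_from("<II", cred, 8 + KEY_LEN)
    else:  # appendix order: the first 4 key bytes get read as the type
        key_type = struct.unpack_from("<I", cred, 8)[0]
        key = cred[12:12 + KEY_LEN]
        size = struct.unpack_from("<I", cred, 12 + KEY_LEN)[0]
    body = 16 + KEY_LEN  # fixed header is the same size in either order
    return {"version": version,
            "flags": [n for bit, n in FLAG_NAMES.items() if flags & bit],
            "credential_key": key.hex(), "credential_key_type": key_type,
            "encrypted_creds": cred[body:body + size]}
```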


