
List:       cifs-protocol
Subject:    [cifs-protocol] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1
From:       Isaac Boukris via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date:       2021-06-21 10:48:04
Message-ID: CAC-fF8SoeAUtNth6s1F9KJVKO0DNw29u+CTwHdC8s-NGuwGe=A () mail ! gmail ! com

Hello dochelp!

While working on adding TSRemoteGuardCreds to Wireshark's CredSSP
dissector, I noticed that the NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL
struct in MS-CSSP appendix <22> Section 2.2.1.2.3.1 seems to be
incorrect: the MSV1_0_CREDENTIAL_KEY actually comes before the
MSV1_0_CREDENTIAL_KEY_TYPE.

In fact it looks quite like the struct below; could you amend it, please?

typedef struct _MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL {
ULONG Version;
ULONG Flags;
MSV1_0_CREDENTIAL_KEY CredentialKey;
MSV1_0_CREDENTIAL_KEY_TYPE CredentialKeyType;
ULONG EncryptedCredsSize;
UCHAR EncryptedCreds[ANYSIZE_ARRAY];
} MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL,
*PMSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL;

Also, the appendix only defines LM_PRESENT and NT_PRESENT as flags,
while on the wire I only see CREDKEY_PRESENT; could you please update
the relevant flags and their meaning, or add a link to them.

As a last note: the appendix says that "The ServiceTicket member
within the KERB_TICKET_LOGON structure is a ticket to the computer
account. Windows CredSSP clients will use Kerberos User to User
tickets ([RFC4120], section 2.9.2) as the ServiceTicket". However,
from the packet capture it looks like, although a U2U ticket is used
for the authentication in the CredSSP exchange, the ServiceTicket in
the KERB_TICKET_LOGON is a regular service ticket, which the Windows
client fetches before fetching the U2U one.

You may find a packet capture including the keys on my draft MR
(TSRemoteGuardCreds.tgz):
https://gitlab.com/wireshark/wireshark/-/merge_requests/3419

Thanks!

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
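The struct layout proposed in the message above, as an added example that is not part of the original e-mail, the MS-CSSP document or the Wireshark dissector: a bounds-checked parser that reads the blob in the wire order reported there (CredentialKey before CredentialKeyType), plus a helper showing what the appendix's printed order would have taken as the key type for the same bytes. It assumes MSV1_0_CREDENTIAL_KEY is 20 bytes (MSV1_0_CREDENTIAL_KEY_LENGTH in ntsecapi.h), that all integers are little-endian, and that CREDKEY_PRESENT is the 0x8 bit as MSV1_0_CRED_CREDKEY_PRESENT in ntsecapi.h; the sample buffer is constructed here, not taken from the capture on the merge request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSV1_0_CREDENTIAL_KEY_LENGTH 20   /* size of MSV1_0_CREDENTIAL_KEY (ntsecapi.h) */

/* Flag bits in Flags. LM_PRESENT and NT_PRESENT are the two the appendix
 * lists; the CREDKEY_PRESENT value is an assumption taken from
 * MSV1_0_CRED_CREDKEY_PRESENT in ntsecapi.h, not from the e-mail above. */
#define MSV1_0_CRED_LM_PRESENT      0x00000001u
#define MSV1_0_CRED_NT_PRESENT      0x00000002u
#define MSV1_0_CRED_CREDKEY_PRESENT 0x00000008u   /* assumed value */

typedef struct {
    uint32_t       version;
    uint32_t       flags;
    uint8_t        credential_key[MSV1_0_CREDENTIAL_KEY_LENGTH];
    uint32_t       credential_key_type;
    uint32_t       encrypted_creds_size;
    const uint8_t *encrypted_creds;   /* points into the caller's buffer, not copied */
} msv1_0_remote_supplemental_credential;

/* Wire integers are little-endian; read byte-wise so host endianness and
 * struct padding play no part. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse in the order seen on the wire: Version, Flags, CredentialKey,
 * CredentialKeyType, EncryptedCredsSize, EncryptedCreds[].
 * Returns 0 on success, -1 if the buffer is shorter than the fixed header
 * or EncryptedCredsSize would run past the end of it. */
int parse_remote_supplemental_credential(const uint8_t *buf, size_t len,
                                         msv1_0_remote_supplemental_credential *out)
{
    const size_t header_len = 4 + 4 + MSV1_0_CREDENTIAL_KEY_LENGTH + 4 + 4; /* 36 bytes */
    if (buf == NULL || out == NULL || len < header_len)
        return -1;
    out->version = rd_le32(buf);
    out->flags   = rd_le32(buf + 4);
    memcpy(out->credential_key, buf + 8, MSV1_0_CREDENTIAL_KEY_LENGTH);
    out->credential_key_type  = rd_le32(buf + 8 + MSV1_0_CREDENTIAL_KEY_LENGTH);
    out->encrypted_creds_size = rd_le32(buf + 12 + MSV1_0_CREDENTIAL_KEY_LENGTH);
    if (out->encrypted_creds_size > len - header_len)
        return -1;                       /* truncated blob or hostile length field */
    out->encrypted_creds = buf + header_len;
    return 0;
}

/* The same bytes read in the order the appendix prints (KeyType before Key):
 * returns what a dissector following the appendix would show as the key type. */
uint32_t key_type_if_appendix_order(const uint8_t *buf, size_t len)
{
    return len >= 12 ? rd_le32(buf + 8) : 0xFFFFFFFFu;
}

/* Constructed sample (not from the capture): Version 0, Flags = CREDKEY_PRESENT,
 * a 20-byte key 01..14, CredentialKeyType 0, and 4 bytes of "ciphertext". */
static const uint8_t sample[] = {
    0x00,0x00,0x00,0x00,                                    /* Version            */
    0x08,0x00,0x00,0x00,                                    /* Flags              */
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,      /* CredentialKey[0..9] */
    0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,      /* CredentialKey[10..19] */
    0x00,0x00,0x00,0x00,                                    /* CredentialKeyType  */
    0x04,0x00,0x00,0x00,                                    /* EncryptedCredsSize */
    0xde,0xad,0xbe,0xef                                     /* EncryptedCreds     */
};

const uint8_t *sample_buf(void) { return sample; }
size_t         sample_len(void) { return sizeof sample; }

int main(void)
{
    msv1_0_remote_supplemental_credential c;
    if (parse_remote_supplemental_credential(sample_buf(), sample_len(), &c) != 0) {
        puts("parse failed");
        return 1;
    }
    printf("Version=%u Flags=0x%08x KeyType=%u CredsSize=%u CREDKEY_PRESENT=%s\n",
           c.version, c.flags, c.credential_key_type, c.encrypted_creds_size,
           (c.flags & MSV1_0_CRED_CREDKEY_PRESENT) ? "yes" : "no");
    printf("KeyType if read in the appendix's order: 0x%08x\n",
           key_type_if_appendix_order(sample_buf(), sample_len()));
    return 0;
}
```

Reading the same sample in the appendix's order turns the first four key bytes into a nonsense key type, which is the kind of mismatch that shows up immediately in a dissector; the length check before `encrypted_creds` is the part that matters when the blob comes from an untrusted peer.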