
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID
From:       Jeff McCashland via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date:       2021-06-21 22:46:19
Message-ID: MW4PR21MB1906B0A0F5F1AE19133CA8E3A30A9 () MW4PR21MB1906 ! namprd21 ! prod ! outlook ! com

Hi Isaac, 

Thank you for the fast responses and trace file. I have been able to confirm the field order and flags as you indicated.

I will file a request to update [MS-CSSP] and follow up. 

Thank you for bringing this to our attention. Please continue to send any protocol issues you find to our DocHelp alias.

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback. My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Isaac Boukris <iboukris@gmail.com> 
Sent: Monday, June 21, 2021 11:50 AM
To: Jeff McCashland <jeffm@microsoft.com>
Cc: cifs-protocol@lists.samba.org; Jeff McCashland <jeffm@microsoftsupport.com>
Subject: Re: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID#2106210040004026

Uploaded as a zip file; btw last time I checked 'tar -xzvf file.tgz'
worked just fine on modern Windows.

Thanks

On Mon, Jun 21, 2021 at 9:38 PM Jeff McCashland <jeffm@microsoft.com> wrote:
> 
> Hi Isaac,
> 
> Could you upload the file as a .zip? I don't think we have a site license for WinZip.
> 
> Best regards,
> Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> 
> -----Original Message-----
> From: Isaac Boukris <iboukris@gmail.com>
> Sent: Monday, June 21, 2021 11:29 AM
> To: Jeff McCashland <jeffm@microsoft.com>
> Cc: cifs-protocol@lists.samba.org; Jeff McCashland <jeffm@microsoftsupport.com>
> Subject: Re: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID#2106210040004026
> 
> Hi Jeff,
> 
> I've uploaded the file TSRemoteGuardCreds.tgz in there; the relevant packet is 460 on port 3389. To view it thoroughly dissected with Wireshark you'd need to build from source with the above MR's patch.
> Here is what I look at:
> 
> supplementalCreds: 1 item
> TSRemoteGuardPackageCred
> packageName: NTLM
> credBuffer:
> 0200ffff08000000d389fe0bc98d23bfef683a874e048c59000000000200000054000000...
> NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL
> Version: MSV1_0_CRED_VERSION_REMOTE (0xffff0002)
> Flags: 0x00000008, credkey_present
> .... .... .... .... .... .... .... ...0 =
> lm_present: False
> .... .... .... .... .... .... .... ..0. =
> nt_present: False
> .... .... .... .... .... .... .... .0.. = removed: False
> .... .... .... .... .... .... .... 1... =
> credkey_present: True
> .... .... .... .... .... .... ...0 .... =
> sha_present: False
> CredentialKey: d389fe0bc98d23bfef683a874e048c5900000000
> CredentialKeyType: DomainUserCredKey (2)
> EncryptedCredsSize: 84
> EncryptedCreds:
> ca7a124b7c282f0c714e025b3f5486310100000000000000000000000000000047e76748...
> 
> If CredentialKeyType comes first, then it would have a weird value, while if it comes after the CredentialKey then it is 2, matching the expected DomainUserCredKey value.
> And this is the hex of the whole ASN.1 TSRemoteGuardPackageCred structure:
> 
> 3081dea00a04084e0054004c004d00a181cf0481cc0200ffff08000000d389fe0bc98d
> 23bfef683a874e048c59000000000200000054000000ca7a124b7c282f0c714e025b3f
> 5486310100000000000000000000000000000047e7674810c28f0cdb956d0aa1f4cac4
> 005fb744b102871e16b207d789b3da815b9fac95ba79da02c2ba0e134472979f4b5926
> 2100000000000000000000000000000000000000000000000000000000000000000000
> 0000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000
> 
> Regards
> 
> On Mon, Jun 21, 2021 at 8:45 PM Jeff McCashland <jeffm@microsoft.com> wrote:
> > 
> > Hi Isaac,
> > 
> > I have created a workspace for uploading files related to this case (credentials below). Can you provide a decrypted network trace showing the structure and flags as you have reported seeing on the wire?
> > 
> > Log in as: 2106210040004026_isaac@dtmxfer.onmicrosoft.com
> > 1-time: (19GrM9h
> > 
> > Workspace link:
> > https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiMmRhMDBlMmItNGYxNS00OGM3LTk1ZWMtZGQ1YmZlODY3NGI5Iiwic3IiOiIyMTA2MjEwMDQwMDA0MDI2IiwiYXBwaWQiOiJlNmVlNDNlYi0wZmJjLTQ1NDYtYmM1Mi00YzE2MWZjZGY0YzQiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiJjYjMzYTJlZS04ZjU3LTQ2YzMtYTlmMS0zMjdlMjJlOTgwZDEiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE2MzIwNzMzMzAsIm5iZiI6MTYyNDI5NzMzMH0.dMbs8QQZs-GHiLs-8momYF38CXSv6H5bAzw89gvaoWFtTTd25TgdXkdvMivwxsP2lPt5xJV6rKTp5yrRS8c07pJ6pP5tHQoYM671QLkVz364sbJsB9tadcxG1qtH7kapj2FD7Z5l8S4GEaoFNmHhYOWH_45N4blm2K2IWhtzSTsJ8Znxmv5CDFfqZ1B92ZHIgDJUUcztgHby1urFC5rIkQ1cTr23TAqbNY5hg5DSYQ1PCGXHvq1_a8IcgumA8Mf8D5ylxW3IyktK7567sJC2bTns77KDMv5lVUjDXlRhRK1pAejSH3zXjGPwj4J2rLBYtE2TyI27rFzeKhgVm1sK-g&wid=2da00e2b-4f15-48c7-95ec-dd5bfe8674b9
> > 
> > Best regards,
> > Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> > We value your feedback. My manager is Natesha Morrison (namorri), +1 (704) 430-4292
> > 
> > -----Original Message-----
> > From: Jeff McCashland
> > Sent: Monday, June 21, 2021 10:38 AM
> > To: Isaac Boukris <iboukris@gmail.com>
> > Cc: cifs-protocol@lists.samba.org; jeffm@microsoftsupport.com
> > Subject: RE: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID#2106210040004026
> > 
> > [Mike to BCC]
> > 
> > Hi Isaac,
> > 
> > I altered the Subject line to branch this to a separate email thread for your notes on [MS-CSSP] Windows Behavior Note <22> for section 2.2.1.2.3.1 (SR 2106210040004026). I will not be addressing the point about the ServiceTicket in this case/thread, just the supplemental creds structure and flags.
> > 
> > I will investigate the issues with this note, and let you know what I find.
> > 
> > Best regards,
> > Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> > We value your feedback. My manager is Natesha Morrison (namorri), +1 (704) 430-4292
> > 
> > -----Original Message-----
> > From: Mike Bowen <Mike.Bowen@microsoft.com>
> > Sent: Monday, June 21, 2021 9:24 AM
> > To: Isaac Boukris <iboukris@gmail.com>; cifs-protocol@lists.samba.org
> > Cc: Mike Bowen <mibowe@microsoftsupport.com>
> > Subject: RE: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID#2106210040004166 - TrackingID#2106210040004026
> > 
> > [BCC DocHelp]
> > 
> > Hi Isaac,
> > 
> > Thank you for contacting Microsoft Open Specifications Support. Two cases have been created for this inquiry: TrackingID#2106210040004166 and TrackingID#2106210040004026. Please leave the numbers in the subject line for reference. One of our team members will follow up with you soon.
> > 
> > Best regards,
> > Mike Bowen
> > Escalation Engineer - Microsoft Open Specifications
> > Mike.Bowen@microsoft.com
> > 
> > -----Original Message-----
> > From: Isaac Boukris <iboukris@gmail.com>
> > Sent: Monday, June 21, 2021 3:48 AM
> > To: Interoperability Documentation Help <dochelp@microsoft.com>; cifs-protocol@lists.samba.org
> > Subject: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1
> > 
> > Hello dochelp!
> > 
> > While working on adding TSRemoteGuardCreds to Wireshark's credssp dissector, I noticed that the NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL struct in MS-CSSP appendix <22> Section 2.2.1.2.3.1 seems to be incorrect, and the MSV1_0_CREDENTIAL_KEY actually comes before the MSV1_0_CREDENTIAL_KEY_TYPE. It looks in fact quite like the struct below; could you amend it, please?
> > 
> > typedef struct _MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL {
> >     ULONG Version;
> >     ULONG Flags;
> >     MSV1_0_CREDENTIAL_KEY CredentialKey;
> >     MSV1_0_CREDENTIAL_KEY_TYPE CredentialKeyType;
> >     ULONG EncryptedCredsSize;
> >     UCHAR EncryptedCreds[ANYSIZE_ARRAY];
> > } MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL, *PMSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL;
> > 
> > Also, the appendix only defines LM_PRESENT and NT_PRESENT as flags, while on the wire I only see CREDKEY_PRESENT; could you please update the relevant flags and their meaning, or add a link to it.
> > 
> > As a last note: the appendix says that "The ServiceTicket member within the KERB_TICKET_LOGON structure is a ticket to the computer account. Windows CredSSP clients will use Kerberos User to User tickets ([RFC4120], section 2.9.2) as the ServiceTicket". However, from the packet capture it looks like, although a U2U ticket is used for the authentication in the credssp exchange, the ServiceTicket in the KERB_TICKET_LOGON is a regular service ticket, which the Windows client fetches before fetching the U2U one.
> > 
> > You may find a packet capture including the keys on my draft MR (TSRemoteGuardCreds.tgz):
> > https://gitlab.com/wireshark/wireshark/-/merge_requests/3419
> > 
> > Thanks!
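
Editor's added example (not code from the thread, from [MS-CSSP], or from the Wireshark dissector): a small Python decoder that re-reads the TSRemoteGuardPackageCred hex Isaac posted above, walks the outer DER wrapping, and then unpacks the embedded NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL twice, once with CredentialKey before CredentialKeyType (the order seen on the wire) and once with the type first (the order the appendix gave). The flag bit names, the 20-byte CredentialKey length and the DomainUserCredKey value 2 are taken from the dissector output quoted in the thread; the function names and the "consistent" plausibility check are this example's own.

```python
# Added example: decode the TSRemoteGuardPackageCred bytes quoted in the thread
# and unpack NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL in both candidate field orders.
# Not code from the thread, from [MS-CSSP] or from Wireshark.
import struct

# Hex of the whole ASN.1 TSRemoteGuardPackageCred, copied from the thread.
PACKAGE_CRED_HEX = (
    "3081dea00a04084e0054004c004d00a181cf0481cc0200ffff08000000d389fe0bc98d"
    "23bfef683a874e048c59000000000200000054000000ca7a124b7c282f0c714e025b3f"
    "5486310100000000000000000000000000000047e7674810c28f0cdb956d0aa1f4cac4"
    "005fb744b102871e16b207d789b3da815b9fac95ba79da02c2ba0e134472979f4b5926"
    "2100000000000000000000000000000000000000000000000000000000000000000000"
    "0000000000000000000000000000000000000000000000000000000000000000000000"
    "000000000000000000000000000000"
)

MSV1_0_CRED_VERSION_REMOTE = 0xFFFF0002
CREDENTIAL_KEY_LENGTH = 20  # CredentialKey is 20 bytes in the dissector output
# Bit names exactly as printed by the dissector output quoted in the thread.
FLAG_NAMES = {1 << 0: "lm_present", 1 << 1: "nt_present", 1 << 2: "removed",
              1 << 3: "credkey_present", 1 << 4: "sha_present"}
CRED_KEY_TYPES = {2: "DomainUserCredKey"}  # the only value seen in the thread


def der_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos).
    Short-form and long-form lengths up to 4 bytes; no indefinite form."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def parse_package_cred(raw):
    """SEQUENCE { [0] packageName OCTET STRING, [1] credBuffer OCTET STRING }
    -> (package name decoded from UTF-16LE, credBuffer bytes)."""
    tag, seq, _ = der_tlv(raw)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag0, ctx0, nxt = der_tlv(seq)
    tag1, ctx1, _ = der_tlv(seq, nxt)
    if (tag0, tag1) != (0xA0, 0xA1):
        raise ValueError("unexpected context-specific tags")
    t0, name, _ = der_tlv(ctx0)
    t1, cred, _ = der_tlv(ctx1)
    if t0 != 0x04 or t1 != 0x04:
        raise ValueError("expected OCTET STRING")
    return name.decode("utf-16-le"), cred


def parse_supplemental(cred, key_first=True):
    """Unpack NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL from credBuffer.
    key_first=True: CredentialKey then CredentialKeyType (wire order).
    key_first=False: CredentialKeyType then CredentialKey (appendix order)."""
    version, flags = struct.unpack_from("<II", cred, 0)
    pos = 8
    if key_first:
        key = cred[pos:pos + CREDENTIAL_KEY_LENGTH]
        pos += CREDENTIAL_KEY_LENGTH
        (key_type,) = struct.unpack_from("<I", cred, pos)
        pos += 4
    else:
        (key_type,) = struct.unpack_from("<I", cred, pos)
        pos += 4
        key = cred[pos:pos + CREDENTIAL_KEY_LENGTH]
        pos += CREDENTIAL_KEY_LENGTH
    (size,) = struct.unpack_from("<I", cred, pos)
    pos += 4
    enc = cred[pos:pos + size]
    if len(enc) != size:
        raise ValueError("EncryptedCredsSize exceeds buffer")
    return {
        "version": version,
        "flags": flags,
        "flag_names": [n for b, n in FLAG_NAMES.items() if flags & b],
        "credential_key": key.hex(),
        "credential_key_type": key_type,
        "credential_key_type_name": CRED_KEY_TYPES.get(key_type, "unknown"),
        "encrypted_creds_size": size,
        "encrypted_creds": enc.hex(),
        # Plausibility check (this example's own): known version and key type.
        "consistent": version == MSV1_0_CRED_VERSION_REMOTE
                      and key_type in CRED_KEY_TYPES,
    }


def decode_thread_capture():
    """Parse the posted bytes both ways -> (packageName, wire_order, appendix_order)."""
    name, cred = parse_package_cred(bytes.fromhex(PACKAGE_CRED_HEX))
    return name, parse_supplemental(cred, True), parse_supplemental(cred, False)


if __name__ == "__main__":
    name, wire, spec = decode_thread_capture()
    print(name, wire["credential_key_type_name"], hex(spec["credential_key_type"]))
```

Run as-is, the key-first reading gives Version 0xffff0002, Flags 8 (credkey_present only), CredentialKeyType 2 (DomainUserCredKey) and EncryptedCredsSize 84, matching the dissector output in the thread; the type-first reading swallows the first four key bytes as the type and yields 0x0bfe89d3, the "weird value" Isaac describes. Note that EncryptedCredsSize comes out the same either way, because the key and type together occupy 24 bytes in both layouts, so the type value, not the size, is the discriminating evidence.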

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

