Unable to use Windows Message Analyzer with RDP CSSP and Remote Credential Guard

  • Question

  • Hi,

    I am developing the CSSP client for RDP protocol and I had doubts with Remote Credential Guard (RCG). Since it is working from Windows client, I thought of analyzing the Remote Credential Guard packets from Windows Client to Server.

    I am analyzing the Windows Message Analyzer packets for Microsoft RDP protocol to identify the structure used with CredSSP or CSSP for Remote Credential Guard.

    I have followed the steps given by Bryan @ https://docplayer.net/7643622-Decrypting-rdp-traffic-with-message-analyzer-bryan-s-burgin-sr-escalation-engineer-developer-support-open-specs-microsoft-corporation.html

    I am able to see the first level CSSP decrypted packets with Windows Message Analyzer. CSSP has double encryption for credentials - the first one is with TLS and the second one is with the SPNEGO token.

    But the problem with Windows Message Analyzer is that it is showing only the first level decryption and it is not showing the second level decrypted authinfo in the TSRequest. The first one is with TLS and the second one with the SPNEGO token.

    How can I use Windows Message Analyzer to decode the authinfo in the TSRequest structure, which is doubly encrypted, to decode the RCG packets for my understanding?

    Please help.

    Friday, March 27, 2020 2:18 AM
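To make the "two levels of encryption" concrete, here is an added example (not code from the thread or from Microsoft) that builds and decodes a CredSSP TSRequest in DER. The TSRequest is constructed, and its authInfo bytes are a placeholder for the GSS-wrapped credential blob. Once TLS is removed, the outer ASN.1 is readable, but authInfo and pubKeyAuth are OCTET STRINGs sealed by the negotiated GSS mechanism (NTLM or Kerberos), which is exactly where a TLS-only decryption such as the analyzer's stops.

```python
"""Walk a CredSSP TSRequest (MS-CSSP) in DER and show where TLS-level decryption
stops.  Added example, not code from the thread: the TSRequest below is
constructed, and its authInfo bytes stand in for the GSS-wrapped credential blob."""

# Context-specific tag numbers of the TSRequest SEQUENCE (MS-CSSP 2.2.1)
TSREQUEST_FIELDS = {0: "version", 1: "negoTokens", 2: "authInfo",
                    3: "pubKeyAuth", 4: "errorCode", 5: "clientNonce"}
# Fields whose contents are sealed by the negotiated GSS mechanism (NTLM/Kerberos)
SEALED_FIELDS = {"authInfo", "pubKeyAuth"}


def der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    """Positive INTEGER; a leading 0x00 is kept when the top bit would be set."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_tsrequest(version, auth_info=None, client_nonce=None):
    """Encode a TSRequest carrying only the fields this example needs."""
    fields = [tlv(0xA0, der_int(version))]                      # [0] version INTEGER
    if auth_info is not None:
        fields.append(tlv(0xA2, tlv(0x04, auth_info)))          # [2] authInfo OCTET STRING
    if client_nonce is not None:
        fields.append(tlv(0xA5, tlv(0x04, client_nonce)))       # [5] clientNonce OCTET STRING
    return tlv(0x30, b"".join(fields))


def parse_tsrequest(der):
    """Decode the outer TSRequest; sealed fields come back as raw bytes."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("TSRequest must be a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        name = TSREQUEST_FIELDS[tag & 0x1F]
        inner_tag, value, _ = read_tlv(inner, 0)
        fields[name] = int.from_bytes(value, "big") if inner_tag == 0x02 else value
    return fields


def describe(fields):
    """Label each field as readable after TLS decryption or still sealed."""
    return {name: ("sealed by the GSS mechanism, needs its session key"
                   if name in SEALED_FIELDS else "readable after TLS decryption")
            for name in fields}


if __name__ == "__main__":
    # Constructed sample: version 6, a placeholder authInfo blob and a 32-byte nonce
    sample = build_tsrequest(6, auth_info=b"\x01\x00\x00\x00" + b"\xaa" * 20,
                             client_nonce=b"\x11" * 32)
    parsed = parse_tsrequest(sample)
    for name, status in describe(parsed).items():
        print(f"{name:12s} {status}")
```

The parser deliberately leaves negoTokens, authInfo and pubKeyAuth as raw bytes: the outer structure tells you which mechanism sealed them, but the contents can only be recovered with that mechanism's session key.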

All replies

  • Hi Ramanujam,

    Thank you for your question. One of the Open Specifications support team members will reply shortly to assist you with this issue.

    HungChun Yu (MSFT)

    Friday, March 27, 2020 4:55 PM
  • Hi Ramanujam:

    I'll help you with this issue.

    Message Analyzer does not have the capability to decrypt the CredSSP messages encrypted by NTLM or Kerberos.

    If you are using NTLM, one possible way is to manually decrypt CSSP messages since NTLM decryption is fairly straightforward. For details, please consult the MS-NLMP document (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4).

    As an alternative, I can help you decrypt your CSSP packets. Please send me an email at dochelp at Microsoft dot com and I'll send you instructions on how to collect and upload traces.

    Regards, Obaid Farooqi

    Friday, March 27, 2020 6:56 PM
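As an added example of the "manual decryption" the reply points at (not code from the thread or from Microsoft), the following implements the NTLM session security seal/unseal round trip from MS-NLMP section 3.4 with a constructed 16-byte exported session key and constructed messages. It assumes the common modern negotiation (NTLMv2, NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY, NTLMSSP_NEGOTIATE_KEY_EXCH, 128-bit keys); the 56/40-bit sealing-key variants are not implemented. The point for the analyzer question is that the authInfo blob is only recoverable with the session key and the correct keystream order, which is state a packet capture alone does not give you.

```python
"""NTLM session security (MS-NLMP 3.4) seal/unseal round trip, i.e. what the
"manual decryption" of a CredSSP authInfo blob involves once the exported session
key is known.  Added example, not the thread's code: the session key and messages
are constructed.  Assumes NTLMv2 with NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY,
NTLMSSP_NEGOTIATE_KEY_EXCH and 128-bit keys negotiated."""
import hashlib
import hmac
import struct

# Magic constants from MS-NLMP 3.4.5.2 / 3.4.5.3, each with its trailing NUL
SIGN_MAGIC = {True: b"session key to client-to-server signing key magic constant\x00",
              False: b"session key to server-to-client signing key magic constant\x00"}
SEAL_MAGIC = {True: b"session key to client-to-server sealing key magic constant\x00",
              False: b"session key to server-to-client sealing key magic constant\x00"}


class RC4:
    """Stateful RC4 handle: NLMP keeps the keystream running across messages."""
    def __init__(self, key):
        s, j = list(range(256)), 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data):
        s, out = self.s, bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(b ^ s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)


def sign_key(session_key, client_to_server):
    return hashlib.md5(session_key + SIGN_MAGIC[client_to_server]).digest()


def seal_key(session_key, client_to_server):
    # 128-bit case; the 56/40-bit variants truncate session_key before hashing
    return hashlib.md5(session_key + SEAL_MAGIC[client_to_server]).digest()


def seal(handle, signing_key, seq_num, message):
    """Return (16-byte signature, sealed message) per MS-NLMP 3.4.3 / 3.4.4.2."""
    sealed = handle.crypt(message)
    checksum = hmac.new(signing_key, struct.pack("<I", seq_num) + message,
                        hashlib.md5).digest()[:8]
    checksum = handle.crypt(checksum)          # KEY_EXCH: checksum is RC4'd too
    signature = struct.pack("<I", 1) + checksum + struct.pack("<I", seq_num)
    return signature, sealed


def unseal(handle, signing_key, signature, sealed):
    """Reverse seal(); raises ValueError if the signature does not verify."""
    version, checksum, seq_num = struct.unpack("<I8sI", signature)
    if version != 1:
        raise ValueError("unexpected NTLMSSP_MESSAGE_SIGNATURE version")
    message = handle.crypt(sealed)             # keystream order matches seal()
    expected = hmac.new(signing_key, struct.pack("<I", seq_num) + message,
                        hashlib.md5).digest()[:8]
    if not hmac.compare_digest(handle.crypt(checksum), expected):
        raise ValueError("NTLM signature mismatch: wrong key, order or tampering")
    return message


def round_trip(session_key, messages):
    """Client seals a sequence; receiver unseals with independently derived keys."""
    sender = RC4(seal_key(session_key, True))
    receiver = RC4(seal_key(session_key, True))   # mirrors the sender's handle state
    skey = sign_key(session_key, True)
    recovered = []
    for seq, msg in enumerate(messages):
        sig, sealed = seal(sender, skey, seq, msg)
        recovered.append(unseal(receiver, skey, sig, sealed))
    return recovered


if __name__ == "__main__":
    key = bytes(range(16))                        # constructed exported session key
    print(round_trip(key, [b"first sealed message", b"second one"]))
```

Two details matter in practice and are easy to get wrong when decoding a trace by hand: the RC4 handle is never reset between messages, so every sealed message in the direction must be processed in capture order, and each direction has its own signing and sealing keys (the client-to-server and server-to-client magic constants differ).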
  • Hi Obaid Farooqi,

    Thanks for the quick response.

    I have sent the mail to dochelp@microsoft.com

    Saturday, March 28, 2020 1:03 AM