Unable to use Windows Message Analyzer with RDP CSSP and Remote Credential Guard

  • Question

    Hi,

    I am developing a CSSP client for the RDP protocol and I have doubts about Remote Credential Guard (RCG). Since it works from a Windows client, I thought of analyzing the Remote Credential Guard packets from the Windows client to the server.

    I am analyzing the packets in Windows Message Analyzer for the Microsoft RDP protocol to identify the structure used with CredSSP (CSSP) for Remote Credential Guard.

    I have followed the steps given by Bryan at https://docplayer.net/7643622-Decrypting-rdp-traffic-with-message-analyzer-bryan-s-burgin-sr-escalation-engineer-developer-support-open-specs-microsoft-corporation.html

    I am able to see the first-level decrypted CSSP packets with Windows Message Analyzer. CSSP has double encryption for credentials: the first with TLS and the second with the SPNEGO token.

    But the problem with Windows Message Analyzer is that it shows only the first-level decryption and does not show the second-level decrypted authInfo in the TSRequest; the first level is TLS and the second is the SPNEGO token.

    How can I use Windows Message Analyzer to decode the authInfo in the TSRequest structure, which is doubly encrypted, so that I can decode the RCG packets for my understanding?

    Please help.

    Regards,

    Ramanujam  


    Friday, March 27, 2020 2:18 AM
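The structure the question is asking about, as an added example that is not part of the original post and not Microsoft's or the poster's code: a dependency-free DER walker for the CredSSP TSRequest (MS-CSSP 2.2.1). It builds and decodes the two message shapes a TLS-decrypting tool such as Message Analyzer can show you (a negoTokens message and an authInfo message) and makes the limitation visible: authInfo is the output of GSS_Wrap over TSCredentials under the session key of the mechanism SPNEGO negotiated (Kerberos or NTLM), so decrypting TLS with the server's private key yields only the wrap token, never the TSCredentials inside it. That session key is never on the wire; in a client you are writing yourself, the practical route is to unwrap with your own mechanism context or log TSCredentials before wrapping. All sample bytes (the NTLM NEGOTIATE prefix used as a negoToken and the NTLM-signature-shaped authInfo filler) are constructed here for illustration, not captured traffic.

```python
"""
Minimal DER walker for the CredSSP TSRequest (MS-CSSP 2.2.1). Added example,
not from the original post; sample bytes are constructed, not captured.

TSRequest ::= SEQUENCE {
    version     [0] INTEGER,
    negoTokens  [1] NegoData OPTIONAL,      -- SPNEGO / NTLM / Kerberos tokens
    authInfo    [2] OCTET STRING OPTIONAL,  -- GSS_Wrap(TSCredentials) under the
                                            -- negotiated mechanism's session key
    pubKeyAuth  [3] OCTET STRING OPTIONAL,
    errorCode   [4] INTEGER OPTIONAL,
    clientNonce [5] OCTET STRING OPTIONAL }
NegoData ::= SEQUENCE OF SEQUENCE { negoToken [0] OCTET STRING }
"""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04


def der_encode(tag, content):
    """Encode one DER TLV; supports short and long-form lengths."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_ctx(n, inner):
    """Explicit context-specific [n] tag (constructed), as MS-CSSP uses."""
    return der_encode(0xA0 | n, inner)


def der_read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read_tlv(value, pos)
        out.append((tag, v))
    return out


def build_ts_request(version, nego_tokens=(), auth_info=None):
    """Encode a TSRequest the way a CredSSP peer puts it inside the TLS tunnel."""
    body = der_ctx(0, der_encode(INTEGER, bytes([version])))
    if nego_tokens:
        nego = b"".join(der_encode(SEQUENCE, der_ctx(0, der_encode(OCTET_STRING, t)))
                        for t in nego_tokens)
        body += der_ctx(1, der_encode(SEQUENCE, nego))
    if auth_info is not None:
        body += der_ctx(2, der_encode(OCTET_STRING, auth_info))
    return der_encode(SEQUENCE, body)


def parse_ts_request(der):
    """Decode a TSRequest into a dict; authInfo stays as the opaque wrapped bytes."""
    tag, body, _ = der_read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("TSRequest must be a SEQUENCE")
    req = {"version": None, "negoTokens": [], "authInfo": None,
           "pubKeyAuth": None, "errorCode": None, "clientNonce": None}
    for ctag, cval in der_children(body):
        field = ctag & 0x1F                  # [n] tag number
        _, inner, _ = der_read_tlv(cval, 0)  # explicit tagging: one inner TLV
        if field == 0:
            req["version"] = int.from_bytes(inner, "big")
        elif field == 1:
            for _, seq in der_children(inner):            # each inner SEQUENCE
                _, tok_tlv, _ = der_read_tlv(seq, 0)      # [0]
                _, tok, _ = der_read_tlv(tok_tlv, 0)      # OCTET STRING
                req["negoTokens"].append(tok)
        elif field == 2:
            req["authInfo"] = inner
        elif field == 3:
            req["pubKeyAuth"] = inner
        elif field == 4:
            req["errorCode"] = int.from_bytes(inner, "big")
        elif field == 5:
            req["clientNonce"] = inner
    return req


def classify_auth_info(blob):
    """Name the GSS wrapping from its prefix; the payload needs the session key."""
    if blob[:2] == b"\x05\x04":            # RFC 4121 Wrap token, TOK_ID 0x0504
        return "kerberos"
    if blob[:4] == b"\x01\x00\x00\x00":    # NTLMSSP_MESSAGE_SIGNATURE, version 1
        return "ntlm"
    return "unknown"


# Constructed samples (not captured): an NTLM NEGOTIATE prefix as negoToken, and
# an authInfo shaped like NTLM GSS_Wrap output (16-byte signature + ciphertext).
SAMPLE_NEGO_TOKEN = b"NTLMSSP\x00\x01\x00\x00\x00"
SAMPLE_AUTH_INFO = (b"\x01\x00\x00\x00" + bytes(12)
                    + bytes((i * 37 + 11) & 0xFF for i in range(200)))

if __name__ == "__main__":
    for msg in (build_ts_request(6, nego_tokens=[SAMPLE_NEGO_TOKEN]),
                build_ts_request(6, auth_info=SAMPLE_AUTH_INFO)):
        r = parse_ts_request(msg)
        print("version", r["version"], "negoTokens", r["negoTokens"])
        if r["authInfo"] is not None:
            print("authInfo: %d opaque bytes, wrapped by %s"
                  % (len(r["authInfo"]), classify_auth_info(r["authInfo"])))
```

Feeding a TLS-decrypted TSRequest from a capture into parse_ts_request gives the same picture Message Analyzer does: version, the negotiation tokens, and an authInfo blob whose only readable part is the wrap-token header. For Remote Credential Guard the wrapped TSCredentials carries TSRemoteGuardCreds instead of TSPasswordCreds, but that difference is only visible after GSS_Unwrap with the mechanism session key held by the two endpoints.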

All replies