Using SPNEGO/SSPI in SMB (Extended Security)


Microsoft Applications Security - Microsoft's general security discussions and announcements 

Posted by overbored on August 18, 2005, 5:56 pm
Hi all, I'm trying to understand how the SPNEGO and SSPI security blobs
are used in the SMB protocol. The following are packet dumps illustrating
what I'm seeing:

http://www.overbored.net/temp/smb/0.png

This is an SMB protocol negotiation response (sent by the server) using
extended security. I don't understand what the security blob is supposed
to be. I understand that it's using SPNEGO to negotiate a security
protocol to be used subsequently (by SSPI), but is there any API in
Windows that will let me obtain such a list? Furthermore, how would I
encode this?

http://www.overbored.net/temp/smb/1.png
http://www.overbored.net/temp/smb/2.png
http://www.overbored.net/temp/smb/3.png

These are the corresponding SMB session setup requests/responses. Are
these entire security blobs just the direct outputs of the SSPI calls to
InitializeSecurityContext()/AcceptSecurityContext()? Or is there
additional (meta-)data/encoding here that I need to be aware of?

Are there any good resources out there that explain these in detail?

Thanks in advance for any help!

Posted by Richard Ward on September 7, 2005, 1:13 am
The SMB server just calls AcceptSecurityContext, the redirector
just calls InitializeSecurityContext.





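The security blob in an extended-security negotiate response, which the question above asks about, is a GSS-API token carrying an SPNEGO NegTokenInit (RFC 4178) whose mechTypes field lists the offered mechanisms as DER-encoded OIDs. The following Python parser is an added example, not part of the thread or of any poster's code; the function names and the hand-encoded sample blob are constructed for illustration.

```python
# Added example: list the mechanisms offered in an SPNEGO NegTokenInit blob.
SPNEGO_OID = "1.3.6.1.5.5.2"
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "Kerberos 5",
               "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
# Constructed sample blob (hand-encoded, not taken from the poster's captures).
SAMPLE_BLOB = bytes.fromhex(
    "6027" "06062b0601050502" "a01d301ba0193017"
    "06092a864886f712010202" "060a2b06010401823702020a")

def read_tlv(buf, pos, want):
    """Return (value_start, value_end) of the DER element at pos, checking its tag."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected DER tag {want:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return pos, pos + length

def decode_oid(body):
    if not body:
        raise ValueError("empty OID")
    first = min(body[0] // 40, 2)  # first byte packs the first two arcs
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:  # base-128 digits; high bit set means more follow
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def spnego_mech_list(blob):
    """Return [(oid, name)] for the mechTypes in a NegTokenInit blob."""
    pos, _ = read_tlv(blob, 0, 0x60)        # GSS-API initial context token
    s, pos = read_tlv(blob, pos, 0x06)      # thisMech, must be SPNEGO
    if decode_oid(blob[s:pos]) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    # [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    for tag in (0xA0, 0x30, 0xA0, 0x30):
        pos, end = read_tlv(blob, pos, tag)
    mechs = []
    while pos < end:
        s, pos = read_tlv(blob, pos, 0x06)
        oid = decode_oid(blob[s:pos])
        mechs.append((oid, KNOWN_MECHS.get(oid, "unknown")))
    return mechs
```

A blob that does not start with the `0x60` GSS-API tag, such as a raw NTLMSSP message, is rejected with `ValueError` rather than misparsed.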