negoexts - EvanMcBroom/lsa-whisperer GitHub Wiki

Negotiate Extender (NegoExtender)

Negoexts is the security package (SP) for the SPNEGO Extended Negotiation (NEGOEX) protocol. Negoexts was added in NT 6.1 to allow the Negotiate SSP to support more than NTLM and Keberos and to extend the GSS-API with additional features.

Microsoft waited until 2020 to publish a technical document on NEGOEX, which was 11 years after the release of NT 6.1. They did however apply for a US patent in 2008 on the "Advanced Security Negotiation Protocol" which was the original name for NEGOEX and an RFC draft for NEGOEX in 2011. The patent defined the Windows Security Type (WST) Library message which is not documented on MSDN but is the basis of the NEGOEX message and is referenced in all versions of the NegoExtender SSP.

Due to its design, negoexts also supports authentication package (AP) functions for user logons and package calls (e.g., LsaApCallPackage). The NegoExtender compatable SSPs include CloudAP, LiveSSP, and PKU2U.

Functions

The protocol messages that negoexts supports is not documented by Microsoft but is provided here. Negoexts support is not a priority for Lsa Whisperer and the implemented commands should be considered unstable.

Id Message Type CLI Support NT Version Internal Function

0x1

GetCredUIContext

✔️

>=6.1

WSTGetCredUIContext

0x2

UpdateCredentials

✔️

>=6.1

WSTUpdateCredentials

0x3

LookupContext

✔️

>=6.1

WSTLookupContext

0x4

FlushContext

✔️

>=6.1

WSTFlushContext

FlushContext

Remove a context from the global table of WST contexts that negoexts maintains.

negoexts FlushContext --handle {value}

GetCredUIContext

Returns a flat buffer of information about the WST context. The requested information may be for a certificate, cryptographic service provider (CSP) data, or a password. Facilitates the SpGetCredUIContextFn API.

negoexts GetCredUIContext --handle {value} {--cert | --csp | --password} --luid {session id}

LookupContext

Lookup the handle for a WST context. The handle value will be a pointer to the context in the global table of WST contexts that negoexts maintains. The target name may be the name as specified by the TargetName parameter to SpInitLsaModeContext or the target’s associated hostname.

negoexts LookupContext --target {name}

UpdateCredentials

Updates the WST context with a flat buffer of information. The information may be for a certificate, CSP data, or a password. Facilitates the SpUpdateCredentialsFn API.

negoexts UpdateCredentials --handle {value} {--cert | --csp | --password} --data {value}
⚠️ **GitHub.com Fallback** ⚠️