tspkg - EvanMcBroom/lsa-whisperer GitHub Wiki
The tspkg authentication package (AP) supports authenticating to a Remote Desktop server, formally known as terminal services. The tspkg package does not implement any security protocol but instead uses the credssp package to facilitate communication between a client and server.
Protocol messages were only added to tspkg in NT 10 to support the "Remote Desktop Protocol Authentication Redirection Virtual Channel" (MS-RDPEAR), more commonly known as Remote Credential Guard. MS-RDPEAR messages are sent from a server to a client over an established RDP session. These messages allow a server to authenticate a client to networked resources without the client sending the server certain credential material.
Clients will begin processing any received MS-RDPEAR messages as a normal package call to tspkg. The tspkg package will first validate the message and then forward it to another AP for further processing. The APs a message may be forwarded to and the commands they support are documented by Microsoft and provided here for convenience.
| Id | Message Type | CLI Support | RDPEAR Version | Internal Function |
|---|---|---|---|---|
| | | All | | |
| | | All | | |
| | | All | | |
| | | All | | |
| | | All | | |
| | | All | | |
| | | All | | |
| | | All | | |
| | | All | | |
| | | ➖ | ❔ | Not identified |
| | | ➖ | ❔ | Not identified |
| | | All | | |
| | | All | | |
| | | ❌ | | Not identified |
| | | ❌ | | Not identified |
| | | ❌ | | Not identified |
| | | ❌ | | Not identified |
| | | ❌ | | Not identified |
| | | All | | |
| | | ❌ | | |
| | | All | | |
| | | All | | |
| | | All | | |
| | | All | | |

✏️ The internal function for each message type will be located in kerberos.dll or msv1_0.dll.