[jcifs] None

eglass1 at attbi.com eglass1 at attbi.com
Wed Mar 26 22:13:53 EST 2003


I noticed a few inconsistencies with the NTLMSSP stuff from the "innovation" 
document (http://www.innovation.ch/java/ntlm.html) which appear to be causing 
the issues with Win9x clients.  I did a whole bunch of research, and here is 
what I came up with.  I apologize in advance for the size of this message; it 
will probably have to be "pushed out" to the jCIFS list.

This is based primarily on the OpenGroup documentation available at:

http://www.opengroup.org/comsource/techref2/NCH1222X.HTM

The rest is taken from a patch to the squid proxy server which I more or less 
stumbled upon, but which has been extremely helpful:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/squid/squid/src/auth/ntlm/helpers/smbpasswd/Attic/ntlm.h?rev=1.1.2.4&only_with_tag=ntlm_smbpasswd&content-type=text/vnd.viewcvs-markup

Attached is a testing program (NTLMRelay.java & NTLMAnalysis.java) which does a 
man-in-the-middle analysis of the NTLM messages between a client and server.  
Assuming you have a web server providing NTLM authentication running on port 80 
on host "foo", you would run:

java NTLMRelay 888 foo 80 log.txt

and connect to http://localhost:888, which will forward requests to port 80 on 
foo.  Results for several scenarios are attached in "results.txt".

I will also be sending the patches based on this analysis which fix the 
authentication for Windows 2000, Windows XP, Windows 98 and Windows 95 clients.


MESSAGE FORMATS:

There are a few "variants" of each of the message types; what I am calling 
the "conformant" form in the notes below is based on the OpenGroup documented 
format.  The "extended" form (which is used by most of the newer clients) is 
taken from the squid stuff and interpretation of results using the attached 
testing program.

The flags mentioned in these messages are described later (as best as I could 
infer their meaning).  In addition, the "security buffer" type mentioned is 
defined in the OpenGroup documentation, and consists of:

Length (2 bytes)
    little-endian, 16-bit unsigned value
Maximum Length (2 bytes)
    little-endian, 16-bit unsigned value
Offset (4 bytes)
    little-endian, 32-bit unsigned value

This is used as a pointer to a data value (typically a string) within the 
message.  The length is the length of the data buffer.  The maximum length is 
the amount of space allocated to the data (usually the same as the length).  
The offset is in bytes, from the start of the message.

If the data in the buffer is a string, it is nonterminated and may be either 
Unicode (if negotiated via the NTLMSSP_NEGOTIATE_UNICODE flag described in the 
flags section) or OEM.  I'm not sure if that really means in the DOS OEM 
codepage (i.e., Cp437) or the Windows ANSI codepage (i.e., Cp1252) -- I 
understand there is a difference, but for the values being passed (username, 
domain, workstation) it is more or less ASCII.  This is one of the issues 
affecting the Win9x clients with jCIFS -- they don't negotiate Unicode, but the 
hardcoded Type 2 flags in the current version of NtlmSsp indicate that only 
Unicode is accepted.

Type 1 message -- conformant form

0.  Signature (8 bytes)
        null-terminated ASCII string ("NTLMSSP", 0x4e544c4d53535000)
8.  Type (4 bytes)
        little-endian, 32-bit unsigned value (1, 0x01000000)
12. Flags (4 bytes)
        little-endian, 32-bit unsigned value

This is the message format described by the OpenGroup documentation.


Type 1 message -- extended form

0.  Signature (8 bytes)
        null-terminated ASCII string ("NTLMSSP", 0x4e544c4d53535000)
8.  Type (4 bytes)
        little-endian, 32-bit unsigned value (1, 0x01000000)
12. Flags (4 bytes)
        little-endian, 32-bit unsigned value
16. Supplied Domain (8 bytes)
        security buffer (OEM String)
24. Supplied Workstation (8 bytes)
        security buffer (OEM String)
32. Data Block

This is described in the squid code, and appears to be the form used 
by "modern" clients (Win2k, WinXP).

The supplied domain and workstation (extended form) are only sent 
when "automatic" NTLM authentication is being performed (i.e., single-sign-on).  
Manual NTLM authentication effectively uses conformant form; although 
security buffers are allocated for the supplied domain and workstation, they 
are empty.

Windows 95 clients use conformant form (even during automatic NTLM), in that no 
supplied domain or workstation are sent by these clients.  They appear to 
allocate empty security buffers for these fields, however, as well as some 
extraneous information at the end (which appears to be an empty 32-bit value 
and two more empty security buffers).  The first two empty buffers may be the 
empty supplied domain and workstations; don't know what the additional stuff is 
for.


Type 2 message -- conformant form

0.  Signature (8 bytes)
        null-terminated ASCII string ("NTLMSSP", 0x4e544c4d53535000)
8.  Type (4 bytes)
        little-endian, 32-bit unsigned value (2, 0x02000000)
12. TargetName (8 bytes)
        security buffer (String)
20. Flags (4 bytes)
        little-endian, 32-bit unsigned value
24. Challenge (8 bytes)
        random challenge
32. Data Block

This is the message format described by the OpenGroup documentation.  The 
OpenGroup documentation indicates that the TargetName is a string (as opposed 
to a security buffer); this is apparently incorrect.  This is the "barebones" 
type 2 message.


Type 2 message -- jCIFS form

0.  Signature (8 bytes)
        null-terminated ASCII string ("NTLMSSP", 0x4e544c4d53535000)
8.  Type (4 bytes)
        little-endian, 32-bit unsigned value (2, 0x02000000)
12. TargetName (8 bytes)
        security buffer (String)
20. Flags (4 bytes)
        little-endian, 32-bit unsigned value
24. Challenge (8 bytes)
        random challenge
32. empty (8 bytes)
        empty bytes
40. Data Block

This is the form currently used by jCIFS.  The 8 empty bytes at the end 
probably represent an empty server context (see below).


Type 2 message -- extended form

0.  Signature (8 bytes)
        null-terminated ASCII string ("NTLMSSP", 0x4e544c4d53535000)
8.  Type (4 bytes)
        little-endian, 32-bit unsigned value (2, 0x02000000)
12. TargetName (8 bytes)
        security buffer (String)
20. Flags (4 bytes)
        little-endian, 32-bit unsigned value
24. Challenge (8 bytes)
        random challenge
32. Context (8 bytes)
        context information of some sort?
40. ServerInfo (8 bytes)
        security buffer (host information)
48. Data Block

This is the form described by the squid code, and used by IIS 5.0.  I wasn't 
able to find any documentation on the meaning of the Context field; as 
mentioned previously, jCIFS effectively sends 8 empty bytes.  The ServerInfo 
buffer points to a "host information" block.  This may be documented somewhere, 
but appears to be a sequence of subblocks, each consisting of:

Type (2 bytes)
    little-endian, 16-bit unsigned value
        1 = NT server name
        2 = NT domain
        3 = fully-qualified DNS host name (host.domain.com)
        4 = DNS domain (domain.com)
Length (2 bytes)
    little-endian, 16-bit unsigned value
String Block (length bytes)

with the sequence being terminated by a type "0" subblock of zero length 
(0x00000000).  The string values in the subblocks appear to always be sent as 
Unicode (even to Win9x clients).


Type 3 message -- non-conformant form

0.  Signature (8 bytes)
        null-terminated ASCII string ("NTLMSSP", 0x4e544c4d53535000)
8.  Type (4 bytes)
        little-endian, 32-bit unsigned value (3, 0x03000000)
12. LanManager Response (8 bytes)
        security buffer
20. NT Response (8 bytes)
        security buffer (empty)
28. DomainName (8 bytes)
        security buffer (OEM String)
36. UserName (8 bytes)
        security buffer (OEM String)
44. Workstation (8 bytes)
        security buffer (OEM String)
52. Data Block

This is the form sent by Win9x clients.  This is apparently undocumented, but 
is simply the conformant form below with the session key and flags truncated.  
Strings are always in OEM (since there is no flag to specify Unicode, and these 
clients don't support it anyway).  Also significant is the absence of an NT 
hash -- only the LanManager response is supplied.  This is the other problem 
with the Win9x clients and jCIFS; even after the Unicode issues are resolved, 
SmbSession.logon results in SmbComSessionSetupAndX throwing an exception at 
line 124 due to an unexpected zero-length unicodePassword.


Type 3 message -- conformant form

0.  Signature (8 bytes)
        null-terminated ASCII string ("NTLMSSP", 0x4e544c4d53535000)
8.  Type (4 bytes)
        little-endian, 32-bit unsigned value (3, 0x03000000)
12. LanManager Response (8 bytes)
        security buffer
20. NT Response (8 bytes)
        security buffer
28. DomainName (8 bytes)
        security buffer (String)
36. UserName (8 bytes)
        security buffer (String)
44. Workstation (8 bytes)
        security buffer (String)
52. Session Key (8 bytes)
        security buffer
60. Flags (4 bytes)
        little-endian, 32-bit unsigned value
64. Data Block

This is the form documented in both the OpenGroup document and the squid code.  
The session key is apparently always empty; according to the OpenGroup document, 
this is only used during datagram authentication.  It is interesting to note 
that the OpenGroup document also indicates that the flags are unused in the 
Type 3 message.  This does not appear to be the case; the Unicode flag, at 
least, appears to be significant.  Upon analysis, it appears that IE 
regurgitates the received Type 2 flags with slight modifications for the Type 3 
message.

In both the non-conformant and conformant forms there appear to be trailing 
bytes at the very end of the message, after the security buffer data (24 bytes 
in the non-conformant form, and 48 in the conformant form).  I will take a 
blind stab at this and guess that it is either random junk or a signature of 
some sort.

Another interesting phenomenon presents itself when a Windows 2000 box is 
authenticating to IIS locally (i.e., the server and client are the same 
machine).  When "automatic" NTLM is used, the Type 2 message has the 
NTLMSSP_NEGOTIATE_LOCAL_CALL flag set.  The client responds with a conformant 
Type 3 message that is essentially completely empty.  When using manual NTLM, 
the flag is not set, and authentication is performed as though the client was 
external.


FLAGS:

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
Type 1 message -- indicates that the client can accept unicode strings in the 
body of security buffers.
Type 2 message -- indicates that the server will send unicode strings in the 
body of security buffers.

NTLMSSP_NEGOTIATE_OEM = 0x00000002
Type 1 message -- indicates that the client can accept OEM strings in the body 
of security buffers.
Type 2 message -- indicates that the server will send OEM strings in the body 
of security buffers.
I'm not sure if this really means DOS OEM codepage (i.e., Cp437) or Windows 
ANSI codepage (i.e., Cp1252); for the fields being sent (domain, workstation, 
username), this information will usually be ASCII-clean anyway.

NTLMSSP_REQUEST_TARGET = 0x00000004
Type 1 message -- sent by the client to request that the server's 
authentication realm (domain, server, or share?) be included in the Type 2 
message (specifying where the authentication is occurring).
Although the OpenGroup document indicates that the authentication can occur at 
the server or at its domain, the squid code includes an additional flag for 
a "share" target type.  Also, the OpenGroup document states that none of the 
clients set this flag; all tested clients, however, did have this flag set.

NTLMSSP_NEGOTIATE_SIGN = 0x00000010
Specifies that generated messages should contain a digital signature.  None of 
the tested clients set this flag.

NTLMSSP_NEGOTIATE_SEAL = 0x00000020
Specifies that generated messages should be encrypted for transmission.  None 
of the tested clients set this flag.

NTLMSSP_NEGOTIATE_DATAGRAM_STYLE = 0x00000040
This is from the squid code.  I'm not sure what this means, although the 
OpenGroup document states that the session key and flag fields for the Type 3 
message are only used during datagram authentication; it might be possible that 
setting this flag is intended to enable those fields during connection-oriented 
authentication as well.  None of the tested clients set this flag.

NTLMSSP_NEGOTIATE_LM_KEY = 0x00000080
Enables message sequence and replay detection, according to the OpenGroup 
documentation.  None of the tested clients set this flag.

NTLMSSP_NEGOTIATE_NETWARE = 0x00000100
This is from the squid code.  I'm guessing that this indicates authentication 
against Novell NDS rather than a domain, but I have no idea.  None of the 
tested clients set this flag.

NTLMSSP_NEGOTIATE_NTLM = 0x00000200
This specifies that NTLM authentication is being used.  This is always set for 
all messages.  I'm not sure if the Netware flag is intended to be an 
alternative.

NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000
Type 1 message -- This is from the squid code, and is part of the extended Type 
1 message.  The client sends this to indicate that the workstation's domain is 
being supplied for use as a desired authentication target.

NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000
Type 1 message -- This is from the squid code, and is part of the extended Type 
1 message.  The client sends this to indicate that the workstation's host name 
is being supplied.

NTLMSSP_NEGOTIATE_LOCAL_CALL = 0x00004000
Type 2 message -- The server may set this flag if the server and client are on 
the same machine.

NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
According to the OpenGroup documentation, the client sets this flag to indicate 
that each message should be signed with a dummy signature.  This flag was set 
on all tested clients; additionally, IIS sends this flag as part of the Type 2 
message.

NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
Type 2 message -- The server sets this flag to indicate that the target 
authentication realm is a domain.

NTLMSSP_TARGET_TYPE_SERVER = 0x00020000
Type 2 message -- The server sets this flag to indicate that the target 
authentication realm is a server (server is not part of a domain?)

NTLMSSP_TARGET_TYPE_SHARE = 0x00040000
Type 2 message -- The server sets this flag to indicate that the target 
authentication realm is a share.  This is from the squid stuff; I'm not sure 
when this would apply.

NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000
Indicates that the client/server support NTLM version 2.  This is from the 
squid code.

NTLMSSP_REQUEST_INIT_RESPONSE = 0x00100000
This is from the squid code.  This flag was not set on any of the tested 
clients.

NTLMSSP_REQUEST_ACCEPT_RESPONSE = 0x00200000
This is from the squid code.  This flag was not set on any of the tested 
clients.

NTLMSSP_REQUEST_NON_NT_SESSION_KEY = 0x00400000
This is from the squid code.  This flag was not set on any of the tested 
clients.

NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
This is from the squid code.  Not sure exactly what this means, although it was 
set on the 2000/XP clients.

NTLMSSP_NEGOTIATE_128 = 0x20000000
This is from the squid code.  Not sure exactly what this means, although it was 
set on the 2000/XP clients.

NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000
This is from the squid code.  This flag was not set on any of the tested 
clients.
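Added example (not part of this post, and not jCIFS code): a small Python parser for the 
three message types laid out above, plus a Type 2 builder that answers the client's Type 1 
with Unicode only if the client offered NTLMSSP_NEGOTIATE_UNICODE and OEM otherwise, which 
is the negotiation the hardcoded jCIFS Type 2 flags skipped.  The sample input is the 
Win2k/IIS 5.0 exchange from scenario 1 of the attached results.txt, transcribed from the 
hex dumps; the Win9x-style Type 3 is constructed, not captured, since no Win9x dump is 
included here.  Assumptions: OEM strings are decoded as cp437, and the message form is 
inferred from where the data block starts (32/40/48 for Type 2, 52/64 for Type 3), as the 
offset tables above suggest.  Every security buffer offset is checked against the message 
length before it is dereferenced, since that is where a parser of an attacker-supplied 
message goes wrong first.

```python
import struct

# Flag bits used below (values from the post).  OEM code page is an assumption;
# the post is unsure whether OEM means cp437 or cp1252.
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE, NEGOTIATE_OEM, REQUEST_TARGET = 0x1, 0x2, 0x4
NEGOTIATE_NTLM, TARGET_TYPE_DOMAIN = 0x200, 0x10000
OEM_CODEPAGE = "cp437"

def read_buffer(msg, pos):
    # Security buffer: length (2), max length (2), offset (4), little-endian;
    # the offset is bounds-checked so a truncated or hostile message raises.
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer at %d points past end of message" % pos)
    return msg[offset:offset + length]

def decode_string(data, flags):  # unterminated; UTF-16LE only if Unicode was negotiated
    return data.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else OEM_CODEPAGE)

def data_start(msg, first, count):
    # Lowest offset of `count` consecutive security buffers = where the data
    # block begins, which tells us which header layout the sender used.
    return min(struct.unpack_from("<I", msg, p + 4)[0] for p in range(first, first + 8 * count, 8))

def parse_target_info(data):
    # ServerInfo sub-blocks: type (2), length (2), UTF-16LE string; ends at type 0.
    names = {1: "nt_server", 2: "nt_domain", 3: "dns_host", 4: "dns_domain"}
    info, pos = {}, 0
    while True:
        kind, length = struct.unpack_from("<HH", data, pos)
        if kind == 0:
            return info
        info[names.get(kind, "type_%d" % kind)] = data[pos + 4:pos + 4 + length].decode("utf-16-le")
        pos += 4 + length

def parse_type1(msg):
    flags = struct.unpack_from("<I", msg, 12)[0]
    out = {"type": 1, "flags": flags, "domain": "", "workstation": ""}
    if len(msg) >= 32:  # extended form: two OEM security buffers follow the flags
        out["domain"] = read_buffer(msg, 16).decode(OEM_CODEPAGE)
        out["workstation"] = read_buffer(msg, 24).decode(OEM_CODEPAGE)
    return out

def parse_type2(msg):
    flags = struct.unpack_from("<I", msg, 20)[0]
    out = {"type": 2, "flags": flags, "challenge": msg[24:32],
           "target": decode_string(read_buffer(msg, 12), flags), "target_info": {}}
    if data_start(msg, 12, 1) >= 48:  # extended form: Context and ServerInfo present
        out["context"] = msg[32:40]
        out["target_info"] = parse_target_info(read_buffer(msg, 40))
    return out

def parse_type3(msg):
    # Data starts at 52 in the Win9x (non-conformant) form and at 64 in the
    # conformant form; only the latter carries a session key and flags.
    conformant = data_start(msg, 12, 5) >= 64
    flags = struct.unpack_from("<I", msg, 60)[0] if conformant else 0  # 0 => OEM strings
    return {"type": 3, "conformant": conformant, "flags": flags,
            "lm_response": read_buffer(msg, 12), "nt_response": read_buffer(msg, 20),
            "domain": decode_string(read_buffer(msg, 28), flags),
            "user": decode_string(read_buffer(msg, 36), flags),
            "workstation": decode_string(read_buffer(msg, 44), flags),
            "session_key": read_buffer(msg, 52) if conformant else b""}

def parse(msg):
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return {1: parse_type1, 2: parse_type2, 3: parse_type3}[struct.unpack_from("<I", msg, 8)[0]](msg)

def build_type2(type1_flags, challenge, target):
    # Conformant Type 2 that encodes strings as the client offered: Unicode only
    # if the Type 1 set it, else OEM (the step the hardcoded jCIFS flags skipped).
    use_unicode = bool(type1_flags & NEGOTIATE_UNICODE)
    flags = NEGOTIATE_NTLM | REQUEST_TARGET | TARGET_TYPE_DOMAIN
    flags |= NEGOTIATE_UNICODE if use_unicode else NEGOTIATE_OEM
    name = target.encode("utf-16-le" if use_unicode else OEM_CODEPAGE)
    return (SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", len(name), len(name), 32)
            + struct.pack("<I", flags) + challenge + name)

# Scenario 1 of results.txt (Win2k client against IIS 5.0), transcribed from the dumps.
TYPE1 = bytes.fromhex("4e544c4d53535000" "01000000" "07b20080" "0600060028000000"
                      "0800080020000000" "57494e324b50524f" "4e5454455354")
TYPE2 = bytes.fromhex("4e544c4d53535000" "02000000" "0c000c0030000000" "05828180" "773ccd564a97e4df"
                      "0000000000000000" "520052003c000000" "4e0054005400450053005400"
                      "02000c004e00540054004500530054000100080054004500530054000400100074006500"
                      "730074002e0063006f006d0003001a0074006500730074002e0074006500730074002e00"
                      "63006f006d0000000000")
TYPE3 = bytes.fromhex("4e544c4d53535000" "03000000" "1800180068000000" "1800180080000000"
                      "0c000c0040000000" "0c000c004c000000" "1000100058000000" "0000000098000000"
                      "05828080" "4e0054005400450053005400" "650067006c00610073007300"
                      "570049004e0032004b00500052004f00" "df176d36b57b62ec3a2784ee4c364e47e2a1fa23514d96ce"
                      "b49799eca27dbc1af29ae6df885b350c612717701849ea2a")
# Constructed (not captured) Win9x-style Type 3: OEM strings, no session key or
# flags, and an empty NT response (the zero-length unicodePassword case).
_sb = lambda n, off: struct.pack("<HHI", n, n, off)
WIN9X_TYPE3 = (SIGNATURE + struct.pack("<I", 3) + _sb(24, 69) + _sb(0, 93) + _sb(6, 52)
               + _sb(6, 58) + _sb(5, 64) + b"NTTESTeglassWIN95" + b"\x11" * 24)

if __name__ == "__main__":
    for m in (TYPE1, TYPE2, TYPE3, WIN9X_TYPE3, build_type2(NEGOTIATE_OEM | NEGOTIATE_NTLM, b"\x01" * 8, "NTTEST")):
        print(parse(m))
```

Running it prints the parsed Win2k Type 1/2/3 (target info NTTEST / TEST / test.com / 
test.test.com, user eglass on WIN2KPRO), then the constructed Win9x Type 3 with 
conformant=False and an empty NT response, then a Type 2 built for a client that only 
offered OEM.  The form detection deliberately keys off the buffer offsets rather than 
the message length, because the Win95 Type 1 described above pads the end of the message 
with extra empty buffers and would otherwise be mistaken for an extended message.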


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 12208 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20030326/54850e76/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 23140 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20030326/54850e76/attachment-0001.obj
-------------- next part --------------
1.  Automatic NTLM authentication of a Windows 2000 client against an IIS 5.0 server

This is the "classic case", I guess.  Probably the one most often encountered in the wild.  Note that there is one flag (0x80000000) I wasn't able to find any documentation on.  Windows XP looks almost exactly the same, except NTLMSSP_NEGOTIATE_NTLM2 and NTLMSSP_NEGOTIATE_128 are also specified.

-------------------------- Type 1 (Negotiate) Message --------------------------
Timestamp: 11:46:29.836 March 25, 2003
From Client: 192.168.49.133 (192.168.49.133)
To Server:   nttest (192.168.49.7)
Flags: 0x8000b207                          (10000000|00000000|10110010|00000111)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM: 00000000|00000000|00000000|00000010
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED: 00000000|00000000|00010000|00000000
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED: 00000000|00000000|00100000|00000000
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO:
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
                                   Unknown: 10000000|00000000|00000000|00000000
This is an extended Type 1 message.
Supplied Domain: NTTEST
    Maximum Length: 6
    Length: 6
    Offset: 40
    Buffer: 0x4e5454455354
Supplied Workstation: WIN2KPRO
    Maximum Length: 8
    Length: 8
    Offset: 32
    Buffer: 0x57494e324b50524f
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 01   00   00   00 |  |                   |
012| 07   b2   00   80 |  |      ?         ?  |
016| 06   00   06   00 |  |                   |
020| 28   00   00   00 |  | (                 |
024| 08   00   08   00 |  |                   |
028| 20   00   00   00 |  |                   |
032| 57   49   4e   32 |  | W    I    N    2  |
036| 4b   50   52   4f |  | K    P    R    O  |
040| 4e   54   54   45 |  | N    T    T    E  |
044| 53   54           |  | S    T            |
   ---------------------  ---------------------

-------------------------- Type 2 (Challenge) Message --------------------------
Timestamp: 11:46:30.006 March 25, 2003
From Server: nttest (192.168.49.7)
To Client:   192.168.49.133 (192.168.49.133)
Flags: 0x80818205                          (10000000|10000001|10000010|00000101)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM:
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN: 00000000|00000001|00000000|00000000
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO: 00000000|10000000|00000000|00000000
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
                                   Unknown: 10000000|00000000|00000000|00000000
TargetName: NTTEST
    Maximum Length: 12
    Length: 12
    Offset: 48
    Buffer: 0x4e0054005400450053005400
Challenge: 0x773ccd564a97e4df
This is an extended Type 2 message:
Context?: 0x0000000000000000
ServerInfo:
    Maximum Length: 82
    Length: 82
    Offset: 60
    Buffer: 0x02000c004e00540054004500530054000100080054004500530054000400100074006500730074002e0063006f006d0003001a0074006500730074002e0074006500730074002e0063006f006d0000000000
     NT Domain: NTTEST
     NT Server: TEST
    DNS Domain: test.com
      DNS FQDN: test.test.com
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 02   00   00   00 |  |                   |
012| 0c   00   0c   00 |  |                   |
016| 30   00   00   00 |  | 0                 |
020| 05   82   81   80 |  |      ?    ?    ?  |
024| 77   3c   cd   56 |  | w    <    ?    V  |
028| 4a   97   e4   df |  | J    ?    ?    ?  |
032| 00   00   00   00 |  |                   |
036| 00   00   00   00 |  |                   |
040| 52   00   52   00 |  | R         R       |
044| 3c   00   00   00 |  | <                 |
048| 4e   00   54   00 |  | N         T       |
052| 54   00   45   00 |  | T         E       |
056| 53   00   54   00 |  | S         T       |
060| 02   00   0c   00 |  |                   |
064| 4e   00   54   00 |  | N         T       |
068| 54   00   45   00 |  | T         E       |
072| 53   00   54   00 |  | S         T       |
076| 01   00   08   00 |  |                   |
080| 54   00   45   00 |  | T         E       |
084| 53   00   54   00 |  | S         T       |
088| 04   00   10   00 |  |                   |
092| 74   00   65   00 |  | t         e       |
096| 73   00   74   00 |  | s         t       |
100| 2e   00   63   00 |  | .         c       |
104| 6f   00   6d   00 |  | o         m       |
108| 03   00   1a   00 |  |                   |
112| 74   00   65   00 |  | t         e       |
116| 73   00   74   00 |  | s         t       |
120| 2e   00   74   00 |  | .         t       |
124| 65   00   73   00 |  | e         s       |
128| 74   00   2e   00 |  | t         .       |
132| 63   00   6f   00 |  | c         o       |
136| 6d   00   00   00 |  | m                 |
140| 00   00           |  |                   |
   ---------------------  ---------------------

-------------------------- Type 3 (Authenticate) Message -----------------------
Timestamp: 11:46:30.086 March 25, 2003
From Client: 192.168.49.133 (192.168.49.133)
To Server:   nttest (192.168.49.7)
Flags: 0x80808205                          (10000000|10000000|10000010|00000101)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM:
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO: 00000000|10000000|00000000|00000000
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
                                   Unknown: 10000000|00000000|00000000|00000000
This is a conformant Type 3 message.
LanManager Response:
    Maximum Length: 24
    Length: 24
    Offset: 104
    Buffer: 0xdf176d36b57b62ec3a2784ee4c364e47e2a1fa23514d96ce
NT Response:
    Maximum Length: 24
    Length: 24
    Offset: 128
    Buffer: 0xb49799eca27dbc1af29ae6df885b350c612717701849ea2a
DomainName: NTTEST
    Maximum Length: 12
    Length: 12
    Offset: 64
    Buffer: 0x4e0054005400450053005400
UserName: eglass
    Maximum Length: 12
    Length: 12
    Offset: 76
    Buffer: 0x650067006c00610073007300
Workstation: WIN2KPRO
    Maximum Length: 16
    Length: 16
    Offset: 88
    Buffer: 0x570049004e0032004b00500052004f00
SessionKey:
    Maximum Length: 0
    Length: 0
    Offset: 152
    Buffer: 
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 03   00   00   00 |  |                   |
012| 18   00   18   00 |  |                   |
016| 68   00   00   00 |  | h                 |
020| 18   00   18   00 |  |                   |
024| 80   00   00   00 |  | ?                 |
028| 0c   00   0c   00 |  |                   |
032| 40   00   00   00 |  | @                 |
036| 0c   00   0c   00 |  |                   |
040| 4c   00   00   00 |  | L                 |
044| 10   00   10   00 |  |                   |
048| 58   00   00   00 |  | X                 |
052| 00   00   00   00 |  |                   |
056| 98   00   00   00 |  | ?                 |
060| 05   82   80   80 |  |      ?    ?    ?  |
064| 4e   00   54   00 |  | N         T       |
068| 54   00   45   00 |  | T         E       |
072| 53   00   54   00 |  | S         T       |
076| 65   00   67   00 |  | e         g       |
080| 6c   00   61   00 |  | l         a       |
084| 73   00   73   00 |  | s         s       |
088| 57   00   49   00 |  | W         I       |
092| 4e   00   32   00 |  | N         2       |
096| 4b   00   50   00 |  | K         P       |
100| 52   00   4f   00 |  | R         O       |
104| df   17   6d   36 |  | ?         m    6  |
108| b5   7b   62   ec |  | ?    {    b    ?  |
112| 3a   27   84   ee |  | :    '    ?    ?  |
116| 4c   36   4e   47 |  | L    6    N    G  |
120| e2   a1   fa   23 |  | ?    ?    ?    #  |
124| 51   4d   96   ce |  | Q    M    ?    ?  |
128| b4   97   99   ec |  | ?    ?    ?    ?  |
132| a2   7d   bc   1a |  | ?    }    ?       |
136| f2   9a   e6   df |  | ?    ?    ?    ?  |
140| 88   5b   35   0c |  | ?    [    5       |
144| 61   27   17   70 |  | a    '         p  |
148| 18   49   ea   2a |  |      I    ?    *  |
   ---------------------  ---------------------


2.  Manual NTLM authentication of a Windows 2000 client against an IIS 5.0 server

This is what is seen when "Prompt for user name and password" is selected from the IE options to disable automatic authentication.  The most significant difference is the absence of the supplied domain and workstation fields.

-------------------------- Type 1 (Negotiate) Message --------------------------
Timestamp: 11:50:56.679 March 25, 2003
From Client: 192.168.49.133 (192.168.49.133)
To Server:   nttest (192.168.49.7)
Flags: 0x80008207                          (10000000|00000000|10000010|00000111)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM: 00000000|00000000|00000000|00000010
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO:
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
                                   Unknown: 10000000|00000000|00000000|00000000
This is a conformant Type 1 message.
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 01   00   00   00 |  |                   |
012| 07   82   00   80 |  |      ?         ?  |
016| 00   00   00   00 |  |                   |
020| 00   00   00   00 |  |                   |
024| 00   00   00   00 |  |                   |
028| 00   00   00   00 |  |                   |
   ---------------------  ---------------------

-------------------------- Type 2 (Challenge) Message --------------------------
Timestamp: 11:50:56.699 March 25, 2003
From Server: nttest (192.168.49.7)
To Client:   192.168.49.133 (192.168.49.133)
Flags: 0x80818205                          (10000000|10000001|10000010|00000101)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM:
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN: 00000000|00000001|00000000|00000000
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO: 00000000|10000000|00000000|00000000
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
                                   Unknown: 10000000|00000000|00000000|00000000
TargetName: NTTEST
    Maximum Length: 12
    Length: 12
    Offset: 48
    Buffer: 0x4e0054005400450053005400
Challenge: 0x7a077a964df8fb12
This is an extended Type 2 message:
Context?: 0x0000000000000000
ServerInfo:
    Maximum Length: 82
    Length: 82
    Offset: 60
    Buffer: 0x02000c004e00540054004500530054000100080054004500530054000400100074006500730074002e0063006f006d0003001a0074006500730074002e0074006500730074002e0063006f006d0000000000
     NT Domain: NTTEST
     NT Server: TEST
    DNS Domain: test.com
      DNS FQDN: test.test.com
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 02   00   00   00 |  |                   |
012| 0c   00   0c   00 |  |                   |
016| 30   00   00   00 |  | 0                 |
020| 05   82   81   80 |  |      ?    ?    ?  |
024| 7a   07   7a   96 |  | z         z    ?  |
028| 4d   f8   fb   12 |  | M    ?    ?       |
032| 00   00   00   00 |  |                   |
036| 00   00   00   00 |  |                   |
040| 52   00   52   00 |  | R         R       |
044| 3c   00   00   00 |  | <                 |
048| 4e   00   54   00 |  | N         T       |
052| 54   00   45   00 |  | T         E       |
056| 53   00   54   00 |  | S         T       |
060| 02   00   0c   00 |  |                   |
064| 4e   00   54   00 |  | N         T       |
068| 54   00   45   00 |  | T         E       |
072| 53   00   54   00 |  | S         T       |
076| 01   00   08   00 |  |                   |
080| 54   00   45   00 |  | T         E       |
084| 53   00   54   00 |  | S         T       |
088| 04   00   10   00 |  |                   |
092| 74   00   65   00 |  | t         e       |
096| 73   00   74   00 |  | s         t       |
100| 2e   00   63   00 |  | .         c       |
104| 6f   00   6d   00 |  | o         m       |
108| 03   00   1a   00 |  |                   |
112| 74   00   65   00 |  | t         e       |
116| 73   00   74   00 |  | s         t       |
120| 2e   00   74   00 |  | .         t       |
124| 65   00   73   00 |  | e         s       |
128| 74   00   2e   00 |  | t         .       |
132| 63   00   6f   00 |  | c         o       |
136| 6d   00   00   00 |  | m                 |
140| 00   00           |  |                   |
   ---------------------  ---------------------

-------------------------- Type 3 (Authenticate) Message -----------------------
Timestamp: 11:50:56.739 March 25, 2003
From Client: 192.168.49.133 (192.168.49.133)
To Server:   nttest (192.168.49.7)
Flags: 0x80808205                          (10000000|10000000|10000010|00000101)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM:
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO: 00000000|10000000|00000000|00000000
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
                                   Unknown: 10000000|00000000|00000000|00000000
This is a conformant Type 3 message.
LanManager Response:
    Maximum Length: 24
    Length: 24
    Offset: 104
    Buffer: 0x5bcb12d1e0b981b401d1f8b445224796e14ba751e95a27fd
NT Response:
    Maximum Length: 24
    Length: 24
    Offset: 128
    Buffer: 0x6a0d9df3c959859de8e3ef26ca10fd5757789c2241fd2608
DomainName: NTTEST
    Maximum Length: 12
    Length: 12
    Offset: 64
    Buffer: 0x4e0054005400450053005400
UserName: eglass
    Maximum Length: 12
    Length: 12
    Offset: 76
    Buffer: 0x650067006c00610073007300
Workstation: WIN2KPRO
    Maximum Length: 16
    Length: 16
    Offset: 88
    Buffer: 0x570049004e0032004b00500052004f00
SessionKey:
    Maximum Length: 0
    Length: 0
    Offset: 152
    Buffer: 
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 03   00   00   00 |  |                   |
012| 18   00   18   00 |  |                   |
016| 68   00   00   00 |  | h                 |
020| 18   00   18   00 |  |                   |
024| 80   00   00   00 |  | ?                 |
028| 0c   00   0c   00 |  |                   |
032| 40   00   00   00 |  | @                 |
036| 0c   00   0c   00 |  |                   |
040| 4c   00   00   00 |  | L                 |
044| 10   00   10   00 |  |                   |
048| 58   00   00   00 |  | X                 |
052| 00   00   00   00 |  |                   |
056| 98   00   00   00 |  | ?                 |
060| 05   82   80   80 |  |      ?    ?    ?  |
064| 4e   00   54   00 |  | N         T       |
068| 54   00   45   00 |  | T         E       |
072| 53   00   54   00 |  | S         T       |
076| 65   00   67   00 |  | e         g       |
080| 6c   00   61   00 |  | l         a       |
084| 73   00   73   00 |  | s         s       |
088| 57   00   49   00 |  | W         I       |
092| 4e   00   32   00 |  | N         2       |
096| 4b   00   50   00 |  | K         P       |
100| 52   00   4f   00 |  | R         O       |
104| 5b   cb   12   d1 |  | [    ?         ?  |
108| e0   b9   81   b4 |  | ?    ?    ?    ?  |
112| 01   d1   f8   b4 |  |      ?    ?    ?  |
116| 45   22   47   96 |  | E    "    G    ?  |
120| e1   4b   a7   51 |  | ?    K    ?    Q  |
124| e9   5a   27   fd |  | ?    Z    '    ?  |
128| 6a   0d   9d   f3 |  | j         ?    ?  |
132| c9   59   85   9d |  | ?    Y    ?    ?  |
136| e8   e3   ef   26 |  | ?    ?    ?    &  |
140| ca   10   fd   57 |  | ?         ?    W  |
144| 57   78   9c   22 |  | W    x    ?    "  |
148| 41   fd   26   08 |  | A    ?    &       |
   ---------------------  ---------------------


3.  Automatic NTLM authentication of a Windows 2000 client against an IIS 5.0 server on the same machine

I found this interesting; when accessing a web server running on the same box, two things happen during automatic NTLM authentication.  First, the server sets the NTLMSSP_NEGOTIATE_LOCAL_CALL flag in the Type 2 message.  Second, the client sends a completely empty Type 3 message in response.  It's unclear to me how the username is established; my gut feeling is that IIS just uses the identity of the person currently logged on.  I have no idea what this would do when accessed over terminal services or Citrix (or another such multiuser environment).

-------------------------- Type 1 (Negotiate) Message --------------------------
Timestamp: 10:52:13.664 March 25, 2003
From Client: nttest (192.168.49.7)
To Server:   nttest (192.168.49.7)
Flags: 0x8000b207                          (10000000|00000000|10110010|00000111)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM: 00000000|00000000|00000000|00000010
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED: 00000000|00000000|00010000|00000000
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED: 00000000|00000000|00100000|00000000
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO:
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
                                   Unknown: 10000000|00000000|00000000|00000000
This is an extended Type 1 message.
Supplied Domain: NTTEST
    Maximum Length: 6
    Length: 6
    Offset: 36
    Buffer: 0x4e5454455354
Supplied Workstation: TEST
    Maximum Length: 4
    Length: 4
    Offset: 32
    Buffer: 0x54455354
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 01   00   00   00 |  |                   |
012| 07   b2   00   80 |  |      ?         ?  |
016| 06   00   06   00 |  |                   |
020| 24   00   00   00 |  | $                 |
024| 04   00   04   00 |  |                   |
028| 20   00   00   00 |  |                   |
032| 54   45   53   54 |  | T    E    S    T  |
036| 4e   54   54   45 |  | N    T    T    E  |
040| 53   54           |  | S    T            |
   ---------------------  ---------------------

-------------------------- Type 2 (Challenge) Message --------------------------
Timestamp: 10:52:13.824 March 25, 2003
From Server: nttest (192.168.49.7)
To Client:   nttest (192.168.49.7)
Flags: 0x8081c205                          (10000000|10000001|11000010|00000101)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM:
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL: 00000000|00000000|01000000|00000000
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN: 00000000|00000001|00000000|00000000
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO: 00000000|10000000|00000000|00000000
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
                                   Unknown: 10000000|00000000|00000000|00000000
TargetName: NTTEST
    Maximum Length: 12
    Length: 12
    Offset: 48
    Buffer: 0x4e0054005400450053005400
Challenge: 0xd37266fc47e4fdaf
This is an extended Type 2 message:
Context?: 0x48420f0000000000
ServerInfo:
    Maximum Length: 82
    Length: 82
    Offset: 60
    Buffer: 0x02000c004e00540054004500530054000100080054004500530054000400100074006500730074002e0063006f006d0003001a0074006500730074002e0074006500730074002e0063006f006d0000000000
     NT Domain: NTTEST
     NT Server: TEST
    DNS Domain: test.com
      DNS FQDN: test.test.com
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 02   00   00   00 |  |                   |
012| 0c   00   0c   00 |  |                   |
016| 30   00   00   00 |  | 0                 |
020| 05   c2   81   80 |  |      ?    ?    ?  |
024| d3   72   66   fc |  | ?    r    f    ?  |
028| 47   e4   fd   af |  | G    ?    ?    ?  |
032| 48   42   0f   00 |  | H    B            |
036| 00   00   00   00 |  |                   |
040| 52   00   52   00 |  | R         R       |
044| 3c   00   00   00 |  | <                 |
048| 4e   00   54   00 |  | N         T       |
052| 54   00   45   00 |  | T         E       |
056| 53   00   54   00 |  | S         T       |
060| 02   00   0c   00 |  |                   |
064| 4e   00   54   00 |  | N         T       |
068| 54   00   45   00 |  | T         E       |
072| 53   00   54   00 |  | S         T       |
076| 01   00   08   00 |  |                   |
080| 54   00   45   00 |  | T         E       |
084| 53   00   54   00 |  | S         T       |
088| 04   00   10   00 |  |                   |
092| 74   00   65   00 |  | t         e       |
096| 73   00   74   00 |  | s         t       |
100| 2e   00   63   00 |  | .         c       |
104| 6f   00   6d   00 |  | o         m       |
108| 03   00   1a   00 |  |                   |
112| 74   00   65   00 |  | t         e       |
116| 73   00   74   00 |  | s         t       |
120| 2e   00   74   00 |  | .         t       |
124| 65   00   73   00 |  | e         s       |
128| 74   00   2e   00 |  | t         .       |
132| 63   00   6f   00 |  | c         o       |
136| 6d   00   00   00 |  | m                 |
140| 00   00           |  |                   |
   ---------------------  ---------------------

-------------------------- Type 3 (Authenticate) Message -----------------------
Timestamp: 10:52:13.924 March 25, 2003
From Client: nttest (192.168.49.7)
To Server:   nttest (192.168.49.7)
Flags: 0x8080c205                          (10000000|10000000|11000010|00000101)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM:
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL: 00000000|00000000|01000000|00000000
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO: 00000000|10000000|00000000|00000000
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
                                   Unknown: 10000000|00000000|00000000|00000000
This is a conformant Type 3 message.
LanManager Response:
    Maximum Length: 0
    Length: 0
    Offset: 64
    Buffer: 
NT Response:
    Maximum Length: 0
    Length: 0
    Offset: 64
    Buffer: 
DomainName: 
    Maximum Length: 0
    Length: 0
    Offset: 64
    Buffer: 
UserName: 
    Maximum Length: 0
    Length: 0
    Offset: 64
    Buffer: 
Workstation: 
    Maximum Length: 0
    Length: 0
    Offset: 64
    Buffer: 
SessionKey:
    Maximum Length: 0
    Length: 0
    Offset: 64
    Buffer: 
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 03   00   00   00 |  |                   |
012| 00   00   00   00 |  |                   |
016| 40   00   00   00 |  | @                 |
020| 00   00   00   00 |  |                   |
024| 40   00   00   00 |  | @                 |
028| 00   00   00   00 |  |                   |
032| 40   00   00   00 |  | @                 |
036| 00   00   00   00 |  |                   |
040| 40   00   00   00 |  | @                 |
044| 00   00   00   00 |  |                   |
048| 40   00   00   00 |  | @                 |
052| 00   00   00   00 |  |                   |
056| 40   00   00   00 |  | @                 |
060| 05   c2   80   80 |  |      ?    ?    ?  |
   ---------------------  ---------------------


4.  Automatic NTLM authentication of a Windows 2000 client against the jCIFS filter

This is what the current incarnation of jCIFS looks like.  The Type 2 message is of particular interest (since that's what we generate).  Note that the NTLMSSP_NEGOTIATE_UNICODE flag is hardcoded; this is what causes the Win9x clients to give up after receiving the Type 2.  Note also that the NTLMSSP_NEGOTIATE_TARGET_INFO and "unknown" flags are not set in the jCIFS Type 2 message; the corresponding Type 3 message has these flags cleared as well.  It seems that IE uses the received Type 2 flags as a starting point, and masks off relevant options before sending back the Type 3.

-------------------------- Type 1 (Negotiate) Message --------------------------
Timestamp: 21:59:42.062 March 25, 2003
From Client: 192.168.49.134 (192.168.49.134)
To Server:   nttest (192.168.49.7)
Flags: 0x8000b207                          (10000000|00000000|10110010|00000111)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM: 00000000|00000000|00000000|00000010
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED: 00000000|00000000|00010000|00000000
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED: 00000000|00000000|00100000|00000000
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO:
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
                                   Unknown: 10000000|00000000|00000000|00000000
This is an extended Type 1 message.
Supplied Domain: NTTEST
    Maximum Length: 6
    Length: 6
    Offset: 40
    Buffer: 0x4e5454455354
Supplied Workstation: WIN2KPRO
    Maximum Length: 8
    Length: 8
    Offset: 32
    Buffer: 0x57494e324b50524f
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 01   00   00   00 |  |                   |
012| 07   b2   00   80 |  |      ?         ?  |
016| 06   00   06   00 |  |                   |
020| 28   00   00   00 |  | (                 |
024| 08   00   08   00 |  |                   |
028| 20   00   00   00 |  |                   |
032| 57   49   4e   32 |  | W    I    N    2  |
036| 4b   50   52   4f |  | K    P    R    O  |
040| 4e   54   54   45 |  | N    T    T    E  |
044| 53   54           |  | S    T            |
   ---------------------  ---------------------

-------------------------- Type 2 (Challenge) Message --------------------------
Timestamp: 21:59:44.255 March 25, 2003
From Server: nttest (192.168.49.7)
To Client:   192.168.49.134 (192.168.49.134)
Flags: 0x00008201                          (00000000|00000000|10000010|00000001)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM:
                    NTLMSSP_REQUEST_TARGET:
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO:
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
TargetName: 
    Maximum Length: 0
    Length: 0
    Offset: 40
    Buffer: 
Challenge: 0x933eeee507e53bab
This is a jCIFS Type 2 message:
Context?: 0x0000000000000000
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 02   00   00   00 |  |                   |
012| 00   00   00   00 |  |                   |
016| 28   00   00   00 |  | (                 |
020| 01   82   00   00 |  |      ?            |
024| 93   3e   ee   e5 |  | ?    >    ?    ?  |
028| 07   e5   3b   ab |  |      ?    ;    ?  |
032| 00   00   00   00 |  |                   |
036| 00   00   00   00 |  |                   |
   ---------------------  ---------------------

-------------------------- Type 3 (Authenticate) Message -----------------------
Timestamp: 21:59:44.345 March 25, 2003
From Client: 192.168.49.134 (192.168.49.134)
To Server:   nttest (192.168.49.7)
Flags: 0x00008205                          (00000000|00000000|10000010|00000101)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM:
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO:
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
This is a conformant Type 3 message.
LanManager Response:
    Maximum Length: 24
    Length: 24
    Offset: 104
    Buffer: 0x9679721c4fb3ee1c439bcf476dc2ea36002afcb31560759d
NT Response:
    Maximum Length: 24
    Length: 24
    Offset: 128
    Buffer: 0x0fd328a5a95b82a316ea219f5a5e26ca7b2582df281c6a02
DomainName: NTTEST
    Maximum Length: 12
    Length: 12
    Offset: 64
    Buffer: 0x4e0054005400450053005400
UserName: eglass
    Maximum Length: 12
    Length: 12
    Offset: 76
    Buffer: 0x650067006c00610073007300
Workstation: WIN2KPRO
    Maximum Length: 16
    Length: 16
    Offset: 88
    Buffer: 0x570049004e0032004b00500052004f00
SessionKey:
    Maximum Length: 0
    Length: 0
    Offset: 152
    Buffer: 
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 03   00   00   00 |  |                   |
012| 18   00   18   00 |  |                   |
016| 68   00   00   00 |  | h                 |
020| 18   00   18   00 |  |                   |
024| 80   00   00   00 |  | ?                 |
028| 0c   00   0c   00 |  |                   |
032| 40   00   00   00 |  | @                 |
036| 0c   00   0c   00 |  |                   |
040| 4c   00   00   00 |  | L                 |
044| 10   00   10   00 |  |                   |
048| 58   00   00   00 |  | X                 |
052| 00   00   00   00 |  |                   |
056| 98   00   00   00 |  | ?                 |
060| 05   82   00   00 |  |      ?            |
064| 4e   00   54   00 |  | N         T       |
068| 54   00   45   00 |  | T         E       |
072| 53   00   54   00 |  | S         T       |
076| 65   00   67   00 |  | e         g       |
080| 6c   00   61   00 |  | l         a       |
084| 73   00   73   00 |  | s         s       |
088| 57   00   49   00 |  | W         I       |
092| 4e   00   32   00 |  | N         2       |
096| 4b   00   50   00 |  | K         P       |
100| 52   00   4f   00 |  | R         O       |
104| 96   79   72   1c |  | ?    y    r       |
108| 4f   b3   ee   1c |  | O    ?    ?       |
112| 43   9b   cf   47 |  | C    ?    ?    G  |
116| 6d   c2   ea   36 |  | m    ?    ?    6  |
120| 00   2a   fc   b3 |  |      *    ?    ?  |
124| 15   60   75   9d |  |      `    u    ?  |
128| 0f   d3   28   a5 |  |      ?    (    ?  |
132| a9   5b   82   a3 |  | ?    [    ?    ?  |
136| 16   ea   21   9f |  |      ?    !    ?  |
140| 5a   5e   26   ca |  | Z    ^    &    ?  |
144| 7b   25   82   df |  | {    %    ?    ?  |
148| 28   1c   6a   02 |  | (         j       |
   ---------------------  ---------------------


5.  Automatic authentication of a Windows 98 client against an IIS 5.0 server

This is a good representation of a Win9x client (Windows 95 is virtually identical).  As seen in the Type 1 message, the NTLMSSP_NEGOTIATE_UNICODE flag is not set.  Also, note that the supplied domain and workstation are not present.  The unidentified flag from the Windows 2000 clients, whatever it is, is also not present.  Automatic and manual NTLM authentication are effectively identical for these clients, since neither sends the supplied domain and workstation.

The Type 2 message sets OEM rather than Unicode, which is reflected in the TargetName security buffer.  The ServerInfo field is still sent in Unicode, however, which is interesting.  This was probably introduced with Windows 2000/Active Directory, so my guess is the Win9x clients just ignore it.

The Type 3 message is interesting for two reasons.  First, all the fields are in OEM (which is expected).  Second, there is no NT hash, only a LanManager response.  This causes another problem with jCIFS; once the Unicode issue is resolved, an exception is thrown during the logon process due to the empty field.
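As an added illustration (not the author's NTLMRelay/NTLMAnalysis code and not jCIFS's own), here is a Python sketch of the two points these captures make: a Type 2 builder that answers in whichever character set the Type 1 offered (the Win9x OEM case, and the hard-coded Unicode problem noted in section 4), and a Type 3 parser that accepts the short Win9x form and returns an empty NT response instead of failing on it.  The flag set the builder emits is modelled on what IIS returned in the captures above and is checked byte-for-byte against them; it assumes the Win2K Type 1 flags were 0x8000b207 (as in sections 3 and 4), and the Win98 Type 3 is reassembled from its security-buffer values because that dump is cut off in this copy of the post.

```python
import struct

# NTLMSSP flag bits, with the values shown in the flag tables above.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_OEM = 0x00000002
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
UNKNOWN_HIGH_BIT = 0x80000000  # the "Unknown" bit the Win2K client sets and IIS echoes
SIGNATURE = b"NTLMSSP\x00"

# ServerInfo (target info) block carried by every IIS Type 2 in the captures above.
TARGET_INFO = bytes.fromhex(
    "02000c00" "4e0054005400450053005400"                              # NT domain NTTEST
    "01000800" "5400450053005400"                                      # NT server TEST
    "04001000" "74006500730074002e0063006f006d00"                      # DNS domain test.com
    "03001a00" "74006500730074002e0074006500730074002e0063006f006d00"  # DNS FQDN test.test.com
    "00000000")                                                        # terminator
# Captured IIS 5.0 Type 2 replies to the Win98 (OEM) and Win2K (Unicode) Type 1 messages.
IIS_TYPE2_OEM = bytes.fromhex(
    "4e544c4d53535000" "02000000" "0600060030000000" "06828100" "c1a1f821fa7972cc"
    "0000000000000000" "5200520036000000" "4e5454455354") + TARGET_INFO
IIS_TYPE2_UNICODE = bytes.fromhex(
    "4e544c4d53535000" "02000000" "0c000c0030000000" "05828180" "7a077a964df8fb12"
    "0000000000000000" "520052003c000000" "4e0054005400450053005400") + TARGET_INFO
# Captured conformant Type 3 from the Win2K client to the jCIFS filter (152 bytes).
WIN2K_TYPE3_TO_JCIFS = bytes.fromhex(
    "4e544c4d5353500003000000180018006800000018001800800000000c000c00"
    "400000000c000c004c0000001000100058000000000000009800000005820000"
    "4e0054005400450053005400650067006c00610073007300570049004e003200"
    "4b00500052004f009679721c4fb3ee1c439bcf476dc2ea36002afcb31560759d"
    "0fd328a5a95b82a316ea219f5a5e26ca7b2582df281c6a02")
# Captured empty Type 3 from the same-machine (LOCAL_CALL) scenario: six empty buffers.
EMPTY_TYPE3_LOCAL = bytes.fromhex("4e544c4d5353500003000000" + "0000000040000000" * 6 + "05c28080")


def secbuf(length, offset):
    """Security buffer header: length, maximum length, offset (little-endian)."""
    return struct.pack("<HHI", length, length, offset)


def decode_text(data, flags):
    """Unicode fields are UTF-16LE; OEM fields use the client's OEM code page
    (plain ASCII in all of the captures above)."""
    if flags is not None and flags & NTLMSSP_NEGOTIATE_UNICODE:
        return data.decode("utf-16-le")
    return data.decode("ascii", errors="replace")


def build_type2(client_flags, target_name, challenge, target_info, context=bytes(8)):
    """Build an extended Type 2 in whichever character set the Type 1 offered.
    Hard-coding NTLMSSP_NEGOTIATE_UNICODE here, regardless of the client's flags,
    is what makes the OEM-only Win9x clients abandon the exchange."""
    if client_flags & NTLMSSP_NEGOTIATE_UNICODE:
        flags, name = NTLMSSP_NEGOTIATE_UNICODE, target_name.encode("utf-16-le")
    elif client_flags & NTLMSSP_NEGOTIATE_OEM:
        flags, name = NTLMSSP_NEGOTIATE_OEM, target_name.encode("ascii")
    else:
        raise ValueError("client offered neither Unicode nor OEM")
    flags |= (NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
              | NTLMSSP_TARGET_TYPE_DOMAIN | NTLMSSP_NEGOTIATE_TARGET_INFO)
    flags |= client_flags & UNKNOWN_HIGH_BIT   # IIS reflects this bit in the captures
    name_offset = 48                            # extended Type 2 header is 48 bytes
    info_offset = name_offset + len(name)
    msg = SIGNATURE + struct.pack("<I", 2) + secbuf(len(name), name_offset)
    msg += struct.pack("<I", flags) + challenge + context
    msg += secbuf(len(target_info), info_offset)
    return msg + name + target_info


def parse_type3(msg):
    """Parse a Type 3 in either the conformant (Win2K/XP) or the short Win9x form.
    An empty NT response comes back as b"" rather than raising, since Win9x
    clients legitimately send only the LanManager response."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP Type 3 message")
    names = ("lm_response", "nt_response", "domain", "user", "workstation")
    bufs = {n: struct.unpack_from("<HHI", msg, 12 + 8 * i) for i, n in enumerate(names)}
    # Conformant messages add a session-key buffer at 52 and flags at 60, so their
    # data starts at 64 or later; the Win9x form stops after the workstation buffer
    # and its data starts at 52. The lowest buffer offset tells the two apart.
    data_start = min((off for _, _, off in bufs.values() if off), default=64)
    conformant = data_start >= 64
    flags = struct.unpack_from("<I", msg, 60)[0] if conformant else None
    out = {"conformant": conformant, "flags": flags}
    for n, (length, _, off) in bufs.items():
        raw = msg[off:off + length]
        out[n] = raw if n.endswith("_response") else decode_text(raw, flags)
    return out


def reassembled_win98_type3():
    """The Win98 Type 3 rebuilt from the security-buffer values in its capture
    (the dump of that message is cut off in this copy of the post)."""
    lm = bytes.fromhex("cea370301c1aad467565de763974fccd565934f18b9462cf")
    hdr = SIGNATURE + struct.pack("<I", 3)
    hdr += secbuf(24, 69) + secbuf(0, 93) + secbuf(6, 52) + secbuf(6, 58) + secbuf(5, 64)
    return hdr + b"NTTEST" + b"EGLASS" + b"WIN98" + lm
```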

-------------------------- Type 1 (Negotiate) Message --------------------------
Timestamp: 11:27:59.779 March 25, 2003
From Client: 192.168.49.130 (192.168.49.130)
To Server:   nttest (192.168.49.7)
Flags: 0x00008206                          (00000000|00000000|10000010|00000110)
                 NTLMSSP_NEGOTIATE_UNICODE:
                     NTLMSSP_NEGOTIATE_OEM: 00000000|00000000|00000000|00000010
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO:
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
This is a conformant Type 1 message.
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 01   00   00   00 |  |                   |
012| 06   82   00   00 |  |      ?            |
016| 00   00   00   00 |  |                   |
020| 00   00   00   00 |  |                   |
024| 00   00   00   00 |  |                   |
028| 00   00   00   00 |  |                   |
032| 00   00   00   00 |  |                   |
036| 30   00   00   00 |  | 0                 |
040| 00   00   00   00 |  |                   |
044| 30   00   00   00 |  | 0                 |
   ---------------------  ---------------------

-------------------------- Type 2 (Challenge) Message --------------------------
Timestamp: 11:27:59.820 March 25, 2003
From Server: nttest (192.168.49.7)
To Client:   192.168.49.130 (192.168.49.130)
Flags: 0x00818206                          (00000000|10000001|10000010|00000110)
                 NTLMSSP_NEGOTIATE_UNICODE:
                     NTLMSSP_NEGOTIATE_OEM: 00000000|00000000|00000000|00000010
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN: 00000000|00000001|00000000|00000000
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO: 00000000|10000000|00000000|00000000
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
TargetName: NTTEST
    Maximum Length: 6
    Length: 6
    Offset: 48
    Buffer: 0x4e5454455354
Challenge: 0xc1a1f821fa7972cc
This is an extended Type 2 message:
Context?: 0x0000000000000000
ServerInfo:
    Maximum Length: 82
    Length: 82
    Offset: 54
    Buffer: 0x02000c004e00540054004500530054000100080054004500530054000400100074006500730074002e0063006f006d0003001a0074006500730074002e0074006500730074002e0063006f006d0000000000
     NT Domain: NTTEST
     NT Server: TEST
    DNS Domain: test.com
      DNS FQDN: test.test.com
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 02   00   00   00 |  |                   |
012| 06   00   06   00 |  |                   |
016| 30   00   00   00 |  | 0                 |
020| 06   82   81   00 |  |      ?    ?       |
024| c1   a1   f8   21 |  | ?    ?    ?    !  |
028| fa   79   72   cc |  | ?    y    r    ?  |
032| 00   00   00   00 |  |                   |
036| 00   00   00   00 |  |                   |
040| 52   00   52   00 |  | R         R       |
044| 36   00   00   00 |  | 6                 |
048| 4e   54   54   45 |  | N    T    T    E  |
052| 53   54   02   00 |  | S    T            |
056| 0c   00   4e   00 |  |           N       |
060| 54   00   54   00 |  | T         T       |
064| 45   00   53   00 |  | E         S       |
068| 54   00   01   00 |  | T                 |
072| 08   00   54   00 |  |           T       |
076| 45   00   53   00 |  | E         S       |
080| 54   00   04   00 |  | T                 |
084| 10   00   74   00 |  |           t       |
088| 65   00   73   00 |  | e         s       |
092| 74   00   2e   00 |  | t         .       |
096| 63   00   6f   00 |  | c         o       |
100| 6d   00   03   00 |  | m                 |
104| 1a   00   74   00 |  |           t       |
108| 65   00   73   00 |  | e         s       |
112| 74   00   2e   00 |  | t         .       |
116| 74   00   65   00 |  | t         e       |
120| 73   00   74   00 |  | s         t       |
124| 2e   00   63   00 |  | .         c       |
128| 6f   00   6d   00 |  | o         m       |
132| 00   00   00   00 |  |                   |
   ---------------------  ---------------------

-------------------------- Type 3 (Authenticate) Message -----------------------
Timestamp: 11:27:59.990 March 25, 2003
From Client: 192.168.49.130 (192.168.49.130)
To Server:   nttest (192.168.49.7)
This is a non-conformant Type 3 message.
LanManager Response:
    Maximum Length: 24
    Length: 24
    Offset: 69
    Buffer: 0xcea370301c1aad467565de763974fccd565934f18b9462cf
NT Response:
    Maximum Length: 0
    Length: 0
    Offset: 93
    Buffer: 
DomainName: NTTEST
    Maximum Length: 6
    Length: 6
    Offset: 52
    Buffer: 0x4e5454455354
UserName: EGLASS
    Maximum Length: 6
    Length: 6
    Offset: 58
    Buffer: 0x45474c415353
Workstation: WIN98
    Maximum Length: 5
    Length: 5
    Offset: 64
    Buffer: 0x57494e3938
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 03   00   00   00 |  |                   |
012| 18   00   18   00 |  |                   |
016| 45   00   00   00 |  | E                 |
020| 00   00   00   00 |  |                   |
024| 5d   00   00   00 |  | ]                 |
028| 06   00   06   00 |  |                   |
032| 34   00   00   00 |  | 4                 |
036| 06   00   06   00 |  |                   |
040| 3a   00   00   00 |  | :                 |
044| 05   00   05   00 |  |                   |
048| 40   00   00   00 |  | @                 |
052| 4e   54   54   45 |  | N    T    T    E  |
056| 53   54   45   47 |  | S    T    E    G  |
060| 4c   41   53   53 |  | L    A    S    S  |
064| 57   49   4e   39 |  | W    I    N    9  |
068| 38   ce   a3   70 |  | 8    ?    ?    p  |
072| 30   1c   1a   ad |  | 0              ?  |
076| 46   75   65   de |  | F    u    e    ?  |
080| 76   39   74   fc |  | v    9    t    ?  |
084| cd   56   59   34 |  | ?    V    Y    4  |
088| f1   8b   94   62 |  | ?    ?    ?    b  |
092| cf                |  | ?                 |
   ---------------------  ---------------------


6.  Automatic authentication of a Windows 2000 client against a patched jCIFS filter

This is what the Windows 2000 authentication looks like when jCIFS has been patched.  Note that the Type 2 message is conformant.  This is effectively the simplest possible Type 2 message.
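The conformant/extended distinction drawn above is the part a parser most often gets wrong: the conformant Type 2 message is nothing more than the 32-byte header (signature, type, TargetName security buffer, flags, challenge), whereas the extended form sent by the unpatched server in the preceding scenario adds an 8-byte context and a second security buffer at offset 40 pointing at the target-info list. The following Python parser is an added example written for this edit; it is not code from jCIFS or from the attached NTLMAnalysis.java. It handles both forms, refuses any security buffer whose offset and length reach outside the message, and is fed with the two Type 2 messages captured on this page. The flag names are the ones used in these dumps; for flags whose bit values the dumps do not show, the bit positions follow the standard NTLMSSP layout, which is an assumption here.

```python
"""NTLMSSP Type 2 (Challenge) parser: conformant and extended forms.

Added example, not jCIFS code.  Flag names are those used on this page; the bit
positions follow the standard NTLMSSP layout (assumed for bits the dumps omit).
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001

FLAGS = {1 << bit: "NTLMSSP_" + name for bit, name in [
    (0, "NEGOTIATE_UNICODE"), (1, "NEGOTIATE_OEM"), (2, "REQUEST_TARGET"),
    (4, "NEGOTIATE_SIGN"), (5, "NEGOTIATE_SEAL"), (6, "NEGOTIATE_DATAGRAM_STYLE"),
    (7, "NEGOTIATE_LM_KEY"), (8, "NEGOTIATE_NETWARE"), (9, "NEGOTIATE_NTLM"),
    (12, "NEGOTIATE_OEM_DOMAIN_SUPPLIED"), (13, "NEGOTIATE_OEM_WORKSTATION_SUPPLIED"),
    (14, "NEGOTIATE_LOCAL_CALL"), (15, "NEGOTIATE_ALWAYS_SIGN"),
    (16, "TARGET_TYPE_DOMAIN"), (17, "TARGET_TYPE_SERVER"), (18, "TARGET_TYPE_SHARE"),
    (19, "NEGOTIATE_NTLM2"), (20, "REQUEST_INIT_RESPONSE"), (21, "REQUEST_ACCEPT_RESPONSE"),
    (22, "REQUEST_NON_NT_SESSION_KEY"), (23, "NEGOTIATE_TARGET_INFO"),
    (29, "NEGOTIATE_128"), (30, "NEGOTIATE_KEY_EXCH")]}

# Target-info item types, named as the analysis output on this page names them.
TARGET_INFO_TYPES = {1: "NT Server", 2: "NT Domain", 3: "DNS FQDN", 4: "DNS Domain"}


def decode_flags(flags):
    """Names of the set bits, plus Unknown(...) for any bit without a name."""
    names = [name for bit, name in sorted(FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(FLAGS)
    return names + (["Unknown(0x%08x)" % unknown] if unknown else [])


def read_security_buffer(msg, pos):
    """Resolve the (length, max length, offset) descriptor at pos to its bytes.
    A descriptor that reaches outside the message is rejected, never read past."""
    if pos + 8 > len(msg):
        raise ValueError("security buffer descriptor at %d is truncated" % pos)
    length, _max_length, offset = struct.unpack_from("<HHI", msg, pos)
    if length == 0:
        return b""
    if offset + length > len(msg):
        raise ValueError("security buffer at %d points outside the message" % pos)
    return bytes(msg[offset:offset + length])


def parse_target_info(data):
    """Walk (type, length, value) items; values are UTF-16LE; type 0 terminates."""
    items, pos = {}, 0
    while pos + 4 <= len(data):
        av_type, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_type == 0:
            return items
        if pos + av_len > len(data):
            raise ValueError("target info item type %d runs past its buffer" % av_type)
        name = TARGET_INFO_TYPES.get(av_type, "type %d" % av_type)
        items[name] = data[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    raise ValueError("target info has no terminating item")


def parse_type2(msg):
    """Parse a Type 2 message into a dict; raise ValueError on malformed input."""
    if len(msg) < 32 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message, or shorter than the 32-byte header")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError("expected Type 2, got Type %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, 20)
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)
    # The header is 32 bytes in the conformant form; it only extends to 48 bytes
    # (context + target info descriptor) if no payload starts before offset 48.
    payload_start = name_off if name_len else len(msg)
    extended = len(msg) >= 48 and payload_start >= 48
    # The target name is UTF-16LE only if UNICODE was negotiated, else OEM text.
    name = read_security_buffer(msg, 12)
    result = {
        "flags": flags,
        "flag_names": decode_flags(flags),
        "challenge": bytes(msg[24:32]),
        "target_name": name.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"),
        "extended": extended,
    }
    if extended:
        result["context"] = bytes(msg[32:40])
        result["target_info"] = parse_target_info(read_security_buffer(msg, 40))
    return result


# The two Type 2 messages captured on this page (transcribed from the hex dumps).
EXTENDED_TYPE2 = bytes.fromhex(
    "4e544c4d53535000" "02000000"                  # signature, type 2
    "0600060030000000"                             # TargetName: len 6, offset 48
    "06828100" "c1a1f821fa7972cc"                  # flags 0x00818206, challenge
    "0000000000000000" "5200520036000000"          # context; TargetInfo: len 82, offset 54
    "4e5454455354"                                 # "NTTEST" (OEM)
    "02000c004e0054005400450053005400"             # NT Domain "NTTEST"
    "010008005400450053005400"                     # NT Server "TEST"
    "0400100074006500730074002e0063006f006d00"     # DNS Domain "test.com"
    "03001a0074006500730074002e0074006500730074002e0063006f006d00"  # DNS FQDN
    "00000000")                                    # terminator
CONFORMANT_TYPE2 = bytes.fromhex(
    "4e544c4d53535000" "02000000" "0000000000000000" "01020000" "8177d9744d64492e")
```

Call parse_type2() on either captured message: the extended one yields the four target-info items and the OEM target name "NTTEST", the conformant one yields an empty target name, flags 0x201 and the challenge alone. Truncating the extended message makes the target-info descriptor point past the end, and the parser raises ValueError instead of reading off the end of the buffer; decode_flags() on the Windows 2000 Type 1 flags 0x8000b207 reports the high bit as Unknown, as the analysis output on this page does.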

-------------------------- Type 1 (Negotiate) Message --------------------------
Timestamp: 20:52:11.818 March 25, 2003
From Client: 192.168.49.134 (192.168.49.134)
To Server:   nttest (192.168.49.7)
Flags: 0x8000b207                          (10000000|00000000|10110010|00000111)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM: 00000000|00000000|00000000|00000010
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED: 00000000|00000000|00010000|00000000
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED: 00000000|00000000|00100000|00000000
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO:
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
                                   Unknown: 10000000|00000000|00000000|00000000
This is an extended Type 1 message.
Supplied Domain: NTTEST
    Maximum Length: 6
    Length: 6
    Offset: 40
    Buffer: 0x4e5454455354
Supplied Workstation: WIN2KPRO
    Maximum Length: 8
    Length: 8
    Offset: 32
    Buffer: 0x57494e324b50524f
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 01   00   00   00 |  |                   |
012| 07   b2   00   80 |  |      ?         ?  |
016| 06   00   06   00 |  |                   |
020| 28   00   00   00 |  | (                 |
024| 08   00   08   00 |  |                   |
028| 20   00   00   00 |  |                   |
032| 57   49   4e   32 |  | W    I    N    2  |
036| 4b   50   52   4f |  | K    P    R    O  |
040| 4e   54   54   45 |  | N    T    T    E  |
044| 53   54           |  | S    T            |
   ---------------------  ---------------------

-------------------------- Type 2 (Challenge) Message --------------------------
Timestamp: 20:52:13.801 March 25, 2003
From Server: nttest (192.168.49.7)
To Client:   192.168.49.134 (192.168.49.134)
Flags: 0x00000201                          (00000000|00000000|00000010|00000001)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM:
                    NTLMSSP_REQUEST_TARGET:
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN:
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO:
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
TargetName: 
    Maximum Length: 0
    Length: 0
    Offset: 0
    Buffer: 
Challenge: 0x8177d9744d64492e
This is a conformant Type 2 message.
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 02   00   00   00 |  |                   |
012| 00   00   00   00 |  |                   |
016| 00   00   00   00 |  |                   |
020| 01   02   00   00 |  |                   |
024| 81   77   d9   74 |  | ?    w    ?    t  |
028| 4d   64   49   2e |  | M    d    I    .  |
   ---------------------  ---------------------

-------------------------- Type 3 (Authenticate) Message -----------------------
Timestamp: 20:52:13.921 March 25, 2003
From Client: 192.168.49.134 (192.168.49.134)
To Server:   nttest (192.168.49.7)
Flags: 0x00000205                          (00000000|00000000|00000010|00000101)
                 NTLMSSP_NEGOTIATE_UNICODE: 00000000|00000000|00000000|00000001
                     NTLMSSP_NEGOTIATE_OEM:
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN:
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO:
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
This is a conformant Type 3 message.
LanManager Response:
    Maximum Length: 24
    Length: 24
    Offset: 104
    Buffer: 0xcdab3c8c4d4ccfca54e704ae08e17eba394f1b6c90458803
NT Response:
    Maximum Length: 24
    Length: 24
    Offset: 128
    Buffer: 0xa40df194cd513de502d4e49d388776e589053b9d6dc21879
DomainName: NTTEST
    Maximum Length: 12
    Length: 12
    Offset: 64
    Buffer: 0x4e0054005400450053005400
UserName: eglass
    Maximum Length: 12
    Length: 12
    Offset: 76
    Buffer: 0x650067006c00610073007300
Workstation: WIN2KPRO
    Maximum Length: 16
    Length: 16
    Offset: 88
    Buffer: 0x570049004e0032004b00500052004f00
SessionKey:
    Maximum Length: 0
    Length: 0
    Offset: 152
    Buffer: 
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 03   00   00   00 |  |                   |
012| 18   00   18   00 |  |                   |
016| 68   00   00   00 |  | h                 |
020| 18   00   18   00 |  |                   |
024| 80   00   00   00 |  | ?                 |
028| 0c   00   0c   00 |  |                   |
032| 40   00   00   00 |  | @                 |
036| 0c   00   0c   00 |  |                   |
040| 4c   00   00   00 |  | L                 |
044| 10   00   10   00 |  |                   |
048| 58   00   00   00 |  | X                 |
052| 00   00   00   00 |  |                   |
056| 98   00   00   00 |  | ?                 |
060| 05   02   00   00 |  |                   |
064| 4e   00   54   00 |  | N         T       |
068| 54   00   45   00 |  | T         E       |
072| 53   00   54   00 |  | S         T       |
076| 65   00   67   00 |  | e         g       |
080| 6c   00   61   00 |  | l         a       |
084| 73   00   73   00 |  | s         s       |
088| 57   00   49   00 |  | W         I       |
092| 4e   00   32   00 |  | N         2       |
096| 4b   00   50   00 |  | K         P       |
100| 52   00   4f   00 |  | R         O       |
104| cd   ab   3c   8c |  | ?    ?    <    ?  |
108| 4d   4c   cf   ca |  | M    L    ?    ?  |
112| 54   e7   04   ae |  | T    ?         ?  |
116| 08   e1   7e   ba |  |      ?    ~    ?  |
120| 39   4f   1b   6c |  | 9    O         l  |
124| 90   45   88   03 |  | ?    E    ?       |
128| a4   0d   f1   94 |  | ?         ?    ?  |
132| cd   51   3d   e5 |  | ?    Q    =    ?  |
136| 02   d4   e4   9d |  |      ?    ?    ?  |
140| 38   87   76   e5 |  | 8    ?    v    ?  |
144| 89   05   3b   9d |  | ?         ;    ?  |
148| 6d   c2   18   79 |  | m    ?         y  |
   ---------------------  ---------------------


7.  Automatic authentication of a Windows 98 client against a patched jCIFS filter

This is what the Windows 98 authentication looks like when jCIFS has been patched.

-------------------------- Type 1 (Negotiate) Message --------------------------
Timestamp: 21:28:28.858 March 25, 2003
From Client: 192.168.49.135 (192.168.49.135)
To Server:   nttest (192.168.49.7)
Flags: 0x00008206                          (00000000|00000000|10000010|00000110)
                 NTLMSSP_NEGOTIATE_UNICODE:
                     NTLMSSP_NEGOTIATE_OEM: 00000000|00000000|00000000|00000010
                    NTLMSSP_REQUEST_TARGET: 00000000|00000000|00000000|00000100
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN: 00000000|00000000|10000000|00000000
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO:
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
This is a conformant Type 1 message.
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 01   00   00   00 |  |                   |
012| 06   82   00   00 |  |      ?            |
016| 00   00   00   00 |  |                   |
020| 00   00   00   00 |  |                   |
024| 00   00   00   00 |  |                   |
028| 00   00   00   00 |  |                   |
032| 00   00   00   00 |  |                   |
036| 30   00   00   00 |  | 0                 |
040| 00   00   00   00 |  |                   |
044| 30   00   00   00 |  | 0                 |
   ---------------------  ---------------------

-------------------------- Type 2 (Challenge) Message --------------------------
Timestamp: 21:28:29.209 March 25, 2003
From Server: nttest (192.168.49.7)
To Client:   192.168.49.135 (192.168.49.135)
Flags: 0x00000202                          (00000000|00000000|00000010|00000010)
                 NTLMSSP_NEGOTIATE_UNICODE:
                     NTLMSSP_NEGOTIATE_OEM: 00000000|00000000|00000000|00000010
                    NTLMSSP_REQUEST_TARGET:
                    NTLMSSP_NEGOTIATE_SIGN:
                    NTLMSSP_NEGOTIATE_SEAL:
          NTLMSSP_NEGOTIATE_DATAGRAM_STYLE:
                  NTLMSSP_NEGOTIATE_LM_KEY:
                 NTLMSSP_NEGOTIATE_NETWARE:
                    NTLMSSP_NEGOTIATE_NTLM: 00000000|00000000|00000010|00000000
     NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
              NTLMSSP_NEGOTIATE_LOCAL_CALL:
             NTLMSSP_NEGOTIATE_ALWAYS_SIGN:
                NTLMSSP_TARGET_TYPE_DOMAIN:
                NTLMSSP_TARGET_TYPE_SERVER:
                 NTLMSSP_TARGET_TYPE_SHARE:
                   NTLMSSP_NEGOTIATE_NTLM2:
             NTLMSSP_REQUEST_INIT_RESPONSE:
           NTLMSSP_REQUEST_ACCEPT_RESPONSE:
        NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
             NTLMSSP_NEGOTIATE_TARGET_INFO:
                     NTLMSSP_NEGOTIATE_128:
                NTLMSSP_NEGOTIATE_KEY_EXCH:
TargetName: 
    Maximum Length: 0
    Length: 0
    Offset: 0
    Buffer: 
Challenge: 0x669576b10db13840
This is a conformant Type 2 message.
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 02   00   00   00 |  |                   |
012| 00   00   00   00 |  |                   |
016| 00   00   00   00 |  |                   |
020| 02   02   00   00 |  |                   |
024| 66   95   76   b1 |  | f    ?    v    ?  |
028| 0d   b1   38   40 |  |      ?    8    @  |
   ---------------------  ---------------------

-------------------------- Type 3 (Authenticate) Message -----------------------
Timestamp: 21:28:29.249 March 25, 2003
From Client: 192.168.49.135 (192.168.49.135)
To Server:   nttest (192.168.49.7)
This is a non-conformant Type 3 message.
LanManager Response:
    Maximum Length: 24
    Length: 24
    Offset: 69
    Buffer: 0x403ce08f3fc780a4ca4a6d588d4650d843904822a4f79272
NT Response:
    Maximum Length: 0
    Length: 0
    Offset: 93
    Buffer: 
DomainName: NTTEST
    Maximum Length: 6
    Length: 6
    Offset: 52
    Buffer: 0x4e5454455354
UserName: EGLASS
    Maximum Length: 6
    Length: 6
    Offset: 58
    Buffer: 0x45474c415353
Workstation: WIN98
    Maximum Length: 5
    Length: 5
    Offset: 64
    Buffer: 0x57494e3938
Message Body:
   __+0___+1___+2___+3__  __+0___+1___+2___+3__
000| 4e   54   4c   4d |  | N    T    L    M  |
004| 53   53   50   00 |  | S    S    P       |
008| 03   00   00   00 |  |                   |
012| 18   00   18   00 |  |                   |
016| 45   00   00   00 |  | E                 |
020| 00   00   00   00 |  |                   |
024| 5d   00   00   00 |  | ]                 |
028| 06   00   06   00 |  |                   |
032| 34   00   00   00 |  | 4                 |
036| 06   00   06   00 |  |                   |
040| 3a   00   00   00 |  | :                 |
044| 05   00   05   00 |  |                   |
048| 40   00   00   00 |  | @                 |
052| 4e   54   54   45 |  | N    T    T    E  |
056| 53   54   45   47 |  | S    T    E    G  |
060| 4c   41   53   53 |  | L    A    S    S  |
064| 57   49   4e   39 |  | W    I    N    9  |
068| 38   40   3c   e0 |  | 8    @    <    ?  |
072| 8f   3f   c7   80 |  | ?    ?    ?    ?  |
076| a4   ca   4a   6d |  | ?    ?    J    m  |
080| 58   8d   46   50 |  | X    ?    F    P  |
084| d8   43   90   48 |  | ?    C    ?    H  |
088| 22   a4   f7   92 |  | "    ?    ?    ?  |
092| 72                |  | r                 |
   ---------------------  ---------------------
