NTLMSSP in Extended security negotiation...

Mayers, Philip J p.mayers at ic.ac.uk
Sun Nov 5 15:49:44 GMT 2000


More info - after discovering that none of the Win2K computer labs are open
here in work over the weekend (WTF is all that about?!) I changed the name
of my machine and rebooted:

Expecting extended-security Sesssetup
Security blob in session setup:
[000] 4E 54 4C 4D 53 53 50 00  01 00 00 00 97 B2 08 E0  NTLMSSP. ........
[010] 03 00 03 00 28 00 00 00  08 00 08 00 20 00 00 00  ....(... .... ...
[020] 57 49 4C 44 46 49 52 45  4E 45 54                 WILDFIRE NET
Strings in session setup:
[000] 57 69 6E 64 6F 77 73 20  32 30 30 30 20 32 31 39  Windows  2000 219
[010] 35 00 57 69 6E 64 6F 77  73 20 32 30 30 30 20 35  5.Window s 2000 5
[020] 2E 30 00 00                                       .0..
NTLM negotiation from security blob

Expecting extended-security Sesssetup
Security blob in session setup:
[000] 4E 54 4C 4D 53 53 50 00  01 00 00 00 97 B2 08 E0  NTLMSSP. ........
[010] 03 00 03 00 29 00 00 00  09 00 09 00 20 00 00 00  ....)... .... ...
[020] 57 49 4C 44 46 49 52 45  32 4E 45 54              WILDFIRE 2NET
Strings in session setup:
[000] 57 69 6E 64 6F 77 73 20  32 30 30 30 20 32 31 39  Windows  2000 219
[010] 35 00 57 69 6E 64 6F 77  73 20 32 30 30 30 20 35  5.Window s 2000 5
[020] 2E 30 00 00                                       .0..
NTLM negotiation from security blob


Ok, so I'm guessing there's a SHORT at 010 telling you the length of the
calling domain, this seems to be repeated at 012, and then a short (possibly
a long) telling you the offset into the data blob. Then the same thing for
the calling workstation. These look like UNICODE-type
length/maxlength/offset data.

That would also mean that (logically) the NTLMSSP is actually NTLMSSP<NUL>,
then 8 bytes of flags info (it's not the cryptkey, it's the same every time)
then the strings. Do we think that's correct?

Can anyone point me as to what the FLAGS are likely to be?


Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+  
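The layout guessed at above, worked through as an added example that is not part of this thread or of Samba's code: a bounds-checked parser for the NTLMSSP NEGOTIATE (Type 1) blob, run over the two blobs re-typed from the hex dumps. It decodes the 4 bytes after "NTLMSSP<NUL>" as the message type and the next 4 as the flags; the flag bit names are assumed from Microsoft's later-published MS-NLMP specification, not from the thread.

```python
import struct
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE = 1  # message type 1 = NEGOTIATE

# Flag bit names from MS-NLMP (subset; assumed from the spec, not from the thread).
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

def _security_buffer(blob, pos):
    """Decode the 8-byte length/maxlength/offset triple at pos and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, pos)
    # Strings are not NUL-terminated; a corrupt or hostile offset must not cause an overread.
    if offset + length > len(blob):
        raise ValueError(f"security buffer at {pos:#x} points outside the blob")
    return blob[offset:offset + length]

def parse_negotiate(blob):
    """Parse an NTLMSSP NEGOTIATE (Type 1) blob into flags, domain and workstation."""
    if len(blob) < 32 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", blob, 8)  # 4 bytes type, 4 bytes flags
    if msg_type != NTLMSSP_NEGOTIATE:
        raise ValueError(f"expected NEGOTIATE (1), got message type {msg_type}")
    return {
        "flags": flags,
        "flag_names": sorted(n for bit, n in NEGOTIATE_FLAGS.items() if flags & bit),
        "domain": _security_buffer(blob, 16).decode("ascii"),       # buffer at 0x10
        "workstation": _security_buffer(blob, 24).decode("ascii"),  # buffer at 0x18
    }

# The two blobs from the dumps above, re-typed as hex (WILDFIRE/NET and WILDFIRE2/NET).
BLOB_WILDFIRE = bytes.fromhex("4E544C4D53535000 01000000 97B208E0 03000300 28000000"
                              "08000800 20000000 57494C4446495245 4E4554")
BLOB_WILDFIRE2 = bytes.fromhex("4E544C4D53535000 01000000 97B208E0 03000300 29000000"
                               "09000900 20000000 57494C444649524532 4E4554")
```

With OEM_DOMAIN_SUPPLIED and OEM_WORKSTATION_SUPPLIED both set in 0xE008B297, the trailing WILDFIRE and NET strings are exactly what the two security buffers describe.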

-----Original Message-----
From: Mayers, Philip J [mailto:p.mayers at ic.ac.uk]
Sent: 05 November 2000 14:00
To: 'samba-technical at samba.org'
Subject: NTLMSSP in Extended security negotiation...


Ok, I need some outside input:

I am working on the extended security support - I've got the Flags2 and
Capabilities and NegProt working, but I'm stumbling at the Session setup. I
decided the best thing to do was implement NTLMSSP first, so the current
code goes like this:

NegProt request from Win2K - Flags2 has 0x0800 set)

NegProt reply from Samba - Flags2 has 0x0800 set, Capabilities has
0x80000000 set, and there's a 16-byte GUID where the 8-byte cryptkey & domain
strings normally go.

SesssetupAndX from Win2K, with:

Expecting extended-security Sesssetup
Security blob in session setup:
[000] 4E 54 4C 4D 53 53 50 00  01 00 00 00 97 B2 08 E0  NTLMSSP. ........
[010] 03 00 03 00 28 00 00 00  08 00 08 00 20 00 00 00  ....(... .... ...
[020] 57 49 4C 44 46 49 52 45  4E 45 54                 WILDFIRE NET
Strings in session setup:
[000] 57 69 6E 64 6F 77 73 20  32 30 30 30 20 32 31 39  Windows  2000 219
[010] 35 00 57 69 6E 64 6F 77  73 20 32 30 30 30 20 35  5.Window s 2000 5
[020] 2E 30 00 00                                       .0..
NTLM negotiation from security blob

Now what? As Craig Russ pointed out in his presentation at CIFS2000, all
NTLMSSP blobs begin "NTLMSSP" - is that 7 bytes, or 8 and a null-terminator?
Anyway, WILDFIRE is the name of my machine, and NET is the NetBIOS name of
the workgroup it's on (actually an MIT K5 domain NET.IC.AC.UK...) - those
values aren't null terminated, so I can't quite figure out how this blob
works...

Anyway, I can't really interpret the contents of the data following the
string. Quite why Microsoft couldn't have just used standard SNEGO/ASN.1 and
a real OID I don't know - they must have monkeys programming for them...

I've a packet trace if anyone thinks they can help... For now, I'm going to
hardcode these values into libsmb and get the next step out.

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+  
