Extended security - new NTLMSSP structure?

Mayers, Philip J p.mayers at ic.ac.uk
Thu Mar 15 15:00:02 GMT 2001


I've come up against a problem when trying to get the extended security
working (again).

Win2K sends an NTLMSSP neg packet like this:

[000] 4E 54 4C 4D 53 53 50 00  01 00 00 00 97 B2 08 E0  NTLMSSP. ........
[010] 03 00 03 00 28 00 00 00  08 00 08 00 20 00 00 00  ....(... .... ...
[020] 57 49 4C 44 46 49 52 45  4E 45 54 57 00 69 00 6E  WILDFIRE NETW.i.n
[030] 00 64 00 6F 00 77 00 73  00 20 00 32 00 30 00 30  .d.o.w.s . .2.0.0
[040] 00 30 00 20 00 32 00 31  00 39 00 35 00 00 00 57  .0. .2.1 .9.5...W
[050] 00 69 00 6E 00 64 00 6F  00 77 00 73 00 20 00 32  .i.n.d.o .w.s. .2
[060] 00 30 00 30 00 30 00 20  00 35 00 2E 00 30 00 00  .0.0.0.  .5...0..
[070] 00 00 00                                          ...

Decoding to:

000000 smb_io_rpc_auth_verifier ntlmssp_verifier
[000] 4E 54 4C 4D 53 53 50                              NTLMSSP
    0008 msg_type : 00000001
Maybe unencapsulated NTLMSSP
00000c smb_io_rpc_auth_ntlmssp_neg ntlmssp_neg
    000c neg_flgs : e008b297
  NEGOTIATE_UNICODE = yes
  NEGOTIATE_OEM = yes
  REQUEST_TARGET = yes
  NEGOTIATE_SIGN = yes
  NEGOTIATE_SEAL = no
  NEGOTIATE_DATAGRAM = no
  NEGOTIATE_LM_KEY = yes
  NEGOTIATE_NETWARE = no
  NEGOTIATE_NTLM = yes
  NEGOTIATE_OEM_DOMAIN_SUPPLIED = yes
  NEGOTIATE_OEM_WORKSTATION_SUPPLIED = yes
  NEGOTIATE_LOCAL_CALL = no
  NEGOTIATE_ALWAYS_SIGN = yes
  TARGET_TYPE_DOMAIN = no
  TARGET_TYPE_SERVER = no
  TARGET_TYPE_SHARE = no
  NEGOTIATE_NTLM2 = yes
  REQUEST_INIT_RESPONSE = no
  REQUEST_ACCEPT_RESPONSE = no
  REQUEST_NON_NT_SESSION_KEY = no
  NEGOTIATE_TARGET_INFO = no
  NEGOTIATE_128 = yes
  NEGOTIATE_KEY_EXCH = yes
    000010 smb_io_strhdr hdr_domain
        0010 str_str_len: 0003
        0012 str_max_len: 0003
        0014 buffer     : 00000028
    000018 smb_io_strhdr hdr_myname
        0018 str_str_len: 0008
        001a str_max_len: 0008
        001c buffer     : 00000020
    0020 myname: WILDFIRE
    0028 domain: NET

Note the "REQUEST_TARGET = yes" function. Now, Win2K's response to such a
function is like this:

[000] 4E 54 4C 4D 53 53 50 00  02 00 00 00 10 00 10 00  NTLMSSP. ........
[010] 30 00 00 00 B5 82 82 00  16 4A 5A 5D E6 DF 06 12  0....... .JZ]....
[020] 00 00 00 00 00 00 00 00  88 00 88 00 40 00 00 00  ........ ....@...
[030] 57 00 49 00 4C 00 44 00  46 00 49 00 52 00 45 00  W.I.L.D. F.I.R.E.
[040] 02 00 10 00 57 00 49 00  4C 00 44 00 46 00 49 00  ....W.I. L.D.F.I.
[050] 52 00 45 00 01 00 10 00  57 00 49 00 4C 00 44 00  R.E..... W.I.L.D.
[060] 46 00 49 00 52 00 45 00  04 00 2A 00 77 00 69 00  F.I.R.E. ..*.w.i.
[070] 6C 00 64 00 66 00 69 00  72 00 65 00 2E 00 4E 00  l.d.f.i. r.e...N.
[080] 45 00 54 00 2E 00 49 00  43 00 2E 00 41 00 43 00  E.T...I. C...A.C.
[090] 2E 00 55 00 4B 00 03 00  2A 00 77 00 69 00 6C 00  ..U.K... *.w.i.l.
[0A0] 64 00 66 00 69 00 72 00  65 00 2E 00 4E 00 45 00  d.f.i.r. e...N.E.
[0B0] 54 00 2E 00 49 00 43 00  2E 00 41 00 43 00 2E 00  T...I.C. ..A.C...
[0C0] 55 00 4B 00 00 00 00 00  00 57 00 69 00 6E 00 64  U.K..... .W.i.n.d
[0D0] 00 6F 00 77 00 73 00 20  00 35 00 2E 00 30 00 00  .o.w.s.  .5...0..
[0E0] 00 57 00 69 00 6E 00 64  00 6F 00 77 00 73 00 20  .W.i.n.d .o.w.s.
[0F0] 00 32 00 30 00 30 00 30  00 20 00 4C 00 41 00 4E  .2.0.0.0 . .L.A.N
[100] 00 20 00 4D 00 61 00 6E  00 61 00 67 00 65 00 72  . .M.a.n .a.g.e.r
[110] 00 00                                             ..

Which decodes to:

000000 smb_io_rpc_auth_verifier NTLMSSP authv
[000] 4E 54 4C 4D 53 53 50                              NTLMSSP
    0008 msg_type : 00000002
00000c smb_io_rpc_auth_ntlmssp_chal NTLMSSP challenge
    00000c smb_io_strhdr hdr_target
        000c str_str_len: 0010
        000e str_max_len: 0010
        0010 buffer     : 00000030
    0014 neg_flags: 008282b5
  NEGOTIATE_UNICODE = yes
  NEGOTIATE_OEM = no
  REQUEST_TARGET = yes
  NEGOTIATE_SIGN = yes
  NEGOTIATE_SEAL = yes
  NEGOTIATE_DATAGRAM = no
  NEGOTIATE_LM_KEY = yes
  NEGOTIATE_NETWARE = no
  NEGOTIATE_NTLM = yes
  NEGOTIATE_OEM_DOMAIN_SUPPLIED = no
  NEGOTIATE_OEM_WORKSTATION_SUPPLIED = no
  NEGOTIATE_LOCAL_CALL = no
  NEGOTIATE_ALWAYS_SIGN = yes
  TARGET_TYPE_DOMAIN = no
  TARGET_TYPE_SERVER = yes
  TARGET_TYPE_SHARE = no
  NEGOTIATE_NTLM2 = no
  REQUEST_INIT_RESPONSE = yes
  REQUEST_ACCEPT_RESPONSE = yes
  REQUEST_NON_NT_SESSION_KEY = yes
  NEGOTIATE_TARGET_INFO = yes
  NEGOTIATE_128 = no
  NEGOTIATE_KEY_EXCH = no
    0018 challenge: 16 4a 5a 5d e6 df 06 12
    0020 reserved : 00 00 00 00 00 00 00 00
Got a server-side context (8 bytes), reading it
    0028 ctxt_lower: 00880088
    002c ctxt_upper: 00000040
    0030 target: W.I.L.D.F.I.R.E.


The server-side context is clearly a STRHDR-like object, and the data it
points to looks like this:

[040] 02 00 10 00 57 00 49 00  4C 00 44 00 46 00 49 00  ....W.I. L.D.F.I.
[050] 52 00 45 00 01 00 10 00  57 00 49 00 4C 00 44 00  R.E..... W.I.L.D.
[060] 46 00 49 00 52 00 45 00  04 00 2A 00 77 00 69 00  F.I.R.E. ..*.w.i.
[070] 6C 00 64 00 66 00 69 00  72 00 65 00 2E 00 4E 00  l.d.f.i. r.e...N.
[080] 45 00 54 00 2E 00 49 00  43 00 2E 00 41 00 43 00  E.T...I. C...A.C.
[090] 2E 00 55 00 4B 00 03 00  2A 00 77 00 69 00 6C 00  ..U.K... *.w.i.l.
[0A0] 64 00 66 00 69 00 72 00  65 00 2E 00 4E 00 45 00  d.f.i.r. e...N.E.
[0B0] 54 00 2E 00 49 00 43 00  2E 00 41 00 43 00 2E 00  T...I.C. ..A.C...
[0C0] 55 00 4B 00 00 00 00 00

I need to return just such a structure by the looks of it. Any ideas?

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+  
