NTLMSSP negotiate format in sessetup response...revised

Jim McDonough jmcd at us.ibm.com
Wed Aug 14 08:44:02 GMT 2002

A little too quick last time...the lengths and tags? on the strings are
only one byte:

I think we've got the NTLMSSP negotiate response incorrect.  Here's what I
see in windows:
0000 "NTLMSSP"
0008 2 (challenge)
000c two int16s, containing domain length (number of bytes in unicode)
0010 0x00000030
0014 negotiate flags
0018 8-byte crypt key
0020 8-bytes of 0
0028 two int16s containing remaining legnth, followed by a dword containing
0030 Unicode domain name (not terminated, no length preceding it, since it
was above)
followed by:
int8 0x02 int8 bytelen, Unicode domain name
int8 0x01 int8 bytelen, Unicode server name
int8 0x04 int8 bytelen, unicode dns domain name
int8 0x03 int8 bytelen, unicode full dns server name (including domain)
int32 0

Then the packet is included again...

Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984

More information about the samba-technical mailing list