NTLMSSP negotiate format in sessetup response...revised again...and join success!

Jim McDonough jmcd at us.ibm.com
Thu Aug 15 05:49:00 GMT 2002


Ok, I've filled out a little more of this exchange:
Arriving in the first session setup:
0000 "NTLMSSP" (in ascii, null-terminated)
0008 int32 command  1 (negotiate) (1=neg 2=chal 3=auth)
000c int32 Negotiate flags
0010 header info for ascii netbios domain name (int16 len, int16 len, int32
offset)
0018 header info for ascii netbios client machine name (int16 len, int16
len, int32 offset)
end of header, followed by:
ascii machine and domain names (no null termination)

The ascii machine and domain names can be empty (leaving 16 bytes of zeroes
in the header, and no data following)

And the response is:
0000 "NTLMSSP"
0008 int32 command 2 (challenge)
000c header info for Unicode netbios domain name (int16 len, int16 len,
int32 offset)
0014 int32 negotiate flags
0018 8 byte crypt key
0020 8 bytes of zero
0028 header info for ntlmssp domain/server info (int16 len, int16 len,
int32 offset)
end of header
0030 unicode netbios domain name (header info at 000c above)
ntlmssp domain/server info array, containing items of the format:
int16 type (1=netbios server name, 2=netbios domain name, 3=dns server name
(including domain), 4=dns domain name)
int16 len
unicode string (no null termination)
This array is terminated by a uint32 of zeroes (probably type 0, length 0).
.....can someone with a netbiosless setup send me a capture of this
packet?...

Next, from the client, comes:
0000 "NTLMSSP"
0008 int32 command 3 (auth)
000c header info for 24-byte lm hash (int16 len, int16 len, int32 offset)
0014 header info for 24-byte nt hash  (int16 len, int16 len, int32 offset)
001c header info for unicode domain name (int16 len, int16 len, int32
offset)
0024 header info for unicode user name (int16 len, int16 len, int32 offset)
002c header info for unicode client machine name (int16 len, int16 len,
int32 offset)
0034 header info for session key (int16 len, int16 len, int32 offset)
003c int32 negotiate flags
followed by the info pointed to in the header items

The response is not in NTLMSSP, but the asn.1 syntax is:
context[1](sequence[0](context[0](enumerated(0))))
Or a107 3005, a003, 0a0100

Without this last response, it won't work...
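A builder/parser pair for the three NTLMSSP messages laid out above and the closing SPNEGO token, written here as an added example (not code from the post or from Samba) so a capture can be checked against the offsets the post gives. Assumptions beyond the post: offsets count from the start of the message, the second int16 of each header is filled with the same value as the length, an empty field gets length 0 and offset 0 (the post's "16 bytes of zeroes"), and the names and challenge bytes used in the comments and tests are constructed.

```python
import struct

# Layout of the three NTLMSSP messages as the post describes them, offsets
# from the start of each message. Sample values are constructed, not captured.
SIGNATURE = b"NTLMSSP\x00"          # "NTLMSSP", null-terminated (8 bytes)
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
TARGET_INFO_TYPES = {1: "nb_server", 2: "nb_domain", 3: "dns_server", 4: "dns_domain"}

def _hdr(length, offset):
    # "header info": int16 len, int16 len, int32 offset.
    # Assumption: both int16 fields carry the same length.
    return struct.pack("<HHI", length, length, offset)

def _buf(msg, at):
    # Follow a header at `at` to the bytes it points at, refusing to read past
    # the end of the message (a truncated or malformed capture).
    length, _length2, offset = struct.unpack_from("<HHI", msg, at)
    if offset + length > len(msg):
        raise ValueError("header at 0x%x points outside the message" % at)
    return msg[offset:offset + length]

def _check(msg, expected_cmd):
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    cmd = struct.unpack_from("<I", msg, 8)[0]
    if cmd != expected_cmd:
        raise ValueError("expected command %d, got %d" % (expected_cmd, cmd))

def _pack_fields(fields, header_end):
    # Lay the variable-length fields out after the fixed header, in order;
    # an empty field gets len 0 / offset 0 (the post's "16 bytes of zeroes").
    hdrs, body, off = b"", b"", header_end
    for f in fields:
        hdrs += _hdr(len(f), off if f else 0)
        body += f
        off += len(f)
    return hdrs, body

def build_negotiate(flags, domain=b"", workstation=b""):
    # 0000 sig, 0008 cmd, 000c flags, 0010 domain hdr, 0018 workstation hdr, 0020 data
    hdrs, body = _pack_fields([domain, workstation], 0x20)
    return SIGNATURE + struct.pack("<II", NEGOTIATE, flags) + hdrs + body

def parse_negotiate(msg):
    _check(msg, NEGOTIATE)
    return {"flags": struct.unpack_from("<I", msg, 0x0c)[0],
            "domain": _buf(msg, 0x10).decode("ascii"),        # ascii, no NUL
            "workstation": _buf(msg, 0x18).decode("ascii")}

def build_challenge(flags, challenge, target_name, target_info):
    # 000c target name hdr, 0014 flags, 0018 8-byte crypt key, 0020 8 zero
    # bytes, 0028 target info hdr, 0030 data. target_info: list of (type, str).
    if len(challenge) != 8:
        raise ValueError("crypt key must be 8 bytes")
    tname = target_name.encode("utf-16-le")
    tinfo = b"".join(struct.pack("<HH", t, len(s.encode("utf-16-le")))
                     + s.encode("utf-16-le") for t, s in target_info)
    tinfo += bytes(4)                   # terminated by a uint32 of zeroes
    hdrs, body = _pack_fields([tname, tinfo], 0x30)
    return (SIGNATURE + struct.pack("<I", CHALLENGE) + hdrs[:8]
            + struct.pack("<I", flags) + challenge + bytes(8) + hdrs[8:] + body)

def parse_challenge(msg):
    _check(msg, CHALLENGE)
    tinfo, items, pos = _buf(msg, 0x28), [], 0
    while True:
        if pos + 4 > len(tinfo):
            raise ValueError("target info not terminated by a zero uint32")
        t, n = struct.unpack_from("<HH", tinfo, pos)
        pos += 4
        if t == 0 and n == 0:
            break
        items.append((t, tinfo[pos:pos + n].decode("utf-16-le")))
        pos += n
    return {"target_name": _buf(msg, 0x0c).decode("utf-16-le"),
            "flags": struct.unpack_from("<I", msg, 0x14)[0],
            "challenge": msg[0x18:0x20], "target_info": items}

def build_authenticate(flags, lm_resp, nt_resp, domain, user, workstation, session_key=b""):
    # 000c lm, 0014 nt, 001c domain, 0024 user, 002c workstation, 0034 session
    # key headers, 003c flags, 0040 data. lm_resp/nt_resp are the post's
    # 24-byte "lm hash"/"nt hash" buffers (the client's responses to the key).
    fields = [lm_resp, nt_resp] + [s.encode("utf-16-le") for s in (domain, user, workstation)]
    hdrs, body = _pack_fields(fields + [session_key], 0x40)
    return SIGNATURE + struct.pack("<I", AUTHENTICATE) + hdrs + struct.pack("<I", flags) + body

def parse_authenticate(msg):
    _check(msg, AUTHENTICATE)
    return {"lm_resp": _buf(msg, 0x0c), "nt_resp": _buf(msg, 0x14),
            "domain": _buf(msg, 0x1c).decode("utf-16-le"),
            "user": _buf(msg, 0x24).decode("utf-16-le"),
            "workstation": _buf(msg, 0x2c).decode("utf-16-le"),
            "session_key": _buf(msg, 0x34),
            "flags": struct.unpack_from("<I", msg, 0x3c)[0]}

def _der(tag, content):
    return bytes([tag, len(content)]) + content   # DER TLV, short-form length only

def spnego_accept_completed():
    # context[1](sequence(context[0](enumerated(0)))) -> a1 07 30 05 a0 03 0a 01 00
    return _der(0xA1, _der(0x30, _der(0xA0, _der(0x0A, b"\x00"))))
```

Feed `parse_negotiate`, `parse_challenge` or `parse_authenticate` the NTLMSSP blob extracted from a session setup and the returned dict shows the fields at the offsets above; a buffer whose header points past the end of the blob, or a target info array without its zero terminator, raises `ValueError` instead of reading garbage.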


Now, after responding with this, the AD join from a 2k client works (no
kerberos, no ldap).  I don't yet have the parsing of the ascii machine and
domain names on the first packet, so after the join (before which these are
empty), we can't logon (I'll work on this next).  But the join works, and
the client thinks we are an AD DC!


----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984