The contents of NTLMSSP blobs
Richard Sharpe
rsharpe at ns.aus.com
Sun Sep 1 16:39:00 GMT 2002
Hi,

The contents of the NTLMSSP blobs look interesting ... The NTLMSSP
Negotiate blob contains the flags and the Calling workstation and calling
domain in ASCII. This looks very much like NDR encoded stuff.

When it comes to the NTLMSSP challenge, apart from the challenge itself,
it also contains what looks like an NDR encoded top level ref to the
domain, this time in UCS2-LE, and then another NDR encoded top level ref
to what looks like another BLOB. This blob seems to contain:

USHORT: 00 02
USHORT: Length of next string (UCS2-LE)
UCS2-LE string: DOMAIN NAME in upper case
USHORT: 00 01
USHORT: Length of next string (UCS2-LE)
UCS2-LE string: Server name in upper case
ULONG: 00 00 00 04
USHORT: 00 03
USHORT: Length of next string (UCS2-LE)
UCS2-LE string: server name in lower case with period (.) on end
ULONG: 00 00 00 00

Then the NTLMSSP AUTH seems to contain NDR encoded stuff again.

Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org,
sharpe at ethereal.com
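
The blob layout listed in the message above, as an added example that is not part of the original post: a bounds-checked Python parser over a constructed sample. It generalizes the listing by reading every entry as a little-endian (USHORT type, USHORT length, UCS2-LE string) record, so the two ULONG values read as type 4 with length 0 and a type 0, length 0 terminator. Assumptions: lengths are counted in bytes, and the function names and sample names are hypothetical.

```python
import struct


def parse_target_blob(blob):
    """Return [(type, string), ...] for each record before the terminator.

    Assumed record layout: USHORT type, USHORT length in bytes, then
    'length' bytes of UCS2-LE text; a type 0 / length 0 record ends the blob.
    """
    items = []
    off = 0
    while True:
        # The length fields come off the wire, so check before every read.
        if off + 4 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = struct.unpack_from("<HH", blob, off)
        off += 4
        if rtype == 0:
            if rlen != 0:
                raise ValueError("terminator carries a non-zero length")
            return items
        if rlen % 2:
            raise ValueError("odd byte length %d for a UCS2-LE string" % rlen)
        if off + rlen > len(blob):
            raise ValueError("record at offset %d overruns the blob" % (off - 4))
        items.append((rtype, blob[off:off + rlen].decode("utf-16-le")))
        off += rlen


def build_record(rtype, text):
    """Encode one record; used only to construct the sample below."""
    raw = text.encode("utf-16-le")
    return struct.pack("<HH", rtype, len(raw)) + raw


# Constructed sample in the order the message lists (names are made up).
SAMPLE = (
    build_record(2, "EXAMPLEDOM")    # domain name, upper case
    + build_record(1, "FILESRV")     # server name, upper case
    + build_record(4, "")            # the bytes 04 00 00 00
    + build_record(3, "filesrv.")    # lower-case server name with trailing period
    + struct.pack("<HH", 0, 0)       # the bytes 00 00 00 00
)

if __name__ == "__main__":
    for rtype, value in parse_target_blob(SAMPLE):
        print(rtype, repr(value))
```
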
More information about the samba-technical
mailing list