The contents of NTLMSSP blobs

Richard Sharpe rsharpe at ns.aus.com
Mon Sep 2 11:52:01 GMT 2002


On Mon, 2 Sep 2002, Jim McDonough wrote:

> 
> >When it comes to the NTLMSSP challenge, apart from the challenge itself,
> >it also contains what looks like an NDR encoded top level ref to the
> >domain, this time in UCS2-LE, and then another NDR encoded top level ref
> >to what looks like another BLOB. This blob seems to contain:
> Richard,
> Please see my previous posting on this:
> http://marc.theaimsgroup.com/?l=samba-technical&m=102942293528502&w=2
> The middle describes the NTLMSSP challenge.  The ULONG of zeroes is the end
> of the list (address type 0, length 0).

Yes, thanks. I also noticed the code in head which expresses essentially 
the same things.
 
> It's probably time to gather the info up into one place, so we don't have
> too many people rediscovering the format...you and I are certainly not the
> first ones to do this.

I am interested in whether it looks like NDR Encoded stuff as well. I will 
probably spend a small amount of time getting the NTLMSSP dissector to 
decode it as NDR to see what it looks like.

The list description for the BLOB within the BLOB looks spot-on. How did 
you figure that one out?

Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com
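
The address list discussed in this message (entries ending in address type 0, length 0), as an added example that is not part of the original post or of the Samba or Ethereal code: a bounds-checked parser for the BLOB within the BLOB. The 16-bit type / 16-bit length layout and the meaning of types 1 to 4 are assumptions taken from the published MS-NLMP format, and the sample bytes are constructed.

```python
import struct

# Assumed entry layout (as documented in MS-NLMP, not stated in this thread):
# 16-bit little-endian type, 16-bit little-endian length, then `length` bytes.
# Type 0 with length 0 is the four zero bytes that end the list.
END_OF_LIST = 0
NAME_TYPES = {1: "NetBIOS computer", 2: "NetBIOS domain",
              3: "DNS computer", 4: "DNS domain"}


class TargetInfoError(ValueError):
    """The list is truncated, unterminated, or otherwise malformed."""


def parse_target_info(blob):
    """Return ([(type, value), ...], bytes_consumed) for one address list."""
    entries, off = [], 0
    while True:
        # Never read a header that is not fully inside the blob.
        if len(blob) - off < 4:
            raise TargetInfoError("no terminator before end of blob")
        av_type, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_type == END_OF_LIST:
            if av_len != 0:
                raise TargetInfoError("terminator carries a length")
            return entries, off
        # The length field is sender-controlled: check it before slicing.
        if av_len > len(blob) - off:
            raise TargetInfoError("entry type %d runs past the blob" % av_type)
        value = blob[off:off + av_len]
        off += av_len
        if av_type in NAME_TYPES:
            if av_len % 2:
                raise TargetInfoError("odd-length UCS2-LE name")
            value = value.decode("utf-16-le", errors="replace")
        entries.append((av_type, value))


def _entry(av_type, text):
    """Build one list entry for the constructed sample below."""
    raw = text.encode("utf-16-le")
    return struct.pack("<HH", av_type, len(raw)) + raw


# Constructed sample, not a captured packet.
SAMPLE = _entry(2, "EXAMPLE") + _entry(1, "SERVER1") + struct.pack("<HH", 0, 0)

if __name__ == "__main__":
    for av_type, value in parse_target_info(SAMPLE)[0]:
        print(NAME_TYPES.get(av_type, av_type), value)
```
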