"NTLMv2 Response (Only)" yields Unicode password length of 78
Christopher R. Hertel
crh at ubiqx.mn.org
Thu Jan 30 03:55:50 GMT 2003
On Tue, Jan 28, 2003 at 08:11:54PM -0700, Vance Lankhaar wrote:
> Check out Chris' book - http://www.ubiqx.org/cifs/SMB.html#SMB.8.5
>
> He's got a great explanation of what we observed while looking at a few
> captures.
>
> Also, if you would have a capture of it of the response, I'd love to
> take a look at it - there's a few bytes that are still unknown.
Thanks, Vance. :) I'm interested too, of course.
More below...
> On Wed, 2003-01-29 at 19:57, Joey Collins wrote:
> > Good evening folks,
> >
> > I have a WIN2K system and I am failing to authenticate to a Samba 2.2
> > installation, which I suspect is due to the weird length of Unicode
> > password length in the SessionSetupAndX message. Here is my
> > circumstance.
> >
> > On my W2K machine:
> > -Run the secpol.msc management plug-in thingie.
> > -Click "Local Policies"
> > -Click "Security Options"
> > -In the right pain, look for "LAN Manager Authentication Level"
> > -Double click on this.
> > -In the pull-down, set it to "Send NTLMv2 response only"
> > -Commit that change.
> > -Now, connect to the Samba machine.
> >
> > The ANSI password length in the SessionSetupAndX is 24, but in my case
> > the Unicode Password Length is 78 (this is according to the latest &
> > greatest ethereal built from sources yesterday).
Yes, that would be correct. The 24-byte "ANSI" password is, in fact, an
LMv2 response. It is a simpler version of the NTLMv2 response. The
NTLMv2 response is the hash of some known data and a blob of garblage.
The garblage is typically around 64 bytes, give or take a few. In your
case, it appears that the blob is 62 bytes.
> > When I change the setting in LAN Manager Authentication Level" back to
> > the default, I can connect to Samba 2.2 using the same creds.
We have had LMv2 code available for a while (thanks to the TNG folk) but
there was little impetus to push ahead with it. Few people have asked.
You're one of the few. :)
> > I tried this on a W2K -> W2K setup (not active directory) and the same
> > trace occurs, but this time, the Unicode password length was 66 (it was
> > a different account/password)!
Makes sense. See the link Vance provided above. That'll explain it.
> > Anyone else see this? Does anyone know how the binary response of 78
> > bytes is created? Lots of zeros, it does not appear to be ASN.1
It's probably not ASN.1 but, once you know what's in there (or what
*might* be in there) then it will probably make you think of NDR. I would
not have recognized it, but others on the Team know this stuff so well
that it's second nature.
> > Have a great night,
I'll do my best. :)
You too.
Chridz -)-----
--
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
More information about the samba-technical
mailing list