"NTLMv2 Response (Only)" yields Unicode password length of 78

Christopher R. Hertel crh at ubiqx.mn.org
Thu Jan 30 03:55:50 GMT 2003

On Tue, Jan 28, 2003 at 08:11:54PM -0700, Vance Lankhaar wrote:
> Check out Chris' book - http://www.ubiqx.org/cifs/SMB.html#SMB.8.5
> He's got a great explanation of what we observed while looking at a few
> captures.
> Also, if you would have a capture of it of the response, I'd love to
> take a look at it - there's a few bytes that are still unknown.

Thanks, Vance.  :)  I'm interested too, of course.

More below...

> On Wed, 2003-01-29 at 19:57, Joey Collins wrote:
> > Good evening folks,
> > 
> > I have a WIN2K system and I am failing to authenticate to a Samba 2.2
> > installation, which I suspect is due to the weird length of Unicode
> > password length in the SessionSetupAndX message.  Here is my
> > circumstance.
> > 
> > On my W2K machine:
> > -Run the secpol.msc management plug-in thingie.
> > -Click "Local Policies"
> > -Click "Security Options"
> > -In the right pane, look for "LAN Manager Authentication Level"
> > -Double click on this.
> > -In the pull-down, set it to "Send NTLMv2 response only"
> > -Commit that change.
> > -Now, connect to the Samba machine.
> > 
> > The ANSI password length in the SessionSetupAndX is 24, but in my case
> > the Unicode Password Length is 78 (this is according to the latest &
> > greatest ethereal built from sources yesterday).

Yes, that would be correct.  The 24-byte "ANSI" password is, in fact, an
LMv2 response.  It is a simpler version of the NTLMv2 response.  The 
NTLMv2 response is the hash of some known data and a blob of garblage.  
The garblage is typically around 64 bytes, give or take a few.  In your 
case, it appears that the blob is 62 bytes.

> > When I change the setting in "LAN Manager Authentication Level" back to
> > the default, I can connect to Samba 2.2 using the same creds.

We have had LMv2 code available for a while (thanks to the TNG folk) but 
there was little impetus to push ahead with it.  Few people have asked.  
You're one of the few.  :)

> > I tried this on a W2K -> W2K setup (not active directory) and the same
> > trace occurs, but this time, the Unicode password length was 66 (it was
> > a different account/password)!

Makes sense.  See the link Vance provided above.  That'll explain it.

> > Anyone else see this?  Does anyone know how the binary response of 78
> > bytes is created?  Lots of zeros, it does not appear to be ASN.1

It's probably not ASN.1 but, once you know what's in there (or what 
*might* be in there) then it will probably make you think of NDR.  I would 
not have recognized it, but others on the Team know this stuff so well 
that it's second nature.

> > Have a great night,

I'll do my best.  :)

You too.

Chris -)-----

Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
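
The length arithmetic discussed in the message above, as an added example that is not part of the original post or of Samba's code: both responses begin with a 16-byte HMAC-MD5, so LMv2 is always 16 + 8 = 24 bytes while NTLMv2 is 16 + the blob length (62 gives 78, 50 gives 66). All input values are constructed, the blob is treated as opaque bytes, and the 16-byte NT hash is taken as given rather than derived from a password.

```python
import hashlib
import hmac

MAC_LEN = 16  # HMAC-MD5 output size

def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """HMAC-MD5 keyed with the 16-byte NT hash over UPPER(user)+domain (UTF-16LE)."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, hashlib.md5).digest()

def lmv2_response(key: bytes, server_chal: bytes, client_chal: bytes) -> bytes:
    """Fixed size: 16-byte MAC followed by the 8-byte client challenge."""
    mac = hmac.new(key, server_chal + client_chal, hashlib.md5).digest()
    return mac + client_chal

def ntlmv2_response(key: bytes, server_chal: bytes, blob: bytes) -> bytes:
    """Variable size: 16-byte MAC followed by the blob it covers."""
    mac = hmac.new(key, server_chal + blob, hashlib.md5).digest()
    return mac + blob

def verify_ntlmv2(key: bytes, server_chal: bytes, response: bytes) -> bool:
    """Server side: split at 16 bytes, recompute the MAC over the received blob."""
    if len(response) <= MAC_LEN:
        return False  # no blob present, cannot be an NTLMv2 response
    mac, blob = response[:MAC_LEN], response[MAC_LEN:]
    expected = hmac.new(key, server_chal + blob, hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)

# Constructed sample inputs (not taken from any capture).
NT_HASH = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SERVER_CHAL = bytes.fromhex("0123456789abcdef")
CLIENT_CHAL = bytes.fromhex("ffeeddccbbaa9988")
KEY = ntlmv2_key(NT_HASH, "testuser", "WORKGROUP")

if __name__ == "__main__":
    print(len(lmv2_response(KEY, SERVER_CHAL, CLIENT_CHAL)))
    for blob_len in (62, 50):  # the two blob sizes implied by the thread
        resp = ntlmv2_response(KEY, SERVER_CHAL, bytes(blob_len))
        print(len(resp), verify_ntlmv2(KEY, SERVER_CHAL, resp))
```

A server that assumes a fixed 24-byte field for the Unicode password cannot run the split in `verify_ntlmv2`, which matches the failure described in the thread.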
