Xyster ! xyster_ at
Fri May 7 19:19:12 GMT 2004

I've read quite a bit about MS04-011 NTLMv2 problems but no one has really 
spelled out what the problem actually is.

From looking at traces it appears a patched Windows box generates broken 
NTLMv2 authentication blobs. Instead of sending, as part of the blob, the 
full NetBIOS domain name and NetBIOS host name, it sends the first two 
letters of the domain name; one letter as the domain name and the second 
letter as the host name.
Some experimentation has shown that Windows servers will reject these broken 
blobs. In other words, a Windows client using NTLMv2 will be rejected by a 
Windows server.
Of course, this is not normally a problem since Windows will usually use 
NTLMSSP when authenticating and imagine it is a different code path in 

Does anyone else see this or is my Windows client playing games with me?
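
A diagnostic sketch for the blob fields described in the post above, added here as an example and not part of the original message: it parses the name list (AV_PAIRs) in an NTLMv2 client blob and reports NetBIOS domain and host names that differ from the expected ones. The blob layout follows MS-NLMP; the function names and the sample names EXAMPLEDOM and EXAMPLEHOST are constructed for illustration.

```python
import struct

# AV_PAIR ids used in the NTLM name list (MS-NLMP)
MSV_AV_EOL, MSV_AV_NB_COMPUTER, MSV_AV_NB_DOMAIN = 0, 1, 2
# resp type (2) + reserved (6) + timestamp (8) + client challenge (8) + reserved (4)
HEADER_LEN = 28

def parse_names(blob):
    """Return {av_id: name} for the NetBIOS AV_PAIRs in an NTLMv2 client blob."""
    if len(blob) < HEADER_LEN or blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 client blob")
    names, off = {}, HEADER_LEN
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return names
        if off + av_len > len(blob):
            raise ValueError("AV_PAIR runs past end of blob")
        if av_id in (MSV_AV_NB_COMPUTER, MSV_AV_NB_DOMAIN):
            names[av_id] = blob[off:off + av_len].decode("utf-16-le")
        off += av_len
    raise ValueError("missing MsvAvEOL terminator")

def check_blob(blob, domain, host):
    """List mismatches between the names in the blob and the expected ones."""
    names = parse_names(blob)
    problems = []
    for av_id, label, want in ((MSV_AV_NB_DOMAIN, "domain", domain),
                               (MSV_AV_NB_COMPUTER, "host", host)):
        got = names.get(av_id)
        if got is None:
            problems.append(f"{label}: missing")
        elif got.upper() != want.upper():
            problems.append(f"{label}: got {got!r}, expected {want!r}")
    return problems

def build_blob(domain, host):
    """Constructed sample blob (zeroed timestamp and challenge), for testing only."""
    def av(av_id, name):
        value = name.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(value)) + value
    header = b"\x01\x01" + bytes(6) + bytes(8) + bytes(8) + bytes(4)
    # name list, then MsvAvEOL (4 zero bytes), then 4 trailing reserved bytes
    return header + av(MSV_AV_NB_DOMAIN, domain) + av(MSV_AV_NB_COMPUTER, host) + bytes(8)

GOOD = build_blob("EXAMPLEDOM", "EXAMPLEHOST")
# Pattern reported in the post: first two letters of the domain, one per field
BROKEN = build_blob("E", "X")
```
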



