MS04-011 question

Andrew Bartlett abartlet at
Fri May 7 23:21:12 GMT 2004

On Sat, 2004-05-08 at 05:19, Xyster ! wrote:
> I've read quite a bit about MS04-011 NTLMv2 problems but no one has really 
> spelled out what the problem actually is.
> >From looking at traces it appears a patched Windows box generates broken 
> NTLMv2 authentication blobs. Instead of sending, as part of the blob, the 
> full NetBIOS domain name and NetBIOS host name, it sends the first two 
> letters of the domain name; one letter as the domain name and the second 
> letter as the host name.
> Some experimentation has shown that Windows servers will reject these broken 
> blobs. In other words, a Windows client using NTLMv2 will be rejected by a 
> Windows server.

Ouch!  Samba doesn't try and decode the blob, and intermediate windows
servers (domain members) will not, so this is not as much of an issue on
Samba networks ;-)

> Of course, this is not normally a problem since Windows will usually use 
> NTLMSSP when authenticating and imagine it is a different code path in 
> Windows.

When using NTLMSSP, it does not need to 'make up' the blob of names, it
can just copy it from what the server provided.

> Does anyone else see this or is my Windows client playing games with me?

I've not seen this myself, but I've honestly not been looking at the
NTLMv2 side of things.  

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list