Puzzled with NTLM dissector for wireshark

Sun Mar 22 21:47:27 GMT 2009

Dear all,

I've been working last month on NTLM dissector and have been successful 
using the documentation of
[MS-NLMP].pdf and the existing code.
I needed this because if kerberos is not available (ie. ports blocked on 
the firewall) then AD or samba4 fall back on NTLM as an authentification 
methods (for LDAP at least).
So my code works in the case of NTLMv1 but using NTLMv2 security 
(NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag), which was not covered 
by the dissector. As this kind of authentification is also used in 
Microsoft SPA mode in Outlook I definitly think it's worth including it 
wireshark so I'm trying to integrate my stuff in the existing.

But I'm lost at several points.

First the create_ntlmssp_v1_key function contains this code:

crypt_des_ecb(lm_password_hash, lmhash_key, lm_password_upper, 1);
crypt_des_ecb(lm_password_hash+8, lmhash_key, lm_password_upper+7, 1);
ntlmssp_generate_challenge_response(lm_challenge_response,
               lm_password_hash, serverchallenge);

  /* Generate the LanMan Challenge Response */

  /* Generate the NTLMSSP-v1 RC4 Key.
    * The RC4 key is derived from the Lan Manager Hash.
    * See lkcl "DCE/RPC over SMB" page 254 for the algorithm.
    */
    memset(pw21, 0xBD, sizeof(pw21));
    memcpy(pw21, lm_password_hash, sizeof(lm_password_hash));

But when I read the spec from Microsoft and the code of samba (
SMBsesskeygen_lm_sess_key of "source4/libcli/auth/smbencrypt.c" )
I understand that only the first 8 bytes of the lm_password_hash are 
used and the rest is filled with 0xBD.

So basically I've the impression that password decode of the NTLM decode 
should never work and therefor I should replace it with something more 
likely to work. But at the other hand it seems to me so strange that 
someone commited something that obviously can't work. Did I miss something ?

Then there is information from the NLMP documentation that seems partial 
and sometimes wrong (how can someone who wrote the programs not being 
able to document correctly ?).

My main concern is how to generate the base key for the RC4 encryption 
in case of session key based on LM hash and LM response.

In 3.4.5.1 it's stated that it's the session key that is used as a key 
for the DES encryption (and LM_reponse as data) when the flag 
NEGOTIATE_LM_KEY is activated
It's fairly similar to this following code of 
source4/auth/ntlmssp/ntlmssp_client.c
       SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data,
               new_session_key.data);

If I make the the assumption that the session key in this case is the lm 
hash which is written nowhere that's pretty much sensible

But in the NON_NT_SESSION_KEY and no NEGOTIATE_LM_KEY it's stated that 
the session key should be a concat of first eight bytes of lm_hash and 8 
null bytes.

And in samba code I guess the code associated with this case (because 
it's not explicitly tested against this flag)
is the following:
       static const uint8_t zeros[24];
       SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros,
               new_session_key.data);

Which basically do a DES with lm_session_key (that is lm_hash) as a key 
and zeros as data and is quite different from NLMP proposal.

To sum up, I'm a bit lost because I can't be sure that the MS spec is 
good, nor samba3/4 implementation and I have the strange feeling that 
wireshark dissector isn't dissecting much.

Can some one light my way ?

Matthieu.