  An Example of The NTLM Type 1 Message
 
Subject: An Example of The NTLM Type 1 Message
Author: authen
In response to: The Minimum of NTLM Type 1 Message
Posted on: 06/06/2006 02:34:39 AM


A sample Type 1 Message could be as follows:


    0x4e544c4d535350000100000007320000060006002b0000000b000b0020000000
    574f524b53544154494f4e444f4d41494e


Broken down:

0 0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00
NTLMSSP Signature

8 0x01 0x00 0x00 0x00
Type 1 Indicator

12 0x07 0x32 0x00 0x00
Flags:
  • Negotiate Unicode (0x00000001)
  • Negotiate OEM (0x00000002)
  • Request Target (0x00000004)
  • Negotiate NTLM (0x00000200)
  • Negotiate Domain Supplied (0x00001000)
  • Negotiate Workstation Supplied (0x00002000)

16 0x06 0x00 0x06 0x00 0x2b 0x00 0x00 0x00
Supplied Domain Security Buffer:
--Length: 6 bytes (0x0600)
--Allocated Space: 6 bytes (0x0600)
--Offset: 43 bytes (0x2b000000)

24 0x0b 0x00 0x0b 0x00 0x20 0x00 0x00 0x00
Supplied Workstation Security Buffer:
--Length: 11 bytes (0x0b00)
--Allocated Space: 11 bytes (0x0b00)
--Offset: 32 bytes (0x20000000)

32 0x57 0x4f 0x52 0x4b 0x53 0x54 0x41 0x54 0x49 0x4f 0x4e
Supplied Workstation Data ("WORKSTATION")

43 0x44 0x4f 0x4d 0x41 0x49 0x4e
Supplied Domain Data ("DOMAIN")


The above Type 1 message implies:

  • This is an NTLM Type 1 message (from the NTLMSSP Signature and Type 1 Indicator).

  • This client can support either Unicode or OEM strings (the Negotiate Unicode and Negotiate OEM flags are both set).

  • This client supports NTLM authentication (Negotiate NTLM).

  • The client is requesting that the server send information regarding the authentication target (Request Target is set).

  • This client is sending its domain, which is "DOMAIN" (the Negotiate Domain Supplied flag is set, and the domain name is present in the Supplied Domain Security Buffer).

  • The client is sending its workstation name, which is "WORKSTATION" (the Negotiate Workstation Supplied flag is set, and the workstation name is present in the Supplied Workstation Security Buffer).


Note that the supplied workstation and domain are in OEM format. Additionally, the order in which the security buffer data blocks are laid out is unimportant; in the example, the workstation data is placed before the domain data.


     

    > On 06/06/2006 02:29:08 AM authen wrote:

    The "most-minimal" well-formed Type 1 message, therefore, would be:

        0x4e544c4d535350000100000002020000

    This message contains only
      • the NTLMSSP signature,
      • the NTLM message type, and
      • the minimal set of flags (Negotiate NTLM and Negotiate OEM).
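
Added example (not part of the original posts): a small Python parser that decodes both the sample Type 1 message and the minimal one quoted above, using the field layout from the breakdown, and rejects security buffers whose offset and length point outside the message. The function names and the choice to decode OEM strings as ASCII are assumptions of this example.

```python
import struct

# Flag names and values as listed in the post above.
FLAGS = {
    0x00000001: "Negotiate Unicode",
    0x00000002: "Negotiate OEM",
    0x00000004: "Request Target",
    0x00000200: "Negotiate NTLM",
    0x00001000: "Negotiate Domain Supplied",
    0x00002000: "Negotiate Workstation Supplied",
}

def read_buffer(msg, pos):
    """Read the 8-byte security buffer header at pos; return the bytes it points to."""
    length, _allocated, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError(f"security buffer at {pos} points outside the message")
    return msg[offset:offset + length]

def parse_type1(hex_text):
    text = hex_text.strip()
    msg = bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)
    if len(msg) < 16:
        raise ValueError("too short for a Type 1 message")
    signature, msg_type, flags = struct.unpack_from("<8sII", msg, 0)
    if signature != b"NTLMSSP\x00" or msg_type != 1:
        raise ValueError("not an NTLM Type 1 message")
    result = {
        "flags": flags,
        "flag_names": [name for bit, name in FLAGS.items() if flags & bit],
        "domain": None,
        "workstation": None,
    }
    # The minimal 16-byte message carries no security buffers at all.
    # Assumption: OEM strings are decoded as ASCII, which covers the sample.
    if flags & 0x1000 and len(msg) >= 24:
        result["domain"] = read_buffer(msg, 16).decode("ascii")
    if flags & 0x2000 and len(msg) >= 32:
        result["workstation"] = read_buffer(msg, 24).decode("ascii")
    return result

# The two messages exactly as given in the posts.
SAMPLE = ("0x4e544c4d535350000100000007320000060006002b0000000b000b0020000000"
          "574f524b53544154494f4e444f4d41494e")
MINIMAL = "0x4e544c4d535350000100000002020000"

if __name__ == "__main__":
    for name, message in (("sample", SAMPLE), ("minimal", MINIMAL)):
        print(name, parse_type1(message))
```
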





