  An Example of The NTLM Type 2 Message
 
Subject: An Example of The NTLM Type 2 Message
Author: authen
In response to: Minimum of The NTLM Type 2 Message
Posted on: 06/06/2006 02:49:13 AM

A sample Type 2 Message could be as follows:


    0x4e544c4d53535000020000000c000c003000000001028100
    0123456789abcdef0000000000000000620062003c000000
    44004f004d00410049004e0002000c0044004f004d004100
    49004e0001000c0053004500520056004500520004001400
    64006f006d00610069006e002e0063006f006d0003002200
    7300650072007600650072002e0064006f006d0061006900
    6e002e0063006f006d0000000000


Broken down:

0 0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00
NTLMSSP Signature

8 0x02 0x00 0x00 0x00
Type 2 Indicator

12 0x0c 0x00 0x0c 0x00 0x30 0x00 0x00 0x00
Target Name:
--Length: 12 bytes (0x0c00)
--Allocated Space: 12 bytes (0x0c00)
--Offset: 48 bytes (0x30000000)

20 0x01 0x02 0x81 0x00
Flags:
--Negotiate Unicode (0x00000001)
--Negotiate NTLM (0x00000200)
--Target Type Domain (0x00010000)
--Negotiate Target Info (0x00800000)

24 0x01 0x23 0x45 0x67 0x89 0xab 0xcd 0xef
Challenge

32 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Context

40 0x62 0x00 0x62 0x00 0x3c 0x00 0x00 0x00
Target Information:
--Length: 98 bytes (0x6200)
--Allocated Space: 98 bytes (0x6200)
--Offset: 60 bytes (0x3c000000)

48 0x44 0x00 0x4f 0x00 0x4d 0x00 0x41 0x00 0x49 0x00 0x4e 0x00
Target Name Data ("DOMAIN")

60 Target Information Data (subblocks follow):
0x02 0x00 0x0c 0x00 0x44 0x00 0x4f 0x00 0x4d 0x00 0x41 0x00 0x49 0x00 0x4e 0x00
Domain name subblock:
--Type: 2 (Domain name, 0x0200)
--Length: 12 bytes (0x0c00)
--Data: "DOMAIN"

0x01 0x00 0x0c 0x00 0x53 0x00 0x45 0x00 0x52 0x00 0x56 0x00 0x45 0x00 0x52 0x00
Server name subblock:
--Type: 1 (Server name, 0x0100)
--Length: 12 bytes (0x0c00)
--Data: "SERVER"

0x04 0x00 0x14 0x00 0x64 0x00 0x6f 0x00 0x6d 0x00 0x61 0x00 0x69 0x00 0x6e 0x00
0x2e 0x00 0x63 0x00 0x6f 0x00 0x6d 0x00
DNS domain name subblock:
--Type: 4 (DNS domain name, 0x0400)
--Length: 20 bytes (0x1400)
--Data: "domain.com"

0x03 0x00 0x22 0x00 0x73 0x00 0x65 0x00 0x72 0x00 0x76 0x00 0x65 0x00 0x72 0x00
0x2e 0x00 0x64 0x00 0x6f 0x00 0x6d 0x00 0x61 0x00 0x69 0x00 0x6e 0x00 0x2e 0x00
0x63 0x00 0x6f 0x00 0x6d 0x00
DNS server name subblock:
--Type: 3 (DNS server name, 0x0300)
--Length: 34 bytes (0x2200)
--Data: "server.domain.com"

0x00 0x00 0x00 0x00
Terminator subblock:
--Type: 0 (terminator, 0x0000)
--Length: 0 bytes (0x0000)


An analysis of this message shows:

  • This is an NTLM Type 2 message (from the NTLMSSP Signature and Type 2 Indicator).

  • The server has indicated that strings will be encoded using Unicode (the Negotiate Unicode flag is set).

  • The server supports NTLM authentication (Negotiate NTLM).

  • The Target Name provided by the server is populated and represents a domain (the Target Type Domain flag is set and the domain name is present in the Target Name Security Buffer).

  • The server is providing a Target Information structure (Negotiate Target Info is set). This structure is present in the Target Information Security Buffer (domain name "DOMAIN", server name "SERVER", DNS domain name "domain.com", and DNS server name "server.domain.com").

  • The challenge generated by the server is "0x0123456789abcdef".

  • An empty context has been sent.


  • Note that the target name is in Unicode format (as specified by the Negotiate Unicode flag).


    > On 06/06/2006 02:47:14 AM authen wrote:


    The context and target information may be omitted, in which case the data block begins at offset 32 (immediately following the challenge). A minimal Type 2 message would look something like this:
    
        0x4e544c4d53535000020000000000000000000000020200000123456789abcdef
    


    This message contains only:
  • the NTLMSSP signature, 0x4e544c4d53535000
  • the NTLM message type, 0x02000000
  • an empty target name, 0x0000000000000000
  • minimal flags, 0x02020000 (Negotiate NTLM and Negotiate OEM), and
  • the challenge, 0x0123456789abcdef
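As an added example (not code from the original post), the following Python parser walks both messages shown above: the full Type 2 message with context and Target Information, and the minimal 32-byte one quoted from the earlier post. It reads the security buffers by their (length, allocated space, offset) triples, decodes the flags, extracts the challenge, and walks the Target Information subblocks up to the type-0 terminator. The function and constant names (`parse_type2`, `parse_target_info`, `FULL_HEX`, `MINIMAL_HEX`) are my own; the two hex strings are copied from the post. One assumption is flagged in the code: when Negotiate Unicode is not set, strings are decoded as ASCII, which is a stand-in for the OEM code page the post does not specify.

```python
"""Parse an NTLM Type 2 (challenge) message into its fields.

Added example; not code from the forum post. The two hex blobs below are
constructed from the messages quoted on the page.
"""
import struct

# Flag bits named on the page.
NEGOTIATE_UNICODE     = 0x00000001
NEGOTIATE_OEM         = 0x00000002
NEGOTIATE_NTLM        = 0x00000200
TARGET_TYPE_DOMAIN    = 0x00010000
NEGOTIATE_TARGET_INFO = 0x00800000

FLAG_NAMES = {
    NEGOTIATE_UNICODE: "Negotiate Unicode",
    NEGOTIATE_OEM: "Negotiate OEM",
    NEGOTIATE_NTLM: "Negotiate NTLM",
    TARGET_TYPE_DOMAIN: "Target Type Domain",
    NEGOTIATE_TARGET_INFO: "Negotiate Target Info",
}

# Target Information subblock types named on the page.
AV_NAMES = {1: "Server name", 2: "Domain name", 3: "DNS server name", 4: "DNS domain name"}

SIGNATURE = b"NTLMSSP\x00"

# Full message from the post (signature through the terminator subblock).
FULL_HEX = (
    "4e544c4d53535000020000000c000c003000000001028100"
    "0123456789abcdef0000000000000000620062003c000000"
    "44004f004d00410049004e0002000c0044004f004d004100"
    "49004e0001000c0053004500520056004500520004001400"
    "64006f006d00610069006e002e0063006f006d0003002200"
    "7300650072007600650072002e0064006f006d0061006900"
    "6e002e0063006f006d0000000000"
)
# Minimal message from the quoted earlier post (no context, no target info).
MINIMAL_HEX = "4e544c4d53535000020000000000000000000000020200000123456789abcdef"


def _security_buffer(msg: bytes, pos: int) -> bytes:
    """Read a security buffer header (len, alloc, offset) and return the bytes it points at.
    The bounds check matters: offsets and lengths come from the peer."""
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points past end of message")
    return msg[offset:offset + length]


def parse_target_info(blob: bytes, codec: str = "utf-16-le") -> list:
    """Walk the type/length/data subblocks until the type-0 terminator."""
    pairs, pos = [], 0
    while True:
        if pos + 4 > len(blob):
            raise ValueError("target info missing terminator")
        av_type, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_type == 0:          # terminator subblock: type 0, length 0
            return pairs
        data = blob[pos:pos + av_len]
        if len(data) != av_len:
            raise ValueError("target info subblock truncated")
        pairs.append((av_type, AV_NAMES.get(av_type, f"type {av_type}"), data.decode(codec)))
        pos += av_len


def parse_type2(msg: bytes) -> dict:
    """Return the fields of a Type 2 message; raises ValueError on malformed input."""
    if msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    if len(msg) < 32:
        raise ValueError("Type 2 message shorter than the 32-byte minimum")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 2:
        raise ValueError(f"not a Type 2 message (type={msg_type})")

    flags = struct.unpack_from("<I", msg, 20)[0]
    # Assumption: OEM strings decoded as ASCII; the post does not name the OEM code page.
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    result = {
        "flags": flags,
        "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "target_name": _security_buffer(msg, 12).decode(codec),
        "challenge": msg[24:32],
        "context": None,
        "target_info": None,
    }
    # Context (offset 32) and the Target Information buffer (offset 40) are optional:
    # the data block may start right after the challenge, as in the minimal message.
    if len(msg) >= 48:
        result["context"] = msg[32:40]
        if flags & NEGOTIATE_TARGET_INFO:
            result["target_info"] = parse_target_info(_security_buffer(msg, 40), codec)
    return result


if __name__ == "__main__":
    for label, hexstr in (("full", FULL_HEX), ("minimal", MINIMAL_HEX)):
        print(label, parse_type2(bytes.fromhex(hexstr)))
```

Run it and the full message yields target name "DOMAIN", flags 0x00810201, the four Target Information pairs in the order they appear on the wire, and an all-zero context; the minimal message yields an empty target name, flags 0x00000202, and no context or target info. The offset check in `_security_buffer` is the part worth keeping in any real implementation: the offsets and lengths are chosen by the server, so a parser that trusts them reads outside the message.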
