Subject: The NTLM Type 1 Message
Author: authen
In response to: Structure of NTLM Message
Posted on: 06/06/2006 02:23:51 AM
Structure:
Offset  Description                        Content
0       NTLMSSP Signature                  Null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
8       NTLM Message Type                  long (0x01000000)
12      Flags                              long
(16)    Supplied Domain (Optional)         securityBuffer
(24)    Supplied Workstation (Optional)    securityBuffer
(32)    start of data block (if required)
The Type 1 message is sent from the client to the server to initiate NTLM authentication. Its primary purpose is to establish the "ground rules" for authentication by indicating supported options via the flags. Optionally, it can also provide the server with the client's workstation name and the domain in which the client workstation has membership; this information is used by the server to determine whether the client is eligible for local authentication.
Typically, the Type 1 message details one or more of the following:
1. The flags -- the security mechanisms supported by the client:
Negotiate Unicode (0x00000001) The client sets this flag to indicate that it supports Unicode strings.
Negotiate OEM (0x00000002) This is set to indicate that the client supports OEM strings.
Request Target (0x00000004) This requests that the server send the authentication target with the Type 2 reply.
Negotiate NTLM (0x00000200) Indicates that NTLM authentication is supported.
Negotiate Domain Supplied (0x00001000) When set, the client will send with the message the name of the domain in which the workstation has membership.
Negotiate Workstation Supplied (0x00002000) Indicates that the client is sending its workstation name with the message.
Negotiate Always Sign (0x00008000) Indicates that communication between the client and server after authentication should carry a "dummy" signature.
Negotiate NTLM2 Key (0x00080000) Indicates that this client supports the NTLM2 signing and sealing scheme; if negotiated, this can also affect the response calculations.
Negotiate 128 (0x20000000) Indicates that this client supports strong (128-bit) encryption.
Negotiate 56 (0x80000000) Indicates that this client supports medium (56-bit) encryption.
2. The supplied domain -- the domain in which the client workstation has membership. This is always in OEM format, even if Unicode is supported by the client.
3. The supplied workstation -- the client workstation's name. This, too, is in OEM rather than Unicode.
Note that the supplied domain and workstation are optional fields; they may be empty (security buffer indicating a length of zero), or may not be sent at all (security buffer omitted altogether). If the supplied domain and workstation are omitted, the Type 1 message carries no data block (the message ends after the flags field, and is a fixed-length 16-byte structure).
>
> On 06/06/2006 02:17:25 AM authen wrote:
Structure of NTLM Message
--------------------------------
NTLM Message ::= <signature><messageType><messageBody>
<signature> ::= 'NTLMSSP' '0x00' (Hex 0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00)
<messageType> ::= CHOICE {
    type 1 [0] long (hexadecimal 0x01 0x00 0x00 0x00)
    type 2 [1] long (hexadecimal 0x02 0x00 0x00 0x00)
    type 3 [2] long (hexadecimal 0x03 0x00 0x00 0x00)
}
<messageBody> ::= SEQUENCE {
    securityBuffer SecurityBuffer,
    messageFlag MessageFlag,
    dataBlock DataBlock
}
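A parser for the Type 1 layout described at the top of this post, as an added example that is not part of the original post. It covers the three cases the post names for the optional fields (omitted, zero-length, present) and rejects security buffers that point outside the message. The function names, the 8-byte security buffer layout (length, allocated space, offset), the ASCII decoding of OEM strings and the sample message are assumptions of this example.

```python
import struct  # added example; function names below are hypothetical

SIGNATURE = b"NTLMSSP\x00"
FLAGS = {  # flag values as listed in the post
    0x00000001: "Negotiate Unicode",
    0x00000002: "Negotiate OEM",
    0x00000004: "Request Target",
    0x00000200: "Negotiate NTLM",
    0x00001000: "Negotiate Domain Supplied",
    0x00002000: "Negotiate Workstation Supplied",
    0x00008000: "Negotiate Always Sign",
    0x00080000: "Negotiate NTLM2 Key",
    0x20000000: "Negotiate 128",
    0x80000000: "Negotiate 56",
}

def read_buffer(msg, pos):
    """Return the OEM string a security buffer points to, or None if omitted."""
    if len(msg) < pos + 8:
        return None  # buffer omitted altogether
    # Assumed layout: length (short), allocated space (short), offset (long)
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if length == 0:
        return ""  # buffer present but empty
    if offset < pos + 8 or offset + length > len(msg):
        raise ValueError("security buffer at %d points outside the message" % pos)
    return msg[offset:offset + length].decode("ascii", "replace")

def parse_type1(msg):
    if len(msg) < 16 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError("not a Type 1 message")
    return {
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        "unknown_flags": flags & ~sum(FLAGS),  # bits the post does not list
        "domain": read_buffer(msg, 16),
        "workstation": read_buffer(msg, 24),
    }

def build_sample():
    """Constructed sample: domain "DOMAIN", workstation "WORKSTATION"."""
    ws, dom = b"WORKSTATION", b"DOMAIN"
    head = SIGNATURE + struct.pack("<II", 1, 0x00003207)
    head += struct.pack("<HHI", len(dom), len(dom), 32 + len(ws))
    head += struct.pack("<HHI", len(ws), len(ws), 32)
    return head + ws + dom
```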