  The NTLM Type 2 Message
 
Subject: The NTLM Type 2 Message
Author: authen
In response to: A Example of The NTLM Type 1 Message
Posted on: 06/06/2006 02:40:43 AM


Structure:

  Offset   Description                     Content
  0        NTLMSSP Signature               Null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
  8        NTLM Message Type               long (0x02000000)
  12       Target Name                     security buffer
  20       Flags                           long
  24       Challenge                       8 bytes
  (32)     Context (optional)              8 bytes (two consecutive longs)
  (40)     Target Information (optional)   security buffer
  32 (48)  start of data block


The Type 2 message is sent by the server to the client in response to the client's Type 1 message. It serves to complete the negotiation of options with the client, and also provides a challenge to the client. It may optionally contain information about the authentication target.

Typically, the Type 2 message details one or more of the following:

1. The target name -- the name of the authentication target. This is typically sent in response to a client requesting the target (via the Request Target flag in the Type 1 message). This can contain a domain, server, or (apparently) a network share. The target type is indicated via the Target Type Domain, Target Type Server, and Target Type Share flags. The target name can be either Unicode or OEM, as indicated by the presence of the appropriate flag in the Type 2 message.

2. The flags -- the security mechanisms to be served by the server:

Negotiate Unicode (0x00000001) The server sets this flag to indicate that it will be using Unicode strings. This should only be set if the client indicates (in the Type 1 message) that it supports Unicode. Either this flag or Negotiate OEM should be set, but not both.
Negotiate OEM (0x00000002) This flag is set to indicate that the server will be using OEM strings. This should only be set if the client indicates (in the Type 1 message) that it will support OEM strings. Either this flag or Negotiate Unicode should be set, but not both.
Request Target (0x00000004) This flag is often set in the Type 2 message; while it has a well-defined meaning within the Type 1 message, its semantics here are unclear.
Negotiate NTLM (0x00000200) Indicates that NTLM authentication is supported.
Negotiate Local Call (0x00004000) The server sets this flag to inform the client that the server and client are on the same machine. The server provides a local security context handle with the message.
Negotiate Always Sign (0x00008000) Indicates that communication between the client and server after authentication should carry a "dummy" signature.
Target Type Domain (0x00010000) The server sets this flag to indicate that the authentication target is being sent with the message and represents a domain.
Target Type Server (0x00020000) The server sets this flag to indicate that the authentication target is being sent with the message and represents a server.
Target Type Share (0x00040000) The server apparently sets this flag to indicate that the authentication target is being sent with the message and represents a network share. This has not been confirmed.
Negotiate NTLM2 Key (0x00080000) Indicates that this server supports the NTLM2 signing and sealing scheme; if negotiated, this can also affect the client's response calculations.
Negotiate Target Info (0x00800000) The server sets this flag to indicate that a Target Information block is being sent with the message.
Negotiate 128 (0x20000000) Indicates that this server supports strong (128-bit) encryption.
Negotiate 56 (0x80000000) Indicates that this server supports medium (56-bit) encryption.

3. The challenge -- an 8-byte block of random data. The client will use this to formulate a response.

4. The context field -- typically populated when Negotiate Local Call is set. It contains an SSPI context handle, which allows the client to "short-circuit" authentication and effectively circumvent responding to the challenge. Physically, the context is two long values. This is covered in greater detail later, in the "Local Authentication" section.

5. The target information -- a Target Information block used in calculating the NTLMv2 response. This is composed of a sequence of subblocks, each consisting of:

a) Indicator of the type of data in this subblock:
   • (0x0100): Server name
   • (0x0200): Domain name
   • (0x0300): Fully-qualified DNS host name (i.e., server.domain.com)
   • (0x0400): DNS domain name (i.e., domain.com)
b) Length in bytes of this subblock's content field; and
c) Content as indicated by the type field. Always sent in Unicode, even when OEM is indicated by the message flags.

The sequence is terminated by a terminator subblock; this is a subblock of type "0", of zero length. Subblocks of type "5" have also been encountered, apparently containing the "parent" DNS domain for servers in subdomains; it may be that there are other as-yet-unidentified subblock types as well.
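A decoder for the Type 2 layout described above, added here as an example and not the poster's code: it resolves the security buffers with bounds checks, names the flags it recognises, and walks the Target Information subblocks up to the terminator. The message it decodes is constructed by build_type2 (flag value, challenge and names are made up for the demo), not captured from a server.

```python
import struct
SIGNATURE = b"NTLMSSP\x00"
# Flag values as listed in the post (subset needed for decoding).
FLAG_NAMES = {0x1: "Negotiate Unicode", 0x2: "Negotiate OEM", 0x4: "Request Target",
              0x200: "Negotiate NTLM", 0x10000: "Target Type Domain",
              0x20000: "Target Type Server", 0x80000: "Negotiate NTLM2 Key",
              0x800000: "Negotiate Target Info"}
AV_NAMES = {1: "Server name", 2: "Domain name", 3: "DNS host name", 4: "DNS domain name"}

def security_buffer(msg, at):
    """Resolve a security buffer (length, allocated space, offset; little-endian)."""
    if at + 8 > len(msg):
        raise ValueError("message too short for security buffer at %d" % at)
    length, _alloc, offset = struct.unpack_from("<HHI", msg, at)
    if offset + length > len(msg):  # never trust the offset blindly
        raise ValueError("security buffer at %d points outside the message" % at)
    return msg[offset:offset + length]

def parse_type2(msg):
    """Decode signature, type, flags, challenge, target name and Target Information."""
    if len(msg) < 32 or msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    flags = struct.unpack_from("<I", msg, 20)[0]
    codec = "utf-16-le" if flags & 0x1 else "latin-1"  # OEM treated as Latin-1 here
    result = {"flags": [n for b, n in FLAG_NAMES.items() if flags & b],
              "target_name": security_buffer(msg, 12).decode(codec),
              "challenge": msg[24:32].hex(), "target_info": {}}
    if flags & 0x800000:  # Negotiate Target Info: walk the subblocks
        info, pos = security_buffer(msg, 40), 0
        while True:
            av_id, av_len = struct.unpack_from("<HH", info, pos)
            pos += 4
            if av_id == 0:  # terminator subblock (type 0, zero length)
                break
            # Subblock content is always Unicode, whatever the message flags say.
            result["target_info"][AV_NAMES.get(av_id, av_id)] = info[pos:pos + av_len].decode("utf-16-le")
            pos += av_len
    return result

def build_type2(target, challenge, av_pairs, flags=0x00890205):
    # Unicode target name; context left zero; data block starts at offset 48.
    name = target.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", i, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                    for i, v in av_pairs) + struct.pack("<HH", 0, 0)  # terminator subblock
    return (SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", len(name), len(name), 48)
            + struct.pack("<I", flags) + challenge + bytes(8)
            + struct.pack("<HHI", len(info), len(info), 48 + len(name)) + name + info)

SAMPLE = build_type2("DOMAIN", bytes.fromhex("0123456789abcdef"),
                     [(1, "SERVER"), (2, "DOMAIN"), (3, "server.domain.com"), (4, "domain.com")])  # constructed sample
```

Feeding parse_type2 a message whose Target Information buffer points past the end (for instance SAMPLE truncated to 60 bytes) raises ValueError instead of slicing silently, which is the check a real parser must not skip.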

    > On 06/06/2006 02:34:39 AM authen wrote:


    A sample Type 1 Message could be as follows:
    
        0x4e544c4d535350000100000007320000060006002b0000000b000b0020000000
        574f524b53544154494f4e444f4d41494e
    


    Broken down:

    0 0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00
    NTLMSSP Signature

    8 0x01 0x00 0x00 0x00
    Type 1 Indicator

    12 0x07 0x32 0x00 0x00
    Flags:
  • Negotiate Unicode (0x00000001)
  • Negotiate OEM (0x00000002)
  • Request Target (0x00000004)
  • Negotiate NTLM (0x00000200)
  • Negotiate Domain Supplied (0x00001000)
  • Negotiate Workstation Supplied (0x00002000)

    16 0x06 0x00 0x06 0x00 0x2b 0x00 0x00 0x00
    Supplied Domain Security Buffer:
    --Length: 6 bytes (0x0600)
    --Allocated Space: 6 bytes (0x0600)
    --Offset: 43 bytes (0x2b000000)

    24 0x0b 0x00 0x0b 0x00 0x20 0x00 0x00 0x00
    Supplied Workstation Security Buffer:
    --Length: 11 bytes (0x0b00)
    --Allocated Space: 11 bytes (0x0b00)
    --Offset: 32 bytes (0x20000000)

    32 0x57 0x4f 0x52 0x4b 0x53 0x54 0x41 0x54 0x49 0x4f 0x4e
    Supplied Workstation Data ("WORKSTATION")

    43 0x44 0x4f 0x4d 0x41 0x49 0x4e
    Supplied Domain Data ("DOMAIN")


    The above Type 1 message implies:

  • This is an NTLM Type 1 message (from the NTLMSSP Signature and Type 1 Indicator).

  • This client can support either Unicode or OEM strings (the Negotiate Unicode and Negotiate OEM flags are both set).

  • This client supports NTLM authentication (Negotiate NTLM).

  • The client is requesting that the server send information regarding the authentication target (Request Target is set).

  • This client is sending its domain, which is "DOMAIN" (the Negotiate Domain Supplied flag is set, and the domain name is present in the Supplied Domain Security Buffer).

  • The client is sending its workstation name, which is "WORKSTATION" (the Negotiate Workstation Supplied flag is set, and the workstation name is present in the Supplied Workstation Security Buffer).


  • Note that the supplied workstation and domain are in OEM format. Additionally, the order in which the security buffer data blocks are laid out is unimportant; in the example, the workstation data is placed before the domain data.
