  The NTLM Type 3 Message
 
Subject: The NTLM Type 3 Message
Author: authen
In response to: An Example of The NTLM Type 2 Message
Posted on: 06/06/2006 03:02:52 AM


Structure (byte offsets; parenthesized offsets apply only when the optional fields are present):

   0  NTLMSSP Signature -- null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
   8  NTLM Message Type -- long (0x03000000)
  12  LM/LMv2 Response -- security buffer
  20  NTLM/NTLMv2 Response -- security buffer
  28  Domain Name -- security buffer
  36  User Name -- security buffer
  44  Workstation Name -- security buffer
 (52) Session Key (optional) -- security buffer
 (60) Flags (optional) -- long
  52 (64) start of data block

The Type 3 message is the final step in authentication. This message contains the client's responses to the Type 2 challenge, which demonstrate that the client has knowledge of the account password without sending the password directly. The Type 3 message also indicates the domain and username of the authenticating account, as well as the client workstation name.

Typically, the Type 3 message details one or more of the following:

1. The LM/LMv2 response -- reply created from the user's password in response to the Type 2 challenge.

2. The NTLM/NTLMv2 response -- NT-based reply created from the user's password in response to the Type 2 challenge.

3. The domain name -- the authentication realm in which the authenticating account has membership. This is either Unicode or OEM, depending on the negotiated encoding.

4. The user name -- the authenticating account name. This is either Unicode or OEM, depending on the negotiated encoding.

5. The workstation name -- the client workstation's name. This is either Unicode or OEM, depending on the negotiated encoding.

6. The session key -- often empty when included; it is apparently relevant in newer signing and sealing mechanisms. The Open Group documentation states that it additionally plays a role in datagram-style authentication.

7. The flags

When "Negotiate Local Call" has been established in the Type 2 message, the security buffers in the Type 3 message are typically all empty (zero length). The client "adopts" the SSPI context sent in the Type 2 message, effectively circumventing the need to calculate an appropriate response.

It should be noted that the flags in the Type 3 message are optional; older clients include neither the session key nor the flags in the message. In this case, the data block begins at offset 52, immediately following the workstation name security buffer. It has been determined experimentally that the Type 3 flags (when included) do not carry any additional semantics in connection-oriented authentication; they do not appear to have any discernible effect on either authentication or the establishment of session security. Clients sending flags typically mirror the established Type 2 settings fairly closely. It is possible that the flags are sent as a "reminder" of established options, to allow the server to avoid caching the negotiated settings. The Type 3 flags are relevant during datagram-style authentication, however.
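As an added illustration (not code from the original post), a small Python builder and parser for the Type 3 layout described above. It assumes Unicode strings, takes the LM/NTLM response fields as opaque bytes supplied by the caller, and uses the smallest security-buffer offset to tell the 52-byte header (no session key or flags) from the 64-byte one, as the post describes.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
FIELDS = ["lm_response", "nt_response", "domain", "user", "workstation"]

def _secbuf(data, off):
    """Security buffer: uint16 length, uint16 allocated space, uint32 offset (little-endian)."""
    length, _alloc, offset = struct.unpack_from("<HHI", data, off)
    if offset + length > len(data):
        raise ValueError("security buffer points outside the message")
    return data[offset:offset + length]

def build_type3(lm_resp, nt_resp, domain, user, workstation, flags=None, session_key=b""):
    """Assemble a Type 3 message with the layout given in the post. Strings are UTF-16LE
    (Negotiate Unicode assumed). The optional session key buffer and flags are written only
    when flags is given, so the data block starts at offset 64 with them and 52 without."""
    fields = [lm_resp, nt_resp] + [s.encode("utf-16-le") for s in (domain, user, workstation)]
    if flags is not None:
        fields.append(session_key)
    header_len = 64 if flags is not None else 52
    buffers, payload = b"", b""
    for f in fields:
        buffers += struct.pack("<HHI", len(f), len(f), header_len + len(payload))
        payload += f
    header = SIGNATURE + struct.pack("<I", 3) + buffers
    if flags is not None:
        header += struct.pack("<I", flags)
    return header + payload

def parse_type3(msg):
    """Decode the five mandatory buffers and detect whether the optional fields are present."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    out = {name: _secbuf(msg, 12 + 8 * i) for i, name in enumerate(FIELDS)}
    # Older clients omit session key and flags; the data block then begins at 52.
    # The smallest buffer offset therefore tells us where the header ends.
    offsets = [struct.unpack_from("<I", msg, 16 + 8 * i)[0] for i in range(len(FIELDS))]
    data_start = min(o for o in offsets if o) if any(offsets) else len(msg)
    out["has_optional_fields"] = data_start >= 64
    if out["has_optional_fields"]:
        out["session_key"] = _secbuf(msg, 52)
        out["flags"] = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if out.get("flags", 1) & 1 else "ascii"  # no flags: assume Unicode
    for name in ("domain", "user", "workstation"):
        out[name] = out[name].decode(enc)
    # With Negotiate Local Call every buffer is empty (zero length), per the post.
    out["local_call"] = all(len(out[name]) == 0 for name in FIELDS)
    return out
```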

 

> On 06/06/2006 02:49:13 AM authen wrote:


A sample Type 1 Message could be as follows:

    0x4e544c4d53535000020000000c000c003000000001028100
    0123456789abcdef0000000000000000620062003c000000
    44004f004d00410049004e0002000c0044004f004d004100
    49004e0001000c0053004500520056004500520004001400
    64006f006d00610069006e002e0063006f006d0003002200
    7300650072007600650072002e0064006f006d0061006900
    6e002e0063006f006d0000000000


Broken down:

0 0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00
NTLMSSP Signature

8 0x02 0x00 0x00 0x00
Type 2 Indicator

12 0x0c 0x00 0x0c 0x00 0x30 0x00 0x00 0x00
Target Name:
--Length: 12 bytes (0x0c00)
--Allocated Space: 12 bytes (0x0c00)
--Offset: 48 bytes (0x30000000)

20 0x01 0x02 0x81 0x00
Flags:
--Negotiate Unicode (0x00000001)
--Negotiate NTLM (0x00000200)
--Target Type Domain (0x00010000)
--Negotiate Target Info (0x00800000)

24 0x01 0x23 0x45 0x67 0x89 0xab 0xcd 0xef
Challenge

32 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Context

40 0x62 0x00 0x62 0x00 0x3c 0x00 0x00 0x00
Target Information:
--Length: 98 bytes (0x6200)
--Allocated Space: 98 bytes (0x6200)
--Offset: 60 bytes (0x3c000000)

48 0x44 0x00 0x4f 0x00 0x4d 0x00 0x41 0x00 0x49 0x00 0x4e 0x00
Target Name Data ("DOMAIN")

60 Target Information Data (data block, broken down below):
0x02 0x00 0x0c 0x00 0x44 0x00 0x4f 0x00 0x4d 0x00 0x41 0x00 0x49 0x00 0x4e 0x00
Domain name subblock:
--Type: 2 (Domain name, 0x0200)
--Length: 12 bytes (0x0c00)
--Data: "DOMAIN"

0x01 0x00 0x0c 0x00 0x53 0x00 0x45 0x00 0x52 0x00 0x56 0x00 0x45 0x00 0x52 0x00
Server name subblock:
--Type: 1 (Server name, 0x0100)
--Length: 12 bytes (0x0c00)
--Data: "SERVER"

0x04 0x00 0x14 0x00 0x64 0x00 0x6f 0x00 0x6d 0x00 0x61 0x00 0x69 0x00 0x6e 0x00
0x2e 0x00 0x63 0x00 0x6f 0x00 0x6d 0x00
DNS domain name subblock:
--Type: 4 (DNS domain name, 0x0400)
--Length: 20 bytes (0x1400)
--Data: "domain.com"

0x03 0x00 0x22 0x00 0x73 0x00 0x65 0x00 0x72 0x00 0x76 0x00 0x65 0x00 0x72 0x00
0x2e 0x00 0x64 0x00 0x6f 0x00 0x6d 0x00 0x61 0x00 0x69 0x00 0x6e 0x00 0x2e 0x00
0x63 0x00 0x6f 0x00 0x6d 0x00
DNS server name subblock:
--Type: 3 (DNS server name, 0x0300)
--Length: 34 bytes (0x2200)
--Data: "server.domain.com"

0x00 0x00 0x00 0x00
Terminator subblock:
--Type: 0 (terminator, 0x0000)
--Length: 0 bytes (0x0000)


An analysis of this message shows:

  • This is an NTLM Type 2 message (from the NTLMSSP Signature and Type 2 Indicator).

  • The server has indicated that strings will be encoded using Unicode (the Negotiate Unicode flag is set).

  • The server supports NTLM authentication (Negotiate NTLM).

  • The Target Name provided by the server is populated and represents a domain (the Target Type Domain flag is set and the domain name is present in the Target Name Security Buffer).

  • The server is providing a Target Information structure (Negotiate Target Info is set). This structure is present in the Target Information Security Buffer (domain name "DOMAIN", server name "SERVER", DNS domain name "domain.com", and DNS server name "server.domain.com").

  • The challenge generated by the server is "0x0123456789abcdef".

  • An empty context has been sent.

  • Note that the target name is in Unicode format (as specified by the Negotiate Unicode flag).
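The breakdown above can be checked mechanically. The following Python parser is an added example, not code from the post or its author; it takes the sample Type 2 message quoted above, decodes the security buffers, the four flag bits named in the breakdown, the challenge and context, and walks the Target Information subblocks up to the terminator.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
FLAG_NAMES = {0x00000001: "Negotiate Unicode", 0x00000200: "Negotiate NTLM",  # bits named in the post
              0x00010000: "Target Type Domain", 0x00800000: "Negotiate Target Info"}
AV_NAMES = {1: "server name", 2: "domain name", 3: "DNS server name", 4: "DNS domain name"}

# The Type 2 message quoted in the post, joined into one hex string (158 bytes).
SAMPLE_TYPE2 = bytes.fromhex(
    "4e544c4d53535000020000000c000c003000000001028100"
    "0123456789abcdef0000000000000000620062003c000000"
    "44004f004d00410049004e0002000c0044004f004d004100"
    "49004e0001000c0053004500520056004500520004001400"
    "64006f006d00610069006e002e0063006f006d0003002200"
    "7300650072007600650072002e0064006f006d0061006900"
    "6e002e0063006f006d0000000000")

def _secbuf(data, off):
    """Security buffer: uint16 length, uint16 allocated space, uint32 offset (little-endian)."""
    length, _alloc, offset = struct.unpack_from("<HHI", data, off)
    if offset + length > len(data):
        raise ValueError("security buffer points outside the message")
    return data[offset:offset + length]

def parse_target_info(block):
    """Walk the type/length/data subblocks (Unicode strings) until the type-0 terminator."""
    pairs, pos = {}, 0
    while True:
        if pos + 4 > len(block):
            raise ValueError("Target Information block has no terminator")
        av_id, av_len = struct.unpack_from("<HH", block, pos)
        pos += 4
        if av_id == 0:
            return pairs
        pairs[AV_NAMES.get(av_id, f"type {av_id}")] = block[pos:pos + av_len].decode("utf-16-le")
        pos += av_len

def parse_type2(msg):
    """Decode the header fields of a Type 2 message into a dict."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    flags = struct.unpack_from("<I", msg, 20)[0]
    enc = "utf-16-le" if flags & 0x00000001 else "ascii"  # Negotiate Unicode decides the encoding
    out = {"target_name": _secbuf(msg, 12).decode(enc), "challenge": msg[24:32].hex(),
           "context": msg[32:40].hex(),
           "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit]}
    if flags & 0x00800000:  # Negotiate Target Info: buffer at 40 holds the subblocks
        out["target_info"] = parse_target_info(_secbuf(msg, 40))
    return out
```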
