Share via


NTLM V1… no, excuse me… NTLM V2… oh, no, you were right… it’s V1…

… and the discussion goes like that for a couple hours.

Have you been in that situation before?

If the answer is no… then you probably have something better to do than reading this blog. May I suggest Dilbert? I’m a longtime fan.

If the answer is yes, then you will probably like this short tip.

It is easy to understand that NTLM is the authentication method being used between two computers when capturing data over the wire but, how can we distinguish if the version being used is V1 or V2?


Well, the only way to tell is by looking into the following details:

3489 1:50:07 AM 3/19/2010 143.9069739 ENDPOINT01 SUT01 SMB SMB:C; Negotiate, Dialect = NT LM 0.12 {SMBOverTCP:148, TCP:147, IPv4:3}

3490 1:50:07 AM 3/19/2010 143.9077536 SUT01 ENDPOINT01 SMB SMB:R; Negotiate, Dialect is NT LM 0.12 (#0) {SMBOverTCP:148, TCP:147, IPv4:3}

3491 1:50:07 AM 3/19/2010 143.9168036 ENDPOINT01 SUT01 SMB SMB:C; Session Setup Andx, NTLM NEGOTIATE MESSAGE {SMBOverTCP:148, TCP:147, IPv4:3}

3492 1:50:07 AM 3/19/2010 143.9174079 SUT01 ENDPOINT01 SMB SMB:R; Session Setup Andx, NTLM CHALLENGE MESSAGE - NT Status: System - Error, Code = (22) STATUS_MORE_PROCESSING_REQUIRED {SMBOverTCP:148, TCP:147, IPv4:3}

3493 1:50:07 AM 3/19/2010 143.9396336 ENDPOINT01 SUT01 SMB SMB:C; Session Setup Andx, NTLM AUTHENTICATE MESSAGE, Domain: , User: Administrator, Workstation: ENDPOINT01 {SMBOverTCP:148, TCP:147, IPv4:3}

3495 1:50:07 AM 3/19/2010 143.9414495 SUT01 ENDPOINT01 SMB SMB:R; Session Setup Andx {SMBOverTCP:148, TCP:147, IPv4:3}

 

 

 

Looking into the highlighted message:

  Frame: Number = 3493, Captured Frame Length = 282, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-2E-39-5A],SourceAddress:[00-15-5D-2E-39-5B]

+ Ipv4: Src = 192.168.0.101, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 10822, Total IP Length = 268

+ Tcp: Flags=...AP..., SrcPort=1085, DstPort=Microsoft-DS(445), PayloadLen=228, Seq=2086951204 - 2086951432, Ack=2573578059, Win=16308 (scale factor 0x2) = 65232

+ SMBOverTCP: Length = 224

- Smb: C; Session Setup Andx, NTLM AUTHENTICATE MESSAGE, Domain: , User: Administrator, Workstation: ENDPOINT01

    Protocol: SMB

    Command: Session Setup Andx 115(0x73)

  + NTStatus: 0x0, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS, Code = (0) STATUS_SUCCESS

  + SMBHeader: Command, TID: 0x0000, PID: 0x0000, UID: 0x1000, MID: 0x0001

  - CSessionSetupAndXNTLMESS:

     WordCount: 12 (0xC)

     ANDXCommand: No Secondary Command 255(0xFF)

     AndXReserved: 0 (0x0)

     ANDXOffset: 224 (0xE0)

     MaxBufferSize: 16644 (0x4104)

     MaxMpxCount: 0 (0x0)

     VcNumber: 0 (0x0)

     SessionKey: 0 (0x0)

     SecurityBlobLength: 160 (0xA0)

     Reserved: 0 (0x0)

   + Capabilities: 0x8001E3FC

     ByteCount: 165 (0xA5)

   - SecurityBlob:

    - GSSAPI:

     - Token: NTLM AUTHENTICATE MESSAGE, Domain: , User: Administrator, Workstation: ENDPOINT01

      - NLMP: NTLM AUTHENTICATE MESSAGE, Domain: , User: Administrator, Workstation: ENDPOINT01

         Signature: NTLMSSP

         MessageType: Authenticate Message (0x00000003)

       - LmChallengeResponse: Length: 24, Offset: 112

          Length: 24 (0x18)

          MaximumLength: 24 (0x18)

          BufferOffset: 112 (0x70)

       - NtChallengeResponse: Length: 24, Offset: 136

          Length: 24 (0x18)

          MaximumLength: 24 (0x18)

          BufferOffset: 136 (0x88)

       + DomainName: Length: 1, Offset: 88

       + UserName: Length: 13, Offset: 89

       + Workstation: Length: 10, Offset: 102

       + SessionKey: Length: 0, Offset: 160

       + AuthenticateFlags: 0x0280A206 (NTLM v1No encryption, Always Sign)

       + Version: Windows 6.0 Build 6002 NLMPv15

       + MessageIntegrityCheckNotPresent: 7B17C94546AB0475161B66A23214803D

         DomainNameStringA:

         UserNameStringA: Administrator

         WorkstationStringA: ENDPOINT01

       + LmChallengeResponseString: 3C3EBA89185188ED468BFF010611B4852B6B2BF5A01DA154

       + NTLMV1ChallengeResponse: 84BF3BFBEBA1D5F4CF7171EF716EEF8FF7167E47A0EB4128

   + Align: 1 Bytes

     NativeOS:

     Null: 0 (0x0)

 

The highlighted field is the only one that will clear our doubt.

If its value is 24 bytes long, then the version being used is V1.

If its value is larger than 24 (variable size) then the version being used is V2.

Well, I told you it was a short tip… now you can click on the Dilbert link and laugh at a couple strips.

Disclaimer: it may be addictive so, set a limit up front and be strong!! J

I hope you liked the post!

 

Regards,

 

Sebastian

Comments

  • Anonymous
    October 21, 2010
    seb,  why does my pop mail refuseto authenticate my email ? my btinternet server keeps coming up with error blaming ntlm..   unread messages are building up thanks.  CB      bowls50@btinternet.com

  • Anonymous
    October 21, 2010
    seb,  why does my pop mail refuseto authenticate my email ? my btinternet server keeps coming up with error blaming ntlm..   unread messages are building up thanks.  CB      bowls50@btinternet.com

  • Anonymous
    November 11, 2010
    Hi CB; the Exchange Server 'Clients' forum at the link below would be a good place to start. social.technet.microsoft.com/.../threads

  • Anonymous
    May 26, 2011
    The network captures provided in blog "blogs.msdn.com/.../ntlm-overview.aspx" state they are of NTLM v2, but looking at the "rpc_ntlmv2.cap" shows the same 24bit length for NtChallengeResponse.  So is the capture really of NTLM V1, or is the 24bit length not an absolute indicator? Thanks!