Jaa


How LMCompatibilityLevel really works

A while ago I once again got frustrated by LMCompatibilityLevel and the amount of confusion that is out there about it. There was also an intriguing thing in the SAMBA documentation that they (incorrectly) called "NTLM2 Session Response" that needed figured out. The results are in the latest issue of TechNet Magazine.

One additional thing deserves mention. Roger Grimes contacted me after he saw the article and asked why the Cain tool shows an MD4 hash and an NT hash, when I claim the NT hash is actually an MD4 hash. He then proceeded to answer his own question because I couldn't think of why. What Cain calls an MD4 hash appears to be an MD4 hash of the entire string, including the NULL terminator. The NT hash that is used in Windows is, as I mention somewhat obscurely in the article, a hash of the Unicode password string (in fact, it is even called the UnicodePwd in Active Directory, as I pointed out in the book among other places), but it does not include the NULL terminator. It just never occurred to me that Cain might display an MD4 hash that does. Thanks Roger for figuring that out.

Comments

  • Anonymous
    January 01, 2003
    PingBack from http://www.petri.co.il/save-your-exchange-password-in-microsoft-outlook-2003-or-2007.htm

  • Anonymous
    January 01, 2003
    PingBack from http://www.secure-software-engineering.com/2008/03/02/how-lmcompatibilitylevel-really-works/

  • Anonymous
    July 27, 2006
    Finally an accurate and definitive description of LMCompatibilityLevel and NTLMv2 Session Security from a trusted Microsoft source!

  • Anonymous
    July 28, 2006
    Ever the burden of the network developer, and particularly the crypto network developer, to get agreement between sender and recipient as to what the binary representation of an object is.  You have no idea (but can probably guess) how often this sort of error pops up in badly written software to poorly documented standards, as people disagree on padding, termination, delimiters, size counts, and connection durations.
    A good protocol document would define these terms explicitly.

  • Anonymous
    August 01, 2006
    The comment has been removed