Re: Where can I find NTLMSSP Spec?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 15 May 2002 10:38:55 +0200

On Tuesday 14 May 2002 19:08, Yee Man Chan wrote:

> Now I got a question for you NT wizards: how do I
> obtain the 16 bytes LanMan password to calculate the
> response to a NTLM challenge? Is it the same as my
> login password in the format of NULL-terminated ASCII
> string? If not, how can I get it?

The NTLM challenge is not at all dependent on the password. It is
just a random number, and some static information.

The NTLM response is dependent on the challenge and the user's NT
password hash (different from the LANMAN hash, but both being 16
bytes). The client calculates the password hashes from the
password entered by the user, and the server verifies using a stored
copy.

This is all described pretty well in the Samba documentation on
encrypted passwords. There are other sources as well (including RFCs on
MS-CHAP and MS-CHAPv2, the CIFS specs and others), but the Samba docs
are the most frequently quoted ones.

NTLMSSP includes both NTLM and LANMAN responses, or an NTLMv2 response.

Note: NTLMv2 is not supported by Squid at the moment due to
shortcomings in the helper protocol, and lack of understanding of the
NTLMv2 NTLMSSP protocol. I think I have all the needed documentation
now for NTLMv2, but I ran out of time when starting the
implementation.

If you want to use the NT domain then the server doesn't do any of
this. It simply asks the NT domain controller to verify the NT
response provided by the user. NT domain controllers do not allow you
to access the password store directly, as the password store
(including the NT and LANMAN password hashes) must be protected
rigorously.

The NT domain controller can be queried in many different ways. One
way, utilized by the ntlm_auth helper, is to open an SMB connection to
the NT network and translate the handshakes between NTLMSSP<->SMB.
Currently this is only implemented for LANMAN responses. Another,
utilized by the winbind helper via winbind, is to use a NETLOGON RPC
pipe. The latter is the same method as used by an NT domain member
server/workstation.

If you want to look at a helper verifying the NT and LANMAN responses
directly without using an NT network then you could look into my
smbpasswd helper. To work best it also needs a small patch to Squid
to have the client negotiate packet sent to the helper, but until
NTLMv2 support is added this is not critical. I noticed I had
forgotten to document the presence of this branch, now corrected.

Regards
Henrik
Received on Wed May 15 2002 - 03:09:53 MDT
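The hash and response computation Henrik describes (LANMAN hash, NT hash, and the 24-byte response a client returns for an 8-byte server challenge), written out as an added example in Go. This is not Squid, Samba or the poster's code. It also answers the quoted question directly: neither hash is taken over a NUL-terminated ASCII string; the LANMAN hash is DES over the upper-cased OEM password padded to 14 bytes, and the NT hash is MD4 over the UTF-16LE password. Go's standard library provides DES but not MD4, so MD4 is implemented inline. The inputs in main() (password "Password", challenge 01 23 45 67 89 ab cd ef) are the sample values from Microsoft's MS-NLMP specification; NTLMv2, which uses HMAC-MD5 instead, is not covered here.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 implements RFC 1320 (the NT hash is MD4; Go's stdlib has none).
func md4(data []byte) [16]byte {
	shifts := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	order := [3][16]int{
		{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
		{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15},
		{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15},
	}
	consts := [3]uint32{0, 0x5a827999, 0x6ed9eba1}
	h := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	// Pad: 0x80, zeros up to 56 mod 64, then the bit length as a LE uint64.
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (56-len(msg)%64+64)%64+8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	for off := 0; off < len(msg); off += 64 {
		a, b, c, d := h[0], h[1], h[2], h[3]
		for i := 0; i < 48; i++ {
			r, f := i/16, b^c^d // round-3 function H; F and G below
			if r == 0 {
				f = (b & c) | (^b & d)
			} else if r == 1 {
				f = (b & c) | (b & d) | (c & d)
			}
			x := binary.LittleEndian.Uint32(msg[off+4*order[r][i%16]:])
			a = bits.RotateLeft32(a+f+x+consts[r], shifts[r][i%4])
			a, b, c, d = d, a, b, c // rotate roles so the next step updates old d
		}
		h[0], h[1], h[2], h[3] = h[0]+a, h[1]+b, h[2]+c, h[3]+d
	}
	var out [16]byte
	for i, v := range h {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// desEncrypt encrypts one 8-byte block under a 7-byte key, spreading the 56
// bits over 8 bytes as LM/NTLMv1 do (DES ignores the low parity bits).
func desEncrypt(k7, block, dst []byte) {
	var key [8]byte
	key[0], key[7] = k7[0], k7[6]<<1
	for i := 1; i < 7; i++ {
		key[i] = k7[i-1]<<(8-i) | k7[i]>>i
	}
	c, err := des.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	c.Encrypt(dst, block)
}

// lmHash: upper-case, pad or truncate to 14 bytes (no NUL terminator), then
// DES-encrypt "KGS!@#$%" under each half. ASCII upper-casing only here;
// Windows applies the OEM code page's rules to non-ASCII characters.
func lmHash(password string) [16]byte {
	var p [14]byte
	copy(p[:], strings.ToUpper(password))
	var h [16]byte
	desEncrypt(p[:7], []byte("KGS!@#$%"), h[:8])
	desEncrypt(p[7:], []byte("KGS!@#$%"), h[8:])
	return h
}

// ntHash is MD4 over the password encoded as UTF-16LE, no NUL terminator.
func ntHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	return md4(buf)
}

// challengeResponse is the 24-byte LM or NTLMv1 response: zero-pad the hash
// to 21 bytes, split it into three 7-byte DES keys, and encrypt the server's
// 8-byte challenge under each. The hash itself never goes on the wire.
func challengeResponse(hash [16]byte, challenge [8]byte) [24]byte {
	var padded [21]byte
	copy(padded[:], hash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		desEncrypt(padded[7*i:7*i+7], challenge[:], resp[8*i:8*i+8])
	}
	return resp
}

func main() {
	ch := [8]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef} // MS-NLMP sample challenge
	lm, nt := lmHash("Password"), ntHash("Password")
	fmt.Printf("LM %x -> %x\nNT %x -> %x\n", lm, challengeResponse(lm, ch), nt, challengeResponse(nt, ch))
}
```

A verifier such as the smbpasswd helper mentioned above holds the stored 16-byte hashes and recomputes challengeResponse for the challenge it issued; a match proves the client knew the hash, which is why the hash store must be protected as carefully as the passwords themselves.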