Re: Windows NTLM authenticator

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 9 Sep 2003 13:21:03 +0200

On Tuesday 09 September 2003 12.34, Serassio Guido wrote:

> >Is there any clue in the access.log traces?
>
> I can't see anything special.

There is..

Proxy-Authenticate: NTLM
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB7IIAAIAAgAkAAAABAAEACAAAABWRUdBU0c=
0000000 4e 54 4c 4d 53 53 50 00 01 00 00 00 07 b2 08 00
0000020 02 00 02 00 24 00 00 00 04 00 04 00 20 00 00 00
0000040 56 45 47 41 53 47
Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAADAAAACCggAAch/fuFilVOEAAAAAAAAAAAAAAAAwAAAA
0000000 4e 54 4c 4d 53 53 50 00 02 00 00 00 00 00 00 00
0000020 30 00 00 00 82 82 00 00 72 1f df b8 58 a5 54 e1
0000040 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAFMAAAAYABgAawAAAAIAAgBAAAAADQANAEIAAAAEAAQATwAAAAAAAACDAAAAAoIAAFNHQURNSU5JU1RSQVRPUlZFR0GTfPac0Iv+qrxNYN5tOBSuI1jMhmeVlhRTZ2We2FEtdTBp0oNuca2UTCzk04Bkmt8=
0000000 4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00
0000020 53 00 00 00 18 00 18 00 6b 00 00 00 02 00 02 00
0000040 40 00 00 00 0d 00 0d 00 42 00 00 00 04 00 04 00
0000060 4f 00 00 00 00 00 00 00 83 00 00 00 02 82 00 00
0000100 53 47 41 44 4d 49 4e 49 53 54 52 41 54 4f 52 56
0000120 45 47 41 93 7c f6 9c d0 8b fe aa bc 4d 60 de 6d
0000140 38 14 ae 23 58 cc 86 67 95 96 14 53 67 65 9e d8
0000160 51 2d 75 30 69 d2 83 6e 71 ad 94 4c 2c e4 d3 80
0000200 64 9a df

Proxy-Authenticate: NTLM
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB7IIAAIAAgAkAAAABAAEACAAAABWRUdBU0c=
0000000 4e 54 4c 4d 53 53 50 00 01 00 00 00 07 b2 08 00
0000020 02 00 02 00 24 00 00 00 04 00 04 00 20 00 00 00
0000040 56 45 47 41 53 47
0000046
Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAADAAAACCggAA1m6Lb5JfneUAAAAAAAAAAAAAAAAwAAAA
0000000 4e 54 4c 4d 53 53 50 00 02 00 00 00 00 00 00 00
0000020 30 00 00 00 82 82 00 00 d6 6e 8b 6f 92 5f 9d e5
0000040 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAFMAAAAYABgAawAAAAIAAgBAAAAADQANAEIAAAAEAAQATwAAAAAAAACDAAAAAoIAAFNHQURNSU5JU1RSQVRPUlZFR0F71sKG4mKcibaz7EnSw4NJuFCozm0Q77FElN5mc7VHlgBTHF8h2KFp6dTMV0SdT3w=
0000000 4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00
0000020 53 00 00 00 18 00 18 00 6b 00 00 00 02 00 02 00
0000040 40 00 00 00 0d 00 0d 00 42 00 00 00 04 00 04 00
0000060 4f 00 00 00 00 00 00 00 83 00 00 00 02 82 00 00
0000100 53 47 41 44 4d 49 4e 49 53 54 52 41 54 4f 52 56
0000120 45 47 41 7b d6 c2 86 e2 62 9c 89 b6 b3 ec 49 d2
0000140 c3 83 49 b8 50 a8 ce 6d 10 ef b1 44 94 de 66 73
0000160 b5 47 96 00 53 1c 5f 21 d8 a1 69 e9 d4 cc 57 44
0000200 9d 4f 7c

Proxy-Authenticate: NTLM
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB7IIAAIAAgAkAAAABAAEACAAAABWRUdBU0c=
0000000 4e 54 4c 4d 53 53 50 00 01 00 00 00 07 b2 08 00
0000020 02 00 02 00 24 00 00 00 04 00 04 00 20 00 00 00
0000040 56 45 47 41 53 47
Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAADAAAACCggAA1m6Lb5JfneUAAAAAAAAAAAAAAAAwAAAA
0000000 4e 54 4c 4d 53 53 50 00 02 00 00 00 00 00 00 00
0000020 30 00 00 00 82 82 00 00 d6 6e 8b 6f 92 5f 9d e5
0000040 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAFMAAAAYABgAawAAAAIAAgBAAAAADQANAEIAAAAEAAQATwAAAAAAAACDAAAAAoIAAFNHQURNSU5JU1RSQVRPUlZFR0F71sKG4mKcibaz7EnSw4NJuFCozm0Q77FElN5mc7VHlgBTHF8h2KFp6dTMV0SdT3w=
0000000 4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00
0000020 53 00 00 00 18 00 18 00 6b 00 00 00 02 00 02 00
0000040 40 00 00 00 0d 00 0d 00 42 00 00 00 04 00 04 00
0000060 4f 00 00 00 00 00 00 00 83 00 00 00 02 82 00 00
0000100 53 47 41 44 4d 49 4e 49 53 54 52 41 54 4f 52 56
0000120 45 47 41 7b d6 c2 86 e2 62 9c 89 b6 b3 ec 49 d2
0000140 c3 83 49 b8 50 a8 ce 6d 10 ef b1 44 94 de 66 73
0000160 b5 47 96 00 53 1c 5f 21 d8 a1 69 e9 d4 cc 57 44
0000200 9d 4f 7c

As can be seen, the third session reused the challenge of the second..
not good, and it will crash any real NTLMSSP.

Note: The helper traces and your access.log do not seem to match
fully. The helper traces are longer than your access.log trace, and
it seems the helper traces are cut, showing an error occurring just
before your access.log trace and not the error in the access.log. If
not, there are really odd bugs lurking around here..

Regards
Henrik
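As an added illustration (not part of Henrik's message or of Squid's own code), the Python below decodes the three `Proxy-Authenticate: NTLM` Type 2 headers from the traces above, pulls out the 8-byte server challenge, and reports any challenge that shows up in more than one session, which is the defect the message points at. The header values are copied from the traces; the function names are my own.

```python
import base64
import struct
from collections import Counter

# Type 2 (challenge) header values from the three proxy sessions in the
# traces above: session one carries its own challenge, sessions two and
# three carry the same one.
TYPE2_HEADERS = [
    "TlRMTVNTUAACAAAAAAAAADAAAACCggAAch/fuFilVOEAAAAAAAAAAAAAAAAwAAAA",
    "TlRMTVNTUAACAAAAAAAAADAAAACCggAA1m6Lb5JfneUAAAAAAAAAAAAAAAAwAAAA",
    "TlRMTVNTUAACAAAAAAAAADAAAACCggAA1m6Lb5JfneUAAAAAAAAAAAAAAAAwAAAA",
]

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def parse_type2(b64: str) -> dict:
    """Decode an NTLMSSP Type 2 message given as a base64 header value.

    Layout (all little-endian): signature[8], type[4], target-name
    security buffer (len, maxlen, offset)[8], flags[4], challenge[8],
    context[8], target-info security buffer[8].
    """
    raw = base64.b64decode(b64)
    if len(raw) < 32 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type != 2:
        raise ValueError(f"expected a Type 2 message, got type {msg_type}")
    tlen, _tmax, toff, flags = struct.unpack_from("<HHII", raw, 12)
    return {
        "flags": flags,
        "challenge": raw[24:32],
        "target_name": raw[toff:toff + tlen],
    }


def reused_challenges(headers) -> dict:
    """Map each challenge that occurs in more than one session to its count."""
    counts = Counter(parse_type2(h)["challenge"] for h in headers)
    return {chal: n for chal, n in counts.items() if n > 1}


if __name__ == "__main__":
    for i, hdr in enumerate(TYPE2_HEADERS, 1):
        info = parse_type2(hdr)
        print(f"session {i}: flags=0x{info['flags']:08x} "
              f"challenge={info['challenge'].hex()}")
    for chal, n in reused_challenges(TYPE2_HEADERS).items():
        print(f"challenge {chal.hex()} reused across {n} sessions")
```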
Received on Tue Sep 09 2003 - 05:21:23 MDT
