This blog entry is intended for those readers seeking a consolidated reference for high-level aspects of the NTLM Protocol, as well as those who have occasion to analyze network traffic with Wireshark (a registered trademark of the Wireshark Foundation), Microsoft Network Monitor (v3.3 at the initial release of this document), and so on.
A zip file ([NTLM-OVERVIEW].zip) is attached to this entry, containing [NTLM-OVERVIEW].pdf, as well as a handful of short network traces illustrating NTLM authentication on various protocols.
The Open Specification documents, as well as all other cited documents, are meant for in-depth reference to the protocol details.
NTLM is a Challenge/Response authentication method used across many network protocols, and originated as a successor to LANMAN (Microsoft LAN Manager) authentication.
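When reading the attached traces, the first thing to locate in each protocol is the three NTLMSSP messages (NEGOTIATE, CHALLENGE, AUTHENTICATE) and their NegotiateFlags. The decoder below is an added example, not code from this entry or its zip file; the field layouts and flag bits follow [MS-NLMP], and the sample CHALLENGE message it builds is constructed here rather than taken from any of the captures.

```python
import struct

# NegotiateFlags bits from [MS-NLMP] 2.2.2.5 (the subset a trace analyst checks first)
FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000200: "NTLM",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56",
}
SIGNATURE = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _field(msg, off):
    """Read a Len/MaxLen/Offset descriptor and return the payload bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def _text(raw, flags):
    # NTLMSSP_NEGOTIATE_UNICODE selects UTF-16LE strings, otherwise OEM (ASCII here)
    return raw.decode("utf-16-le" if flags & 1 else "ascii")


def decode_ntlm(msg):
    """Decode the fixed header of one NTLMSSP message of any of the three types."""
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": TYPES.get(mtype, f"UNKNOWN({mtype})")}
    flags = 0
    if mtype == 1:      # NEGOTIATE: NegotiateFlags at offset 12
        flags = struct.unpack_from("<I", msg, 12)[0]
    elif mtype == 2:    # CHALLENGE: TargetNameFields at 12, flags at 20, ServerChallenge at 24
        flags = struct.unpack_from("<I", msg, 20)[0]
        info["server_challenge"] = msg[24:32].hex()
        info["target_name"] = _text(_field(msg, 12), flags)
    elif mtype == 3:    # AUTHENTICATE: six field descriptors from 12, flags at 60
        flags = struct.unpack_from("<I", msg, 60)[0]
        info["nt_response_len"] = struct.unpack_from("<H", msg, 20)[0]
        info["domain"] = _text(_field(msg, 28), flags)
        info["user"] = _text(_field(msg, 36), flags)
    info["flags"] = sorted(name for bit, name in FLAGS.items() if flags & bit)
    return info


def build_challenge(target, challenge, flags=0xA2890205):
    """Constructed sample CHALLENGE_MESSAGE (hypothetical values, not from the attached traces)."""
    name = target.encode("utf-16-le")
    hdr = SIGNATURE + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(name), len(name), 56)     # TargetNameFields -> payload
    hdr += struct.pack("<I", flags) + challenge + bytes(8)   # flags, ServerChallenge, Reserved
    hdr += struct.pack("<HHI", 0, 0, 56 + len(name))         # TargetInfoFields (empty)
    hdr += bytes([6, 1, 0xB1, 0x1D, 0, 0, 0, 0x0F])           # Version (constructed)
    return hdr + name
```

In SMTP, POP3 and HTTP the same bytes appear base64-encoded in the text exchange, so base64-decode the token before passing it to `decode_ntlm`.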
The attached documentation is limited to the following protocols:
· Remote Procedure Call (RPC) [C706]
· Server Message Block (SMB) Protocol [MS-SMB]
· Server Message Block (SMB) Version 2 Protocol [MS-SMB2]
· Session Initiation Protocol (SIP) [RFC3261]
Information concerning additional protocols that use NTLM authentication can be found in the documents listed below. Note that Microsoft Network Monitor 3.3 includes parsers for these.
· [MS-MMSP]: Microsoft Media Server (MMS) Protocol Specification
· [MS-NNS]: .NET NegotiateStream Protocol Specification
· [MS-NNTP]: NT LAN Manager (NTLM) Authentication: Network News Transfer Protocol (NNTP) Extension
· [MS-NTHT]: NTLM Over HTTP Protocol Specification
· [MS-POP3]: NT LAN Manager (NTLM) Authentication: Post Office Protocol - Version 3 (POP3) Extension
· [MS-SMTP]: NT LAN Manager (NTLM) Authentication: Simple Mail Transfer Protocol (SMTP) Extension
· [MS-TDS]: Tabular Data Stream Protocol Specification
Additional protocols: HTTP, LDAP, Telnet.
Captures:
Capture File | NTLM | Protocol | Client / Server
rpc_ntlmv2.cap | v2 | RPC | Windows 2003
smb_ntlmv2.cap | v2 | SMB | obfuscated
smb_ntlmv2_implicit.cap | v2 | SMB | Windows XP
smb_ntlmv2_spnego.cap | v2 | SMB |
smb2_spnego_ntlmv2.cap | v2 | SMB2 | Windows 2008
smtp_ntlmv2.cap | v2 | SMTP | Windows 2000
sip_ntlmv2.cap | v2 | SIP |