This blog entry is intended for those readers seeking a consolidated reference for high-level aspects of the NTLM Protocol, as well as those who have occasion to analyze network traffic with Wireshark (a registered trademark of the Wireshark Foundation), Microsoft Network Monitor (v3.3 at the initial release of this document), and so on.

A zip file ([NTLM-OVERVIEW].zip) is attached to this entry, containing [NTLM-OVERVIEW].pdf, as well as a handful of short network traces illustrating NTLM authentication on various protocols.

The Open Specification documents, as well as all other cited documents, are meant as in-depth references for the protocol details.

NTLM is a Challenge/Response authentication method used across many network protocols, and originated as a successor to LANMAN (Microsoft LAN Manager) authentication.

The attached documentation is limited to the following protocols:

- Remote Procedure Call (RPC) [C706]
- Server Message Block (SMB) Protocol [MS-SMB]
- Server Message Block (SMB) Version 2 Protocol [MS-SMB2]
- Session Initiation Protocol (SIP) [RFC3261]

Information concerning additional protocols that use NTLM authentication can be found in the documents listed below. Note that Microsoft Network Monitor 3.3 includes parsers for these.

- [MS-MMSP]: Microsoft Media Server (MMS) Protocol Specification
- [MS-NNS]: .NET NegotiateStream Protocol Specification
- [MS-NNTP]: NT LAN Manager (NTLM) Authentication: Network News Transfer Protocol (NNTP) Extension
- [MS-NTHT]: NTLM Over HTTP Protocol Specification
- [MS-POP3]: NT LAN Manager (NTLM) Authentication: Post Office Protocol - Version 3 (POP3) Extension
- [MS-SMTP]: NT LAN Manager (NTLM) Authentication: Simple Mail Transfer Protocol (SMTP) Extension
- [MS-TDS]: Tabular Data Stream Protocol Specification

Additional protocols: HTTP, LDAP, Telnet.

Captures:

| Capture File | NTLM | Protocol | Client | Server |
| --- | --- | --- | --- | --- |
| rpc_ntlmv2.cap | v2 | RPC | Windows 2003 | Windows 2003 |
| smb_ntlmv2.cap | v2 | SMB | obfuscated | Windows 2003 |
| smb_ntlmv2_implicit.cap | v2 | SMB | Windows XP | obfuscated |
| smb_ntlmv2_spnego.cap | v2 | SMB | Windows XP | Windows 2003 |
| smb2_spnego_ntlmv2.cap | v2 | SMB2 | Windows 2008 | Windows 2008 |
| smtp_ntlmv2.cap | v2 | SMTP | Windows XP | Windows 2000 |
| sip_ntlmv2.cap | v2 | SIP | Windows XP | Windows 2003 |
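Whatever the carrier protocol in the captures above, the challenge/response exchange itself is the same three NTLMSSP messages (NEGOTIATE, CHALLENGE, AUTHENTICATE), and they can be decoded straight from their bytes when a dissector is unavailable. The parser below is an added example, not part of this entry or its attached traces; the field offsets follow the NTLM Open Specification [MS-NLMP], and the two builder functions construct sample messages inline with made-up domain, user and challenge values.

```python
import struct
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # NTLMSSP_NEGOTIATE_UNICODE: string fields are UTF-16LE when set
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _raw(buf, off):
    """Resolve an (Len, MaxLen, BufferOffset) descriptor at 'off' into the bytes it points at."""
    length, _maxlen, boff = struct.unpack_from("<HHI", buf, off)
    return buf[boff:boff + length]
def _text(buf, off, flags):
    return _raw(buf, off).decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1")

def parse_ntlmssp(buf):
    """Classify an NTLMSSP token and extract the fields an analyst inspects first."""
    if buf[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", buf, 8)[0]
    info = {"type": MESSAGE_TYPES.get(mtype, "UNKNOWN")}
    if mtype == 1:                                  # NEGOTIATE_MESSAGE: flags at offset 12
        info["flags"] = struct.unpack_from("<I", buf, 12)[0]
    elif mtype == 2:                                # CHALLENGE_MESSAGE
        info["flags"] = struct.unpack_from("<I", buf, 20)[0]
        info["target"] = _text(buf, 12, info["flags"])
        info["server_challenge"] = buf[24:32].hex()  # 8-byte nonce the client must answer
    elif mtype == 3:                                # AUTHENTICATE_MESSAGE
        info["flags"] = struct.unpack_from("<I", buf, 60)[0]
        info["domain"] = _text(buf, 28, info["flags"])
        info["user"] = _text(buf, 36, info["flags"])
        info["workstation"] = _text(buf, 44, info["flags"])
        # An NTLMv1 NtChallengeResponse is exactly 24 bytes; NTLMv2 is a 16-byte NTProofStr plus a blob.
        info["ntlm_version"] = "v2" if len(_raw(buf, 20)) > 24 else "v1"
    return info

def build_challenge(target, challenge, flags=NEGOTIATE_UNICODE):
    """Constructed minimal Type 2 message for testing (empty TargetInfo, no Version field)."""
    name = target.encode("utf-16-le")
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", len(name), len(name), 48)
            + struct.pack("<I", flags) + challenge + bytes(8)
            + struct.pack("<HHI", 0, 0, 48 + len(name)) + name)

def build_authenticate(domain, user, workstation, nt_response, flags=NEGOTIATE_UNICODE):
    """Constructed minimal Type 3 message for testing (empty LM response and session key, no MIC)."""
    payloads = [b"", nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"),
                workstation.encode("utf-16-le"), b""]
    fields, off = b"", 64                            # six descriptors + flags end at offset 64
    for p in payloads:
        fields += struct.pack("<HHI", len(p), len(p), off)
        off += len(p)
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + b"".join(payloads)
```

Fed the NTLMSSP blob that Wireshark or Network Monitor shows inside the SMB, RPC, SMTP or SIP carrier, the parser reports the server challenge, the account that answered it, and whether the response is NTLMv1 or NTLMv2 length.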