… and the discussion goes like that for a couple hours.

Have you been in that situation before?

If the answer is no… then you probably have something better to do than reading this blog. May I suggest Dilbert? I’m a longtime fan.

If the answer is yes, then you will probably like this short tip.

It is easy to understand that NTLM is the authentication method being used between two computers when capturing data over the wire but, how can we distinguish if the version being used is V1 or V2?

 

Well, the only way to tell is by looking into the following details:

3489       1:50:07 AM 3/19/2010    143.9069739                       ENDPOINT01      SUT01   SMB       SMB:C; Negotiate, Dialect = NT LM 0.12        {SMBOverTCP:148, TCP:147, IPv4:3}

3490       1:50:07 AM 3/19/2010    143.9077536                       SUT01   ENDPOINT01      SMB       SMB:R; Negotiate, Dialect is NT LM 0.12 (#0)              {SMBOverTCP:148, TCP:147, IPv4:3}

3491       1:50:07 AM 3/19/2010    143.9168036                       ENDPOINT01      SUT01   SMB       SMB:C; Session Setup Andx, NTLM NEGOTIATE MESSAGE   {SMBOverTCP:148, TCP:147, IPv4:3}

3492       1:50:07 AM 3/19/2010    143.9174079                       SUT01   ENDPOINT01      SMB       SMB:R; Session Setup Andx, NTLM CHALLENGE MESSAGE - NT Status: System - Error, Code = (22) STATUS_MORE_PROCESSING_REQUIRED                {SMBOverTCP:148, TCP:147, IPv4:3}

3493       1:50:07 AM 3/19/2010    143.9396336                       ENDPOINT01      SUT01   SMB       SMB:C; Session Setup Andx, NTLM AUTHENTICATE MESSAGE, Domain:  , User: Administrator, Workstation: ENDPOINT01    {SMBOverTCP:148, TCP:147, IPv4:3}

3495       1:50:07 AM 3/19/2010    143.9414495                       SUT01   ENDPOINT01      SMB       SMB:R; Session Setup Andx                {SMBOverTCP:148, TCP:147, IPv4:3}

 

 

 

Looking into the highlighted message:

 

  Frame: Number = 3493, Captured Frame Length = 282, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-2E-39-5A],SourceAddress:[00-15-5D-2E-39-5B]

+ Ipv4: Src = 192.168.0.101, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 10822, Total IP Length = 268

+ Tcp: Flags=...AP..., SrcPort=1085, DstPort=Microsoft-DS(445), PayloadLen=228, Seq=2086951204 - 2086951432, Ack=2573578059, Win=16308 (scale factor 0x2) = 65232

+ SMBOverTCP: Length = 224

- Smb: C; Session Setup Andx, NTLM AUTHENTICATE MESSAGE, Domain:  , User: Administrator, Workstation: ENDPOINT01

    Protocol: SMB

    Command: Session Setup Andx 115(0x73)

  + NTStatus: 0x0, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS, Code = (0) STATUS_SUCCESS

  + SMBHeader: Command, TID: 0x0000, PID: 0x0000, UID: 0x1000, MID: 0x0001

  - CSessionSetupAndXNTLMESS:

     WordCount: 12 (0xC)

     ANDXCommand: No Secondary Command 255(0xFF)

     AndXReserved: 0 (0x0)

     ANDXOffset: 224 (0xE0)

     MaxBufferSize: 16644 (0x4104)

     MaxMpxCount: 0 (0x0)

     VcNumber: 0 (0x0)

     SessionKey: 0 (0x0)

     SecurityBlobLength: 160 (0xA0)

     Reserved: 0 (0x0)

   + Capabilities: 0x8001E3FC

     ByteCount: 165 (0xA5)

   - SecurityBlob:

    - GSSAPI:

     - Token: NTLM AUTHENTICATE MESSAGE, Domain:  , User: Administrator, Workstation: ENDPOINT01

      - NLMP: NTLM AUTHENTICATE MESSAGE, Domain:  , User: Administrator, Workstation: ENDPOINT01

         Signature: NTLMSSP

         MessageType: Authenticate Message (0x00000003)

       - LmChallengeResponse: Length: 24, Offset: 112

          Length: 24 (0x18)

          MaximumLength: 24 (0x18)

          BufferOffset: 112 (0x70)

       - NtChallengeResponse: Length: 24, Offset: 136

          Length: 24 (0x18)

          MaximumLength: 24 (0x18)

          BufferOffset: 136 (0x88)

       + DomainName: Length: 1, Offset: 88

       + UserName: Length: 13, Offset: 89

       + Workstation: Length: 10, Offset: 102

       + SessionKey: Length: 0, Offset: 160

       + AuthenticateFlags: 0x0280A206 (NTLM v1No encryption, Always Sign)

       + Version: Windows 6.0 Build 6002 NLMPv15

       + MessageIntegrityCheckNotPresent: 7B17C94546AB0475161B66A23214803D

         DomainNameStringA: 

         UserNameStringA: Administrator

         WorkstationStringA: ENDPOINT01

       + LmChallengeResponseString: 3C3EBA89185188ED468BFF010611B4852B6B2BF5A01DA154

       + NTLMV1ChallengeResponse: 84BF3BFBEBA1D5F4CF7171EF716EEF8FF7167E47A0EB4128

   + Align: 1 Bytes

     NativeOS:

     Null: 0 (0x0)

 

The highlighted field is the only one that will clear our doubt.

If its value is 24 bytes long, then the version being used is V1.

If its value is larger than 24 (variable size) then the version being used is V2.

Well, I told you it was a short tip… now you can click on the Dilbert link and laugh at a couple strips.

Disclaimer: it may be addictive so, set a limit up front and be strong!! J

I hope you liked the post!

 

Regards,

 

Sebastian