Tuesday, May 04, 2010

NTLM V1… no, excuse me… NTLM V2… oh, no, you were right… it’s V1…

… and the discussion goes like that for a couple hours.

Have you been in that situation before?

If the answer is no… then you probably have something better to do than reading this blog. May I suggest Dilbert? I’m a longtime fan.

If the answer is yes, then you will probably like this short tip.

It is easy to see from a capture on the wire that NTLM is the authentication method being used between two computers, but how can we tell whether the version in use is V1 or V2?


Well, the only way to tell is by looking into the following details:

3489  1:50:07 AM 3/19/2010  143.9069739  ENDPOINT01  SUT01  SMB  SMB:C; Negotiate, Dialect = NT LM 0.12  {SMBOverTCP:148, TCP:147, IPv4:3}
3490  1:50:07 AM 3/19/2010  143.9077536  SUT01  ENDPOINT01  SMB  SMB:R; Negotiate, Dialect is NT LM 0.12 (#0)  {SMBOverTCP:148, TCP:147, IPv4:3}
3491  1:50:07 AM 3/19/2010  143.9168036  ENDPOINT01  SUT01  SMB  SMB:C; Session Setup Andx, NTLM NEGOTIATE MESSAGE  {SMBOverTCP:148, TCP:147, IPv4:3}
3492  1:50:07 AM 3/19/2010  143.9174079  SUT01  ENDPOINT01  SMB  SMB:R; Session Setup Andx, NTLM CHALLENGE MESSAGE - NT Status: System - Error, Code = (22) STATUS_MORE_PROCESSING_REQUIRED  {SMBOverTCP:148, TCP:147, IPv4:3}
3493  1:50:07 AM 3/19/2010  143.9396336  ENDPOINT01  SUT01  SMB  SMB:C; Session Setup Andx, NTLM AUTHENTICATE MESSAGE, Domain:  , User: Administrator, Workstation: ENDPOINT01  {SMBOverTCP:148, TCP:147, IPv4:3}
3495  1:50:07 AM 3/19/2010  143.9414495  SUT01  ENDPOINT01  SMB  SMB:R; Session Setup Andx  {SMBOverTCP:148, TCP:147, IPv4:3}

Looking into the highlighted message:
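As an added example (not from the original post), the Python below classifies an NTLM AUTHENTICATE_MESSAGE, the third message of the exchange captured above, by the NtChallengeResponse field as laid out in MS-NLMP: NTLMv1 carries a 24-byte response, NTLMv2 carries an NTLMv2_RESPONSE whose 16-byte NTProofStr is followed by RespType=1, HiRespType=1. The message builder and the sample responses it feeds in are constructed for illustration, not real credentials or captured bytes.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3

def _payload_field(msg: bytes, off: int) -> bytes:
    """Decode an MS-NLMP Len/MaxLen/Offset descriptor and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]

def ntlm_version(msg: bytes) -> str:
    """Classify a Type 3 (AUTHENTICATE_MESSAGE) by its NtChallengeResponse: NTLMv1 sends
    24 bytes of DES output, NTLMv2 sends an NTLMv2_RESPONSE (16-byte NTProofStr followed
    by an NTLMv2_CLIENT_CHALLENGE starting with RespType=1, HiRespType=1)."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    nt_resp = _payload_field(msg, 20)      # NtChallengeResponseFields sits at offset 20
    if not nt_resp:
        return "anonymous"                 # empty NT response: anonymous / null session
    if len(nt_resp) == 24:
        return "NTLMv1"
    if len(nt_resp) > 24 and nt_resp[16:18] == b"\x01\x01":
        return "NTLMv2"
    return "unknown"

def build_authenticate(lm_resp: bytes, nt_resp: bytes, user: str,
                       domain: str = "", workstation: str = "") -> bytes:
    """Assemble a minimal Type 3 message (constructed sample: no Version, MIC or
    session key) so the classifier can be exercised offline."""
    fields = [lm_resp, nt_resp, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    header_len = 64                        # fixed part up to and including NegotiateFlags
    header = SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
    payload = b""
    for field in fields:                   # each descriptor points into the payload
        header += struct.pack("<HHI", len(field), len(field), header_len + len(payload))
        payload += field
    header += struct.pack("<I", 0x00008201)  # NegotiateFlags: UNICODE | NTLM | ALWAYS_SIGN
    return header + payload

# Constructed NT responses: a 24-byte v1 answer and a 48-byte NTLMv2_RESPONSE laid out as
# NTProofStr, RespType/HiRespType, reserved, timestamp, client nonce, reserved, MsvAvEOL.
V1_NT = b"\x11" * 24
V2_NT = b"\xaa" * 16 + b"\x01\x01" + bytes(6) + bytes(8) + b"\xbb" * 8 + bytes(4) + bytes(4)
V1_MSG = build_authenticate(b"\x22" * 24, V1_NT, "Administrator", workstation="ENDPOINT01")
V2_MSG = build_authenticate(b"\x22" * 24, V2_NT, "Administrator", workstation="ENDPOINT01")
```

On a real capture, feed ntlm_version the NTLMSSP blob that the SMB dissector extracts from the Session Setup AndX request (frame 3493 above); the same length test is what protocol analyzers apply when they label the response "NTLMv2".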


Read more: Microsoft Open Specification Blog
