Ethereal-dev: Re: [Ethereal-dev] Patch for NTLMSSP support

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Tim Potter <tpot@xxxxxxxxx>
Date: Wed, 10 Jul 2002 08:56:34 -0700

On Wed, Jul 10, 2002 at 11:10:00AM -0400, Devin Heitmueller wrote:

> In packet-dcerpc.c (line 1349), we send three different request types to
> the packet-ntlmssp dissector: DCERPC Bind, DCERPC Bind Ack and DCERPC
> AUTH3.  For the AUTH3 message, we dissect the ntlmssp constant and the
> message type, but we do not dissect further, as we do with the negotiate
> and request message types.
> 
> If someone wanted to add support for the AUTH3 message, he/she would add
> a function called dissect_ntlmssp_auth() to the if statement on line 392
> of packet-ntlmssp.c.
> 
> I have a valid trace that does the Auth3, and I think I have found the
> appropriate references in Samba and TNG relating to the structure of the
> packet.  I just have not yet had the time to write the Auth3 dissector
> code.

There's also some relatively independent information about NTLMSSP
at http://www.innovation.ch/java/ntlm.html which you might be interested
in reading.  It's all about the NTLM over HTTP protocol that IE uses to
authenticate web connections.  It would be nice to get ethereal to
decode this.  (-:

It basically describes NTLMSSP without calling it such.  I'm not sure
who is correct about the exact structure of the packets.  For example,
the URL refers to the reserved bytes as byte zero[3], short flags, and
byte zero[2].

I guess the ultimate reference is netmon if it decodes the NTLMSSP
stuff.


Tim.
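
An added example, not part of the message above and not Ethereal's own code: a C sketch of the header step the thread describes (check the NTLMSSP constant, then read the message type). It assumes the commonly documented layout of an 8-byte "NTLMSSP\0" signature, a 32-bit little-endian message type and, in the negotiate message only, 32-bit little-endian flags; ntlmssp_parse_header, struct ntlmssp_hdr and the sample buffers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NTLMSSP_NEGOTIATE = 1, NTLMSSP_CHALLENGE = 2, NTLMSSP_AUTH = 3 };

struct ntlmssp_hdr {
    uint32_t msg_type;   /* 1, 2 or 3 */
    int      has_flags;  /* set only for NEGOTIATE in this sketch */
    uint32_t flags;      /* negotiate flags */
};

/* A "byte x, zero[3]" field and a 32-bit little-endian integer with a
 * value below 256 are the same four bytes on the wire. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 on a short buffer, bad signature or unknown type.
 * Every length is checked before the bytes are read. */
int ntlmssp_parse_header(const uint8_t *buf, size_t len, struct ntlmssp_hdr *out)
{
    static const uint8_t sig[8] = { 'N','T','L','M','S','S','P',0 };
    if (buf == NULL || out == NULL || len < 12 || memcmp(buf, sig, 8) != 0)
        return -1;
    memset(out, 0, sizeof *out);
    out->msg_type = le32(buf + 8);
    if (out->msg_type < NTLMSSP_NEGOTIATE || out->msg_type > NTLMSSP_AUTH)
        return -1;
    if (out->msg_type == NTLMSSP_NEGOTIATE) {
        if (len < 16)
            return -1;               /* truncated before the flags field */
        out->has_flags = 1;
        out->flags = le32(buf + 12);
    }
    return 0;                        /* type 2 and 3 bodies are not dissected here */
}

/* Constructed samples: a negotiate header, and a type 3 header (signature and type only). */
const uint8_t sample_negotiate[16] = { 'N','T','L','M','S','S','P',0, 1,0,0,0, 0x03,0xb2,0,0 };
const uint8_t sample_auth[12]      = { 'N','T','L','M','S','S','P',0, 3,0,0,0 };

int main(void)
{
    struct ntlmssp_hdr h;
    if (ntlmssp_parse_header(sample_negotiate, sizeof sample_negotiate, &h) == 0)
        printf("type=%u flags=0x%08x\n", (unsigned)h.msg_type, (unsigned)h.flags);
    return 0;
}
```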