While we're talking about sources of information, I noticed the Squid
project had some stuff, and The Open Group has a spec.
Here are the respective URLs:
http://squid.sourceforge.net/ntlm/client_proxy_protocol.html
http://www.opengroup.org/comsource/techref2/NCH1222X.HTM
I haven't looked at NetMon to see if it decodes the protocol (frankly, I
would have to do some digging to see if I even have a copy).
Does anyone know if MS Network Monitor dissects NTLMSSP?
-Devin
On Wed, 2002-07-10 at 11:56, Tim Potter wrote:
> On Wed, Jul 10, 2002 at 11:10:00AM -0400, Devin Heitmueller wrote:
>
> > In packet-dcerpc.c (line 1349), we send three different request types to
> > the packet-ntlmssp dissector: DCERPC Bind, DCERPC Bind Ack and DCERPC
> > AUTH3. For the AUTH3 message, we dissect the ntlmssp constant and the
> > message type, but we do not dissect further, as we do with the negotiate
> > and request message types.
> >
> > If someone wanted to add support for the AUTH3 message, he/she would add
> > a function called dissect_ntlmssp_auth() to the if statement on line 392
> > of packet-ntlmssp.c.
> >
> > I have a valid trace that does the Auth3, and I think I have found the
> > appropriate references in Samba and TNG relating to the structure of the
> > packet. I just have not yet had the time to write the Auth3 dissector
> > code.
>
> There's also some relatively independent information about NTLMSSP
> at http://www.innovation.ch/java/ntlm.html which you might be interested
> in reading. It's all about the NTLM over HTTP protocol that IE uses to
> authenticate web connections. It would be nice to get ethereal to
> decode this. (-:
>
> It basically describes NTLMSSP without calling it such. I'm not sure
> who is correct about the exact structure of the packets. For example
> the URL refers to the reserved bytes as byte zero[3], short flags, and
> byte zero[2].
>
> I guess the ultimate reference is netmon if it decodes the NTLMSSP
> stuff.
>
> Tim.
--
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc
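The AUTH (Type 3) message layout the thread is trying to pin down, shown as an added example that is not part of this mailing-list thread or of Ethereal's own dissector code. It follows the field order in Microsoft's MS-NLMP specification (six 8-byte security buffers starting at offset 12, session-key buffer at 52, negotiate flags at 60, payload from 64 onward), which differs from the "message length at 52" reading on the innovation.ch page; the domain, user and workstation values are constructed sample data. Besides decoding the fixed part, the parser does the bounds check a dissector needs before trusting a security buffer's offset/length pair, which is the usual source of crashes in this kind of code.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTH"}
NEGOTIATE_UNICODE = 0x00000001      # strings are UTF-16LE when set, OEM otherwise
AUTH_FIXED_LEN = 64                 # signature(8) + type(4) + 6 sec bufs(48) + flags(4)

# Order of the security buffers in a Type 3 message (MS-NLMP layout).
AUTH_FIELDS = ["lm_response", "nt_response", "domain", "user",
               "workstation", "session_key"]


def build_auth_message(domain, user, workstation, lm_response, nt_response,
                       flags=NEGOTIATE_UNICODE):
    """Assemble a Type 3 (AUTH) message from constructed sample values.

    Each security buffer is (length, maxlength, offset) in little-endian
    order; the payload bytes are appended after the fixed 64-byte part.
    """
    fields = [lm_response, nt_response,
              domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"),
              b""]                      # empty session-key buffer
    descriptors = b""
    payload = b""
    offset = AUTH_FIXED_LEN
    for blob in fields:
        descriptors += struct.pack("<HHI", len(blob), len(blob), offset)
        payload += blob
        offset += len(blob)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", flags) + payload)


def parse_ntlmssp(data):
    """Dissect the common NTLMSSP header; for Type 3, also the security buffers.

    Raises ValueError on anything that is not a well-formed message, so a
    caller never indexes past the end of the buffer on hostile input.
    """
    if len(data) < 12 or data[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", data, 8)
    result = {"type": msg_type, "name": MESSAGE_TYPES.get(msg_type, "UNKNOWN")}
    if msg_type != 3:
        return result               # NEGOTIATE/CHALLENGE bodies not decoded here
    if len(data) < AUTH_FIXED_LEN:
        raise ValueError("truncated AUTH message")
    (flags,) = struct.unpack_from("<I", data, 60)
    result["flags"] = flags
    for i, name in enumerate(AUTH_FIELDS):
        length, maxlen, offset = struct.unpack_from("<HHI", data, 12 + 8 * i)
        # Bounds check: the offset/length pair comes from the wire and may lie.
        if offset + length > len(data):
            raise ValueError(f"{name} buffer points past end of message")
        blob = data[offset:offset + length]
        if name in ("domain", "user", "workstation"):
            blob = blob.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii")
        result[name] = blob
    return result


def is_malformed(data):
    """True if parse_ntlmssp rejects the bytes (useful as a detection check)."""
    try:
        parse_ntlmssp(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a fake AUTH message with dummy 24-byte responses.
    msg = build_auth_message("CORP", "alice", "WS01", b"\x00" * 24, b"\x11" * 24)
    print(parse_ntlmssp(msg))
```

A Type 1 or Type 2 message is identified but not decoded further, mirroring the partial state of the AUTH3 path described above; extending the parser means adding the field tables for those types in the same style.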