Ethereal-dev: Re: [Ethereal-dev] NTLMSSP has problems in the challenge decode

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Todd Sabin <tsabin@xxxxxxxxxxxxx>
Date: 01 Sep 2002 14:36:31 -0400

Richard Sharpe <rsharpe@xxxxxxxxxx> writes:

> Hi,
> 
> I was looking at the NTLMSSP dissector and running it over some data now 
> that SPNEGO is working OK, and I noticed two things:
> 
> 1. We know that the NTLMSSP blob is NDR encoded, so rather than breaking 
> it out by hand, it would be a lot more useful if the support in 
> packet-dcerpc.c et al was used.

Though they look like NDR, and are quite similar, they're not.  I'm
pretty sure they don't pay attention to the data representation, even
when they're used with DCERPC.  I.e., they're always little endian.
Also, for uni strings that are "empty", the pointer is non-null and
indicates the offset where the data would have occurred, if there were
any.  In NDR, if you did that, there'd be a max, offset, and count
(what samba calls a uni_ldr(?), I think) in the deferred data.  There
isn't any in the NTLMSSP blobs.

> 2. The challenge field has a top level ref pointer to a string. That is 
> what those unknown1 and unknown2 uint32s are. The first one contains the 
> actual and max len for the string and the second is a buffer ref.

Haven't looked at that...


Todd
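
Added example, not part of the original message or of Ethereal's code: a bounds-checked reader for the length / maximum length / offset descriptor discussed in this thread, decoded as little endian whatever the transport says and accepting an empty buffer whose offset is still set. The field positions 12 and 40 and the sample blob are assumptions taken from the commonly documented NTLMSSP challenge layout and constructed for illustration; `read_secbuf` and `struct secbuf` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor from the thread: actual length, maximum length, buffer offset. */
struct secbuf { uint16_t len, maxlen; uint32_t offset; };

/* Always little endian, independent of any DCERPC data representation. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 if the descriptor or its data lies outside the blob. */
int read_secbuf(const uint8_t *blob, size_t blob_len, size_t at, struct secbuf *out)
{
    if (at > blob_len || blob_len - at < 8) return -1;
    out->len    = le16(blob + at);
    out->maxlen = le16(blob + at + 2);
    out->offset = le32(blob + at + 4);
    if (out->len == 0) return 0;   /* empty: offset is non-null but never dereferenced */
    if (out->offset > blob_len || blob_len - out->offset < out->len) return -1;
    return 0;
}

/* Constructed sample challenge blob (not captured traffic). */
static const uint8_t sample[56] = {
    'N','T','L','M','S','S','P',0,  2,0,0,0,   /* signature, message type 2 */
    8,0, 8,0, 48,0,0,0,                        /* at 12: len 8, max 8, offset 48 */
    0,0,0,0,                                   /* flags (zeroed here) */
    1,2,3,4,5,6,7,8,                           /* challenge bytes */
    0,0,0,0,0,0,0,0,                           /* reserved */
    0,0, 0,0, 56,0,0,0,                        /* at 40: empty, offset 56 = where data would be */
    'T',0,'E',0,'S',0,'T',0                    /* "TEST" as 16-bit little-endian characters */
};

int main(void)
{
    struct secbuf b;
    if (read_secbuf(sample, sizeof sample, 12, &b) == 0)
        printf("first buffer: len=%u max=%u offset=%u\n", b.len, b.maxlen, (unsigned)b.offset);
    if (read_secbuf(sample, sizeof sample, 40, &b) == 0)
        printf("second buffer: len=%u offset=%u (empty)\n", b.len, (unsigned)b.offset);
    return 0;
}
```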