Ethereal-dev: Re: [Ethereal-dev] Fix for NTLMSSP decryption support with DCE/RPC auth padding

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Tim Potter <tpot@xxxxxxxxx>
Date: Fri, 25 Jul 2003 11:03:07 +1000
On Thu, Jul 24, 2003 at 04:48:59PM -0400, Devin Heitmueller wrote:

> > Perhaps Microsoft "embraced and extended" that field to specify padding
> > to make the stub data a multiple of 16 bytes for NTLMSSP (I think I
> > mentioned that possibility in mail on this topic a while ago), but the
> > DCE RPC 1.1 spec, at least, seems to indicate that it's there to align
> > the fields of an "auth_verifier_co_t" on a 4-byte boundary.
> 
> I don't see any incentive from a design standpoint, but who knows.... 
> My only thought was if they wanted to work with block ciphers that
> operate on 128 bits at a time.  I know you mentioned this previously,
> and I had forgotten.

I think this is correct.  My NETLOGON secure channel decryptor wasn't
decrypting packets properly until I included the padding in the data
stream.  It was one of those 'aha' moments.


Tim.