Attached is a patch to better decode the NTLMSSP address list found in the challenge packet. It fleshes out the decoding of the individual items to show how the type and lengths are determined.
Also, regarding the inclusion of the Address list, I found the following comment in the source:
/*
* The presence or absence of this field is not obviously correlated
* with any flags in the previous NEGOTIATE message or in this
* message (other than the "Workstation Supplied" and "Domain
* Supplied" flags in the NEGOTIATE message, at least in the capture
* I've seen - but those also correlate with the presence of workstation
* and domain name fields, so it doesn't seem to make sense that they
* actually *indicate* whether the subsequent CHALLENGE has an
* address list).
*/
Eric Glass's paper on NTLMSSP seems to suggest that this block is only present when the Negotiate Target Info (0x00800000) flag is set. So far, I haven't seen anything to the contrary. Has anyone seen any cases where the flag was set and the address list was missing? Or has anyone seen a case where the flag was not set and the address list was present? If not, then I will commit a change to alter the comment accordingly and use the NEGOTIATE_TARGET flag to determine whether to dissect the list.
The paper in question can be found at: http://davenport.sourceforge.net/ntlm.html#theType2Message
Also, does anyone have any objection to me renaming all the references from "address list" to "target info block"? Is the term "address list" arbitrary, or did it come from some spec?
Thanks,
Devin
Attachment:
packet-ntlmssp.c.diff.gz
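As an added example, not part of Devin's post or the attached patch: a small Python dissector for the Type 2 (CHALLENGE) message layout described in the davenport paper. It reads the negotiate flags, dissects the target info list only when the Negotiate Target Info flag (0x00800000) is set, walks each item by its type and length up to the terminator, and reports when the flag and the security buffer length disagree, which covers the two cases the post asks about. The AvId names follow the AV_PAIR table in Microsoft's MS-NLMP specification; the message produced by build_type2 and the values in SAMPLE_PAIRS are constructed for this example, not taken from a capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_CHALLENGE = 2
NEGOTIATE_TARGET_INFO = 0x00800000  # "Negotiate Target Info" flag discussed in the post

# AvId values of the target info list (names as in Microsoft's MS-NLMP AV_PAIR table)
AV_NAMES = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName",
            5: "MsvAvDnsTreeName", 7: "MsvAvTimestamp"}
STRING_AV_IDS = {1, 2, 3, 4, 5}


@dataclass
class AvPair:
    av_id: int
    value: bytes

    @property
    def name(self) -> str:
        return AV_NAMES.get(self.av_id, f"Unknown(0x{self.av_id:04x})")

    def decoded(self):
        """String items are UTF-16LE; the timestamp is a 64-bit little-endian FILETIME."""
        if self.av_id in STRING_AV_IDS:
            return self.value.decode("utf-16-le")
        if self.av_id == 7 and len(self.value) == 8:
            return struct.unpack("<Q", self.value)[0]
        return self.value


@dataclass
class Type2Message:
    flags: int
    challenge: bytes
    target_name: str
    target_info: Optional[List[AvPair]]  # None when the flag says there is no list
    inconsistent: bool                    # True when flag and buffer length disagree


def _security_buffer(data: bytes, at: int) -> bytes:
    """Read a (length, allocated, offset) security buffer and bounds-check it."""
    length, _alloc, offset = struct.unpack_from("<HHI", data, at)
    if offset + length > len(data):
        raise ValueError(f"security buffer at {at} points outside the message")
    return data[offset:offset + length]


def parse_target_info(blob: bytes) -> List[AvPair]:
    """Walk the AvId/AvLen/value items until the MsvAvEOL terminator."""
    pairs, pos = [], 0
    while True:
        if pos + 4 > len(blob):
            raise ValueError("target info block ends before MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            return pairs
        value = blob[pos:pos + av_len]
        if len(value) != av_len:
            raise ValueError(f"AvId {av_id} claims {av_len} bytes but the block is shorter")
        pairs.append(AvPair(av_id, value))
        pos += av_len


def parse_type2(data: bytes) -> Type2Message:
    """Dissect a CHALLENGE message; the target info list is read only if the flag is set."""
    if len(data) < 48 or data[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message with a target info buffer")
    if struct.unpack_from("<I", data, 8)[0] != NTLMSSP_CHALLENGE:
        raise ValueError("not a CHALLENGE (type 2) message")
    flags = struct.unpack_from("<I", data, 20)[0]
    target_name = _security_buffer(data, 12).decode("utf-16-le")
    info_len = struct.unpack_from("<H", data, 40)[0]
    flag_set = bool(flags & NEGOTIATE_TARGET_INFO)
    info = parse_target_info(_security_buffer(data, 40)) if flag_set else None
    return Type2Message(flags, data[24:32], target_name, info,
                        inconsistent=(flag_set != (info_len > 0)))


def is_well_formed(data: bytes) -> bool:
    """True when the message dissects cleanly, False on any bounds or framing error."""
    try:
        parse_type2(data)
        return True
    except ValueError:
        return False


def build_type2(flags: int, av_pairs: Optional[List[Tuple[int, bytes]]], target_name="DOMAIN") -> bytes:
    """Build a constructed CHALLENGE message for the example (not a real capture)."""
    name = target_name.encode("utf-16-le")
    info = b"" if av_pairs is None else (
        b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs) + struct.pack("<HH", 0, 0))
    hdr = 56  # signature, type, two security buffers, flags, challenge, context, version
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_CHALLENGE)
            + struct.pack("<HHI", len(name), len(name), hdr)
            + struct.pack("<I", flags)
            + b"\x01\x23\x45\x67\x89\xab\xcd\xef"  # constructed server challenge
            + b"\x00" * 8                          # context
            + struct.pack("<HHI", len(info), len(info), hdr + len(name))
            + b"\x06\x01\xb1\x1d\x00\x00\x00\x0f"  # constructed OS version field
            + name + info)


def u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed sample items: NetBIOS domain, NetBIOS computer, DNS domain, DNS computer, timestamp
SAMPLE_PAIRS = [(2, u16("DOMAIN")), (1, u16("SERVER")), (4, u16("domain.example")),
                (3, u16("server.domain.example")), (7, struct.pack("<Q", 0x01D9F2A4B1C2D3E4))]

if __name__ == "__main__":
    msg = parse_type2(build_type2(0x00810201, SAMPLE_PAIRS))
    print(f"flags=0x{msg.flags:08x} target={msg.target_name!r} inconsistent={msg.inconsistent}")
    for pair in msg.target_info:
        print(f"  {pair.name}: {pair.decoded()!r}")
```

The `inconsistent` field is the part a dissector author would watch in real captures: it is set when the flag is present but the target info security buffer has zero length, or when the flag is absent but the buffer has a non-zero length, which is exactly the evidence needed to decide whether the flag can be trusted as the gate for dissecting the list.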