NTLM Overview


This blog entry is intended for readers seeking a consolidated reference for the high-level aspects of the NTLM protocol, as well as for those who have occasion to analyze NTLM authentication in network traffic with Wireshark (a registered trademark of the Wireshark Foundation), Microsoft Network Monitor (v3.3 at the initial release of this document), and similar tools.


A zip file ([NTLM-OVERVIEW].zip) is attached to this entry. It contains [NTLM-OVERVIEW].pdf, as well as a handful of short network traces illustrating NTLM authentication over various protocols.


The Open Specification documents, as well as all other cited documents, are meant for in-depth reference to the protocol details.


NTLM is a challenge/response authentication method used across many network protocols; it originated as a successor to LAN Manager (LANMAN) authentication.


The attached documentation is limited to the following protocols:


·         Remote Procedure Call (RPC) [C706]


·         Server Message Block (SMB) Protocol [MS-SMB]


·         Server Message Block (SMB) Version 2 Protocol [MS-SMB2]


·         Session Initiation Protocol (SIP) [RFC3261]


Information concerning additional protocols that use NTLM authentication can be found in the documents listed below. Note that Microsoft Network Monitor 3.3 includes parsers for these protocols.


·         [MS-MMSP]: Microsoft Media Server (MMS) Protocol Specification


·         [MS-NNS]: .NET NegotiateStream Protocol Specification


·         [MS-NNTP]: NT LAN Manager (NTLM) Authentication: Network News Transfer Protocol (NNTP) Extension


·         [MS-NTHT]: NTLM Over HTTP Protocol Specification


·         [MS-POP3]: NT LAN Manager (NTLM) Authentication: Post Office Protocol – Version 3 (POP3) Extension


·         [MS-SMTP]: NT LAN Manager (NTLM) Authentication: Simple Mail Transfer Protocol (SMTP) Extension


·         [MS-TDS]: Tabular Data Stream Protocol Specification




Additional protocols that carry NTLM authentication: HTTP, LDAP, Telnet.


Captures:


Capture File               NTLM   Protocol   Client         Server
rpc_ntlmv2.cap             v2     RPC        Windows 2003   Windows 2003
smb_ntlmv2.cap             v2     SMB        obfuscated     Windows 2003
smb_ntlmv2_implicit.cap    v2     SMB        Windows XP     obfuscated
smb_ntlmv2_spnego.cap      v2     SMB        Windows XP     Windows 2003
smb2_spnego_ntlmv2.cap     v2     SMB2       Windows 2008   Windows 2008
smtp_ntlmv2.cap            v2     SMTP       Windows XP     Windows 2000
sip_ntlmv2.cap             v2     SIP        Windows XP     Windows 2003