Annotated NTLM Authentication

0000  30 37 a0 03 02 01 02 a1 30 30 2e 30 2c a0 2a 04  07......00.0,.*.
0010  28 4e 54 4c 4d 53 53 50 00 01 00 00 00 b7 82 08  (NTLMSSP........
0020  e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 06 01 b0 1d 00 00 00 0f                       .........

4e 54 4c 4d 53 53 50 00  Signature (8 bytes) : "NTLMSSP"
01 00 00 00              MessageType (4 bytes) : NEGOTIATE_MESSAGE
b7 82 08 e2              NegotiateFlags (4 bytes)
00 00 00 00 00 00 00 00  DomainNameFields (8 bytes)
00 00 00 00 00 00 00 00  WorkstationFields (8 bytes)
06 01 b0 1d 00 00 00 0f  Version (8 bytes)

0000  30 82 01 02 a0 03 02 01 02 a1 81 fa 30 81 f7 30  0...........0..0
0010  81 f4 a0 81 f1 04 81 ee 4e 54 4c 4d 53 53 50 00  ........NTLMSSP.
0020  02 00 00 00 1e 00 1e 00 38 00 00 00 35 82 8a e2  ........8...5...
0030  3b 46 60 81 fb 5b 31 61 00 00 00 00 00 00 00 00  ;F`..[1a........
0040  98 00 98 00 56 00 00 00 06 01 b0 1d 00 00 00 0f  ....V...........
0050  57 00 49 00 4e 00 2d 00 30 00 38 00 51 00 39 00  W.I.N.-.0.8.Q.9.
0060  4b 00 51 00 46 00 50 00 50 00 4f 00 36 00 02 00  K.Q.F.P.P.O.6...
0070  1e 00 57 00 49 00 4e 00 2d 00 30 00 38 00 51 00  ..W.I.N.-.0.8.Q.
0080  39 00 4b 00 51 00 46 00 50 00 50 00 4f 00 36 00  9.K.Q.F.P.P.O.6.
0090  01 00 1e 00 57 00 49 00 4e 00 2d 00 30 00 38 00  ....W.I.N.-.0.8.
00a0  51 00 39 00 4b 00 51 00 46 00 50 00 50 00 4f 00  Q.9.K.Q.F.P.P.O.
00b0  36 00 04 00 1e 00 57 00 49 00 4e 00 2d 00 30 00  6.....W.I.N.-.0.
00c0  38 00 51 00 39 00 4b 00 51 00 46 00 50 00 50 00  8.Q.9.K.Q.F.P.P.
00d0  4f 00 36 00 03 00 1e 00 57 00 49 00 4e 00 2d 00  O.6.....W.I.N.-.
00e0  30 00 38 00 51 00 39 00 4b 00 51 00 46 00 50 00  0.8.Q.9.K.Q.F.P.
00f0  50 00 4f 00 36 00 07 00 08 00 ec e8 26 e4 6b cc  P.O.6.......&.k.
0100  ca 01 00 00 00 00                                ......

4e 54 4c 4d 53 53 50 00  Signature (8 bytes) : "NTLMSSP"
02 00 00 00              MessageType (4 bytes) : CHALLENGE_MESSAGE
1e 00 1e 00 38 00 00 00  TargetNameFields (8 bytes) : 30, 56
35 82 8a e2              NegotiateFlags (4 bytes)
3b 46 60 81 fb 5b 31 61  ServerChallenge (8 bytes)
00 00 00 00 00 00 00 00  Reserved (8 bytes)
98 00 98 00 56 00 00 00  TargetInfoFields (8 bytes) : 152, 86
06 01 b0 1d 00 00 00 0f  Version (8 bytes)

Payload:

TargetName:
0050  57 00 49 00 4e 00 2d 00 30 00 38 00 51 00 39 00  W.I.N.-.0.8.Q.9.
0060  4b 00 51 00 46 00 50 00 50 00 4f 00 36 00        K.Q.F.P.P.O.6

TargetInfo:
0060                                            02 00                ..
0070  1e 00 57 00 49 00 4e 00 2d 00 30 00 38 00 51 00  ..W.I.N.-.0.8.Q.
0080  39 00 4b 00 51 00 46 00 50 00 50 00 4f 00 36 00  9.K.Q.F.P.P.O.6.
0090  01 00 1e 00 57 00 49 00 4e 00 2d 00 30 00 38 00  ....W.I.N.-.0.8.
00a0  51 00 39 00 4b 00 51 00 46 00 50 00 50 00 4f 00  Q.9.K.Q.F.P.P.O.
00b0  36 00 04 00 1e 00 57 00 49 00 4e 00 2d 00 30 00  6.....W.I.N.-.0.
00c0  38 00 51 00 39 00 4b 00 51 00 46 00 50 00 50 00  8.Q.9.K.Q.F.P.P.
00d0  4f 00 36 00 03 00 1e 00 57 00 49 00 4e 00 2d 00  O.6.....W.I.N.-.
00e0  30 00 38 00 51 00 39 00 4b 00 51 00 46 00 50 00  0.8.Q.9.K.Q.F.P.
00f0  50 00 4f 00 36 00 07 00 08 00 ec e8 26 e4 6b cc  P.O.6.......&.k.
0100  ca 01 00 00 00 00                                ......

MsvAvNbDomainName (2), 30: 57 00 49 00 4e 00 2d 00 30 00 38 00 51 00 39 00 4b 00 51 00 46 00 50 00 50 00 4f 00 36 00  W.I.N.-.0.8.Q.9.K.Q.F.P.P.O.6.
MsvAvNbComputerName (1), 30: 57 00 49 00 4e 00 2d 00 30 00 38 00 51 00 39 00 4b 00 51 00 46 00 50 00 50 00 4f 00 36 00  W.I.N.-.0.8.Q.9.K.Q.F.P.P.O.6.
MsvAvDnsDomainName (4), 30: 57 00 49 00 4e 00 2d 00 30 00 38 00 51 00 39 00 4b 00 51 00 46 00 50 00 50 00 4f 00 36 00  W.I.N.-.0.8.Q.9.K.Q.F.P.P.O.6.
MsvAvDnsComputerName (3), 30: 57 00 49 00 4e 00 2d 00 30 00 38 00 51 00 39 00 4b 00 51 00 46 00 50 00 50 00 4f 00 36 00  W.I.N.-.0.8.Q.9.K.Q.F.P.P.O.6.
MsvAvTimestamp (7), 8: ec e8 26 e4 6b cc ca 01
MsvAvEOL (0), 0

0000  30 82 03 21 a0 03 02 01 02 a1 82 01 f2 30 82 01  0..!.........0..
0010  ee 30 82 01 ea a0 82 01 e6 04 82 01 e2 4e 54 4c  .0...........NTL
0020  4d 53 53 50 00 03 00 00 00 18 00 18 00 70 00 00  MSSP.........p..
0030  00 4a 01 4a 01 88 00 00 00 08 00 08 00 58 00 00  .J.J.........X..
0040  00 08 00 08 00 60 00 00 00 08 00 08 00 68 00 00  .....`.......h..
0050  00 10 00 10 00 d2 01 00 00 35 82 88 e2 06 01 b0  .........5......
0060  1d 00 00 00 0f e3 eb a3 eb 64 b2 29 f2 a6 a7 72  .........d.)...r
0070  40 ec ba 3c 44 57 00 69 00 6e 00 37 00 75 00 73  @......
0240  e7 49 b8 b2 f8 fb bf 83 b0 07 8b b3 1c 0b e8 23  .I.............#
0250  5c 25 d4 1b 2a 97 94 fa 6c cf 96 e9 08 a8 14 0d  \%..*...l.......
0260  bd 71 56 c9 d6 22 61 ab 6f b8 c7 e6 3f 0a 81 fc  .qV.."a.o...?...
0270  16 cb 9d 1e 87 64 b5 82 75 40 76 ac d0 99 dc fd  .....d..u@v.....
0280  ce 2c 9f f8 6f 6c 46 6c d7 f9 91 c6 51 9d 1b 27  .,..olFl....Q..'
0290  9b 83 29 c2 77 d4 6f cb e7 96 a2 76 6b eb ce ad  ..).w.o....vk...
02a0  ec 9a b9 2e 43 c5 5f 17 7f 2c f3 8b 27 ce 2e c3  ....C._..,..'...
02b0  9e 7c 5d 2a 6c dd 1b 88 aa df d7 14 c8 34 8a 29  .|]*l........4.)
02c0  9b 7e 39 2a 4b d3 a0 13 cc 85 95 e1 12 5e 6a 0e  .~9*K........^j.
02d0  87 31 91 85 86 0e 1b f6 44 06 5c 79 53 a5 7f 38  .1......D.\yS..8
02e0  88 4c f8 9f b1 2d f9 a8 3d cd c7 87 f9 62 71 37  .L...-..=....bq7
02f0  52 f6 c2 ee b3 ac ae 7b 33 6d 7b cb b4 02 0c cb  R......{3m{.....
0300  7e da 3a fe b5 91 20 c7 3e 4c 79 64 8a 25 4b 1e  ~.:... .>Lyd.%K.
0310  77 c3 d4 18 a4 2c 73 ba c0 b8 3e 61 3b d7 34 eb  w....,s...>a;.4.
0320  55 3c 97 eb 7b                                   U<..{

4e 54 4c 4d 53 53 50 00                          Signature (8 bytes) : "NTLMSSP"
03 00 00 00                                      MessageType (4 bytes) : AUTHENTICATE_MESSAGE
18 00 18 00 70 00 00 00                          LmChallengeResponseFields (8 bytes) : 24, 112
4a 01 4a 01 88 00 00 00                          NtChallengeResponseFields (8 bytes) : 330, 136
08 00 08 00 58 00 00 00                          DomainNameFields (8 bytes) : 8, 88
08 00 08 00 60 00 00 00                          UserNameFields (8 bytes) : 8, 96
08 00 08 00 68 00 00 00                          WorkstationFields (8 bytes) : 8, 104
10 00 10 00 d2 01 00 00                          EncryptedRandomSessionKeyFields (8 bytes) : 16, 466
35 82 88 e2                                      NegotiateFlags (4 bytes)
06 01 b0 1d 00 00 00 0f                          Version (8 bytes)
e3 eb a3 eb 64 b2 29 f2 a6 a7 72 40 ec ba 3c 44  MIC (16 bytes)

Payload:

DomainName:  57 00 69 00 6e 00 37 00  W.i.n.7.
UserName:    75 00 73 00 65 00 72 00  u.s.e.r.
Workstation: 57 00 49 00 4e 00 37 00  W.I.N.7.

LmChallengeResponse:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

NtChallengeResponse:
00a0                 38 1b b0 74 c5 5a 25 8a 7f 65 ba       8..t.Z%..e.
00b0  23 c4 4a 8a 7a 01 01 00 00 00 00 00 00 ec e8 26  #.J.z..........&
00c0  e4 6b cc ca 01 f3 4b f1 fb 28 99 4d 8d 00 00 00  .k....K..(.M....
00d0  00 02 00 1e 00 57 00 49 00 4e 00 2d 00 30 00 38  .....W.I.N.-.0.8
00e0  00 51 00 39 00 4b 00 51 00 46 00 50 00 50 00 4f  .Q.9.K.Q.F.P.P.O
00f0  00 36 00 01 00 1e 00 57 00 49 00 4e 00 2d 00 30  .6.....W.I.N.-.0
0100  00 38 00 51 00 39 00 4b 00 51 00 46 00 50 00 50  .8.Q.9.K.Q.F.P.P
0110  00 4f 00 36 00 04 00 1e 00 57 00 49 00 4e 00 2d  .O.6.....W.I.N.-
0120  00 30 00 38 00 51 00 39 00 4b 00 51 00 46 00 50  .0.8.Q.9.K.Q.F.P
0130  00 50 00 4f 00 36 00 03 00 1e 00 57 00 49 00 4e  .P.O.6.....W.I.N
0140  00 2d 00 30 00 38 00 51 00 39 00 4b 00 51 00 46  .-.0.8.Q.9.K.Q.F
0150  00 50 00 50 00 4f 00 36 00 07 00 08 00 ec e8 26  .P.P.O.6.......&
0160  e4 6b cc ca 01 06 00 04 00 02 00 00 00 08 00 30  .k.............0
0170  00 30 00 00 00 00 00 00 00 01 00 00 00 00 20 00  .0............ .
0180  00 ca 32 de 66 8c 9d df a3 77 79 bc 93 61 78 9a  ..2.f....wy..ax.
0190  c0 14 73 52 86 26 da 9f 93 42 0c 3c a1 93 82 3a  ..sR.&...B.<...:
01a0  01 0a 00 10 00 00 00 00 00 00 00 00 00 00 00 00  ................
01b0  00 00 00 00 00 09 00 2a 00 54 00 45 00 52 00 4d  .......*.T.E.R.M
01c0  00 53 00 52 00 56 00 2f 00 31 00 39 00 32 00 2e  .S.R.V./.1.9.2..
01d0  00 31 00 36 00 38 00 2e 00 31 00 2e 00 31 00 30  .1.6.8...1...1.0
01e0  00 31 00 00 00 00 00 00 00 00 00 00 00 00 00     .1.............

Response: 38 1b b0 74 c5 5a 25 8a 7f 65 ba 23 c4 4a 8a 7a

NTLMv2_CLIENT_CHALLENGE:
RespType:            01
HiRespType:          01
Reserved1:           00 00
Reserved2:           00 00 00 00
TimeStamp:           ec e8 26 e4 6b cc ca 01
ChallengeFromClient: f3 4b f1 fb 28 99 4d 8d
Reserved3:           00 00 00 00
AvPairs:
00d0     02 00 1e 00 57 00 49 00 4e 00 2d 00 30 00 38   ....W.I.N.-.0.8
00e0  00 51 00 39 00 4b 00 51 00 46 00 50 00 50 00 4f  .Q.9.K.Q.F.P.P.O
00f0  00 36 00 01 00 1e 00 57 00 49 00 4e 00 2d 00 30  .6.....W.I.N.-.0
0100  00 38 00 51 00 39 00 4b 00 51 00 46 00 50 00 50  .8.Q.9.K.Q.F.P.P
0110  00 4f 00 36 00 04 00 1e 00 57 00 49 00 4e 00 2d  .O.6.....W.I.N.-
0120  00 30 00 38 00 51 00 39 00 4b 00 51 00 46 00 50  .0.8.Q.9.K.Q.F.P
0130  00 50 00 4f 00 36 00 03 00 1e 00 57 00 49 00 4e  .P.O.6.....W.I.N
0140  00 2d 00 30 00 38 00 51 00 39 00 4b 00 51 00 46  .-.0.8.Q.9.K.Q.F
0150  00 50 00 50 00 4f 00 36 00 07 00 08 00 ec e8 26  .P.P.O.6.......&
0160  e4 6b cc ca 01 06 00 04 00 02 00 00 00 08 00 30  .k.............0
0170  00 30 00 00 00 00 00 00 00 01 00 00 00 00 20 00  .0............ .
0180  00 ca 32 de 66 8c 9d df a3 77 79 bc 93 61 78 9a  ..2.f....wy..ax.
0190  c0 14 73 52 86 26 da 9f 93 42 0c 3c a1 93 82 3a  ..sR.&...B.<...:
01a0  01 0a 00 10 00 00 00 00 00 00 00 00 00 00 00 00  ................
01b0  00 00 00 00 00 09 00 2a 00 54 00 45 00 52 00 4d  .......*.T.E.R.M
01c0  00 53 00 52 00 56 00 2f 00 31 00 39 00 32 00 2e  .S.R.V./.1.9.2..
01d0  00 31 00 36 00 38 00 2e 00 31 00 2e 00 31 00 30  .1.6.8...1...1.0
01e0  00 31 00 00 00 00 00 00 00 00 00 00 00 00 00     .1.............

MsvAvNbDomainName (2, 30): W.I.N.-.0.8.Q.9.K.Q.F.P.P.O.6
MsvAvNbComputerName (1, 30): W.I.N.-.0.8.Q.9.K.Q.F.P.P.O.6
MsvAvDnsDomainName (4, 30): W.I.N.-.0.8.Q.9.K.Q.F.P.P.O.6
MsvAvDnsComputerName (3, 30): W.I.N.-.0.8.Q.9.K.Q.F.P.P.O.6
MsvAvTimestamp (7, 8): ec e8 26 e4 6b cc ca 01
MsvAvFlags (6, 4): 02 00 00 00
MsvAvRestrictions (8, 48): 30 00 00 00 00 00 00 00 01 00 00 00 00 20 00 00 ca 32 de 66 8c 9d df a3 77 79 bc 93 61 78 9a c0 14 73 52 86 26 da 9f 93 42 0c 3c a1 93 82 3a 01
MsvChannelBindings (10, 16): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
MsvChannelTargetName (9, 42): T.E.R.M.S.R.V./.1.9.2...1.6.8...1...1.0.1
MsvAvEOL

EncryptedRandomSessionKey: 2b eb c2 83 0b 82 85 6a 37 a3 7b aa 0c 39 e2 83

Unknown:
01f0                                               a3                 .
0200  82 01 22 04 82 01 1e 01 00 00 00 2f 2e e5 d3 b3  .."......../....
0210  11 34 1c 00 00 00 00 9e 94 9b 76 d8 42 31 65 0a  .4........v.B1e.
0220  0d ab b8 37 b0 32 9e 0d e1 7c 48 a6 20 8b f2 49  ...7.2...|H. ..I
0230  6b 20 b6 00 ef 94 0c 78 46 4a 5a 3e c4 a3 15 94  k .....xFJZ>....
0240  e7 49 b8 b2 f8 fb bf 83 b0 07 8b b3 1c 0b e8 23  .I.............#
0250  5c 25 d4 1b 2a 97 94 fa 6c cf 96 e9 08 a8 14 0d  \%..*...l.......
0260  bd 71 56 c9 d6 22 61 ab 6f b8 c7 e6 3f 0a 81 fc  .qV.."a.o...?...
0270  16 cb 9d 1e 87 64 b5 82 75 40 76 ac d0 99 dc fd  .....d..u@v.....
0280  ce 2c 9f f8 6f 6c 46 6c d7 f9 91 c6 51 9d 1b 27  .,..olFl....Q..'
0290  9b 83 29 c2 77 d4 6f cb e7 96 a2 76 6b eb ce ad  ..).w.o....vk...
02a0  ec 9a b9 2e 43 c5 5f 17 7f 2c f3 8b 27 ce 2e c3  ....C._..,..'...
02b0  9e 7c 5d 2a 6c dd 1b 88 aa df d7 14 c8 34 8a 29  .|]*l........4.)
02c0  9b 7e 39 2a 4b d3 a0 13 cc 85 95 e1 12 5e 6a 0e  .~9*K........^j.
02d0  87 31 91 85 86 0e 1b f6 44 06 5c 79 53 a5 7f 38  .1......D.\yS..8
02e0  88 4c f8 9f b1 2d f9 a8 3d cd c7 87 f9 62 71 37  .L...-..=....bq7
02f0  52 f6 c2 ee b3 ac ae 7b 33 6d 7b cb b4 02 0c cb  R......{3m{.....
0300  7e da 3a fe b5 91 20 c7 3e 4c 79 64 8a 25 4b 1e  ~.:... .>Lyd.%K.
0310  77 c3 d4 18 a4 2c 73 ba c0 b8 3e 61 3b d7 34 eb  w....,s...>a;.4.
0320  55 3c 97 eb 7b                                   U<..{
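
The CHALLENGE_MESSAGE layout annotated above, decoded in code. This is an added example, not part of the original page: a bounds-checked Python parser for the Len/MaxLen/Offset field descriptors and the AV pair list, run against the challenge reassembled from the byte values shown. Function and variable names are illustrative, and the AV pair labels follow the page's own naming.

```python
import struct

AV_IDS = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
          4: "MsvAvDnsDomainName", 6: "MsvAvFlags", 7: "MsvAvTimestamp",
          8: "MsvAvRestrictions", 9: "MsvChannelTargetName", 10: "MsvChannelBindings"}

def parse_av_pairs(buf):
    """Walk AvId(2) AvLen(2) Value records up to MsvAvEOL; reject truncated lists."""
    pairs, pos = [], 0
    while True:
        if pos + 4 > len(buf):
            raise ValueError("AV pair list ends without MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", buf, pos)
        pos += 4
        if av_id == 0:
            return pairs
        if pos + av_len > len(buf):
            raise ValueError("AV pair value runs past the end of the buffer")
        pairs.append((AV_IDS.get(av_id, av_id), buf[pos:pos + av_len]))
        pos += av_len

def field(msg, at):
    """Decode a Len(2) MaxLen(2) Offset(4) descriptor and return the bytes it points to."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, at)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length]

def filetime_to_unix(raw):
    """MsvAvTimestamp is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return struct.unpack("<Q", raw)[0] // 10_000_000 - 11_644_473_600

def parse_challenge(msg):
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    return {"target_name": field(msg, 12).decode("utf-16-le"),
            "flags": struct.unpack_from("<I", msg, 20)[0],
            "server_challenge": msg[24:32],
            "target_info": parse_av_pairs(field(msg, 40))}

# Sample input: the CHALLENGE_MESSAGE reassembled from the field values annotated above.
NAME = "WIN-08Q9KQFPPO6".encode("utf-16-le")
TARGET_INFO = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in
                       [(2, NAME), (1, NAME), (4, NAME), (3, NAME),
                        (7, bytes.fromhex("ece826e46bccca01")), (0, b"")])
CHALLENGE = b"NTLMSSP\0" + bytes.fromhex(
    "02000000 1e001e0038000000 35828ae2 3b466081fb5b3161"
    "0000000000000000 9800980056000000 0601b01d0000000f") + NAME + TARGET_INFO
```

parse_challenge(CHALLENGE) returns the target name, flags, server challenge and the five AV pairs in the order listed above; parse_av_pairs raises ValueError when the list is cut off before MsvAvEOL.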