Type 2 message: the message the proxy returns after it receives the client request containing the Type 1 message. It is base64-encoded and placed in the Proxy-Authenticate header. Its structure is described below.

| Bytes | Field | Description |
|---|---|---|
| 0-7 | char protocol[8] | Indicates that the message belongs to the NTLMSSP protocol; the bytes are 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0' |
| 8-11 | unsigned int type | 0x02000000 (little-endian mode), that is, 2, indicating a Type 2 message |
| 12-19 | Target name information | 12-13: target name length; 14-15: target name allocated length; 16-19: offset where the target name is stored |
| 20-23 | flags | For details, see the description of flags in the Type 1 message: http://blog.sina.com.cn/s/blog_5cf79a900100c1b6.html |
| 24-31 | challenge | Random number given by the server, that is, the server's 8-byte nonce |
| 32-39 | context | Optional; it can be set to 0 |
| 40-47 | Target info information | 40-41: target info length; 42-43: target info allocated length; 44-47: offset where the target info is stored |
| 48-55 | OS information | Optional; it is troublesome to handle, so it is simply not used here |
| (data) | Target name | Stored at the offset given in bytes 16-19 |
| (data) | Target info | Stored at the offset given in bytes 44-47 |
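
The layout above, turned into a parser. This is an added example, not code from the original article. The function names, the constructed sample message and the use of flag bit 0x00800000 (the NTLM "negotiate target info" flag, which this page does not list) to decide whether bytes 40-47 are present are assumptions of the example.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
TARGET_INFO_FLAG = 0x00800000  # assumption: "negotiate target info" flag bit

def _buffer(msg, pos):
    """Read a (length, allocated length, offset) field and return the data it points to."""
    length, _allocated, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("buffer at byte %d points outside the message" % pos)
    return msg[offset:offset + length]

def parse_type2(header_value):
    """Parse the value of a Proxy-Authenticate header carrying a Type 2 message."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not b64:
        raise ValueError("not an NTLM challenge")
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 32 or msg[:8] != SIGNATURE:
        raise ValueError("bad length or signature")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a Type 2 message")
    flags = struct.unpack_from("<I", msg, 20)[0]
    parsed = {"target_name": _buffer(msg, 12), "flags": flags,
              "challenge": msg[24:32], "target_info": b""}
    # Bytes 32-47 are optional: read target info only when flagged and present.
    if flags & TARGET_INFO_FLAG and len(msg) >= 48:
        parsed["target_info"] = _buffer(msg, 40)
    return parsed

def build_sample():
    """Constructed Type 2 message for demonstration (not captured traffic)."""
    name = "LAB".encode("utf-16-le")
    info = b"\x00\x00\x00\x00"  # constructed target info: one empty terminator entry
    head = SIGNATURE + struct.pack("<I", 2)
    head += struct.pack("<HHI", len(name), len(name), 48)
    head += struct.pack("<I", 0x00800001) + bytes(range(1, 9)) + bytes(8)
    head += struct.pack("<HHI", len(info), len(info), 48 + len(name))
    return "NTLM " + base64.b64encode(head + name + info).decode()

if __name__ == "__main__":
    print(parse_type2(build_sample()))
```

The bounds check in `_buffer` matters because the length and offset fields come from the peer: a message whose offset points past the end of the data is rejected instead of being sliced silently.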