Type 3 message: the message the client returns after receiving the proxy's 407 response that contains the Type 2 message.
It is base64-encoded and placed in proxy-authentication. Its structure is described below.
| Bytes | Field | Description |
|---|---|---|
| 0-7 | Protocol | `char protocol[8]`: indicates that the message belongs to the NTLMSSP protocol; the bytes are 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0' |
| 8-11 | Type | unsigned int, 0x03000000 (little-endian byte order, that is, the value 0x00000003), that is, 3, indicating a Type 3 message |
| 12-19 | LM response information | 12-13: LM response length; 14-15: LM response allocated length; 16-19: offset at which the LM response is placed |
| 20-27 | NTLM response information | 20-21: NT response length; 22-23: NT response allocated length; 24-27: offset at which the NT response is placed |
| 28-35 | Target name information | 28-29: target name length; 30-31: target name allocated length; 32-35: offset at which the target name is placed |
| 36-43 | User name information | 36-37: user name length; 38-39: user name allocated length; 40-43: offset at which the user name is placed |
| 44-51 | Host name information (that is, workstation information) | 44-45: host name length; 46-47: host name allocated length; 48-51: offset at which the host name is placed |
| 52-59 | Session key information (optional) | 52-53: length; 54-55: allocated length; 56-59: offset. We can set bytes 52-55 to 0 and bytes 56-59 to the length of the Type 3 message, which means there is no session key information |
| 60-63 | Flags | For details, see the description of the flags in the Type 1 message: http://blog.sina.com.cn/s/blog_5cf79a900100c1b6.html |
| 64-71 | OS information (optional) | The simplest approach is not to include this information |

The LM response, NTLM response, domain, user, host, session key, and other data are then placed after these fields.
Note that host, domain, and user names are in unicode format.
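
The following Python parser is an added example, not code from the original article. It decodes a base64 Type 3 token using the layout above and rejects any field whose offset plus length runs past the end of the message. The function names, the sample domain/user/host values, the dummy 24-byte responses and the flags value are all constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# Security-buffer fields and their header positions, as listed in the layout above.
FIELDS = [("lm_response", 12), ("nt_response", 20), ("target_name", 28),
          ("user_name", 36), ("host_name", 44), ("session_key", 52)]
TEXT_FIELDS = {"target_name", "user_name", "host_name"}  # stored as UTF-16LE


def parse_type3(b64_token: str) -> dict:
    """Decode a base64 Type 3 token and return its fields, validating bounds."""
    msg = base64.b64decode(b64_token, validate=True)
    if len(msg) < 64:
        raise ValueError("too short for the 64-byte fixed header")
    if msg[:8] != SIGNATURE:
        raise ValueError("bad protocol signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError(f"not a Type 3 message (type={msg_type})")
    out = {"flags": struct.unpack_from("<I", msg, 60)[0]}
    for name, pos in FIELDS:
        length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
        # An empty buffer may legitimately point at the end of the message.
        if offset + length > len(msg):
            raise ValueError(f"{name} runs past the end of the message")
        data = msg[offset:offset + length]
        out[name] = data.decode("utf-16-le") if name in TEXT_FIELDS else data
    return out


def build_sample() -> str:
    """Constructed sample: dummy responses, no session key, no OS information."""
    parts = [b"\x11" * 24, b"\x22" * 24, "EXAMPLE".encode("utf-16-le"),
             "alice".encode("utf-16-le"), "WKSTN01".encode("utf-16-le")]
    header, payload, offset = SIGNATURE + struct.pack("<I", 3), b"", 64
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    header += struct.pack("<HHI", 0, 0, offset)  # session key: length 0, offset = message length
    header += struct.pack("<I", 0x00008201)      # constructed flags value
    return base64.b64encode(header + payload).decode()
```
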