Proxy traversal (11): NTLMv2 session response

Source: Internet
Author: User

Analysis of the NTLMv2 session response. To solve this problem we will implement the NTLM algorithms used by proxy authentication, so that our own network code can take part in the proxy authentication exchange. This problem cost me almost half a month, most of it on the DES algorithm; I also saw people online complaining that different tools compute different results, which is why I never quite resolved to write one myself. I originally wanted to reuse existing code such as OpenSSL, but pulling in its DES implementation dragged in a whole chain of dependencies: after importing more than a dozen OpenSSL source files into the project there were still functions missing, and the source tree became a mess. In the end I worked it out myself, which is how the deep dive into NTLM started. NTLM is now finished.
The NTLMv2 session response calculation completes the algorithm phase. As for Kerberos, I will consider it only after NTLM authentication works.

NTLMv2 session is simpler than NTLMv2. The input parameters are:

  • The client's password. To allow the results to be checked, we use the example password secret01.
  • The 8-byte challenge value from the server, recorded as chanllenge in the code, for example 0x01 23 45 67 89 AB CD EF.
  • The 8-byte nonce generated by the client, recorded as client_nonce, for example 0xFF FF FF 00 11 22 33 44.

There are two outputs, the NTLM response and the LM response, each 24 bytes long. The function is defined as:

    void ntlmv2_session_response(in char *passwd, in unsigned char *chanllenge,
                                 in unsigned char *client_nonce,
                                 out unsigned char *ntlm_response, out int *ntlm_response_len,
                                 out unsigned char *lm_response, out int *lm_response_len);



Step 1: Obtaining the LM response

This step is simpler than the LM response of NTLMv1: after the 8-byte client_nonce, append 16 zero bytes as padding to produce 24 bytes of data, which is the response.

    memset(lm_response, 0, 24);
    memcpy(lm_response, client_nonce, 8);
    if (lm_response_len != NULL)
        *lm_response_len = 24;

That is, 0xFF FF FF 00 11 22 33 44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00.

Step 2: Obtaining the NTLM response

Step 2.1: Calculate the NTLMv2 session hash, MD5(chanllenge + client_nonce)

Concatenate the server's 8-byte challenge value and the client's own 8-byte nonce into 16 bytes of data and run MD5 over them to produce a 16-byte digest; the first 8 bytes of that digest are the NTLMv2 session hash. It is stored in hash[16].

    memcpy(buf, chanllenge, 8);
    memcpy(buf + 8, client_nonce, 8);
    md5string((char *)buf, 16, hash);

That is, 0xBE AC 9A 1B C5 A9 86 7C. The remaining 8 bytes of the digest are not used in the subsequent operations.

Step 2.2: Hash the password

Convert the password to Unicode (UTF-16LE) and run MD4 over it. The resulting 16 bytes are what we need; they are stored in buf[21], whose remaining 5 bytes stay zero.

    len = strlen(passwd);
    c = (unsigned char *)malloc(len * 2);
    unicode(passwd, len, (char *)c, NULL);
    memset(buf, 0, 21);
    md4string((char *)c, 2 * len, buf);
    free(c);

That is, 0xCD 06 CA 7C 7E 10 C9 9B 1D 33 B7 48 5A 2E D8 08.

Step 2.3: Calculate the response value with DES

This step is the same as in the NTLMv1 calculation. In step 2.2 we obtained 16 bytes derived from passwd and placed them in buf; padded with 5 zero bytes (already done by the memset in step 2.2) this gives 21 bytes. The 21 bytes are split into three parts of 7 bytes (56 bits) each, and each part is used as a DES key to encrypt the 8-byte session hash computed in step 2.1. The three 8-byte ciphertexts, concatenated, are the final NTLMv2 session response.

    algorithm_des_56key(hash, buf, ntlm_response);
    algorithm_des_56key(hash, buf + 7, ntlm_response + 8);
    algorithm_des_56key(hash, buf + 14, ntlm_response + 16);
    if (ntlm_response_len != NULL)
        *ntlm_response_len = 24;

That is, 0x10 D5 50 83 2D 12 B2 CC B7 9D 5A D1 F4 EE D3 DF 82 AC A4 C3 68 1D D4 55.
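To make the steps above checkable, here is an added Python example that is not part of the original article or its C code: it computes the NT hash (with a pure-Python MD4, since hashlib's MD4 is often unavailable), the session hash, the LM response and the three parity-expanded DES keys for the page's test vector, stopping before the DES step itself (the page's Algorithm_des_56key, covered in its DES articles). It assumes the password is spelled SecREt01, the mixed-case spelling of the standard NTLM test vector whose NT hash is the 0xCD 06 ... value shown above; the lowercase secret01 gives a different hash.

```python
import hashlib
import struct

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320): hashlib's md4 is disabled on many OpenSSL 3 builds.
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, 0, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, add, idx, sh in rounds:
            for i, k in enumerate(idx):
                a = rotl((a + f(b, c, d) + X[k] + add) & M, sh[i % 4])
                a, b, c, d = d, a, b, c  # registers are updated in the order a, d, c, b
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))  # step 2.2: MD4 over the Unicode password

def session_hash(challenge: bytes, client_nonce: bytes) -> bytes:
    return hashlib.md5(challenge + client_nonce).digest()[:8]  # step 2.1: keep only 8 bytes

def lm_response(client_nonce: bytes) -> bytes:
    return client_nonce + b"\x00" * 16  # step 1: nonce plus 16 zero bytes

def des_keys(nt: bytes) -> list:
    # Step 2.3 key layout: pad the NT hash to 21 bytes, split into 7-byte keys, and expand
    # each to the 8-byte odd-parity form that a DES routine (the page's algorithm_des_56key) consumes.
    padded = nt + b"\x00" * 5
    keys = []
    for k7 in (padded[0:7], padded[7:14], padded[14:21]):
        bits, k8 = int.from_bytes(k7, "big"), bytearray()
        for i in range(8):
            b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
            k8.append(b | int(bin(b).count("1") % 2 == 0))  # low bit set so each byte has odd parity
        keys.append(bytes(k8))
    return keys

if __name__ == "__main__":  # the page's test vector: challenge 0x0123456789ABCDEF, nonce 0xFFFFFF0011223344
    chal, nonce = bytes.fromhex("0123456789abcdef"), bytes.fromhex("ffffff0011223344")
    print(nt_hash("SecREt01").hex(), session_hash(chal, nonce).hex(), lm_response(nonce).hex())
```

Feeding each 8-byte key together with the session hash to any DES routine yields the three 8-byte blocks of the response in order.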

Related Links: My network communication articles

NTLM implementation:

  • Proxy traversal (16): NTLM proxy Traversal
  • Proxy traversal (15): NTLM Session Security
  • Implement proxy traversal (14): NTLM type3 message
  • Implement proxy traversal (13): NTLM type2 message
  • Implement proxy traversal (12): NTLM type1 message
  • Proxy traversal (11): NTLMv2 session response
  • Implement proxy traversal (10): NTLMv2 response
  • Implement proxy traversal (9): ntlmv1 response
  • Implement proxy traversal (8): NT-Hash implementation
  • Proxy traversal (7): md4 and MD5
  • Implement proxy traversal (6): LM-Hash implementation
  • Implement proxy traversal (5): DES algorithm 3
  • Implement proxy traversal (4): DES algorithm 2
  • Implement proxy traversal (3): One of the des Algorithms
  • Proxy traversal (2): base64 Algorithm
  • Proxy traversal (1): process and NTLM Algorithm
