Networking Forums

NTLMSSP in ethereal

 
 
Mike - EMAIL IGNORED
      06-17-2005, 10:34 PM
On RH, I have been capturing http packets with tethereal
and examining them with ethereal. In one obvious buffer
overflow attack I found:

Frame size = 1506
IP total length = 1492
NTLMSSP data size = 1044

What is the NTLMSSP? The hex dump shows it to be in >addition<
to the ethernet frame size, which to me, does not make
sense.

Thanks for your help,
Mike.
 
Menno Duursma
      06-18-2005, 10:41 AM
On Fri, 17 Jun 2005 18:34:15 -0400, Mike - EMAIL IGNORED wrote:

> On RH, I have been capturing http packets with tethereal
> and examining them with ethereal. In one obvious buffer
> overflow attack I found:
>
> Frame size = 1506


Ethernet frame.

> IP total length = 1492


Internet Protocol packet.

> NTLMSSP data size = 1044


Payload.

> What is the NTLMSSP?


New Technology LAN (local area network) Manager, Security Support Provider

Basically it is an NTLM authentication request message for/from the SSP
service on an MS-Windows NT machine to verify. But of course any Unix box
can have support for this by way of either Samba, Cyrus SASL, or both.

> The hex dump shows it to be in >addition< to the ethernet frame size, which to
> me, does not make sense.


Well, that surely wouldn't make sense to me either, as the authentication
messages are payload in TCP or UDP packets. However the messages may be so
large they don't fit in a single packet, thus they might get split up.

--
-Menno.

 
Mike - EMAIL IGNORED
      06-18-2005, 01:03 PM
Menno Duursma wrote:
>
> On Fri, 17 Jun 2005 18:34:15 -0400, Mike - EMAIL IGNORED wrote:
>
> > On RH, I have been capturing http packets with tethereal
> > and examining them with ethereal. In one obvious buffer
> > overflow attack I found:
> >
> > Frame size = 1506

>
> Ethernet frame.
>
> > IP total length = 1492

>
> Internet Protocol packet.
>
> > NTLMSSP data size = 1044

>
> Payload.
>
> > What is the NTLMSSP?

>
> New Technology LAN (local area network) Manager, Security Support Provider
>
> Basically it is an NTLM authentication request message for/from the SSP
> service on an MS-Windows NT machine to verify. But of course any Unix box
> can have support for this by way of either Samba, Cyrus SASL, or both.
>
> > The hex dump shows it to be in >addition< to the ethernet frame size, which to
> > me, does not make sense.

>
> Well, that surely wouldn't make sense to me either, as the authentication
> messages are payload in TCP or UDP packets. However the messages may be so
> large they don't fit in a single packet, thus they might get split up.
>
> --
> -Menno.


The ethereal dump is pasted below with some identifying info x'ed out.
There are confinuation packets, but none contain anything like
"AAAAAAAA...". I note that my tethereal filter is:
tcp port 80

Mike.

--
No.   Time           Source          Destination    Protocol  Info
620   14104.441227   68.249.92.101   192.168.1.20   HTTP      GET / HTTP/1.0, Unknown message type

Frame 620 (1506 bytes on wire, 1506 bytes captured)
Arrival Time: Jun 16, 2005 11:29:10.878750000
Time delta from previous packet: 0.029777000 seconds
Time since reference or first frame: 14104.441227000 seconds
Frame Number: 620
Packet Length: 1506 bytes
Capture Length: 1506 bytes
Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: xx:xx:xx:xx:xx:xx
Destination: xx:xx:xx:xx:xx:xx (LinksysG_xx:xx:xx)
Source: xx:xx:xx:xx:xx:xx (LinksysG_xx:xx:xx)
Type: IP (0x0800)
Internet Protocol, Src Addr: 68.249.92.101 (68.249.92.101), Dst Addr: 192.168.1.20 (192.168.1.20)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x20 (DSCP 0x08: Class Selector 1; ECN: 0x00)
0010 00.. = Differentiated Services Codepoint: Class Selector 1 (0x08)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1492
Identification: 0x70f3 (28915)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 105
Protocol: TCP (0x06)
Header checksum: 0x37f6 (correct)
Source: 68.249.92.101 (68.249.92.101)
Destination: 192.168.1.20 (192.168.1.20)
Transmission Control Protocol, Src Port: 1972 (1972), Dst Port: http (80), Seq: 1, Ack: 1, Len: 1452
Source port: 1972 (1972)
Destination port: http (80)
Sequence number: 1 (relative sequence number)
Next sequence number: 1453 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65340
Checksum: 0x67d5 (correct)
Hypertext Transfer Protocol
GET / HTTP/1.0\r\n
Request Method: GET
Host: xxx.xxx.xxx.xxx\r\n
Authorization: Negotiate YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
NTLMSSP
NTLMSSP identifier: `\202\020z\006\006+\006
NTLM Message Type: Unknown (0x02050501)
Unrecognized NTLMSSP Message

Frame (1506 bytes):

0000 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ..%.g...%.&...E
0010 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ..p.@.i.7.D.\e..
0020 01 14 07 b4 00 50 e6 04 80 1f ec 3f 5a 39 50 10 .....P.....?Z9P.
0030 ff 3c 67 d5 00 00 47 45 54 20 2f 20 48 54 54 50 .<g...GET / HTTP
0040 2f 31 2e 30 0d 0a 48 xxxxxxxxxxxxxxxxxxxxxxxxxx /1.0..Host: xx.x
0050 xxxxxxxxxxxxxxxxxxxx 32 0d 0a 41 75 74 68 6f 72 x.xxx.xx..Author
0060 69 7a 61 74 69 6f 6e 3a 20 4e 65 67 6f 74 69 61 ization: Negotia
0070 74 65 20 59 49 49 51 65 67 59 47 4b 77 59 42 42 te YIIQegYGKwYBB
0080 51 55 43 6f 49 49 51 62 6a 43 43 45 47 71 68 67 QUCoIIQbjCCEGqhg
0090 68 42 6d 49 34 49 51 59 67 4f 43 42 41 45 41 51 hBmI4IQYgOCBAEAQ
00a0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
00b0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
00c0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
00d0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
00e0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
00f0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0100 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0110 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0120 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0130 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0140 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0150 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0160 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0170 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0180 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0190 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
01a0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
01b0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
01c0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
01d0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
01e0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
01f0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0200 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0210 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0220 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0230 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0240 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0250 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0260 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0270 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0280 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0290 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
02a0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
02b0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
02c0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
02d0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
02e0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
02f0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0300 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0310 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0320 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0330 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0340 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0350 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0360 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0370 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0380 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0390 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
03a0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
03b0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
03c0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
03d0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
03e0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
03f0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0400 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0410 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0420 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0430 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0440 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0450 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0460 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0470 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0480 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0490 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
04a0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
04b0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
04c0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
04d0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
04e0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
04f0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0500 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0510 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0520 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0530 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0540 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0550 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0560 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0570 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0580 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
0590 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
05a0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
05b0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
05c0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
05d0 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
05e0 55 46 UF

NTLMSSP Data (1044 bytes):

0000 60 82 10 7a 06 06 2b 06 01 05 05 02 a0 82 10 6e `..z..+........n
0010 30 82 10 6a a1 82 10 66 23 82 10 62 03 82 04 01 0..j...f#..b....
0020 00 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 .AAAAAAAAAAAAAAA
0030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0050 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0070 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0080 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0090 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00a0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00b0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00c0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00d0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00e0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00f0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0100 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0110 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0120 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0130 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0140 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0150 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0160 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0170 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0180 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0190 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01a0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01b0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01c0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01d0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01e0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0200 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0210 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0220 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0230 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0240 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0250 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0260 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0270 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0280 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0290 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02a0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02b0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02c0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02e0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02f0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0300 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0310 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0320 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0330 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0340 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0350 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0360 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0370 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0380 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0390 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
03a0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
03b0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
03c0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
03d0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
03e0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
03f0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0400 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0410 41 41 41 40 AAA@
 
Menno Duursma
      06-18-2005, 03:10 PM
On Sat, 18 Jun 2005 09:03:55 -0400, Mike - EMAIL IGNORED wrote:
> Menno Duursma wrote:
>> On Fri, 17 Jun 2005 18:34:15 -0400, Mike - EMAIL IGNORED wrote:


>> > What is the NTLMSSP?

>>
>> New Technology LAN (local area network) Manager, Security Support
>> Provider


IIUC: the Mozilla Firefox browser supports this authentication scheme too.

[ Snip. ]

> The ethereal dump is pasted below with some identifying info x'ed out.
> There are confinuation packets, but none contain anything like


? s/confinuation/confirmation/

> "AAAAAAAA...". I note that my tethereal filter is:
> tcp port 80

....
> Hypertext Transfer Protocol
> GET / HTTP/1.0\r\n
> Request Method: GET
> Host: xxx.xxx.xxx.xxx\r\n
> Authorization: Negotiate
> YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> NTLMSSP
> NTLMSSP identifier: `\202\020z\006\006+\006 NTLM Message
> Type: Unknown (0x02050501) Unrecognized NTLMSSP Message


This looks like a remote exploit attempt against some vulnerability in
MS-IIS webserver or MS-ISA proxy server software.

> Frame (1506 bytes):


[ Snipped - what look like protocol headers to me. ]

> NTLMSSP Data (1044 bytes):


Here is the payload:

> 0000 60 82 10 7a 06 06 2b 06 01 05 05 02 a0 82 10 6e `..z..+........n
> 0010 30 82 10 6a a1 82 10 66 23 82 10 62 03 82 04 01 0..j...f#..b....
> 0020 00 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 .AAAAAAAAAAAAAAA
> 0030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA


Which looks like something calculated, then automated like in:

perl -e 'print "header_stuff", "A" x 100' | nc someserver 80

--
-Menno.
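
Added example (not code from this thread or from ethereal): the first 32 bytes of the "NTLMSSP Data" dump are plain ASN.1 BER tag/length headers, and reading them answers both questions raised above. The Python below decodes the base64 prefix copied from the capture (with the forum's line-wrapping spaces removed, followed by a constructed run of the QUFB filler), walks the headers, decodes the OID, and compares the token's declared size with the 1044 bytes ethereal found in this one segment. Facts it relies on: the bytes 06 06 2b 06 01 05 05 02 are OBJECT IDENTIFIER 1.3.6.1.5.5.2, the SPNEGO mechanism OID that an HTTP "Negotiate" token is wrapped in; the "NTLMSSP identifier" ethereal printed is simply the first eight token bytes (60 82 10 7a 06 06 2b 06), and the "message type" 0x02050501 is bytes 8-11 (01 05 05 02) read little-endian. In other words, ethereal tried to parse the SPNEGO wrapper as a bare NTLMSSP message and gave up, which is where "Unrecognized NTLMSSP Message" comes from.

```python
import base64

# Constructed input for this example: the first 44 base64 characters of the
# "Authorization: Negotiate" value from the capture above (the forum's
# line-wrapping spaces removed), followed by a short run of the "QUFB"
# filler.  "QUFB" is the base64 encoding of three 0x41 bytes ("AAA").
NEGOTIATE_PREFIX = "YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEA" + "QUFB" * 4

# From the dissection: ethereal decoded 1044 token bytes out of this one
# 1452-byte TCP segment.
TOKEN_BYTES_IN_SEGMENT = 1044


def read_header(buf, off):
    """Parse one BER tag/length header at buf[off] -> (tag, length, header_size).

    Handles single-byte tags, short-form lengths and long-form lengths of up
    to four bytes (0x82 0x10 0x7a in the capture means 0x107a = 4218 bytes).
    """
    if off + 2 > len(buf):
        raise ValueError("truncated header at offset %d" % off)
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short form: the byte is the length
        return tag, first, 2
    nbytes = first & 0x7F                 # long form: 0x8N, then N length bytes
    if nbytes == 0 or nbytes > 4 or off + 2 + nbytes > len(buf):
        raise ValueError("unsupported or truncated length at offset %d" % off)
    return tag, int.from_bytes(buf[off + 2:off + 2 + nbytes], "big"), 2 + nbytes


def decode_oid(content):
    """Decode a DER OBJECT IDENTIFIER body (e.g. 2b 06 01 05 05 02) to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def walk(buf, start=0, end=None, depth=0, out=None):
    """Walk the BER structure, descending into constructed elements.

    Returns a list of (depth, offset, tag, declared_length, truncated).
    'truncated' is set when the declared length runs past the bytes we
    actually hold, which is exactly what a token split over several TCP
    segments looks like from inside one segment.
    """
    out = [] if out is None else out
    end = len(buf) if end is None else end
    off = start
    while off + 2 <= end:
        tag, length, hdr = read_header(buf, off)
        body = off + hdr
        out.append((depth, off, tag, length, body + length > len(buf)))
        if tag & 0x20:                     # constructed: recurse into its contents
            walk(buf, body, min(end, body + length), depth + 1, out)
        off = body + length                # next sibling (may run off the end)
    return out


def tag_chain(b64):
    """Tags in parse order, e.g. [0x60, 0x06, 0xa0, 0x30, 0xa1, 0x23, 0x03]."""
    return [node[2] for node in walk(base64.b64decode(b64))]


def analyse(b64, bytes_in_segment):
    """Compare the token's declared size with what one TCP segment carried."""
    raw = base64.b64decode(b64)
    nodes = walk(raw)
    _, _, outer_hdr = read_header(raw, 0)
    outer_len = nodes[0][3]
    oid_node = next(n for n in nodes if n[2] == 0x06)       # OBJECT IDENTIFIER
    bits_node = next(n for n in nodes if n[2] == 0x03)      # primitive BIT STRING
    _, _, oid_hdr = read_header(raw, oid_node[1])
    _, _, bits_hdr = read_header(raw, bits_node[1])
    return {
        "mech_oid": decode_oid(raw[oid_node[1] + oid_hdr:oid_node[1] + oid_hdr + oid_node[3]]),
        "declared_token_size": outer_hdr + outer_len,
        "bytes_in_segment": bytes_in_segment,
        "spans_segments": outer_hdr + outer_len > bytes_in_segment,
        "bitstring_length": bits_node[3],
        # BIT STRING content starts after its header (03 82 04 01) and one
        # "unused bits" byte (00); the byte after that is the first filler byte.
        "filler_byte": raw[bits_node[1] + bits_hdr + 1],
    }


if __name__ == "__main__":
    raw = base64.b64decode(NEGOTIATE_PREFIX)
    for depth, off, tag, length, truncated in walk(raw):
        print("%s%04x: tag 0x%02x len %d%s" % ("  " * depth, off, tag, length,
              "  (runs past captured data)" if truncated else ""))
    print(analyse(NEGOTIATE_PREFIX, TOKEN_BYTES_IN_SEGMENT))
```

The outer header declares 4218 content bytes (4222 with the header), far more than the 1044 this segment carries, so the token continues in the following segments; the 1391 base64 characters that fit in the 1506-byte frame decode to the 1044 bytes ethereal shows (the trailing 40 in the dump is a partial base64 group). Those continuation segments carry the filler as base64 (QUFBQUFB...), which only becomes 41 41 41 after decoding, which is why grepping them for "AAAA" finds nothing. For the same reason the "NTLMSSP Data (1044 bytes)" pane is not in addition to the frame: it is the decoded form of base64 bytes that are already inside it.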

 