how to calculate the NTLMSSP verifier(checksum) of DCOM packet?

  • Question

  • I am learning DCOM and trying to write a DCOM server.

    When I sniff a packet of DCOM, I find the NTLMSSP verifier body: 62 9c 0d 86 cc 00 09 35 00 00 00 00

    I want to know how to calculate this value.

    The data in this packet is as follows:

    05 00 01 00 00 00 00 00    00 00 00 00 93 07 56 0f
    5d 7b 4f 44 8a e5 2b b3    9a 1c 8e d4 00 00 00 00
    1f 00 00 00 00 00 00 00    1f 00 00 00 4b 00 65 00
    70 00 77 00 61 00 72 00    65 00 2e 00 4b 00 45 00
    50 00 53 00 65 00 72 00    76 00 65 00 72 00 45 00
    6e 00 74 00 65 00 72 00    70 00 72 00 69 00 73 00
    65 00 2e 00 56 00 35 00    00 00 00 00 8a e3 13 71
    02 f4 36 71 01 00 04 00    01 00 00 00 02 40 28 00
    50 6d 48 13 21 48 d2 11    a4 94 3c b3 06 c1 00 00
    00 00 00 00 04 5d 88 8a    eb 1c c9 11 9f e8 08 00
    2b 10 48 60 02 00 00 00    00 00 00 00 00 00 00 00

    and the Session Key in the last packet (AUTH3) is 

    bf:f0:9f:ed:8a:5a:9e:5a:1a:82:32:0f:4a:08:24:51

    Would anyone like to tell me how to calculate the value of the verifier?

    I have found a web page that shows the calculation procedure:

    https://msdn.microsoft.com/en-us/library/cc422954.aspx?query=

    Define MAC(Handle, SigningKey, SeqNum, Message) as
        Set NTLMSSP_MESSAGE_SIGNATURE.Version to 0x00000001
        Set NTLMSSP_MESSAGE_SIGNATURE.Checksum to
            HMAC_MD5(SigningKey,
            ConcatenationOf(SeqNum, Message))[0..7]
        Set NTLMSSP_MESSAGE_SIGNATURE.SeqNum to SeqNum
        Set SeqNum to SeqNum + 1
    EndDefine

    I tried to write code to implement that, but I cannot get the right value.

    First of all, I cannot get the byte[] of concatenationOf(int sequenceNumber, byte[] data).

    For example, what should I get from concatenationOf(0, new byte[]{0x33})?

    Second, what value should be used for signingKey? The sessionKey in the AUTH3 packet?

    I hope someone can give me a clue, thanks.

    Frank Lee


    Friday, October 28, 2016 3:43 AM
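
An added example, not part of the original thread and not Microsoft's code: the MAC pseudocode quoted in the question, written out in Python for a receiver that has to check a signature. It assumes, per MS-NLMP, that SeqNum is encoded as a 32-bit little-endian integer and that SigningKey is the SIGNKEY value derived from the exported session key; the key and message used with it are constructed samples, not values from the capture.

```python
import hashlib
import hmac
import struct

# SIGNKEY magic constants from MS-NLMP; the trailing NUL byte is part of the input.
C2S_MAGIC = b"session key to client-to-server signing key magic constant\x00"
S2C_MAGIC = b"session key to server-to-client signing key magic constant\x00"


def signkey(exported_session_key: bytes, client_to_server: bool) -> bytes:
    """SIGNKEY with extended session security: MD5(session key || magic)."""
    magic = C2S_MAGIC if client_to_server else S2C_MAGIC
    return hashlib.md5(exported_session_key + magic).digest()


def concatenation_of(seq_num: int, message: bytes) -> bytes:
    """ConcatenationOf(SeqNum, Message): 4-byte little-endian SeqNum, then the message."""
    return struct.pack("<I", seq_num) + message


def mac(signing_key: bytes, seq_num: int, message: bytes) -> bytes:
    """Build the 16-byte NTLMSSP_MESSAGE_SIGNATURE: Version | Checksum | SeqNum."""
    digest = hmac.new(signing_key, concatenation_of(seq_num, message), hashlib.md5).digest()
    checksum = digest[:8]  # the [0..7] slice in the pseudocode
    return struct.pack("<I", 1) + checksum + struct.pack("<I", seq_num)


def verify(signing_key: bytes, seq_num: int, message: bytes, signature: bytes) -> bool:
    """Recompute the signature for the expected SeqNum and compare in constant time."""
    return hmac.compare_digest(mac(signing_key, seq_num, message), signature)


if __name__ == "__main__":
    session_key = bytes(range(16))            # constructed sample key
    key = signkey(session_key, client_to_server=True)
    sig = mac(key, 0, bytes([0x33]))          # constructed one-byte message
    print(concatenation_of(0, bytes([0x33])).hex())
    print(sig.hex(), verify(key, 0, bytes([0x33]), sig))
```

This covers only the variant quoted in the question. When NTLMSSP_NEGOTIATE_KEY_EXCH is negotiated, MS-NLMP additionally RC4-encrypts the 8-byte checksum with the sealing handle, which is not shown here.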

All replies

  • Frank,

    Thank you for your question.

    An engineer from the protocols team will contact you soon.


    Bryan S. Burgin, Senior Escalation Engineer, Microsoft Protocol Open Specifications Team

    Friday, October 28, 2016 4:06 PM
    Moderator
  • Hi Frank:

    I'll help you with this.

    Can you please send an email to dochelp@microsoft.com to my attention? I need the network capture and password to show you how the signature is calculated.


    Regards, Obaid Farooqi

    Friday, October 28, 2016 5:26 PM
    Owner
  • Hi Frank:

    If you still need help on this, please send me an email as I requested above.


    Regards, Obaid Farooqi

    Wednesday, November 2, 2016 4:25 AM
    Owner
  • Hi Frank:

    I have still not received an email from you. If you want to work on this issue, please send me an email to the address mentioned above.


    Regards, Obaid Farooqi

    Monday, November 7, 2016 4:41 AM
    Owner
  • Hi Frank:

    I am archiving this case. Please feel free to contact us whenever you are ready to work on this case.


    Regards, Obaid Farooqi

    Friday, November 11, 2016 9:04 PM
    Owner