
curl-library

Re: NTLM Test server details

From: Cris Bailiff <c.bailiff+curl_at_devsecure.com>
Date: Fri, 13 Jun 2003 18:30:51 +1000

(CC to the list - this is 'public info'):

On Fri, 13 Jun 2003 05:59 pm, you wrote:
> Then we have a problem with £-letters in the password. It might be related
> to the fact it is a >7bit letter and the password gets translated to
> unicode... I'm really clueless on unicode...

'Me too'. I expect it's the unix '£' sign that's "wrong", but we could look at
that later.

> Heck, the captures I made helped absolutely nothing. They just confused me
> a lot and I had to stop looking at them to do any progress! IE 6 is
> obviously not sending the NTLM as libcurl is now. I left comments in the
> code showing fundamental differences.

I think that's NTLMv2 support you can see - I did some googling, and you can
tell there is NTLMv2 support in the message, "because it's longer" :-) NTLMv2
uses a 128 bit hash. That's about all I know so far.

> BTW, your patch also proved another interesting thing:
> (the test servers didn't) care much about the 'lanmanager' hashed
> password.

Yes - windows servers will use the NT hash in preference. The LMHASH is for
'very backwards' compatibility. I believe win2k servers have a security
policy setting which can switch from 'Accept LANMAN, NTLM, NTLMv2' all the
way up to 'Only accept Kerberos (SPNEGO)' (and points in between)

> Yesterday I was having problems to write a test case for NTLM because a few
> bytes in the package seemed to differ between invokes (which your patch
> addressed), but still I could suck down NTLM from two live IIS servers...!

It just ignores the LM hash - in fact, many clients just null it out, I think
- I'm sure there's a registry setting controlling its use. Like the
Basic/Digest thing - there's no point sending the strong NTLM hash if there
is a 'weak' copy in the same packet. Could be another curl switch.

Additional feature bonus:

I'm attaching a patch to support connection re-use (so you can do multiple
requests over one authenticated connection). According to the innovation.ch
documentation, once authenticated, you shouldn't send any further
Authenticate headers, so I just removed the header once we have sent the
type-3. ntlm_output looks about ready to become a switch() to me.

Cheers,
Cris


Received on 2003-06-13