I'm struggling to understand how to properly read and construct my NegotiateFlags parameter in the NTLM messages. In the official protocol specification I simply cannot understand that table. I think it represents 32 bits, since NegotiateFlags is 4 bytes, but what do these letters mean? How do I set them?

Searching on Google, I found another example that makes a lot more sense to me:

0x00000001  Negotiate Unicode
0x00000002  Negotiate OEM
0x00000004  Request Target
0x00000008  unknown
0x00000010  Negotiate Sign
0x00000020  Negotiate Seal
0x00000040  Negotiate Datagram Style
0x00000080  Negotiate Lan Manager Key
0x00000100  Negotiate Netware
0x00000200  Negotiate NTLM
0x00000400  unknown
0x00000800  Negotiate Anonymous
0x00001000  Negotiate Domain Supplied
0x00002000  Negotiate Workstation Supplied
0x00004000  Negotiate Local Call *//Sent by the server*
0x00008000  Negotiate Always Sign
0x00010000  Target Type Domain *//Sent by the server in the Type 2 message*
0x00020000  Target Type Server *//Sent by the server in the Type 2 message*
0x00040000  Target Type Share *//Sent by the server in the Type 2 message*
0x00080000  Negotiate NTLM2 Key
0x00100000  Request Init Response
0x00200000  Request Accept Response
0x00400000  Request Non-NT Session Key
0x00800000  Negotiate Target Info
0x01000000  unknown
0x02000000  unknown
0x04000000  unknown
0x08000000  unknown
0x10000000  unknown
0x20000000  Negotiate 128
0x40000000  Negotiate Key Exchange
0x80000000  Negotiate 56

But looking at the FreeRDP example, the NegotiateFlags are:

b7 82 08 e2

Reading in little endian I have:

e2 08 = 57864

82 b7 = 33463

Sum of values = 91327

I cannot get the sum of this value with the example table I show above... How should I calculate this? (I accept explanations that lead me to understand the official table from Microsoft, of course.)

user2864778

1 Answer

Your endian conversion is wrong.

It should be E20882B7.

0x is the standard notation for hex.

First digit is , so 0x00000001 Negotiate Unicode + 0x00000002 Negotiate OEM + 0x00000004 Request Target

Second digit is B, so 0x00000010 Negotiate Sign + 0x00000020 Negotiate Seal + 0x00000080 Negotiate Lan Manager Key

And so on.

markgamache
  • Hello, thank you for your answer. Could you please explain digit by digit what the meanings are, the same way you did for 'B'? Because it looks like we get duplicate flags? – user2864778 Sep 28 '17 at 17:41
  • I ask this because, look at this real example: `Negotiate Unicode (0x00000001) Request Target (0x00000004) Negotiate NTLM (0x00000200) Negotiate Always Sign (0x00008000)` Combining the above gives "0x00008205". This would be physically laid out as **"0x05820000"** (since it is represented in little-endian byte order). We don't read it as 2, 8, 5, 0... We read it as 82 05... I don't understand why, in your example, it is read digit by digit instead of byte by byte... – user2864778 Sep 28 '17 at 18:40
  • The re-ordering is done after you apply, or parse out, the flags. Remember, hex is just a shortcut. These are really bit flags, not hex digit flags or byte flags. The endianness is only applicable once you put the flags together, or as part of the conversion, prior to parsing them out. The example simply shows how the math is done to combine bits to reach the value for each hex digit. – markgamache Sep 29 '17 at 18:00
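The decoding discussed in this thread, as an added example that is not part of the question, the answer, or FreeRDP: the four wire bytes are read as one little-endian 32-bit integer, and each set bit is then looked up in the table quoted in the question. The function names are assumptions made for this sketch; bits the quoted table lists as "unknown" are reported as such.

```python
import struct

# Names copied from the table quoted in the question; list index = bit position
# (index 0 is mask 0x00000001, index 31 is mask 0x80000000).
FLAG_NAMES = [
    "Negotiate Unicode", "Negotiate OEM", "Request Target", "unknown",
    "Negotiate Sign", "Negotiate Seal", "Negotiate Datagram Style", "Negotiate Lan Manager Key",
    "Negotiate Netware", "Negotiate NTLM", "unknown", "Negotiate Anonymous",
    "Negotiate Domain Supplied", "Negotiate Workstation Supplied", "Negotiate Local Call", "Negotiate Always Sign",
    "Target Type Domain", "Target Type Server", "Target Type Share", "Negotiate NTLM2 Key",
    "Request Init Response", "Request Accept Response", "Request Non-NT Session Key", "Negotiate Target Info",
    "unknown", "unknown", "unknown", "unknown",
    "unknown", "Negotiate 128", "Negotiate Key Exchange", "Negotiate 56",
]

def decode_negotiate_flags(wire: bytes):
    """Return (value, [(mask, name), ...]) for the 4 NegotiateFlags bytes as sent."""
    if len(wire) != 4:
        raise ValueError("NegotiateFlags is exactly 4 bytes")
    # Little-endian: the first byte on the wire is the least significant byte.
    (value,) = struct.unpack("<I", wire)
    # Flags are individual bits, so test each bit rather than each hex digit or byte.
    flags = [(1 << bit, FLAG_NAMES[bit]) for bit in range(32) if value & (1 << bit)]
    return value, flags

def encode_negotiate_flags(names) -> bytes:
    """OR the masks of the named flags together and return the 4 wire bytes."""
    value = 0
    for name in names:
        if name == "unknown" or name not in FLAG_NAMES:
            raise ValueError(f"not a named flag in the table: {name!r}")
        value |= 1 << FLAG_NAMES.index(name)
    return struct.pack("<I", value)

if __name__ == "__main__":
    # Bytes from the question, in wire order.
    value, flags = decode_negotiate_flags(bytes.fromhex("b78208e2"))
    print(f"0x{value:08X}")
    for mask, name in flags:
        print(f"0x{mask:08X}  {name}")
    # Flag set from the comment above.
    wanted = ["Negotiate Unicode", "Request Target", "Negotiate NTLM", "Negotiate Always Sign"]
    print(encode_negotiate_flags(wanted).hex(" "))
```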