#21 If the password is too long, NTLM APS didn't work!

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2008-10-23
Created: 2006-11-22
Creator: Anonymous
Private: No

If I set the following password: wwwwwwwwwww@123456, NTLM APS didn't work! So what's the longest password?

Discussion

  • Logged In: YES
    user_id=487909
    Originator: NO

    From looking at the source (ntlm_procs.py - Lines 44 to 71), it seems that only the first 14 characters are used. This is a surprise to me and maybe a limitation of the LanManager part. The NT part is fine.

    In my server.cfg I have the following ...

    ==================[SNIP]=========================
    # These two options replace old FULL_NTLM option.
    # NTLM authentication consists virtually of two parts: LM and NT. Windows95/98 use
    # only LM part, WindowsNT/2000 can use NT and LM or just NT part.
    # Almost always using just LM part will be enough. I had several reports
    # about LM and NT requirement and no about just NT.
    # So try to setup 1, 1 only if you have enough reasons to do so and when you understand
    # what you are doing.
    # 0, 0 is an illegal combination
    # NOTE: if you change these options then you have to setup flag option accordingly.
    LM_PART:1
    NT_PART:0

    # Highly experimental option. See research.txt for details.
    # LM - 06820000
    # NT - 05820000
    # LM + NT - 07820000
    NTLM_FLAGS: 06820000
    ==================[SNIP]=========================

    If you are on Windows NT or greater (NT/2K/XP/2K3/etc), then try ...

    LM_PART:0
    NT_PART:1
    NTLM_FLAGS:05820000

    If that doesn't work, then try ...

    LM_PART:1
    NT_PART:1
    NTLM_FLAGS:07820000

    The NT part doesn't seem to have any limits on password length.

  • Logged In: YES
    user_id=487909
    Originator: NO

    http://davenport.sourceforge.net/ntlm.html

    [QUOTE]In the event that the user's password is longer than 15 characters, the host or domain controller will not store the LM hash for the user; the LM response cannot be used to authenticate the user in this case. A response is still generated and placed in the LM Response field, using a 16-byte null value (0x00000000000000000000000000000000) as the LM hash in the calculation. This value is ignored by the target.[/QUOTE]

    So, using an LM (LanManager) response is limited to a 15 character password (14 characters and a null, probably).

    This is a limitation of LM, not the NTLM authentication proxy server.

    I suspect that if you were on Windows 9x, you couldn't have a password over 14 characters.

  • Matt Domsch, 2008-10-23

    • status: open --> closed

  • Matt Domsch, 2008-10-23

    The LanManager password is at most 14 bytes long.