This page is a summary of the session signing section of https://en.hackndo.com/ntlm-relay/#session-signin (hackndo's awesome work).
During the negotiation phase, both parties indicate their signing requirements: the client states in its NEGOTIATE message whether it supports (or requires) signing, and the server answers in its CHALLENGE message with what it supports. If both sides agree, the session is signed once authentication completes, and the session continues signed from then on.
Can a relaying attacker simply edit the flag to indicate that signing is not supported? Not really, not unless the MIC is removed, because the negotiated flags are protected by the MIC (Message Integrity Code) carried in the AUTHENTICATE message:
HMAC_MD5(Session key, NEGOTIATE_MESSAGE + CHALLENGE_MESSAGE + AUTHENTICATE_MESSAGE)
The MIC field itself is zeroed while the HMAC is computed, and the session key depends on the client's secret (the NT hash), so a relay that rewrites any of the three messages cannot recompute a valid MIC.
Could the relay strip the MIC instead and hope the server does not notice? No, because there is another flag that indicates that a MIC will be present: MsvAvFlags, an AV_PAIR in the NTLMv2 response. If its value is 0x00000002, it tells the server that a MIC must be present. So if the server does not see the MIC, it knows that something is going on and terminates the authentication. The AV_PAIRs are part of the blob covered by NTProofStr, which is computed with the user's secret, so the relay cannot clear that flag either. If the flag says there must be a MIC, then there must be a MIC.
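The checks described above, as an added Python example (this is not code from the hackndo article or from any NTLM implementation): a simplified client, relay and server exchange NTLMSSP messages, and the server recomputes NTProofStr and the MIC the way a DC would. Assumptions: the NT hash, user, domain, challenges and timestamp are constructed sample values; the messages use a fixed layout instead of the offset/length fields of the real MS-NLMP structures; no key exchange is negotiated, so the SessionBaseKey is used directly as the MIC key. Each tampering scenario shows which check catches the relay, and the last one shows why the protection depends on the client setting MsvAvFlags.

```python
import hashlib
import hmac
import struct

# Constants from MS-NLMP (NegotiateFlags bit and AV_PAIR ids)
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
MSV_AV_EOL, MSV_AV_NB_DOMAIN_NAME, MSV_AV_FLAGS = 0x0000, 0x0002, 0x0006
MSV_AV_FLAG_MIC_PRESENT = 0x00000002
SIGNATURE = b"NTLMSSP\x00"

# Constructed sample inputs (not from a real capture)
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USER, DOMAIN = "alice", "CORP"
SERVER_CHALLENGE, CLIENT_CHALLENGE = bytes(range(8)), bytes(range(8, 16))
TIMESTAMP = struct.pack("<Q", 0x01DA2B3C4D5E6F70)


def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()


def ntowf_v2(nt_hash, user, domain):
    # NTOWFv2 = HMAC_MD5(NT hash, UNICODE(UPPER(user) + domain))
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))


def av_pair(av_id, value):
    return struct.pack("<HH", av_id, len(value)) + value


def parse_av_pairs(blob):
    pairs, pos = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[pos:pos + av_len]
        pos += av_len


def target_info(domain, av_flags):
    return (av_pair(MSV_AV_NB_DOMAIN_NAME, domain.encode("utf-16-le"))
            + av_pair(MSV_AV_FLAGS, struct.pack("<I", av_flags)) + av_pair(MSV_AV_EOL, b""))


# Simplified fixed-layout messages (assumption; real messages use offset/length fields)
def negotiate_msg(flags):
    return SIGNATURE + struct.pack("<II", 1, flags)


def challenge_msg(flags, server_challenge, ti):
    return SIGNATURE + struct.pack("<II", 2, flags) + server_challenge + ti


def authenticate_msg(flags, mic, nt_response):
    return SIGNATURE + struct.pack("<II", 3, flags) + mic + nt_response


def client_authenticate(negotiate, challenge, announce_mic=True):
    flags = struct.unpack_from("<I", challenge, 12)[0]
    server_challenge = challenge[16:24]
    key = ntowf_v2(NT_HASH, USER, DOMAIN)
    # "temp" blob of MS-NLMP 3.3.2; the AV pairs, MsvAvFlags included, live inside it
    temp = (b"\x01\x01" + b"\x00" * 6 + TIMESTAMP + CLIENT_CHALLENGE + b"\x00" * 4
            + target_info(DOMAIN, MSV_AV_FLAG_MIC_PRESENT if announce_mic else 0) + b"\x00" * 4)
    nt_proof_str = hmac_md5(key, server_challenge + temp)
    nt_response = nt_proof_str + temp
    session_key = hmac_md5(key, nt_proof_str)  # SessionBaseKey; no key exchange, so it is the MIC key
    unsigned = authenticate_msg(flags, b"\x00" * 16, nt_response)
    if not announce_mic:
        return unsigned  # legacy client: no MsvAvFlags MIC bit, no MIC
    # MIC = HMAC_MD5(session key, NEGOTIATE + CHALLENGE + AUTHENTICATE with the MIC field zeroed)
    return authenticate_msg(flags, hmac_md5(session_key, negotiate + challenge + unsigned), nt_response)


def server_verify(negotiate, challenge, authenticate):
    key = ntowf_v2(NT_HASH, USER, DOMAIN)  # the DC holds the user's secret
    server_challenge = challenge[16:24]
    mic, nt_response = authenticate[16:32], authenticate[32:]
    nt_proof_str, temp = nt_response[:16], nt_response[16:]
    if not hmac.compare_digest(nt_proof_str, hmac_md5(key, server_challenge + temp)):
        return "rejected: NTProofStr mismatch"  # any change to temp (MsvAvFlags included) lands here
    av_flags = struct.unpack("<I", parse_av_pairs(temp[28:]).get(MSV_AV_FLAGS, b"\x00" * 4))[0]
    if av_flags & MSV_AV_FLAG_MIC_PRESENT:
        if mic == b"\x00" * 16:
            return "rejected: MIC announced in MsvAvFlags but missing"
        unsigned = authenticate[:16] + b"\x00" * 16 + nt_response
        expected = hmac_md5(hmac_md5(key, nt_proof_str), negotiate + challenge + unsigned)
        if not hmac.compare_digest(mic, expected):
            return "rejected: MIC mismatch"
    neg_flags = struct.unpack_from("<I", negotiate, 12)[0]
    return "accepted, signing " + ("on" if neg_flags & NTLMSSP_NEGOTIATE_SIGN else "off")


def relay(tamper="none"):
    """The client talks to the relay; the relay forwards (possibly altered) messages to the server."""
    negotiate = negotiate_msg(NTLMSSP_NEGOTIATE_SIGN)
    challenge = challenge_msg(NTLMSSP_NEGOTIATE_SIGN, SERVER_CHALLENGE, target_info(DOMAIN, 0))
    authenticate = client_authenticate(negotiate, challenge, announce_mic=(tamper != "legacy_client"))
    if tamper != "none":
        negotiate = negotiate_msg(0)  # relay strips the signing flag from the forwarded NEGOTIATE
    if tamper in ("drop_mic", "clear_avflag"):
        authenticate = authenticate[:16] + b"\x00" * 16 + authenticate[32:]  # relay zeroes the MIC
    if tamper == "clear_avflag":  # relay also rewrites MsvAvFlags inside the NTLMv2 response
        authenticate = authenticate.replace(av_pair(MSV_AV_FLAGS, struct.pack("<I", MSV_AV_FLAG_MIC_PRESENT)),
                                            av_pair(MSV_AV_FLAGS, struct.pack("<I", 0)), 1)
    return server_verify(negotiate, challenge, authenticate)


if __name__ == "__main__":
    for t in ("none", "strip_sign", "drop_mic", "clear_avflag", "legacy_client"):
        print(f"{t:14s} -> {relay(t)}")
```

Stripping the signing flag breaks the MIC, zeroing the MIC trips the MsvAvFlags check, and clearing MsvAvFlags breaks NTProofStr, because each layer is keyed with the user's secret that the relay does not have. The "legacy_client" case is the gap the flag closes: a client that never sets the MIC bit gives the server nothing to demand, so the relay's stripped flags are accepted and the session ends up unsigned.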
In order for the DC to know whether the authentication is coming from the real server, in the AUTHENTICATE