A while ago I once again got frustrated by LMCompatibilityLevel and the amount of confusion that is out there about it. There was also an intriguing thing in the SAMBA documentation that they (incorrectly) called “NTLM2 Session Response” that needed figured out. The results are in the latest issue of TechNet Magazine.
One additional thing deserves mention. Roger Grimes contacted me after he saw the article and asked why the Cain tool shows an MD4 hash and an NT hash, when I claim the NT hash is actually an MD4 hash. He then proceeded to answer his own question because I couldn’t think of why. What Cain calls an MD4 hash appears to be an MD4 hash of the entire string, including the NULL terminator. The NT hash that is used in Windows is, as I mention somewhat obscurely in the article, a hash of the Unicode password string (in fact, it is even called the UnicodePwd in Active Directory, as I pointed out in the book among other places), but it does not include the NULL terminator. It just never occurred to me that Cain might display an MD4 hash that does. Thanks Roger for figuring that out.