Sunday, April 18, 2004

Sad bunny

Yesterday was fine, so it was time to rake the lawn for the spring, and mow it - enough clippings and rakings to half fill the green wheelie-bin. But today it rained. So for amusement I wrote a minimal C# implementation of NTLM (or, to be precise, NTLMv2) authentication, using only the MD5 code from the CLR, with everything else HMAC and MD4, Base-64 encoding, and HTML parsing in explicit code. It's quite amazing how much cruft there is in NTLM which can simply be discarded with no apparent loss (like the client advertising its name, or sending the insecure LAN Manager password hash in response to the server challenge) when talking to a straight-up IIS.

No comments :