Skip to content

Adding NTLM Type 2 Message Decoding#545

Open
lobsterjerusalem wants to merge 16 commits into
mainfrom
ntlm-type2-decode
Open

Adding NTLM Type 2 Message Decoding#545
lobsterjerusalem wants to merge 16 commits into
mainfrom
ntlm-type2-decode

Conversation

@lobsterjerusalem
Copy link
Copy Markdown
Collaborator

@lobsterjerusalem lobsterjerusalem commented Feb 25, 2026
edited
Loading

Ready for review.
Adds NTLM Type 2 Message Decoding.

@lobsterjerusalem lobsterjerusalem self-assigned this Feb 25, 2026
@lobsterjerusalem lobsterjerusalem changed the title needs tests, but drafting this in case any interim feedback is necessary Adding NTLM Type 2 Message Decoding Feb 25, 2026
@lobsterjerusalem lobsterjerusalem marked this pull request as ready for review February 26, 2026 18:34
terrorbyte
terrorbyte suggested changes Mar 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@terrorbyte terrorbyte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The NTLM type 2 component seems good, I think the UTF16-LE decoding is too fragile.

Comment thread transform/encode.go
@j-baines j-baines requested a review from Copilot March 6, 2026 11:06
Copilot AI reviewed Mar 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds NTLM Type 2 message decoding utilities to the transform package, including parsing of TargetInfo AV pairs and UTF-16LE decoding, with accompanying unit tests.

Changes:

  • Added NTLM Type 2 decoding (DecodeNTLMType2) and supporting data structures (NTLMType2Message, TargetInfo).
  • Added TargetInfo AV-pair parsing (decodeTargetInfo) and UTF-16LE decoding helper (DecodeUTF16LE).
  • Added unit tests covering UTF-16LE, TargetInfo parsing, and Type 2 message decoding.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 11 comments.

File Description
transform/encode.go Implements NTLM Type 2 message parsing, TargetInfo parsing, and UTF-16LE decoding.
transform/encode_test.go Adds tests validating UTF-16LE decoding, TargetInfo parsing, and NTLM Type 2 decoding.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Comment thread transform/encode.go Outdated
Comment thread transform/encode.go
Comment thread transform/encode.go Outdated
Comment thread transform/encode.go Outdated
Comment thread transform/encode_test.go
Comment thread transform/encode_test.go Outdated
Comment thread transform/encode_test.go Outdated
Comment thread transform/encode.go Outdated
Comment thread transform/encode.go Outdated
Comment thread transform/encode_test.go Outdated
spac3yspace
spac3yspace requested changes May 13, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@spac3yspace spac3yspace left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one comment from me on checking the length of the received message before indexing.

Comment thread transform/encode.go
lobsterjerusalem and others added 8 commits May 13, 2026 21:05
@lobsterjerusalem
Update transform/encode.go
86772d3 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@lobsterjerusalem
Apply suggestion from @Copilot
e1f38f8 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@lobsterjerusalem
Apply suggestion from @Copilot
20cf4d5 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@lobsterjerusalem
Apply suggestion from @Copilot
be4f7bc 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@lobsterjerusalem
Apply suggestion from @Copilot
94c0067 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@lobsterjerusalem
fixed the base parsing and made the targetinfo a conditional
b854ca1
@lobsterjerusalem
added better length checks and a test for an invalid ntlm message
5fe354e
@lobsterjerusalem
Wrapped unicode package instead of our own implementation
ffb40b7
spac3yspace
spac3yspace approved these changes May 15, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@spac3yspace spac3yspace left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just suggesting an extra guard, but this otherwise looks good to me.

Comment thread transform/encode.go

// optional value parsing
if (returnMessage.Flags & 0x00800000) != 0 { // Negotiate target info is set
targetInfoData := message[targetNameOffset : targetNameOffset+targetNameLen]
Copy link
Copy Markdown
Collaborator

@spac3yspace spac3yspace May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe add a guard here to ensure the message is large enough to be indexed here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@spac3yspace spac3yspace spac3yspace approved these changes

@j-shomo j-shomo Awaiting requested review from j-shomo

@wvu wvu Awaiting requested review from wvu

+1 more reviewer

@terrorbyte terrorbyte terrorbyte requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

@lobsterjerusalem lobsterjerusalem

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@lobsterjerusalem @terrorbyte @spac3yspace