Scapy provides dissection & build methods for NTLM and other Windows mechanisms.

How NTLM works

NTLM is a legacy method of authentication that uses a challenge-response mechanism. The goal is to:

  • verify the identity of the client

  • negotiate a common session key between the client and server


We won’t get in more details. You can read more in this article from hackndo to understand how NTLM works.

NTLM in Scapy

Scapy implements Security Providers trying to stay as close a what you would find in the Windows world.

Basically those are classes that implement two functions:

  • GSS_Init_sec_context: called by the client, passing it a Context and optionally a token

  • GSS_Accept_sec_context: called by the server, passing it a Context and optionally a token

They both return the updated Context, a token to optionally send to the server/client and a GSSAPI status code.

For NTLM, this is implemented in the NTLMSSP. You can typically use it in SMB_Client, SMB_Server, DCERPC_Client or DCERPC_Server. Have a look at SMB and DCE/RPC to get examples on how to use it.


Remember that you can wrap it in a SPNEGOSSP