server                              client
________________________________________________________________________
# authorization request
FF FD 25
FF FB 01
FF FD 03
FF FD 1F
FF FD 00
FF FB 00
                                    # ready to authenticate myself
                                    FF FB 25
# ready to get NTLM auth
FF FA 25 01 0F 00
FF F0
                                    FF FD 01

                                    FF FB 03

                                    FF FB 1F
                                    FF FA 1F 00 50 00 19
                                    FF F0

                                    FF FB 00

                                    FF FD 00

                                    # authentication, NTLM
                                    FF FA 25 00 0F 00
                                    ---
                                    00
                                    20 00 00 00 02 00 00 00
                                    ===
                                    4E 54 4C 4D 53 53 50
                                    00 01
                                    00 00
                                    00 97 82 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                    ===
                                    FF F0

# authorization response, NTLM ...
FF FA 25 02 0F 00
---
01
62 00 00 00 02 00 00 00
===
4E 54 4C 4D 53 53 50 00
02 00
00 00
# domain size and shift
06 00 06 00 30 00
00 00
95 82 82 C0
# nonce
EB CD 1C 54 E3 E4 66 0A
00 00 00 00 00 00 00 00
# size and shift of info block after domain part
2C 00 2C 00 36 00
00 00
42 00 45 00 45 00
02 00 06 00
42 00 45 00 45 00
01 00 06 00
42 00 45 00 45 00
04 00 06 00
62 00 65 00 65 00
03 00 06 00
62 00 65 00 65 00
00 00 00 00
===
FF F0

                                    # authentication continue, NTLM ...
                                    FF FA 25 00 0F 00
                                    ---
                                    02
                                    A6  00 00 00 02 00 00 00
                                    ===
                                    4E 54 4C 4D 53 53 50 00
                                    03 00
                                    00 00
                                    # LM part size and shift
                                    18 00 18 00 66 00
                                    00 00
                                    # NT part size and shift
                                    18 00 18 00 7E 00
                                    00 00
                                    # domain part size and shift
                                    06 00 06 00 40 00
                                    00 00
                                    # user part size and shift
                                    1A 00 1A 00 46 00
                                    00 00
                                    # host part size and shift
                                    06 00 06 00 60 00
                                    00 00
                                    # additional info after NT and LM parts part size and shift
                                    10 00 10 00 96 00
                                    00 00
                                    # flags
                                    95 82 80 C0
                                    # domain, user, host
                                    42 00 45 00 45 00
                                    41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61  00 74 00 6F 00 72 00
                                    42 00 45 00 45 00
                                    # LM response
                                    C2 A0 52 5D 7A C5 66 B3 9E 58 B3 E3
                                    09 EE 88 1B C8 65 B7 08 F2 F1 AD 54
                                    # NT response
                                    91 36 10 30 31 00 55 E2 82 0D 55 B4
                                    98 BC 27 76 4B 36 BF 51 16 D0 FC 6A
                                    # unknown additional info
                                    83 3D 88 20 F1 97 47 83 1F A1 39 9E C2 71 3B 2E
                                    ===
                                    FF F0
# authorization info, NTLM ...
FF FA 25 02 0F 00
---
03
===
===
FF F0

# termianl type request
FF FD 18
                                    # ready to set terminal type
                                    FF FB 18
# ready to get terminal type
FF FA 18 01
FF F0
                                    # termial type is ANSI
                                    FF FA 18 00 41 4E 53 49
                                    FF F0

    Source: geocities.com/rozmanov/ntlm

               ( geocities.com/rozmanov)