you know what? this sort of thing makes me laugh. hmm, what functions

have we got.  and what data do we have.  hmm.. i wonder what the NTLMv2
user session key can be... hmmm... weell.... there's some hidden data
here, generated from the user password that doesn't go over-the-wire,
so that's _got_ to be involved.  and... that bit of data took a lot of
computation to produce, so it's probably _also_ involved... and md4 no, md5?
no, how about hmac_md5 yes let's try that one (the other's didn't work)
oh goodie, it worked!

i love it when this sort of thing happens.  took all of fifteen minutes to
guess it.  tried concatenating client and server challenges.  tried
concatenating _random_ bits of client and server challenges.  tried
md5 of the above.  tried hmac_md5 of the above.  eventually, it boils down
to this:

kr = MD4(NT#,username,domainname)
hmacntchal=hmac_md5(kr, nt server challenge)
sess_key = hmac_md5(kr, hmacntchal);
(This used to be commit ab174759cd210fe1be888d0c589a5b2669f7ff1e)

1 files changed, 7 insertions, 2 deletions

diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index b153654591..26a5f25c7d 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -1026,8 +1026,13 @@ static BOOL cli_calc_session_pwds(struct cli_state *cli,
 			*ntpasslen = cli->nt_cli_chal_len + 16;
 
 			hmac_md5_init_limK_to_64(kr, 16, &ctx);
-			hmac_md5_update(cli->nt_cli_chal, cli->nt_cli_chal_len, &ctx);
+			hmac_md5_update(cli->nt_cli_chal, cli->nt_cli_chal_len,
+			                &ctx);
 			hmac_md5_final(cli->sess_key, &ctx);
+#if DEBUG_PASSWORD
+			DEBUG(100,("session key:\n"));
+			dump_data(100, cli->sess_key, sizeof(cli->sess_key));
+#endif
 
 		}
 		else
@@ -3262,7 +3267,7 @@ BOOL cli_establish_connection(struct cli_state *cli,
 		}
 
 		pwd_get_lm_nt_owf(&(cli->pwd), lm_sess_pwd, nt_sess_pwd,
-		                  &nt_sess_pwd_len);
+		                  &nt_sess_pwd_len, cli->sess_key);
 
 		/* attempt encrypted session */
 		if (!cli_session_setup_x(cli, cli->user_name,