you know what? this sort of thing makes me laugh. hmm, what functions

have we got.  and what data do we have.  hmm.. i wonder what the NTLMv2
user session key can be... hmmm... weell.... there's some hidden data
here, generated from the user password that doesn't go over-the-wire,
so that's _got_ to be involved.  and... that bit of data took a lot of
computation to produce, so it's probably _also_ involved... and md4 no, md5?
no, how about hmac_md5 yes let's try that one (the other's didn't work)
oh goodie, it worked!

i love it when this sort of thing happens.  took all of fifteen minutes to
guess it.  tried concatenating client and server challenges.  tried
concatenating _random_ bits of client and server challenges.  tried
md5 of the above.  tried hmac_md5 of the above.  eventually, it boils down
to this:

kr = MD4(NT#,username,domainname)
hmacntchal=hmac_md5(kr, nt server challenge)
sess_key = hmac_md5(kr, hmacntchal);
(This used to be commit ab174759cd210fe1be888d0c589a5b2669f7ff1e)

1 files changed, 1 insertions, 1 deletions

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index df09f02398..71670c0d84 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -973,7 +973,7 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, uint16 fnum,
 			                     rpc_call_id,
 			                     &hdra, &hdr_autha, &auth_resp);
 			                    
-			pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL, NULL);
+			pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL, NULL, NULL);
 			pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
 			NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
 			{