From dab1a1227873f1a88dc7a4b8f63edcccd60ada85 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Sun, 21 Nov 1999 19:24:01 +0000 Subject: you know what? this sort of thing makes me laugh. hmm, what functions have we got. and what data do we have. hmm.. i wonder what the NTLMv2 user session key can be... hmmm... weell.... there's some hidden data here, generated from the user password that doesn't go over-the-wire, so that's _got_ to be involved. and... that bit of data took a lot of computation to produce, so it's probably _also_ involved... and md4 no, md5? no, how about hmac_md5 yes let's try that one (the other's didn't work) oh goodie, it worked! i love it when this sort of thing happens. took all of fifteen minutes to guess it. tried concatenating client and server challenges. tried concatenating _random_ bits of client and server challenges. tried md5 of the above. tried hmac_md5 of the above. eventually, it boils down to this: kr = MD4(NT#,username,domainname) hmacntchal=hmac_md5(kr, nt server challenge) sess_key = hmac_md5(kr, hmacntchal); (This used to be commit ab174759cd210fe1be888d0c589a5b2669f7ff1e) --- source3/libsmb/clientgen.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/clientgen.c') diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c index b153654591..26a5f25c7d 100644 --- a/source3/libsmb/clientgen.c +++ b/source3/libsmb/clientgen.c @@ -1026,8 +1026,13 @@ static BOOL cli_calc_session_pwds(struct cli_state *cli, *ntpasslen = cli->nt_cli_chal_len + 16; hmac_md5_init_limK_to_64(kr, 16, &ctx); - hmac_md5_update(cli->nt_cli_chal, cli->nt_cli_chal_len, &ctx); + hmac_md5_update(cli->nt_cli_chal, cli->nt_cli_chal_len, + &ctx); hmac_md5_final(cli->sess_key, &ctx); +#if DEBUG_PASSWORD + DEBUG(100,("session key:\n")); + dump_data(100, cli->sess_key, sizeof(cli->sess_key)); +#endif } else @@ -3262,7 +3267,7 @@ BOOL cli_establish_connection(struct cli_state *cli, } pwd_get_lm_nt_owf(&(cli->pwd), lm_sess_pwd, nt_sess_pwd, - &nt_sess_pwd_len); + &nt_sess_pwd_len, cli->sess_key); /* attempt encrypted session */ if (!cli_session_setup_x(cli, cli->user_name, -- cgit