Update to NTLM docs

Eric Glass eric.glass at gmail.com
Thu Sep 7 00:09:21 GMT 2006


>
> >
> > key = 0xae33a32dca8c9821844f740d5b3f4d6c
>
> The key is (this being NTLMv1) at an offset of 216 bytes if the server context
> exported, right?
>

The key (in this case) is the NTLM user session key; it is the MD4
digest of the NTLM hash (which is itself the MD4 digest of the Unicode
password):

key = MD4(MD4(0x74006500730074003100320033003400)) =
	0xae33a32dca8c9821844f740d5b3f4d6c

The signing/sealing keys usually show up in the context export, but
their location can differ between different OS versions.  Typically
the export contains the four subkeys (server-to-client signing,
server-to-client sealing, client-to-server signing, client-to-server
sealing); in the case of NTLM1, those are all the same key, so it's
repeated 4 times.  From your export:

c8b32e78c8b32e780000000000000000000000000000000060730a00058282a10000000000000000
a8aa1300a8aa130028ab130028ab13000000000000000000d0020000000000000000000000000000
00000000000000000200000000000000ffffffffffffff7f20050000
ae33a32dca8c9821844f740d5b3f4d6c  <----(here are the keys)
ae33a32dca8c9821844f740d5b3f4d6c
ae33a32dca8c9821844f740d5b3f4d6c
ae33a32dca8c9821844f740d5b3f4d6c
000000000000000000000000ae3787b72ff94884680d3e5658c064df...


The export itself is useful more as a sanity check; i.e. if you
calculate an output and it's different than what you get, it can help
since you can at least check back against the intermediate keys.  But
since the format can vary across different versions, that's pretty
much all it's good for.

Eric


More information about the samba-technical mailing list