jborean93
commented
2 years ago This is going to fun, on 1 hand using md4 should be respected by OS settings but on the other hand md4 is absolutely required for NTLM which while evil is a very common use case of this library. Using a custom implementation is probably the best way forward.
As reported here https://github.com/jborean93/smbprotocol/issues/173#issue-1198815717 it looks like Ubuntu 22.04 will have openssl without MD4
I guess there are out there other Linux distributions that might already ship without md4, is just that nobody uses them with NTLMv1
I see that md4 is used in pyspnego here
https://github.com/jborean93/pyspnego/blob/03eb0c9f04daad67b1173f27fb365f10bc432caa/src/spnego/_ntlm_raw/crypto.py#L133
With a simply "proxy" implementation here
https://github.com/jborean93/pyspnego/blob/03eb0c9f04daad67b1173f27fb365f10bc432caa/src/spnego/_ntlm_raw/crypto.py#L342
I guess that the only option for legacy, is to vendor/copy/reimplement md4 in pysnego
Like this https://github.com/rpicard/py-md4 ... no licence for the code :(
Or document that ntlmv1 is not supported with old NTLMv1