final SmbSession ssn = trans.getSmbSession(NtlmPasswordAuthentication.DEFAULT);
            ssn.getSmbTree(LOGON_SHARE, null).treeConnect(null, null);
        }
        return new NtlmChallenge(trans.server.encryptionKey, dc);
    }

    /**
     * Retrieves an NTLM challenge from a domain controller for the configured domain.
     *
     * @return the NTLM challenge from the domain controller

        SmbTransport.ServerData serverData = mockTransport.new ServerData();
        serverData.security = ServerMessageBlock.SECURITY_USER;
        serverData.encryptedPasswords = true;
        serverData.encryptionKey = new byte[8];

        // Configure mock transport
        mockTransport.server = serverData;
        mockTransport.sessionKey = 0x12345678;

            if (session.transport.server.encryptedPasswords) {
                // encrypted
                password = session.auth.getAnsiHash(session.transport.server.encryptionKey);
                passwordLength = password.length;
            } else if (DISABLE_PLAIN_TEXT_PASSWORDS) {
                throw new RuntimeException("Plain text passwords are disabled");
            } else {

        SmbTransport.ServerData serverData = transport.new ServerData();
        serverData.security = 0; // Set to 0 or appropriate value for SECURITY_SHARE
        serverData.encryptionKey = new byte[8]; // Initialize with empty encryption key

        // Configure the mock transport with the server data
        transport.server = serverData;

        smbtStatic = mockStatic(SmbTransport.class);

                this.passwordLength = 1;
            } else if (this.server.encryptedPasswords) {
                // encrypted
                try {
                    this.password = pwAuth.getAnsiHash(this.ctx, this.server.encryptionKey);
                } catch (final GeneralSecurityException e) {
                    throw new RuntimeCIFSException("Failed to encrypt password", e);
                }

    private static class ServerDataStub extends ServerData {
        public ServerDataStub() {
            this.security = SmbConstants.SECURITY_USER;
            this.encryptedPasswords = false;
            this.encryptionKey = new byte[0];
        }
    }

    @Test
    void anonymousGuestCredentials() throws Exception {
        setupNegotiateStubs();

        NtlmPasswordAuthenticator auth = mock(NtlmPasswordAuthenticator.class);

        // SMB1 negotiation with server data
        SmbComNegotiateResponse smb1 = new SmbComNegotiateResponse(ctx);
        ServerData sd = smb1.getServerData();
        sd.encryptionKey = new byte[] { 1, 2, 3 };
        setField(transport, "negotiated", smb1);
        assertArrayEquals(new byte[] { 1, 2, 3 }, transport.getServerEncryptionKey());

        // SMB2 negotiation never exposes key via this API

### 12.1 Handle State Encryption
```java
public class SecureHandleStorage {
    private final SecretKey encryptionKey;
    
    public void saveEncrypted(HandleInfo handle, Path file) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, encryptionKey);
        
        ByteArrayOutputStream baos = new ByteArrayOutputStream();

            final byte[] encryptionKey = Smb3KeyDerivation.deriveEncryptionKey(dialectInt, sessionKey, preauthHash);
            final byte[] decryptionKey = Smb3KeyDerivation.deriveDecryptionKey(dialectInt, sessionKey, preauthHash);

            // Pass session key and preauthHash to enable automatic key rotation
            return new Smb2EncryptionContext(cipherId, dialect, encryptionKey, decryptionKey, sessionKey, preauthHash);

                        }
                    } else {
                        log.debug("Initialize signing");
                        byte[] signingKey = npa.getSigningKey(getContext(), negoResp.getServerData().encryptionKey);
                        if (signingKey == null) {
                            throw new SmbException("Need a signature key but the server did not provide one");
                        }