[Samba] Being able to read password hashes

Achim Gottinger achim at ag-web.biz
Mon Jul 21 12:49:37 MDT 2014


On 21.07.2014 20:12, Achim Gottinger wrote:
> On 21.07.2014 19:38, Achim Gottinger wrote:
>> On 21.07.2014 19:03, Jefferson Davis wrote:
>>> I was wondering about this as we continue our migration.
>>>
>>> I have a script that my techs use to temporarily change passwords
>>> so that they can login as a user for testing config changes, 
>>> repairs, etc.
>>>
>>> While I'm still a bit bent about having to rework my entire freaking 
>>> account mgmt toolchain due to the massive changes wrought by AD DC 
>>> functionality in samba4, it's nice to know the functionality we need 
>>> is there.
>>>
>>> Now to see if I can locate a reasonably-priced time-travel device on 
>>> craigslist to allow the extra time needed to do this...
>>>
>>> ----- Original Message -----
>>>
>>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org>
>>> To: "Rowland Penny" <rowlandpenny at googlemail.com>, "sambalist" 
>>> <samba at lists.samba.org>
>>> Sent: Monday, July 21, 2014 9:21:33 AM
>>> Subject: Re: [Samba] Being able to read password hashes
>>>
>>> With any Microsoft Active Directory server you cannot get access to
>>> read password hashes, you can only change them.
>>>
>>> It's the fact I can get the hash so easily and also everybody else's.
>>>
>>> I am not all that bothered, as for this sysadmin it's a Brucie Bonus.
>>>
>>> Irrespective of the website, if it's not there all I need to do is
>>> throw some CUDA cores at http://hashcat.net/hashcat/ and one way or
>>> another I will get it.
>>>
>>> Should the hashes be so easily available was my main question?
>>>
>>> I was just wondering what others thought, seems cool enough.
>>>
>>> Stuart
>>>
>>>
>>> -----Original message-----
>>>> From:Rowland Penny <rowlandpenny at googlemail.com>
>>>> Sent: Monday 21st July 2014 10:24
>>>> To: sambalist <samba at lists.samba.org>
>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>
>>>> On 21/07/14 10:02, Philippe.Simonet at swisscom.com wrote:
>>>>> not cracking : ntlm hash database lookup.
>>>> Same difference, the OP said he put a unicodePwd password into a 
>>>> webpage
>>>> that deals with NTLM passwords and got his plain password back, or are
>>>> you missing the point?
>>>>
>>>> Rowland
>>>>>> -----Original Message-----
>>>>>> From: samba-bounces at lists.samba.org [mailto:samba-
>>>>>> bounces at lists.samba.org] On Behalf Of Rowland Penny
>>>>>> Sent: Monday, July 21, 2014 10:46 AM
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>
>>>>>> On 21/07/14 09:29, Stuart Naylor wrote:
>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=person)(name=Administrator))' name unicodePwd
>>>>>>> # record 1
>>>>>>> dn: CN=Administrator,CN=Users,DC=office,DC=zentyal,DC=lan
>>>>>>> name: Administrator
>>>>>>> unicodePwd:: kXh1DQFudwnw+lnHhubyUw==
>>>>>>>
>>>>>>> http://www.hashkiller.co.uk/ntlm-decrypter.aspx just took 242ms to return my password
>>>>>> Are you sure? you put a unicodePwd into something that cracks ntlm
>>>>>> passwords and got your plain password back??
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>> Only zent1 as its just a VM running a test of Zentyal3.5
>>>>
>>>>
>> After reading this
>> http://technet.microsoft.com/de-de/magazine/ff848710.aspx the
>> unicodePwd is not encrypted and it does not look too difficult to
>> create the plaintext password out of this base64 sequence.
>>
>> That article also mentions that this unicodePwd attribute only
>> exists on servers having AD LDS templates applied, which seem not to
>> be necessary for normal AD behaviour.
>>
>>
> Tried to decrypt a password on my server but it did not work; found
> this old discussion on the samba list about the issue.
>
> https://lists.samba.org/archive/samba-technical/2011-December/080849.html
>
> There it is mentioned that the unicodePwd attribute is the NT password
> hash, base64 encoded, and not a base64 encoded version of the
> plaintext password as mentioned in the Microsoft article.
>
> What happens when I add a Samba server as an ADDC to a Windows AD
> Domain with the AD LDS schema in use? Will unicodePwd return a base64
> encoded version of the plaintext password?
>
>
Sorry for the noise, figured it out: unicodePwd can be used to change
the password and must be fed with the base64 encoded cleartext password
enclosed in "". The password gets encrypted before being stored
(http://msdn.microsoft.com/en-us/library/cc245688.aspx).
The only difference on Samba seems to be that it makes this attribute readable.
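
An added example, not part of the original post or of Samba's code: a small audit helper that tells apart the two unicodePwd forms discussed in this thread, the 16-byte NT hash returned on read and the quoted UTF-16LE cleartext sent on write. The function names and the `Example-Pw1` password are assumptions made for illustration; the LDIF sample is constructed from the ldbsearch output quoted above.

```python
import base64

# Constructed sample in the shape of the ldbsearch output quoted in the thread
# (the unicodePwd value is the one shown there).
SAMPLE_LDIF = """\
# record 1
dn: CN=Administrator,CN=Users,DC=office,DC=zentyal,DC=lan
name: Administrator
unicodePwd:: kXh1DQFudwnw+lnHhubyUw==
"""

def encode_for_write(password):
    """Value a client sends to set a password: quoted, UTF-16LE, then base64."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")

def classify(b64_value):
    """Return (kind, detail) for a base64 unicodePwd value."""
    raw = base64.b64decode(b64_value, validate=True)
    quote = '"'.encode("utf-16-le")
    # Write form: even length, wrapped in UTF-16LE double quotes.
    if (len(raw) >= 4 and len(raw) % 2 == 0
            and raw.startswith(quote) and raw.endswith(quote)):
        return "write-form", raw.decode("utf-16-le", errors="replace")[1:-1]
    # Read form on Samba: the raw NT hash, which is always 16 bytes (MD4 output).
    if len(raw) == 16:
        return "nt-hash", raw.hex()
    return "unknown", raw.hex()

def exposed_hashes(ldif_text):
    """Map dn -> hex NT hash for every record whose unicodePwd was readable."""
    found, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("unicodePwd:: "):
            kind, detail = classify(line.split(":: ", 1)[1].strip())
            if kind == "nt-hash":
                found[dn] = detail
    return found

if __name__ == "__main__":
    for dn, nt in exposed_hashes(SAMPLE_LDIF).items():
        print(f"{dn}: readable NT hash {nt}")
    print(classify(encode_for_write("Example-Pw1")))
```

Any record reported by `exposed_hashes` means the account running the query can read sam.ldb directly, so the check is most useful for reviewing who has that file access.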


