[Samba] Being able to read password hashes

Rob Townley rob.townley at gmail.com
Mon Jul 21 18:15:07 MDT 2014


It does not appear that the hashes are salted but even if they were...
maybe MimiKatz knows the value of the salt so it does not matter unless the
syskey utility was run.
On Jul 21, 2014 6:41 PM, "Rob Townley" <rob.townley at gmail.com> wrote:

> Windows MimiKatz.exe utility run as elevated admin knows how to retrieve
> the system keys used to hash the password in the first place.  Result is
> most all passwords on the system are instantly reverted to plain human
> text.
>
> So if a Domain Admin logs onto a workstation that the janitor has physical
> access to, the janitor can retrieve the Domain Admin password.  Recommend
> domain admin cannot log on to anything but DCs.
>
> Tested on Win8.1 and found the password I could not remember.  Retrieving
> your forgotten plain text password is a "feature" in the age of Alzheimer's.
>
> Thomas Habets (of true arping fame) is writing TPM software so that your
> ssh private key never has to go into RAM.
>
> Note how MS Trustworthy Computing Group says it can only be mitigated, not
> prevented.
> http://www.microsoft.com/en-us/download/details.aspx?id=36036
>  On Jul 21, 2014 1:50 PM, "Achim Gottinger" <achim at ag-web.biz> wrote:
>
>> On 21.07.2014 20:12, Achim Gottinger wrote:
>>
>>> On 21.07.2014 19:38, Achim Gottinger wrote:
>>>
>>>> On 21.07.2014 19:03, Jefferson Davis wrote:
>>>>
>>>>> I was wondering about this as we continue our migration.
>>>>>
>>>>> I have a script that my techs use to temporarily change passwords so
>>>>> that they can log in as a user for testing config changes, repairs, etc.
>>>>>
>>>>> While I'm still a bit bent about having to rework my entire freaking
>>>>> account mgmt toolchain due to the massive changes wrought by AD DC
>>>>> functionality in samba4, it's nice to know the functionality we need is
>>>>> there.
>>>>>
>>>>> Now to see if I can locate a reasonably-priced time-travel device on
>>>>> craigslist to allow the extra time needed to do this...
>>>>>
>>>>> ----- Original Message -----
>>>>>
>>>>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org>
>>>>> To: "Rowland Penny" <rowlandpenny at googlemail.com>, "sambalist" <
>>>>> samba at lists.samba.org>
>>>>> Sent: Monday, July 21, 2014 9:21:33 AM
>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>
>>>>> With any Microsoft active directory server you cannot get access to
>>>>> read password hashes, you can only change them.
>>>>>
>>>>> It's the fact I can get the hash so easily, and also everybody else's.
>>>>>
>>>>> I am not all that bothered as for this sysadmin it's a Brucie Bonus.
>>>>>
>>>>> Irrespective of the website, if it's not there all I need to do is throw
>>>>> some cuda cores at http://hashcat.net/hashcat/ and one way or another
>>>>> I will get it.
>>>>>
>>>>> Should the hashes be so easily available was my main question?
>>>>>
>>>>> I was just wondering what others thought, seems cool enough.
>>>>>
>>>>> Stuart
>>>>>
>>>>>
>>>>> -----Original message-----
>>>>>
>>>>>> From:Rowland Penny <rowlandpenny at googlemail.com>
>>>>>> Sent: Monday 21st July 2014 10:24
>>>>>> To: sambalist <samba at lists.samba.org>
>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>
>>>>>> On 21/07/14 10:02, Philippe.Simonet at swisscom.com wrote:
>>>>>>
>>>>>>> not cracking: ntlm hash database lookup.
>>>>>>>
>>>>>> Same difference, the OP said he put a unicodePwd password into a
>>>>>> webpage
>>>>>> that deals with NTLM passwords and got his plain password back, or are
>>>>>> you missing the point?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>>> From: samba-bounces at lists.samba.org [mailto:samba-
>>>>>>>> bounces at lists.samba.org] On Behalf Of Rowland Penny
>>>>>>>> Sent: Monday, July 21, 2014 10:46 AM
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>
>>>>>>>> On 21/07/14 09:29, Stuart Naylor wrote:
>>>>>>>>
>>>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=person)(name=Administrator))' name unicodePwd
>>>>>>>>>
>>>>>>>>
>>>>>>>>> # record 1
>>>>>>>>> dn: CN=Administrator,CN=Users,DC=office,DC=zentyal,DC=lan
>>>>>>>>> name: Administrator
>>>>>>>>> unicodePwd:: kXh1DQFudwnw+lnHhubyUw==
>>>>>>>>>
>>>>>>>>> http://www.hashkiller.co.uk/ntlm-decrypter.aspx just took 242ms
>>>>>>>>> to return my password
>>>>>>>>
>>>>>>>> Are you sure? you put a unicodePwd into something that cracks ntlm
>>>>>>>> passwords and got your plain password back??
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>  Only zent1 as it's just a VM running a test of Zentyal3.5
>>>>>>>>>
>>>>>>>> --
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>
>>>>>>>
>>>>>>
>>>> After reading this http://technet.microsoft.com/de-de/magazine/ff848710.aspx
>>>> the unicodePwd is not encrypted and it does not look too difficult to
>>>> create the plaintext password out of this base64 sequence.
>>>>
>>>> That article also mentions that this unicodePwd attribute only exists
>>>> on servers having AD LDS templates applied, which seem not to be necessary
>>>> for normal AD behaviour.
>>>>
>>>>
>>> Tried to decrypt a password on my server but it did not work, found
>>> this old discussion on the samba list about the issue.
>>>
>>> https://lists.samba.org/archive/samba-technical/2011-December/080849.html
>>>
>>> There it is mentioned that the unicodePwd attribute is the NT password
>>> hash base64 encoded, and not a base64 encoded version of the plaintext
>>> password as mentioned in the Microsoft article.
>>>
>>> What happens when I add a Samba server as an AD DC to a Windows AD
>>> domain with the AD LDS schema in use? Will unicodePwd return a base64
>>> encoded version of the plaintext password?
>>>
>>>
>> Sorry for the noise, figured it out: unicodePwd can be used to change
>> the password and must be fed with a base64 encoded cleartext password
>> enclosed in "". The password gets encrypted before being stored (
>> http://msdn.microsoft.com/en-us/library/cc245688.aspx).
>> The only difference on Samba seems to be that it makes this attribute readable.
>>
>>
>
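As an added example (not from any poster in this thread and not Samba's own code), a Python script that shows what the thread works out about unicodePwd: on a Samba AD DC the readable value is the base64 NT hash, i.e. an unsalted MD4 over the UTF-16LE password, which is why a hash lookup service can answer instantly, while on Windows AD the attribute is write-only and takes the double-quoted UTF-16LE password. MD4 is implemented inline because hashlib's md4 is often unavailable; the sample unicodePwd value is the one quoted in the thread, and the password 'Example1' is constructed.

```python
import base64, struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); inline because hashlib's md4 is often unavailable under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # message length in bits, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, word order, per-step shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = h[:]
        for f, order, shifts, k in rounds:
            for i, xi in enumerate(order):
                j = (-i) % 4  # step i updates a, d, c, b in turn, using the other three words
                s[j] = _rotl((s[j] + f(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4])
                              + X[xi] + k) & MASK, shifts[i % 4])
        h = [(a + b) & MASK for a, b in zip(h, s)]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE password. This is what Samba's readable unicodePwd holds."""
    return md4(password.encode("utf-16-le"))

def decode_samba_unicodepwd(b64_value: str) -> bytes:
    """Decode the base64 unicodePwd value that ldbsearch prints into the raw 16-byte NT hash."""
    raw = base64.b64decode(b64_value)
    assert len(raw) == 16, "unicodePwd on Samba should be a 16-byte MD4 digest"
    return raw

def ad_unicodepwd_write_value(password: str) -> str:
    """Write form for setting a password through unicodePwd on AD (MS-ADTS): quoted password, UTF-16LE, base64."""
    return base64.b64encode(('"' + password + '"').encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    thread_value = "kXh1DQFudwnw+lnHhubyUw=="  # the unicodePwd value quoted in the thread
    print("hash stored in sam.ldb:", decode_samba_unicodepwd(thread_value).hex())
    print("NT hash of 'password' (same on every host, no salt):", nt_hash("password").hex())
    print("AD write form for constructed password 'Example1':", ad_unicodepwd_write_value("Example1"))
```

Because there is no salt, the NT hash of a given password is identical on every domain, which is what makes the precomputed lookup described in the thread possible; restricting who can read sam.ldb and avoiding privileged logons on untrusted hosts are the mitigations the thread points at.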

