[Samba] Being able to read password hashes

Rowland Penny rowlandpenny at googlemail.com
Wed Jul 23 03:43:15 MDT 2014


On 23/07/14 10:31, Achim Gottinger wrote:
> On 22.07.2014 21:52, Stuart Naylor wrote:
>> Think it was mentioned here. 
>> http://technet.microsoft.com/en-us/magazine/ff848710.aspx
>>
>> Apols guys as I was just trying to work out the implications.
>>
>> Makes it easier for the admin to be honest, the admin might not know 
>> the password but you can set up users with the password they know.
>>
>>     -----Original message-----
>>> From:Jefferson Davis <jdavis at standard.k12.ca.us>
>>> Sent: Tuesday 22nd July 2014 18:08
>>> To: Stuart Naylor <stuartiannaylor at thursbygarden.org>
>>> Cc: samba at lists.samba.org
>>> Subject: Re: [Samba] Being able to read password hashes
>>>
>>> So, how do you do this?
>>>
>>> ----- Original Message -----
>>>
>>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org>
>>> To: "Achim Gottinger" <achim at ag-web.biz>, samba at lists.samba.org
>>> Sent: Tuesday, July 22, 2014 12:56:57 AM
>>> Subject: Re: [Samba] Being able to read password hashes
>>>
>>> I just wondered that is all.
>>>
>>> On a M$ AD you can only write not read the hash directly.
>>>
>>> It's different on samba4 and thought I would just mention it.
>>>
>>>
>>>
>>>
>>>
>>> -----Original message-----
>>>> From:Achim Gottinger <achim at ag-web.biz>
>>>> Sent: Monday 21st July 2014 18:38
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>
>>>> On 21.07.2014 19:03, Jefferson Davis wrote:
>>>>> I was wondering about this as we continue our migration.
>>>>>
>>>>> I have a script that my techs use to temporarily change passwords 
>>>>> so that they can login as a user for testing config changes, 
>>>>> repairs, etc.
>>>>>
>>>>> While I'm still a bit bent about having to rework my entire 
>>>>> freaking account mgmt toolchain due to the massive changes wrought 
>>>>> by AD DC functionality in samba4, it's nice to know the 
>>>>> functionality we need is there.
>>>>>
>>>>> Now to see if I can locate a reasonably-priced time-travel device 
>>>>> on craigslist to allow the extra time needed to do this...
>>>>>
>>>>> ----- Original Message -----
>>>>>
>>>>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org>
>>>>> To: "Rowland Penny" <rowlandpenny at googlemail.com>, "sambalist" 
>>>>> <samba at lists.samba.org>
>>>>> Sent: Monday, July 21, 2014 9:21:33 AM
>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>
>>>>> With any Microsoft active directory server you can not get access 
>>>>> to read password hashes you can only change them.
>>>>>
>>>>> It's the fact I can get the hash so easily and also everybody else's.
>>>>>
>>>>> I am not all that bothered as for this sysadmin it's a Brucie Bonus.
>>>>>
>>>>> Irrespective of the website if it's not there all I need to do is 
>>>>> throw some cuda cores at http://hashcat.net/hashcat/ and one way 
>>>>> or another I will get it.
>>>>>
>>>>> Should the hashes be so easily available was my main question?
>>>>>
>>>>> I was just wondering what others thought, seems cool enough.
>>>>>
>>>>> Stuart
>>>>>
>>>>>
>>>>> -----Original message-----
>>>>>> From:Rowland Penny <rowlandpenny at googlemail.com>
>>>>>> Sent: Monday 21st July 2014 10:24
>>>>>> To: sambalist <samba at lists.samba.org>
>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>
>>>>>> On 21/07/14 10:02, Philippe.Simonet at swisscom.com wrote:
>>>>>>> not cracking : ntlm hash database lookup.
>>>>>> Same difference, the OP said he put a unicodePwd password into a 
>>>>>> webpage
>>>>>> that deals with NTLM passwords and got his plain password back, 
>>>>>> or are
>>>>>> you missing the point?
>>>>>>
>>>>>> Rowland
>>>>>>>> -----Original Message-----
>>>>>>>> From: samba-bounces at lists.samba.org [mailto:samba-
>>>>>>>> bounces at lists.samba.org] On Behalf Of Rowland Penny
>>>>>>>> Sent: Monday, July 21, 2014 10:46 AM
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>
>>>>>>>> On 21/07/14 09:29, Stuart Naylor wrote:
>>>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb
>>>>>>>> '(&(objectclass=person)(name=Administrator))' name unicodePwd
>>>>>>>>> # record 1
>>>>>>>>> dn: CN=Administrator,CN=Users,DC=office,DC=zentyal,DC=lan
>>>>>>>>> name: Administrator
>>>>>>>>> unicodePwd:: kXh1DQFudwnw+lnHhubyUw==
>>>>>>>>>
>>>>>>>>> http://www.hashkiller.co.uk/ntlm-decrypter.aspx just took 
>>>>>>>>> 242ms to return
>>>>>>>> my password
>>>>>>>> Are you sure? you put a unicodePwd into something that cracks ntlm
>>>>>>>> passwords and got your plain password back??
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>> Only zent1 as its just a VM running a test of Zentyal3.5
>>>>>>
>>>> After reading this
>>>> http://technet.microsoft.com/de-de/magazine/ff848710.aspx the 
>>>> unicodePwd
>>>> is not encrypted and it does not look too difficult to create the
>>>> plaintext password out of this base64 sequence.
>>>>
>>>> That article also mentions that this unicodePwd attribute only exists
>>>> on servers having ad lds templates applied, which seem not to be
>>>> necessary for normal ad behaviour.
>>>>
>>>>
>>>>
>>>>
>>> -- 
>>>
>>>
>>>
>>> Jefferson K Davis
>>> Technology and Information Systems Manager
>>> Standard School District
>>> 1200 North Chester Ave
>>> Bakersfield, CA 93308
>>> 661.392.2110 ext 120 (office)
>>> http://district.standard.k12.ca.us
>>>
> To change the password with a hash (read earlier from unicodePwd) I 
> assume you must modify dBCSPwd 
> http://msdn.microsoft.com/en-us/library/cc245687.aspx and maybe 
> unicodePwd as well. A few other requirements are mentioned in the link.
>
> Tried mimikaze.exe and it's scary how fast it displays all user 
> passwords in cleartext.
>
> Interesting thread.
>
> achim~
>
Hi, yes you need to encode the password, you can do this in bash like this:

echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0

and then put the result into the user's 'unicodePwd' attribute.

You are supposed to have to do this over SSL, but I seem to be able to 
do this without using SSL.

Rowland
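
The two unicodePwd formats discussed in this thread, side by side, as an added example that is not part of the original message: the value written over LDAP is the quoted password in UTF-16LE (the bash pipeline above), while the value ldbsearch returned earlier in the thread decodes to 16 raw bytes rather than text. The function names are hypothetical.

```python
import base64

QUOTE = '"'.encode("utf-16-le")  # b'"\x00'


def encode_unicodepwd_write(password: str) -> str:
    """Same result as: echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0"""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def decode_unicodepwd_write(b64_value: str) -> str:
    """Reverse of the write encoding; raises ValueError if the value is not in that format."""
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) < 4 or len(raw) % 2 or not (raw.startswith(QUOTE) and raw.endswith(QUOTE)):
        raise ValueError("not a quoted UTF-16LE write value")
    try:
        return raw.decode("utf-16-le")[1:-1]
    except UnicodeDecodeError as exc:
        raise ValueError("not valid UTF-16LE") from exc


def classify_unicodepwd(b64_value: str) -> str:
    """Tell a write-format value apart from a stored 16-byte value."""
    try:
        decode_unicodepwd_write(b64_value)
        return "write-format"
    except ValueError:
        pass
    raw = base64.b64decode(b64_value, validate=True)
    return "16-byte-hash" if len(raw) == 16 else "unknown"


if __name__ == "__main__":
    # Placeholder password from the bash one-liner above.
    written = encode_unicodepwd_write("PASSWORD")
    print(written, "->", classify_unicodepwd(written))
    # Value as shown in the ldbsearch output quoted earlier in this thread.
    stored = "kXh1DQFudwnw+lnHhubyUw=="
    print(stored, "->", classify_unicodepwd(stored))
```

The stored value is a fixed-length digest, so it cannot be turned back into the password by decoding alone; it still has to be protected like a credential, since read access to sam.ldb exposes it for every account.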

