[Samba] Being able to read password hashes

Achim Gottinger achim at ag-web.biz
Wed Jul 23 09:57:27 MDT 2014


On 23.07.2014 12:14, Rowland Penny wrote:
> On 23/07/14 10:59, Achim Gottinger wrote:
>> On 23.07.2014 11:43, Rowland Penny wrote:
>>> On 23/07/14 10:31, Achim Gottinger wrote:
>>>> On 22.07.2014 21:52, Stuart Naylor wrote:
>>>>> Think it was mentioned here. 
>>>>> http://technet.microsoft.com/en-us/magazine/ff848710.aspx
>>>>>
>>>>> Apols guys as I was just trying to work out the implications.
>>>>>
>>>>> Makes it easier for the admin to be honest, the admin might not 
>>>>> know the password but you can set up users with the password they 
>>>>> know.
>>>>>
>>>>>     -----Original message-----
>>>>>> From:Jefferson Davis <jdavis at standard.k12.ca.us>
>>>>>> Sent: Tuesday 22nd July 2014 18:08
>>>>>> To: Stuart Naylor <stuartiannaylor at thursbygarden.org>
>>>>>> Cc: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>
>>>>>> So, how do you do this?
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>
>>>>>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org>
>>>>>> To: "Achim Gottinger" <achim at ag-web.biz>, samba at lists.samba.org
>>>>>> Sent: Tuesday, July 22, 2014 12:56:57 AM
>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>
>>>>>> I just wondered that is all.
>>>>>>
>>>>>> On a M$ AD you can only write not read the hash directly.
>>>>>>
>>>>>> It's different on samba4 and thought I would just mention it.
>>>>>>
>>>>>>
>>>>>> -----Original message-----
>>>>>>> From:Achim Gottinger <achim at ag-web.biz>
>>>>>>> Sent: Monday 21st July 2014 18:38
>>>>>>> To: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>
>>>>>>> On 21.07.2014 19:03, Jefferson Davis wrote:
>>>>>>>> I was wondering about this as we continue our migration.
>>>>>>>>
>>>>>>>> I have a script that my tech's use to temporarily change 
>>>>>>>> passwords so that they can login as a user for testing config 
>>>>>>>> changes, repairs, etc.
>>>>>>>>
>>>>>>>> While I'm still a bit bent about having to rework my entire 
>>>>>>>> freaking account mgmt toolchain due to the massive changes 
>>>>>>>> wrought by AD DC functionality in samba4, it's nice to know the 
>>>>>>>> functionality we need is there.
>>>>>>>>
>>>>>>>> Now to see if I can locate a reasonably-priced time-travel 
>>>>>>>> device on craigslist to allow the extra time needed to do this...
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>
>>>>>>>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org>
>>>>>>>> To: "Rowland Penny" <rowlandpenny at googlemail.com>, "sambalist" 
>>>>>>>> <samba at lists.samba.org>
>>>>>>>> Sent: Monday, July 21, 2014 9:21:33 AM
>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>
>>>>>>>> With any Microsoft active directory server you can not get 
>>>>>>>> access to read password hashes you can only change them.
>>>>>>>>
>>>>>>>> It's the fact I can get the hash so easily and also everybody 
>>>>>>>> else's.
>>>>>>>>
>>>>>>>> I am not all that bothered as for this sysadmin it's a Brucie 
>>>>>>>> Bonus.
>>>>>>>>
>>>>>>>> Irrespective of the website, if it's not there all I need to do 
>>>>>>>> is throw some cuda cores at http://hashcat.net/hashcat/ and one 
>>>>>>>> way or another I will get it.
>>>>>>>>
>>>>>>>> Should the hashes be so easily available was my main question?
>>>>>>>>
>>>>>>>> I was just wondering what others thought, seems cool enough.
>>>>>>>>
>>>>>>>> Stuart
>>>>>>>>
>>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>>> From:Rowland Penny <rowlandpenny at googlemail.com>
>>>>>>>>> Sent: Monday 21st July 2014 10:24
>>>>>>>>> To: sambalist <samba at lists.samba.org>
>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>>
>>>>>>>>> On 21/07/14 10:02, Philippe.Simonet at swisscom.com wrote:
>>>>>>>>>> not cracking : ntlm hash database lookup.
>>>>>>>>> Same difference, the OP said he put a unicodePwd password into 
>>>>>>>>> a webpage that deals with NTLM passwords and got his plain 
>>>>>>>>> password back, or are you missing the point?
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: samba-bounces at lists.samba.org [mailto:samba-
>>>>>>>>>>> bounces at lists.samba.org] On Behalf Of Rowland Penny
>>>>>>>>>>> Sent: Monday, July 21, 2014 10:46 AM
>>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>>>>
>>>>>>>>>>> On 21/07/14 09:29, Stuart Naylor wrote:
>>>>>>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb 
>>>>>>>>>>>> '(&(objectclass=person)(name=Administrator))' name unicodePwd
>>>>>>>>>>>> # record 1
>>>>>>>>>>>> dn: CN=Administrator,CN=Users,DC=office,DC=zentyal,DC=lan
>>>>>>>>>>>> name: Administrator
>>>>>>>>>>>> unicodePwd:: kXh1DQFudwnw+lnHhubyUw==
>>>>>>>>>>>>
>>>>>>>>>>>> http://www.hashkiller.co.uk/ntlm-decrypter.aspx just took 
>>>>>>>>>>>> 242ms to return my password
>>>>>>>>>>> Are you sure? You put a unicodePwd into something that 
>>>>>>>>>>> cracks ntlm passwords and got your plain password back??
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>> Only zent1 as its just a VM running a test of Zentyal3.5
>>>>>>>>>>> -- 
>>>>>>>>>>> To unsubscribe from this list go to the following URL and 
>>>>>>>>>>> read the
>>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>
>>>>>>> After reading this
>>>>>>> http://technet.microsoft.com/de-de/magazine/ff848710.aspx the 
>>>>>>> unicodePwd is not encrypted and it does not look too difficult to 
>>>>>>> create the plaintext password out of this base64 sequence.
>>>>>>>
>>>>>>> That article also mentions that this unicodePwd attribute only 
>>>>>>> exists on servers having AD LDS templates applied, which seem not 
>>>>>>> to be necessary for normal AD behaviour.
>>>>>>>
>>>>>>
>>>>>> -- 
>>>>>>
>>>>>> Jefferson K Davis
>>>>>> Technology and Information Systems Manager
>>>>>> Standard School District
>>>>>> 1200 North Chester Ave
>>>>>> Bakersfield, CA 93308
>>>>>> 661.392.2110 ext 120 (office)
>>>>>> http://district.standard.k12.ca.us
>>>>>>
>>>> To change the password with a hash (read earlier from unicodePwd) 
>>>> I assume you must modify dBCSPwd 
>>>> http://msdn.microsoft.com/en-us/library/cc245687.aspx and maybe 
>>>> unicodePwd as well. A few other requirements are mentioned in the 
>>>> link.
>>>>
>>>> Tried mimikatz.exe and it's scary how fast it displays all user 
>>>> passwords in cleartext.
>>>>
>>>> Interesting thread.
>>>>
>>>> achim~
>>>>
>>> Hi, yes you need to encode the password, you can do this in bash 
>>> like this:
>>>
>>> echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
>>>
>>> and then put the result into the users 'unicodePwd' attribute.
>>>
>>> You are supposed to have to do this over SSL, but I seem to be able 
>>> to do this without using SSL.
>>>
>>> Rowland
>> Hi Rowland,
>>
>> The aim is to be able to change a user's password temporarily for 
>> maintenance purposes and then restore it without knowing it.
>>
>> The encrypted base64 encoded password can be read as described 
>> earlier. Now the question is what has to be done to restore it.
>>
>> Writing to "unicodePwd" requires the knowledge of the unencrypted 
>> password.
>>
>> Cheers,
>> achim~
> Hi, are you sure about that? Surely if you can get and store the user's 
> encrypted password, you can later restore this.
>
> Getting the password is easy:
>
> ldbsearch -d 0 -H /var/lib/samba/private/sam.ldb -b dc=example,dc=com 
> '(&(objectClass=user)(sAMAccountname=username))' unicodePwd
>
> So, all you would need to do, is pick the required info from the 
> result of that command and store it somewhere, change the password 
> temporarily, do whatever you want to and then put the old password 
> back, all without actually knowing the users password.
>
> Rowland
>
I have not yet tried it, but does AD distinguish between a base64 
encoded cleartext and encrypted passwords?
By further reading I also found that dBCSPwd holds the LM password and 
unicodePwd the NT password. So in theory both must be backed up and 
restored.

achim~
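The distinction the thread circles around can be shown directly on the two encodings involved. What `ldbsearch` prints from `sam.ldb` under `unicodePwd::` is the stored NT hash, 16 raw bytes (MD4 over the UTF-16LE password) in base64; the value an LDAP client must write to `unicodePwd` is something else entirely, the plaintext wrapped in double quotes, UTF-16LE encoded, then base64, which is exactly what Rowland's `iconv | base64` pipeline produces. The following Python is an added example, not code from the thread or from the Samba project: it builds the write form, tells the two encodings apart so an administrator auditing a script can see which one it is handling, and emits the LDIF `replace` that a password change through LDAP needs. The sample base64 value is the one quoted from Stuart's `ldbsearch` output; the plaintext, the DN and the function names are constructed for the example.

```python
import base64
from typing import Dict

# Constructed sample inputs for this example (not taken from a live domain).
# SAMPLE_READ_VALUE is the base64 string quoted from ldbsearch in the thread;
# SAMPLE_PLAINTEXT is only used to build the LDAP write form.
SAMPLE_READ_VALUE = "kXh1DQFudwnw+lnHhubyUw=="
SAMPLE_PLAINTEXT = "PASSWORD"
NT_HASH_LEN = 16  # an NT hash is MD4 over the UTF-16LE password: always 16 bytes


def encode_unicodepwd_for_write(password: str) -> str:
    """LDAP write form of unicodePwd: the password wrapped in double quotes,
    UTF-16LE encoded, then base64 (what the iconv/base64 pipeline in the
    thread does)."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def classify_unicodepwd(b64_value: str) -> Dict[str, str]:
    """Tell the stored form (16-byte NT hash) and the write form (quoted
    UTF-16LE plaintext) apart.

    A 16-byte value that also decodes as a quoted 6-character UTF-16LE string
    is ambiguous; the quoted form is checked first, so such a value is
    reported as 'write-form'.
    """
    raw = base64.b64decode(b64_value, validate=True)
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:  # odd length or unpaired surrogate
        text = None
    if text is not None and len(text) >= 2 and text.startswith('"') and text.endswith('"'):
        return {"kind": "write-form", "password": text[1:-1]}
    if len(raw) == NT_HASH_LEN:
        return {"kind": "nt-hash", "hex": raw.hex()}
    return {"kind": "unknown", "length": str(len(raw))}


def build_password_modify_ldif(dn: str, password: str) -> str:
    """LDIF 'replace' for unicodePwd; the '::' marks a base64 value, which
    the quoted UTF-16LE form requires."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {encode_unicodepwd_for_write(password)}",
        "",
    ])


if __name__ == "__main__":
    # The value read back from sam.ldb is a hash, not an encoded plaintext.
    print(classify_unicodepwd(SAMPLE_READ_VALUE))
    # The value a client writes is the quoted UTF-16LE plaintext.
    write_form = encode_unicodepwd_for_write(SAMPLE_PLAINTEXT)
    print(write_form, classify_unicodepwd(write_form))
    # Hypothetical DN, constructed for the example.
    print(build_password_modify_ldif("CN=testuser,CN=Users,DC=example,DC=com", SAMPLE_PLAINTEXT))
```

Feeding the read value into `classify_unicodepwd` reports `nt-hash`, while the output of `encode_unicodepwd_for_write` reports `write-form`, which is why storing the `ldbsearch` output and writing it straight back into `unicodePwd` is not the same operation as Rowland's encoding step: the stored value carries no quotes and no plaintext, only the unsalted hash.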

