[Samba] Being able to read password hashes

Jefferson Davis jdavis at standard.k12.ca.us
Wed Jul 23 10:46:44 MDT 2014


From: "Achim Gottinger" <achim at ag-web.biz> 
To: samba at lists.samba.org 
Sent: Wednesday, July 23, 2014 8:57:27 AM 
Subject: Re: [Samba] Being able to read password hashes 

Am 23.07.2014 12:14, schrieb Rowland Penny: 
> On 23/07/14 10:59, Achim Gottinger wrote: 
>> Am 23.07.2014 11:43, schrieb Rowland Penny: 
>>> On 23/07/14 10:31, Achim Gottinger wrote: 
>>>> Am 22.07.2014 21:52, schrieb Stuart Naylor: 
>>>>> Think it was mentioned here. 
>>>>> http://technet.microsoft.com/en-us/magazine/ff848710.aspx 
>>>>> 
>>>>> Apols guys as I was just trying to work out the implications. 
>>>>> 
>>>>> Makes it easier for the admin to be honest, the admin might not 
>>>>> know the password but you can set up users with the password they 
>>>>> know. 
>>>>> 
>>>>> -----Original message----- 
>>>>>> From:Jefferson Davis <jdavis at standard.k12.ca.us> 
>>>>>> Sent: Tuesday 22nd July 2014 18:08 
>>>>>> To: Stuart Naylor <stuartiannaylor at thursbygarden.org> 
>>>>>> Cc: samba at lists.samba.org 
>>>>>> Subject: Re: [Samba] Being able to read password hashes 
>>>>>> 
>>>>>> So, how do you do this? 
>>>>>> 
>>>>>> ----- Original Message ----- 
>>>>>> 
>>>>>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org> 
>>>>>> To: "Achim Gottinger" <achim at ag-web.biz>, samba at lists.samba.org 
>>>>>> Sent: Tuesday, July 22, 2014 12:56:57 AM 
>>>>>> Subject: Re: [Samba] Being able to read password hashes 
>>>>>> 
>>>>>> I just wondered that is all. 
>>>>>> 
>>>>>> On a M$ AD you can only write not read the hash directly. 
>>>>>> 
>>>>>> It's different on samba4 and thought I would just mention it. 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> -----Original message----- 
>>>>>>> From:Achim Gottinger <achim at ag-web.biz> 
>>>>>>> Sent: Monday 21st July 2014 18:38 
>>>>>>> To: samba at lists.samba.org 
>>>>>>> Subject: Re: [Samba] Being able to read password hashes 
>>>>>>> 
>>>>>>> Am 21.07.2014 19:03, schrieb Jefferson Davis: 
>>>>>>>> I was wondering about this as we continue our migration. 
>>>>>>>> 
>>>>>>>> I have a script that my tech's use to temporarily change 
>>>>>>>> passwords so that they can login as a user for testing config 
>>>>>>>> changes, repairs, etc. 
>>>>>>>> 
>>>>>>>> While I'm still a bit bent about having to rework my entire 
>>>>>>>> freaking account mgmt toolchain due to the massive changes 
>>>>>>>> wrought by AD DC functionality in samba4, it's nice to know the 
>>>>>>>> functionality we need is there. 
>>>>>>>> 
>>>>>>>> Now to see if I can locate a reasonably-priced time-travel 
>>>>>>>> device on craigslist to allow the extra time needed to do this... 
>>>>>>>> 
>>>>>>>> ----- Original Message ----- 
>>>>>>>> 
>>>>>>>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org> 
>>>>>>>> To: "Rowland Penny" <rowlandpenny at googlemail.com>, "sambalist" 
>>>>>>>> <samba at lists.samba.org> 
>>>>>>>> Sent: Monday, July 21, 2014 9:21:33 AM 
>>>>>>>> Subject: Re: [Samba] Being able to read password hashes 
>>>>>>>> 
>>>>>>>> With any Microsoft active directory server you can not get 
>>>>>>>> access to read password hashes you can only change them. 
>>>>>>>> 
>>>>>>>> It's the fact I can get the hash so easily and also everybody 
>>>>>>>> else's. 
>>>>>>>> 
>>>>>>>> I am not all that bothered as for this sysadmin it's a Brucie 
>>>>>>>> Bonus. 
>>>>>>>> 
>>>>>>>> Irrespective of the website if it's not there all I need to do 
>>>>>>>> is throw some cuda cores at http://hashcat.net/hashcat/ and one 
>>>>>>>> way or another I will get it. 
>>>>>>>> 
>>>>>>>> Should the hashes be so easily available was my main question? 
>>>>>>>> 
>>>>>>>> I was just wondering what others thought, seems cool enough. 
>>>>>>>> 
>>>>>>>> Stuart 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> -----Original message----- 
>>>>>>>>> From:Rowland Penny <rowlandpenny at googlemail.com> 
>>>>>>>>> Sent: Monday 21st July 2014 10:24 
>>>>>>>>> To: sambalist <samba at lists.samba.org> 
>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes 
>>>>>>>>> 
>>>>>>>>> On 21/07/14 10:02, Philippe.Simonet at swisscom.com wrote: 
>>>>>>>>>> not cracking : ntlm hash database lookup. 
>>>>>>>>> Same difference, the OP said he put a unicodePwd password into 
>>>>>>>>> a webpage that deals with NTLM passwords and got his plain 
>>>>>>>>> password back, or are you missing the point? 
>>>>>>>>> 
>>>>>>>>> Rowland 
>>>>>>>>>>> -----Original Message----- 
>>>>>>>>>>> From: samba-bounces at lists.samba.org [mailto:samba- 
>>>>>>>>>>> bounces at lists.samba.org] On Behalf Of Rowland Penny 
>>>>>>>>>>> Sent: Monday, July 21, 2014 10:46 AM 
>>>>>>>>>>> To: samba at lists.samba.org 
>>>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes 
>>>>>>>>>>> 
>>>>>>>>>>> On 21/07/14 09:29, Stuart Naylor wrote: 
>>>>>>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=person)(name=Administrator))' name unicodePwd 
>>>>>>>>>>>> # record 1 
>>>>>>>>>>>> dn: CN=Administrator,CN=Users,DC=office,DC=zentyal,DC=lan 
>>>>>>>>>>>> name: Administrator 
>>>>>>>>>>>> unicodePwd:: kXh1DQFudwnw+lnHhubyUw== 
>>>>>>>>>>>> 
>>>>>>>>>>>> http://www.hashkiller.co.uk/ntlm-decrypter.aspx just took 
>>>>>>>>>>>> 242ms to return my password 
>>>>>>>>>>> Are you sure? You put a unicodePwd into something that cracks 
>>>>>>>>>>> ntlm passwords and got your plain password back?? 
>>>>>>>>>>> 
>>>>>>>>>>> Rowland 
>>>>>>>>>>> 
>>>>>>>>>>>> Only zent1 as it's just a VM running a test of Zentyal3.5 
>>>>>>>>>>> -- 
>>>>>>>>>>> To unsubscribe from this list go to the following URL and 
>>>>>>>>>>> read the 
>>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba 
>>>>>>>>> 
>>>>>>> After reading this 
>>>>>>> http://technet.microsoft.com/de-de/magazine/ff848710.aspx the 
>>>>>>> unicodePwd is not encrypted and it does not look too difficult 
>>>>>>> to create the plaintext password out of this base64 sequence. 
>>>>>>> 
>>>>>>> That article also mentions that this unicodePwd attribute only 
>>>>>>> exists on servers having AD LDS templates applied, which seem 
>>>>>>> not to be necessary for normal AD behaviour. 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>> To change the password with a hash (read earlier from unicodePwd) 
>>>> I assume you must modify dBCSPwd 
>>>> http://msdn.microsoft.com/en-us/library/cc245687.aspx and maybe 
>>>> unicodePwd as well. A few other requirements are mentioned in the 
>>>> link. 
>>>> 
>>>> Tried mimikatz.exe and it's scary how fast it displays all user 
>>>> passwords in cleartext. 
>>>> 
>>>> Interesting thread. 
>>>> 
>>>> achim~ 
>>>> 
>>> Hi, yes you need to encode the password, you can do this in bash 
>>> like this: 
>>> 
>>> echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0 
>>> 
>>> and then put the result into the users 'unicodePwd' attribute. 
>>> 
>>> You are supposed to have to do this over SSL, but I seem to be able 
>>> to do this without using SSL. 
>>> 
>>> Rowland 
>> Hi Rowland, 
>> 
>> The aim is to be able to change a user password temporarily for 
>> maintenance purposes and then restore it without knowing it. 
>> 
>> The encrypted base64 encoded password can be read as described 
>> earlier. Now the question is what has to be done to restore it. 
>> 
>> Writing to "unicodePwd" requires the knowledge of the unencrypted 
>> password. 
>> 
>> Cheers, 
>> achim~ 
> Hi, are you sure about that? Surely if you can get and store the user's 
> encrypted password, you can later restore this. 
> 
> Getting the password is easy: 
> 
> ldbsearch -d 0 -H /var/lib/samba/private/sam.ldb -b dc=example,dc=com 
> '(&(objectClass=user)(sAMAccountname=username))' unicodePwd 
> 
> So, all you would need to do, is pick the required info from the 
> result of that command and store it somewhere, change the password 
> temporarily, do whatever you want to and then put the old password 
> back, all without actually knowing the users password. 
> 
> Rowland 
> 
I have not yet tried it but does AD distinguish between a base64-encoded 
cleartext password and an encrypted one? 
By further reading i also found that dBCSPwd holds the LM password and 
unicodePwd the NT password. So in theory both must be backed up and 
restored. 

achim~ 

Thanks guys that looks doable, though I'd prefer to be able to do the same thing but with ldapsearch from openldap. I understand this may not be possible due to AD restricting reading such attributes over the network. 

The other roadblock I am running into along the same lines is getting GADS (Google Apps Directory Sync) to read the unicodePwd attribute. 

-- 



Jefferson K Davis 
Technology and Information Systems Manager 
Standard School District 
1200 North Chester Ave 
Bakersfield, CA 93308 
661.392.2110 ext 120 (office) 
http://district.standard.k12.ca.us 
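Added example, not code from the thread or from Samba, to pin down what the two unicodePwd values discussed above actually are. Read straight out of sam.ldb with ldbsearch (which bypasses the LDAP-level restriction that keeps unicodePwd unreadable over the network), the attribute is 16 raw bytes: the NT hash, i.e. MD4 over the UTF-16LE password, with no salt. Written over LDAP, the attribute is the cleartext password wrapped in double quotes and UTF-16LE encoded, which is what Rowland's iconv one-liner produces. Both show up base64-encoded in LDIF, so they look alike, but base64 is only transport encoding and is not what makes the stored value "encrypted". Because the hash is unsalted, the same password always yields the same 16 bytes, which is why a precomputed lookup table returned a password in a few hundred milliseconds. The function names are this example's own; the base64 string "kXh1DQFudwnw+lnHhubyUw==" is the value posted earlier in the thread and is only used here to show that it decodes to 16 bytes. MD4 is implemented inline because OpenSSL 3 only exposes it through the legacy provider, so hashlib.new("md4") is not reliably available.

```python
"""Added example (not from the thread or Samba): NT hash vs. the LDAP write form
of unicodePwd, and an offline check of a candidate password against a value
read from sam.ldb."""
import base64
import struct


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python (hashlib's md4 needs OpenSSL legacy)."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    round3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: words in order, shifts 3,7,11,19
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,... shifts 3,5,9,13
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: words 0,8,4,12,2,10,... shifts 3,9,11,15
            k = round3_order[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = [(v + w) & mask for v, w in ((a0, a), (b0, b), (c0, c), (d0, d))]
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The 16 bytes that ldbsearch prints as 'unicodePwd:: <base64>'.
    Unsalted: MD4 of the UTF-16LE password and nothing else."""
    return _md4(password.encode("utf-16-le"))


def nt_hash_ldif_value(password: str) -> str:
    """Same hash, base64-encoded as it appears in ldbsearch output."""
    return base64.b64encode(nt_hash(password)).decode("ascii")


def unicodepwd_write_value(password: str) -> str:
    """The base64 value used to SET a password over LDAP: cleartext wrapped in
    double quotes, UTF-16LE encoded (what the iconv one-liner produces)."""
    return base64.b64encode(('"' + password + '"').encode("utf-16-le")).decode("ascii")


def decode_ldif_value(b64: str) -> bytes:
    return base64.b64decode(b64)


def looks_like_nt_hash(b64: str) -> bool:
    """A stored hash is always exactly 16 bytes, whatever the password length.
    (A quoted cleartext is 16 bytes only for a 6-character password, so this
    is a sanity check, not a proof.)"""
    return len(decode_ldif_value(b64)) == 16


def candidate_matches(stored_b64: str, candidate: str) -> bool:
    """Offline check of a guessed cleartext against a unicodePwd value read from
    sam.ldb; a lookup table or hashcat does this at scale."""
    return decode_ldif_value(stored_b64) == nt_hash(candidate)


if __name__ == "__main__":
    # Known vector: NT hash of "password" is 8846f7eaee8fb117ad06bdd830b7586c.
    print("nt_hash('password') =", nt_hash("password").hex())
    print("write form of 'password' =", unicodepwd_write_value("password"))
    print("thread value is 16 bytes:", looks_like_nt_hash("kXh1DQFudwnw+lnHhubyUw=="))
```

To use it against a real value, take the base64 after `unicodePwd::` from the ldbsearch output and call `candidate_matches(value, guess)`. The read value and the write value are not interchangeable: the LDAP write path expects the quoted UTF-16LE cleartext form, so feeding the stored hash back through that path as if it were a password will not reproduce the original credential.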
