[Samba] Being able to read password hashes

Achim Gottinger achim at ag-web.biz
Wed Jul 23 12:41:13 MDT 2014


On 23.07.2014 20:28, Rowland Penny wrote:
> On 23/07/14 16:57, Achim Gottinger wrote:
>> On 23.07.2014 12:14, Rowland Penny wrote:
>>> On 23/07/14 10:59, Achim Gottinger wrote:
>>>> On 23.07.2014 11:43, Rowland Penny wrote:
>>>>> On 23/07/14 10:31, Achim Gottinger wrote:
>>>>>> On 22.07.2014 21:52, Stuart Naylor wrote:
>>>>>>> Think it was mentioned here.
>>>>>>> http://technet.microsoft.com/en-us/magazine/ff848710.aspx
>>>>>>>
>>>>>>> Apols guys as I was just trying to work out the implications.
>>>>>>>
>>>>>>> Makes it easier for the admin to be honest, the admin might not
>>>>>>> know the password but you can set up users with the password
>>>>>>> they know.
>>>>>>>
>>>>>>>     -----Original message-----
>>>>>>>> From:Jefferson Davis <jdavis at standard.k12.ca.us>
>>>>>>>> Sent: Tuesday 22nd July 2014 18:08
>>>>>>>> To: Stuart Naylor <stuartiannaylor at thursbygarden.org>
>>>>>>>> Cc: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>
>>>>>>>> So, how do you do this?
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>
>>>>>>>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org>
>>>>>>>> To: "Achim Gottinger" <achim at ag-web.biz>, samba at lists.samba.org
>>>>>>>> Sent: Tuesday, July 22, 2014 12:56:57 AM
>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>
>>>>>>>> I just wondered that is all.
>>>>>>>>
>>>>>>>> On a M$ AD you can only write not read the hash directly.
>>>>>>>>
>>>>>>>> It's different on samba4 and thought I would just mention it.
>>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>>> From:Achim Gottinger <achim at ag-web.biz>
>>>>>>>>> Sent: Monday 21st July 2014 18:38
>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>>
>>>>>>>>> On 21.07.2014 19:03, Jefferson Davis wrote:
>>>>>>>>>> I was wondering about this as we continue our migration.
>>>>>>>>>>
>>>>>>>>>> I have a script that my techs use to temporarily change
>>>>>>>>>> passwords so that they can log in as a user for testing config
>>>>>>>>>> changes, repairs, etc.
>>>>>>>>>>
>>>>>>>>>> While I'm still a bit bent about having to rework my entire
>>>>>>>>>> freaking account mgmt toolchain due to the massive changes
>>>>>>>>>> wrought by AD DC functionality in samba4, it's nice to know
>>>>>>>>>> the functionality we need is there.
>>>>>>>>>>
>>>>>>>>>> Now to see if I can locate a reasonably-priced time-travel
>>>>>>>>>> device on craigslist to allow the extra time needed to do
>>>>>>>>>> this...
>>>>>>>>>>
>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>
>>>>>>>>>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org>
>>>>>>>>>> To: "Rowland Penny" <rowlandpenny at googlemail.com>,
>>>>>>>>>> "sambalist" <samba at lists.samba.org>
>>>>>>>>>> Sent: Monday, July 21, 2014 9:21:33 AM
>>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>>>
>>>>>>>>>> With any Microsoft active directory server you can not get
>>>>>>>>>> access to read password hashes you can only change them.
>>>>>>>>>>
>>>>>>>>>> It's the fact I can get the hash so easily and also everybody
>>>>>>>>>> else's.
>>>>>>>>>>
>>>>>>>>>> I am not all that bothered as for this sysadmin it's a Brucie
>>>>>>>>>> Bonus.
>>>>>>>>>>
>>>>>>>>>> Irrespective of the website, if it's not there all I need to do
>>>>>>>>>> is throw some cuda cores at http://hashcat.net/hashcat/ and
>>>>>>>>>> one way or another I will get it.
>>>>>>>>>>
>>>>>>>>>> Should the hashes be so easily available was my main question?
>>>>>>>>>>
>>>>>>>>>> I was just wondering what others thought, seems cool enough.
>>>>>>>>>>
>>>>>>>>>> Stuart
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -----Original message-----
>>>>>>>>>>> From:Rowland Penny <rowlandpenny at googlemail.com>
>>>>>>>>>>> Sent: Monday 21st July 2014 10:24
>>>>>>>>>>> To: sambalist <samba at lists.samba.org>
>>>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>>>>
>>>>>>>>>>> On 21/07/14 10:02, Philippe.Simonet at swisscom.com wrote:
>>>>>>>>>>>> not cracking : ntlm hash database lookup.
>>>>>>>>>>> Same difference, the OP said he put a unicodePwd password
>>>>>>>>>>> into a webpage
>>>>>>>>>>> that deals with NTLM passwords and got his plain password
>>>>>>>>>>> back, or are
>>>>>>>>>>> you missing the point?
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>>>>>>>>>>>> Sent: Monday, July 21, 2014 10:46 AM
>>>>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 21/07/14 09:29, Stuart Naylor wrote:
>>>>>>>>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=person)(name=Administrator))' name unicodePwd
>>>>>>>>>>>>>> # record 1
>>>>>>>>>>>>>> dn: CN=Administrator,CN=Users,DC=office,DC=zentyal,DC=lan
>>>>>>>>>>>>>> name: Administrator
>>>>>>>>>>>>>> unicodePwd:: kXh1DQFudwnw+lnHhubyUw==
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> http://www.hashkiller.co.uk/ntlm-decrypter.aspx just took
>>>>>>>>>>>>>> 242ms to return my password
>>>>>>>>>>>>> Are you sure? you put a unicodePwd into something that
>>>>>>>>>>>>> cracks ntlm
>>>>>>>>>>>>> passwords and got your plain password back??
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Only zent1 as its just a VM running a test of Zentyal3.5
>>>>>>>>>>>
>>>>>>>>> After reading this
>>>>>>>>> http://technet.microsoft.com/de-de/magazine/ff848710.aspx the
>>>>>>>>> unicodePwd is not encrypted and it does not look too difficult
>>>>>>>>> to create the plaintext password out of this base64 sequence.
>>>>>>>>>
>>>>>>>>> That article also mentions that this unicodePwd attribute
>>>>>>>>> only exists on servers having AD LDS templates applied, which
>>>>>>>>> seem not to be necessary for normal AD behaviour.
>>>>>>>>>
>>>>>> To change the password with a hash (read earlier from
>>>>>> unicodePwd) I assume you must modify dBCSPwd
>>>>>> http://msdn.microsoft.com/en-us/library/cc245687.aspx and maybe
>>>>>> unicodePwd as well. A few other requirements are mentioned in the
>>>>>> link.
>>>>>>
>>>>>> Tried mimikatz.exe and it's scary how fast it displays all user
>>>>>> passwords in cleartext.
>>>>>>
>>>>>> Interesting thread.
>>>>>>
>>>>>> achim~
>>>>>>
>>>>> Hi, yes you need to encode the password, you can do this in bash
>>>>> like this:
>>>>>
>>>>> echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
>>>>>
>>>>> and then put the result into the user's 'unicodePwd' attribute.
>>>>>
>>>>> You are supposed to have to do this over SSL, but I seem to be
>>>>> able to do this without using SSL.
>>>>>
>>>>> Rowland
>>>> Hi Rowland,
>>>>
>>>> The aim is to be able to change a user's password temporarily for
>>>> maintenance purposes and then restore it without knowing it.
>>>>
>>>> The encrypted base64 encoded password can be read as described
>>>> earlier. Now the question is what has to be done to restore it.
>>>>
>>>> Writing to "unicodePwd" requires the knowledge of the unencrypted
>>>> password.
>>>>
>>>> Cheers,
>>>> achim~
>>> Hi, are you sure about that? Surely if you can get and store the
>>> user's encrypted password, you can later restore this.
>>>
>>> Getting the password is easy:
>>>
>>> ldbsearch -d 0 -H /var/lib/samba/private/sam.ldb -b
>>> dc=example,dc=com '(&(objectClass=user)(sAMAccountname=username))'
>>> unicodePwd
>>>
>>> So, all you would need to do, is pick the required info from the
>>> result of that command and store it somewhere, change the password
>>> temporarily, do whatever you want to and then put the old password
>>> back, all without actually knowing the users password.
>>>
>>> Rowland
>>>
>> I have not yet tried it, but does AD distinguish between a base64
>> encoded cleartext and encrypted passwords?
>> By further reading I also found that dBCSPwd holds the LM password
>> and unicodePwd the NT password. So in theory both must be backed up
>> and restored.
>>
>> achim~
> Hi, firstly none of my AD users have the 'dBCSPwd' attribute, secondly
> the line I posted was from a script I use to change/set AD users'
> passwords. Input a plain password that you want the user to have, it is
> checked for complexity, it then creates an ldif and then uses the ldif
> with ldbmodify to change the password.
>
> Rowland
Leaving aside dBCSPwd, if you pass a plaintext password as you
described it, it will not be stored like that but encrypted, and if you
read unicodePwd afterwards you'll not get the base64 string you had
passed in your ldif file but a base64 encoded version of the encrypted
password.
Have you tried whether you can pass an encrypted base64 encoded password that
you read with your code snippet above back to AD via an ldif?

achim~