[Samba] Being able to read password hashes

Rowland Penny rowlandpenny at googlemail.com
Wed Jul 23 12:49:15 MDT 2014


On 23/07/14 19:41, Achim Gottinger wrote:
> Am 23.07.2014 20:28, schrieb Rowland Penny:
>> On 23/07/14 16:57, Achim Gottinger wrote:
>>> Am 23.07.2014 12:14, schrieb Rowland Penny:
>>>> On 23/07/14 10:59, Achim Gottinger wrote:
>>>>> Am 23.07.2014 11:43, schrieb Rowland Penny:
>>>>>> On 23/07/14 10:31, Achim Gottinger wrote:
>>>>>>> Am 22.07.2014 21:52, schrieb Stuart Naylor:
>>>>>>>> Think it was mentioned here.
>>>>>>>> http://technet.microsoft.com/en-us/magazine/ff848710.aspx
>>>>>>>>
>>>>>>>> Apols guys as I was just trying to work out the implications.
>>>>>>>>
>>>>>>>> Makes it easier for the admin to be honest, the admin might not
>>>>>>>> know the password but you can set up users with the password
>>>>>>>> they know.
>>>>>>>>
>>>>>>>>     -----Original message-----
>>>>>>>>> From:Jefferson Davis <jdavis at standard.k12.ca.us>
>>>>>>>>> Sent: Tuesday 22nd July 2014 18:08
>>>>>>>>> To: Stuart Naylor <stuartiannaylor at thursbygarden.org>
>>>>>>>>> Cc: samba at lists.samba.org
>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>>
>>>>>>>>> So, how do you do this?
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>
>>>>>>>>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org>
>>>>>>>>> To: "Achim Gottinger" <achim at ag-web.biz>, samba at lists.samba.org
>>>>>>>>> Sent: Tuesday, July 22, 2014 12:56:57 AM
>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>>
>>>>>>>>> I just wondered that is all.
>>>>>>>>>
>>>>>>>>> On an M$ AD you can only write, not read, the hash directly.
>>>>>>>>>
>>>>>>>>> It's different on samba4 and I thought I would just mention it.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -----Original message-----
>>>>>>>>>> From:Achim Gottinger <achim at ag-web.biz>
>>>>>>>>>> Sent: Monday 21st July 2014 18:38
>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>>>
>>>>>>>>>> Am 21.07.2014 19:03, schrieb Jefferson Davis:
>>>>>>>>>>> I was wondering about this as we continue our migration.
>>>>>>>>>>>
>>>>>>>>>>> I have a script that my techs use to temporarily change
>>>>>>>>>>> passwords so that they can log in as a user for testing config
>>>>>>>>>>> changes, repairs, etc.
>>>>>>>>>>>
>>>>>>>>>>> While I'm still a bit bent about having to rework my entire
>>>>>>>>>>> freaking account mgmt toolchain due to the massive changes
>>>>>>>>>>> wrought by AD DC functionality in samba4, it's nice to know
>>>>>>>>>>> the functionality we need is there.
>>>>>>>>>>>
>>>>>>>>>>> Now to see if I can locate a reasonably-priced time-travel
>>>>>>>>>>> device on craigslist to allow the extra time needed to do
>>>>>>>>>>> this...
>>>>>>>>>>>
>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>
>>>>>>>>>>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org>
>>>>>>>>>>> To: "Rowland Penny" <rowlandpenny at googlemail.com>,
>>>>>>>>>>> "sambalist" <samba at lists.samba.org>
>>>>>>>>>>> Sent: Monday, July 21, 2014 9:21:33 AM
>>>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>>>>
>>>>>>>>>>> With any Microsoft active directory server you cannot get
>>>>>>>>>>> access to read password hashes, you can only change them.
>>>>>>>>>>>
>>>>>>>>>>> It's the fact I can get the hash so easily and also everybody
>>>>>>>>>>> else's.
>>>>>>>>>>>
>>>>>>>>>>> I am not all that bothered as for this sysadmin it's a Brucie
>>>>>>>>>>> Bonus.
>>>>>>>>>>>
>>>>>>>>>>> Irrespective of the website, if it's not there all I need to do
>>>>>>>>>>> is throw some cuda cores at http://hashcat.net/hashcat/ and
>>>>>>>>>>> one way or another I will get it.
>>>>>>>>>>>
>>>>>>>>>>> Should the hashes be so easily available was my main question?
>>>>>>>>>>>
>>>>>>>>>>> I was just wondering what others thought, seems cool enough.
>>>>>>>>>>>
>>>>>>>>>>> Stuart
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -----Original message-----
>>>>>>>>>>>> From:Rowland Penny <rowlandpenny at googlemail.com>
>>>>>>>>>>>> Sent: Monday 21st July 2014 10:24
>>>>>>>>>>>> To: sambalist <samba at lists.samba.org>
>>>>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>>>>>
>>>>>>>>>>>> On 21/07/14 10:02, Philippe.Simonet at swisscom.com wrote:
>>>>>>>>>>>>> Not cracking: NTLM hash database lookup.
>>>>>>>>>>>> Same difference, the OP said he put a unicodePwd password
>>>>>>>>>>>> into a webpage that deals with NTLM passwords and got his
>>>>>>>>>>>> plain password back, or are you missing the point?
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>>> From: samba-bounces at lists.samba.org [mailto:samba-
>>>>>>>>>>>>>> bounces at lists.samba.org] On Behalf Of Rowland Penny
>>>>>>>>>>>>>> Sent: Monday, July 21, 2014 10:46 AM
>>>>>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>>>>>> Subject: Re: [Samba] Being able to read password hashes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 21/07/14 09:29, Stuart Naylor wrote:
>>>>>>>>>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb
>>>>>>>>>>>>>>> '(&(objectclass=person)(name=Administrator))' name unicodePwd
>>>>>>>>>>>>>>> # record 1
>>>>>>>>>>>>>>> dn: CN=Administrator,CN=Users,DC=office,DC=zentyal,DC=lan
>>>>>>>>>>>>>>> name: Administrator
>>>>>>>>>>>>>>> unicodePwd:: kXh1DQFudwnw+lnHhubyUw==
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://www.hashkiller.co.uk/ntlm-decrypter.aspx just took
>>>>>>>>>>>>>>> 242ms to return my password
>>>>>>>>>>>>>> Are you sure? You put a unicodePwd into something that cracks
>>>>>>>>>>>>>> ntlm passwords and got your plain password back??
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Only zent1 as it's just a VM running a test of Zentyal 3.5
>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and
>>>>>>>>>>>>>> read the
>>>>>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>>>>
>>>>>>>>>> After reading this
>>>>>>>>>> http://technet.microsoft.com/de-de/magazine/ff848710.aspx the
>>>>>>>>>> unicodePwd is not encrypted and it does not look too difficult to
>>>>>>>>>> create the plaintext password out of this base64 sequence.
>>>>>>>>>>
>>>>>>>>>> That article also mentions that this unicodePwd attribute only
>>>>>>>>>> exists on servers having AD LDS templates applied, which seem not
>>>>>>>>>> to be necessary for normal AD behaviour.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jefferson K Davis
>>>>>>>>> Technology and Information Systems Manager
>>>>>>>>> Standard School District
>>>>>>>>> 1200 North Chester Ave
>>>>>>>>> Bakersfield, CA 93308
>>>>>>>>> 661.392.2110 ext 120 (office)
>>>>>>>>> http://district.standard.k12.ca.us
>>>>>>>>>
>>>>>>>>> District Users: Click here to report technology issues
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>> To change the password with a hash (read earlier from
>>>>>>> unicodePwd) I assume you must modify dBCSPwd
>>>>>>> http://msdn.microsoft.com/en-us/library/cc245687.aspx and maybe
>>>>>>> unicodePwd as well. A few other requirements are mentioned in the
>>>>>>> link.
>>>>>>>
>>>>>>> Tried mimikaze.exe and it's scary how fast it displays all user
>>>>>>> passwords in cleartext.
>>>>>>>
>>>>>>> Interesting thread.
>>>>>>>
>>>>>>> achim~
>>>>>>>
>>>>>> Hi, yes you need to encode the password, you can do this in bash
>>>>>> like this:
>>>>>>
>>>>>> echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
>>>>>>
>>>>>> and then put the result into the user's 'unicodePwd' attribute.
>>>>>>
>>>>>> You are supposed to have to do this over SSL, but I seem to be
>>>>>> able to do this without using SSL.
>>>>>>
>>>>>> Rowland
>>>>> Hi Rowland,
>>>>>
>>>>> The aim is to be able to change a user's password temporarily for
>>>>> maintenance purposes and then restore it without knowing it.
>>>>>
>>>>> The encrypted base64 encoded password can be read as described
>>>>> earlier. Now the question is what has to be done to restore it.
>>>>>
>>>>> Writing to "unicodePwd" requires the knowledge of the unencrypted
>>>>> password.
>>>>>
>>>>> Cheers,
>>>>> achim~
>>>> Hi, are you sure about that? Surely if you can get and store the
>>>> user's encrypted password, you can later restore it.
>>>>
>>>> Getting the password is easy:
>>>>
>>>> ldbsearch -d 0 -H /var/lib/samba/private/sam.ldb -b dc=example,dc=com \
>>>>   '(&(objectClass=user)(sAMAccountname=username))' unicodePwd
>>>>
>>>> So, all you would need to do is pick the required info from the
>>>> result of that command and store it somewhere, change the password
>>>> temporarily, do whatever you want to and then put the old password
>>>> back, all without actually knowing the user's password.
>>>>
>>>> Rowland
>>>>
>>> I have not yet tried it but does AD distinguish between a base64
>>> encoded cleartext and encrypted passwords?
>>> By further reading I also found that dBCSPwd holds the LM password
>>> and unicodePwd the NT password. So in theory both must be backed up
>>> and restored.
>>>
>>> achim~
>> Hi, firstly none of my AD users have the 'dBCSPwd' attribute, secondly
>> the line I posted was from a script I use to change/set AD users'
>> passwords. Input a plain password that you want the user to have, it is
>> checked for complexity, it then creates an ldif and then uses the ldif
>> with ldbmodify to change the password.
>>
>> Rowland
> Leaving aside dBCSPwd, if you pass a plaintext password as you
> described, it will not be stored like that but encrypted, and if you
> read unicodePwd afterwards you'll not get the base64 string you had
> passed in your ldif file but a base64 encoded version of the
> encrypted password.
> Have you tried whether you can pass an encrypted base64 encoded password
> that you read with your code snippet above back to AD via an ldif?
>
> achim~
>
>
Ok, let me think about this and I will knock a bash script up to test ;-)

Rowland
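Rowland's one-liner and the two-format question Achim raises (what gets written to unicodePwd versus what ldbsearch returns), worked through as an added example that is not code from this thread: a POSIX shell script with the encoder, its inverse, the LDIF that a script like Rowland's would feed to ldbmodify, and a check that tells the two encodings apart. It assumes glibc iconv and GNU coreutils (base64 -w 0, od), the same tools as the quoted command; the DN in the usage comment is a constructed example.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds the unicodePwd value and the
# LDIF that the procedure quoted above uses, and tells the write-side format
# apart from what ldbsearch reads back. Assumes glibc iconv and GNU coreutils
# base64/od, the same tools as the one-liner in the thread.

# Write format: the password wrapped in double quotes, as UTF-16LE, base64 on
# one line. printf is used instead of echo -n so the quoting is portable.
encode_unicode_pwd() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
}

# Reverse of encode_unicode_pwd, to check an LDIF before it is applied.
# Only the write format round-trips: a value read back from sam.ldb is not a
# UTF-16LE string and will not decode to the quoted password.
decode_unicode_pwd() {
    s=$(printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8)
    s=${s#\"}
    printf '%s' "${s%\"}"
}

# Classify a base64 unicodePwd value by the bytes it decodes to:
#   quoted-utf16le  starts and ends with a UTF-16LE double quote (22 00) and
#                   has an even byte count, i.e. the write format above;
#   stored-hash     16 bytes with no quote structure, the length of an NT hash,
#                   which is what the ldbsearch output in the thread shows
#                   (kXh1DQFudwnw+lnHhubyUw== is 24 base64 chars = 16 bytes).
# A six-character password also encodes to 16 bytes, so the quote check runs first.
unicode_pwd_kind() {
    hex=$(printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    nbytes=$(( ${#hex} / 2 ))
    case "$hex" in
        2200*2200)
            if [ $(( nbytes % 2 )) -eq 0 ]; then
                printf 'quoted-utf16le'
                return 0
            fi
            ;;
    esac
    if [ "$nbytes" -eq 16 ]; then
        printf 'stored-hash'
    else
        printf 'unknown'
    fi
}

# LDIF for ldbmodify that replaces one account's password.
# $1 = the user's DN, $2 = the new plaintext password.
# The double colon after the attribute name marks a base64 value.
password_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n' \
        "$1" "$(encode_unicode_pwd "$2")"
}

# Usage (the DN is a constructed example), as the script in the thread does it:
#   password_ldif 'CN=username,CN=Users,DC=example,DC=com' 'PASSWORD' > pw.ldif
#   ldbmodify -H /var/lib/samba/private/sam.ldb pw.ldif
```

The classifier is the part worth keeping around: the value Rowland's script writes and the value his ldbsearch command reads back are different encodings of different things, so a backup-and-restore script that treats them interchangeably will feed the wrong format to one side or the other. Which of the two the directory will accept on write is exactly what Rowland says he will test.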


