[Samba] check accounts for known bad passwords

Andrew Bartlett abartlet at samba.org
Thu Jul 20 20:45:19 UTC 2017

On Thu, 2017-07-20 at 15:52 +0200, mj via samba wrote:
> Hi,
> Des anyone know if a script of some sort or way to check my samba 
> accounts for known bad passwords, such as "123321", "1q2w3e", and such?
> We are currently the target by a botnet, trying out those easy passwords 
> on our imap server. While many (all?) of our users have good complex 
> paswords, I am not 100% sure about *all* of them. If possible I'd like 
> to disable their accounts, in the case of such bad passwords.

I would, if I were you, use:


To get the hashes in the form you want for this, try:

pdbedit -w

That dumps an smbpasswd file format file (be very careful with this, it
contains your krbtgt key, admin password and everything else!)

Note this in the FAQ:

A: With PWDUMP-format files, John focuses on LM rather than NTLM hashes
by default, and it might not load any hashes at all if there are no LM
hashes to crack. To have JtR Pro or a -jumbo version focus on NTLM
hashes instead, you need to pass the "--format=nt" option. 

I guess you would run it:

john --wordlist=/usr/share/john/password.lst /root/smbpasswd  

You will need that jumbo version, the NTLM hash isn't in the one
packaged on Fedora, so this is where I stopped. 

I hope this helps you keep in front of the bad guys!

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list