
[Samba] Being able to read password hashes


Stuart Naylor
Jul 21, 2014, 4:29:24 AM
ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=person)(name=Administrator))' name unicodePwd

# record 1
dn: CN=Administrator,CN=Users,DC=office,DC=zentyal,DC=lan
name: Administrator
unicodePwd:: kXh1DQFudwnw+lnHhubyUw==

http://www.hashkiller.co.uk/ntlm-decrypter.aspx just took 242ms to return my password

Only zent1 as it's just a VM running a test of Zentyal 3.5
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny
Jul 21, 2014, 4:45:37 AM
On 21/07/14 09:29, Stuart Naylor wrote:
> ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=person)(name=Administrator))' name unicodePwd
>
> # record 1
> dn: CN=Administrator,CN=Users,DC=office,DC=zentyal,DC=lan
> name: Administrator
> unicodePwd:: kXh1DQFudwnw+lnHhubyUw==
>
> http://www.hashkiller.co.uk/ntlm-decrypter.aspx just took 242ms to return my password
Are you sure? You put a unicodePwd into something that cracks NTLM
passwords and got your plain password back??

Rowland

Rowland Penny
Jul 21, 2014, 5:24:47 AM
On 21/07/14 10:02, Philippe...@swisscom.com wrote:
> not cracking : ntlm hash database lookup.

Same difference, the OP said he put a unicodePwd password into a webpage
that deals with NTLM passwords and got his plain password back, or are
you missing the point?

Rowland

Achim Gottinger
Jul 21, 2014, 5:52:11 AM

On 21.07.2014 10:29, Stuart Naylor wrote:
> ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=person)(name=Administrator))' name unicodePwd
>
> # record 1
> dn: CN=Administrator,CN=Users,DC=office,DC=zentyal,DC=lan
> name: Administrator
> unicodePwd:: kXh1DQFudwnw+lnHhubyUw==
>
> http://www.hashkiller.co.uk/ntlm-decrypter.aspx just took 242ms to return my password
>
> Only zent1 as its just a VM running a test of Zentyal3.5
Because this website uses a database of decrypted hashes, and zent1 is
in that database.

Stuart Naylor
Jul 21, 2014, 12:21:33 PM
With any Microsoft Active Directory server you cannot get access to read password hashes; you can only change them.

It's the fact I can get the hash so easily, and also everybody else's.

I am not all that bothered as for this sysadmin it's a Brucie Bonus.

Irrespective of the website, if it's not there all I need to do is throw some CUDA cores at http://hashcat.net/hashcat/ and one way or another I will get it.

Should the hashes be so easily available was my main question?

I was just wondering what others thought, seems cool enough.

Stuart



Jefferson Davis
Jul 21, 2014, 1:03:54 PM
I was wondering about this as we continue our migration.

I have a script that my techs use to temporarily change passwords so that they can log in as a user for testing config changes, repairs, etc.

While I'm still a bit bent about having to rework my entire freaking account mgmt toolchain due to the massive changes wrought by AD DC functionality in samba4, it's nice to know the functionality we need is there.

Now to see if I can locate a reasonably-priced time-travel device on craigslist to allow the extra time needed to do this...

--

Jefferson K Davis
Technology and Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA 93308
661.392.2110 ext 120 (office)
http://district.standard.k12.ca.us

District Users: Click here to report technology issues

Achim Gottinger
Jul 21, 2014, 1:38:40 PM
After reading this
http://technet.microsoft.com/de-de/magazine/ff848710.aspx the unicodePwd
is not encrypted and it does not look too difficult to create the
plaintext password out of this base64 sequence.

That article also mentions that this unicodePwd attribute only exists
on servers having AD LDS templates applied, which seem not to be
necessary for normal AD behaviour.

Gaiseric Vandal
Jul 21, 2014, 1:38:53 PM
Is the concern here that unauthorized users can get the password hashes
and therefore decrypt them? Or is the concern that they might be
sniffed over the network somehow?

I would guess that no matter what system you use, a sysadmin will have
the ability to get the password hashes from the server.

Achim Gottinger
Jul 21, 2014, 2:12:01 PM
Tried to decrypt a password on my server but it did not work; found
this old discussion on the Samba list about the issue.

https://lists.samba.org/archive/samba-technical/2011-December/080849.html

There it is mentioned that the unicodePwd attribute is the NT password
hash base64 encoded, and not a base64 encoded version of the plaintext
password as mentioned in the Microsoft article.

What happens when I add a Samba server as an AD DC to a Windows AD
domain with the AD LDS schema in use? Will unicodePwd return a base64
encoded version of the plaintext password?

Achim Gottinger
Jul 21, 2014, 2:49:37 PM
Sorry for the noise, figured it out: unicodePwd can be used to change
the password and must be fed with the base64 encoded cleartext password
enclosed in "". The password gets encrypted before being stored
(http://msdn.microsoft.com/en-us/library/cc245688.aspx).
The only difference on Samba seems to be that it makes this attribute readable.

Jefferson Davis
Jul 21, 2014, 7:07:10 PM
Could someone enlighten me as to how I can query the password hash attributes with ldapsearch?

To clarify my earlier post, I have two scripts. One saves the user's password hashes to an LDIF, and then resets the user's password to something our techs know.

The other runs an ldapmodify using the previously saved ldif.

With Samba4 AD I cannot seem to query the password attributes.



Andrew Bartlett
Jul 21, 2014, 7:32:10 PM
On Mon, 2014-07-21 at 13:38 -0400, Gaiseric Vandal wrote:
> Is the concern here that unauthorized users can get the password hashes
> and therefore decrypt them? Or is the concern that they might be
> sniffed over the network somehow?
>
> I would guess that no matter what system you use , a sysadmin will have
> the ability to get the password hashes from the server.

We don't allow access to this over the network, but these keys are
stored in the local ldb files, for use in authentication. That is why
your sam.ldb.d directory should be mode 0700.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
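
As an added check (not from the thread or from Samba) for the point Andrew makes: the NT hashes are guarded only by the filesystem permissions on sam.ldb and on the partition databases under sam.ldb.d, so any local account that can read those files has the whole domain's hashes. The script below reports any of those paths not owned by the expected uid or carrying group/other permission bits. The /var/lib/samba/private location is the layout the ldbsearch command in this thread uses and is an assumption here; adjust it for other builds.

```python
import os
import stat

# Added example, not Samba's code: report sam.ldb and everything under
# sam.ldb.d that is owned by someone other than the expected uid or is
# readable by group/other. PRIVATE_DIR matches the ldbsearch path used in
# the thread and is an assumption; other builds place the databases elsewhere.

PRIVATE_DIR = "/var/lib/samba/private"


def audit_path(path: str, expected_uid: int = 0) -> list:
    """Return findings for path; directories are walked recursively."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} grants group/other access")
    if stat.S_ISDIR(st.st_mode):
        for name in sorted(os.listdir(path)):
            findings.extend(audit_path(os.path.join(path, name), expected_uid))
    return findings


def audit_sam_db(private_dir: str = PRIVATE_DIR, expected_uid: int = 0) -> list:
    """Audit sam.ldb plus the sam.ldb.d partition directory (0700/0600, root-owned expected)."""
    findings = []
    for name in ("sam.ldb", "sam.ldb.d"):
        findings.extend(audit_path(os.path.join(private_dir, name), expected_uid))
    return findings


if __name__ == "__main__":
    problems = audit_sam_db()
    print("\n".join(problems) if problems else "sam.ldb and sam.ldb.d are root-only")
```

Run it as root on the DC; an empty result means the databases are no more exposed than Andrew describes, and anything it lists is a path from which the hashes in the previous example can be pulled without touching LDAP at all.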

Rob Townley
Jul 21, 2014, 7:41:07 PM
The Windows MimiKatz.exe utility, run as elevated admin, knows how to retrieve
the system keys used to hash the password in the first place. The result is
that almost all passwords on the system are instantly reverted to plain human
text.

So if a Domain Admin logs onto a workstation that the janitor has physical
access to, the janitor can retrieve the Domain Admin password. Recommend
domain admins cannot log on to anything but DCs.

Tested on Win8.1 and found the password I could not remember. Retrieving
your forgotten plain text password is a "feature" in the age of Alzheimer's.

Thomas Habets (of true arping fame) is writing TPM software so that your
ssh private key never has to go into RAM.

Note how the MS Trustworthy Computing Group says it can only be mitigated, not
prevented.
http://www.microsoft.com/en-us/download/details.aspx?id=36036

Rob Townley
Jul 21, 2014, 8:15:07 PM
It does not appear that the hashes are salted but even if they were...
maybe MimiKatz knows the value of the salt so it does not matter unless the
syskey utility was run.

Jefferson Davis
Jul 21, 2014, 8:35:34 PM
So, bottom line, ldapsearch (from openldap) won't work even if accessed from the DC?

Oy. I get that it's a Microsofty security "feature", but in my mind admin is ADMIN, aka root, aka do what I say and don't ask questions.

So we would HAVE to use ldbsearch on the local server ONLY for such things?

FWIW I am not looking to retrieve and decrypt passwords, just save the hashes into an LDIF to re-apply to the user's account.

Thanks for the info, hope I can figure this out. When I told my techs the password save/restore scripts would not work anymore there was much pouting and gnashing of teeth.


Stuart Naylor
Jul 22, 2014, 3:56:57 AM
I just wondered, that is all.

On an M$ AD you can only write, not read, the hash directly.

It's different on Samba4 and I thought I would just mention it.

Jefferson Davis
Jul 22, 2014, 1:08:24 PM
So, how do you do this?


Stuart Naylor
Jul 22, 2014, 3:52:45 PM
Think it was mentioned here: http://technet.microsoft.com/en-us/magazine/ff848710.aspx

Apols guys, as I was just trying to work out the implications.

Makes it easier for the admin, to be honest: the admin might not know the password, but you can set up users with the password they know.

Achim Gottinger
Jul 23, 2014, 5:31:47 AM
To change the password with a hash (read earlier from unicodePwd) I
assume you must modify dBCSPwd
http://msdn.microsoft.com/en-us/library/cc245687.aspx and maybe
unicodePwd as well. A few other requirements are mentioned in the link.

Tried mimikatz.exe and it's scary how fast it displays all user
passwords in cleartext.

Interesting thread.

achim~

Rowland Penny
Jul 23, 2014, 5:43:15 AM
Hi, yes you need to encode the password, you can do this in bash like this:

echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0

and then put the result into the users 'unicodePwd' attribute.

You are supposed to have to do this over SSL, but I seem to be able to
do this without using SSL.

Rowland
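
As an added example (not Rowland's script) of the write side of unicodePwd: the value written is the password in double quotes, UTF-16LE encoded and base64 wrapped, exactly the bytes the iconv pipeline above produces, and the DC hashes it before storing it. The script below generates that value together with a modify LDIF for ldbmodify, applies a complexity check of the kind Rowland's script performs, and includes a decoder that shows why a value read back from sam.ldb is not a quoted password and so cannot simply be pushed back through unicodePwd. The complexity rule approximates the AD default policy and is an assumption of this example.

```python
import base64

# Added example, not Rowland's script: the encoding AD and Samba expect when a
# password is written through unicodePwd (the password in double quotes,
# UTF-16LE, base64), an LDIF that applies it, and a decoder that shows why a
# value read back from sam.ldb is not in that form. The complexity rule is an
# approximation of the AD default policy and an assumption of this example.


def encode_unicodepwd(password: str) -> str:
    # Same bytes as: echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def decode_unicodepwd(value: str) -> str:
    """Inverse of encode_unicodepwd. Raises ValueError when the value is not a
    quoted UTF-16LE string, which is what happens for the stored NT hash."""
    raw = base64.b64decode(value)
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        raise ValueError("not UTF-16LE text")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted password, so not a unicodePwd write value")
    return text[1:-1]


def meets_complexity(password: str, account_name: str, minimum_length: int = 7) -> bool:
    """Assumed approximation of AD's default policy: minimum length, three of
    four character classes, and the account name not contained in the password."""
    if len(password) < minimum_length:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def password_change_ldif(dn: str, account_name: str, password: str) -> str:
    """LDIF for 'ldbmodify -H /var/lib/samba/private/sam.ldb' that replaces unicodePwd."""
    if not meets_complexity(password, account_name):
        raise ValueError("password does not meet the complexity policy")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {encode_unicodepwd(password)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    print(password_change_ldif("CN=testuser,CN=Users,DC=office,DC=zentyal,DC=lan",
                               "testuser", "Passw0rd!"))
    try:
        decode_unicodepwd("kXh1DQFudwnw+lnHhubyUw==")  # the stored value from the thread
    except ValueError as err:
        print("stored unicodePwd is not a write value:", err)
```

Windows AD only accepts this write over an SSL/TLS-protected connection; as Rowland notes, the local sam.ldb route does not enforce that. Running the decoder on the stored value from the first message fails the quoted-string check, which is the concrete form of Achim's observation that the attribute reads back as a hash rather than as the base64 text that was written.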

Achim Gottinger
Jul 23, 2014, 5:59:15 AM
Hi Rowland,

The aim is to be able to change a user's password temporarily for
maintenance purposes and then restore it without knowing it.

The encrypted, base64 encoded password can be read as described earlier.
Now the question is what has to be done to restore it.

Writing to "unicodePwd" requires knowledge of the unencrypted password.

Cheers,
achim~

Rowland Penny
Jul 23, 2014, 6:14:33 AM
Hi, are you sure about that? Surely if you can get and store the user's
encrypted password, you can later restore it.

Getting the password is easy:

ldbsearch -d 0 -H /var/lib/samba/private/sam.ldb -b dc=example,dc=com
'(&(objectClass=user)(sAMAccountname=username))' unicodePwd

So, all you would need to do, is pick the required info from the result
of that command and store it somewhere, change the password temporarily,
do whatever you want to and then put the old password back, all without
actually knowing the users password.

Rowland

Achim Gottinger
Jul 23, 2014, 11:57:27 AM
I have not yet tried it, but does AD distinguish between a base64
encoded cleartext password and an encrypted one?
By further reading I also found that dBCSPwd holds the LM password and
unicodePwd the NT password. So in theory both must be backed up and
restored.

achim~

Jefferson Davis
Jul 23, 2014, 12:46:44 PM

Thanks guys, that looks doable, though I'd prefer to be able to do the same thing with ldapsearch from OpenLDAP. I understand this may not be possible due to AD restricting reading such attributes over the network.

The other roadblock I am running into along the same lines is getting GADS (Google Apps Directory Sync) to read the unicodePwd attribute.



Rowland Penny
Jul 23, 2014, 2:28:37 PM
Hi, firstly none of my AD users have the 'dBCSPwd' attribute; secondly
the line I posted was from a script I use to change/set AD users'
passwords. Input a plain password that you want the user to have; it is
checked for complexity, then the script creates an LDIF and uses the LDIF
with ldbmodify to change the password.

Rowland

Achim Gottinger
Jul 23, 2014, 2:41:13 PM
Leaving aside dBCSPwd, if you pass a plaintext password as you
described, it will not be stored like that but encrypted, and if you
read unicodePwd afterwards you'll not get the base64 string you had
passed in your LDIF file but a base64 encoded version of the encrypted
password.
Have you tried whether you can pass an encrypted, base64 encoded password
that you read with your code snippet above back to AD via an LDIF?

achim~

Rowland Penny
Jul 23, 2014, 2:49:15 PM
Ok, let me think about this and I will knock a bash script up to test ;-)

Rowland

Rowland Penny
Jul 24, 2014, 5:46:53 AM
OK, after trying everything that I could think of, Achim is right, what
is stored in the 'unicodePwd' attribute is not what you actually put
there, so whilst you can change the password easily, reading it in human
form is extremely hard if not impossible. What is more, whilst trying to
make it work and carrying out numerous internet searches, it soon became
very apparent that:
1) The 'unicodePwd' attribute shouldn't be readable
2) The password should only be changeable over SSL.

I can do both on my test samba4 AD DC, so I must presume that this is a
bug and as such I have filed a bug report:

https://bugzilla.samba.org/show_bug.cgi?id=10740