Recover passwords in clear text from ldap


From Lenny to Squeeze the authentication method changed completely, and you have to set new passwords for the students. The workaround below describes how to recover clear text passwords from LDAP by cracking the LM and NT hashes.

How it works

If you add a new user and supply a password, several hashes of this password are generated and stored in LDAP, for example an SHA hash, which is used by Linux. When someone logs in and enters a password, a hash of that password is generated; if it equals the hash in the LDAP database, the user can log in. SHA is a one-way function: there is (so far) no way to calculate the clear text password from the hash. The only possibility is to try all combinations, and that takes tens of years, especially because the hash is salted.

Furthermore there is the LM hash, which the Windows operating system uses. This hash is much simpler. On the one hand it is case-insensitive, so there are fewer possible passwords. On the other hand a password longer than 7 characters is split into two parts, and a hash is generated for each part. That is why you only need a database of hashes for all possible passwords of seven letters (plus numbers and special characters). Then you can look up the right hash in the database and you have the clear text password.

In a second step you need the NT hash, which is used by newer Windows operating systems and is also stored in LDAP. This hash is case-sensitive. Once you have found the case-insensitive password, you can generate the hashes of all upper/lowercase combinations of this password and check them against the NT hash from the LDAP database. This takes less than one second per password.

The LM hash method only uses the first 14 characters of the password. For longer passwords you can try the manual operations described below.
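As an added example (not from this page and not part of the attached Perl script), the following Python code parses a pwdump-style export like the one the script produces and reports, per account, what the stored hashes already reveal before anything is cracked: whether an LM hash is stored at all, whether the second LM half is empty (the password has at most 7 characters), whether the NT hash is that of the empty password, and how many upper/lowercase spellings the NT check from the previous paragraph would have to try. The three hash constants are the well-known Windows values; the sample export is constructed (john's pair is the widely published hash pair of the word "password", the other hash values are made up).

```python
# Added example: audit a pwdump-style export for what the LM/NT hash
# fields reveal about each account. Not part of the wiki page or the
# attached Perl script.
#
# pwdump line format: user:uid:LMHASH:NTHASH:::  (32 hex chars per hash)
# Well-known Windows constants (not page-specific):
#   - an account with no LM hash carries aad3b435b51404eeaad3b435b51404ee
#   - each LM half of the empty string is aad3b435b51404ee, so a second
#     half equal to it means the password has at most 7 characters
#   - the NT hash of the empty password is 31d6cfe0d16ae931b73c59d7e0c089c0
import re
from dataclasses import dataclass

NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample export. john's pair is the widely published LM/NT
# hash pair of the word "password"; the other hash values are made up.
SAMPLE_PWDUMP = """\
# user:uid:lm:nt:::
john:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
anna:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
guest:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
mary:1004:fedcba9876543210aad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


@dataclass
class Record:
    user: str
    uid: str
    lm: str
    nt: str


def parse_pwdump(text):
    """Return the records of a pwdump export; reject malformed lines."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected user:uid:lm:nt:::")
        user, uid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        for name, digest in (("LM", lm), ("NT", nt)):
            if not HEX32.fullmatch(digest):
                raise ValueError(f"line {lineno}: bad {name} hash {digest!r}")
        records.append(Record(user, uid, lm, nt))
    return records


def audit(rec):
    """Findings for one account, derived only from the hash fields."""
    findings = []
    if rec.nt == EMPTY_NT_HASH:
        findings.append("empty password")
    if rec.lm == NO_LM_HASH:
        findings.append("no LM hash stored (NT hash only)")
    else:
        findings.append("LM hash stored: first 14 chars recoverable case-insensitively")
        if rec.lm[16:] == EMPTY_LM_HALF:
            findings.append("second LM half empty: password has at most 7 characters")
    return findings


def case_variants(password):
    """How many upper/lowercase spellings the NT check has to try:
    two choices per letter, one per digit or special character."""
    return 2 ** sum(1 for c in password if c.isalpha())


def report(text):
    """Map every user in the export to its findings."""
    return {rec.user: audit(rec) for rec in parse_pwdump(text)}


if __name__ == "__main__":
    for user, findings in report(SAMPLE_PWDUMP).items():
        print(f"{user}: " + "; ".join(findings))
    print("SkOLeLiNuXDebIan needs", case_variants("SkOLeLiNuXDebIan"), "NT checks")
```

Running the file prints one line per account; accounts that only carry an NT hash are not recoverable with the LM tables at all, which is exactly the case where the page says the Vista tables are needed.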

ophcrack

There is a nice open-source tool called ophcrack. It handles the described steps using the mentioned databases (called rainbow tables), which can be downloaded from its homepage.

To use ophcrack, install the package ophcrack (it depends on Qt, so do this on a workstation with a desktop environment). Then download the appropriate rainbow tables from http://ophcrack.sourceforge.net/tables.php. I used XP free fast and XP special (the Vista tables are only necessary if you only have the NT hash).

Load these tables using the Tables button in the menu.

Then you need to get the hashes and usernames from the Skolelinux LDAP.

Getting the LM and NT hashes

The attached script fetches the usernames and the corresponding LM and NT hashes from the Skolelinux LDAP. It generates the file pwdump.txt, which you can load into ophcrack. To run this script, put it somewhere on a computer in your Skolelinux network from which you can access LDAP.

The script is written in Perl, so you need Perl (installed by default on Debian Edu machines). Furthermore you need to install the packages libnet-ldap-perl and libcrypt-smbhash-perl.

In line 24 of the script you have to enter your LDAP password. Unless it has been changed, this is the root password of tjener. Because of this it is a good idea to give read and execute rights on the script only to the right users.

Then run

   perl recoverPasswords.pl pwdump

This generates a file pwdump.txt in the same directory as the script. This file contains the usernames and the corresponding LM and NT hashes in pwdump syntax.

Running ophcrack

Open ophcrack, choose the button Load and then PWDUMP file, and select the file pwdump.txt generated by the script. Now you see all users and their hashes. Hit the button Crack; ophcrack now tries to find the clear text passwords using its tables. This can take a while (approx. 30-60 min for 1000 users).

Keep in mind that ophcrack can't handle filenames and paths with special characters (like ä, æ, ß).

Generate a csv file for gosa

After ophcrack has done its work, choose Save and then Save to file. Save it in the same folder as the Perl script and choose ophcrack.txt as the filename. After this, run the script again with the option csv.

   perl recoverPasswords.pl csv

This generates csv files with usernames and clear text passwords, which you can import using gosa.

Options for the csv file

There are some options to control the generation of the csv files. You set these options by changing the values of the variables in lines 25, 26 and 27 of the Perl script.

$templatename
The name of the template you will use in gosa. This is only used as part of the filename, if you want to generate different csv files.
$useTemplateFromFunction
If set to 1, the result of the function template() (near the end of the script) will be used as the template name. This function calculates the template name for each user. I use this because I want to use different templates in gosa. Each age group has its own subfolder in /skole/tjener/home0, like /skole/tjener/home0/year11, ... . For each year I have my own gosa template. The function derives the template name from the home folder path. You can overwrite this function and fit it to your needs. For every different template a separate csv file is generated.
$checkAgain
If set to 1, the password from ophcrack is checked again while the csv file is generated. This is useful if someone changed their password during this process.

If there is any problem with a user (no password found, etc.), this user and the results so far are written to the file users.skiped.

Manual operations

If you have problems with a user, you can try to find the password manually.

If a password is longer than 14 characters, ophcrack only finds the first 14 characters of this password using the LM hash (there is one table for passwords up to 16 characters on the homepage). Say you found SkOLeLiNuXDebI for user john and you have an idea of the missing characters; then you can run

   perl recoverPasswords.pl check john SkOLeLiNuXDebIan

This checks all upper/lowercase combinations of the given password against the NT hash and prints the result if one matches.

There are some online tools like http://www.md5decrypter.co.uk/ntlm-decrypt.aspx and http://crackstation.net/ which can crack hashes of passwords up to 16 characters long.

Attachment

recoverPasswords.pl