Index of /archives/net/samba/pwdump

Icon  Name                    Last modified      Size  Description
[PARENTDIR] Parent Directory - [TXT] pwdump.c 1997-03-25 03:36 22K [   ] pwdump.exe.asc 2012-02-29 04:35 190 [   ] pwdump.zip 2012-10-01 05:51 37K [TXT] README 2012-10-01 06:02 5.7K
Note: This utility accesses and exports password information from the
      Microsoft Windows security databases.  Some antivirus heuristics
      interpret such access as malicious and will, therefore, identify
      this utility as a threat.

      Systems administrators should understand the purpose of this
      utility, and should determine for themselves whether its presence
      is a real threat.  As an additional precaution, the GPG signature
      of the executable should be verified.  The signature got created
      with key ID 0x6568B7EA

      In addition to that we decided to save the utility now in an
      encrypted way because some sucurity scanners classify the binary as
      undesirable/unwanted/whatever. To decrypt the pwdump.zip archive
      use the password "dontscare".


	Windows NT Password Dump Utility
        --------------------------------

This handy utility dumps the password database of an NT machine that
is held in the NT registry (under
HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users) into a valid
smbpasswd format file. This should be a help to Samba administrators
who have a master password database on a Windows NT machine and need
to keep this in sync with the smbpasswd file on their UNIX/Samba
server.

This utility dumps NT password entries in the format :

<user>:<id>:<lanman pw>:<NT pw>:comment:homedir:

Where <user> is the user-name on Windows NT, <id> is the Windows NT
RID (relative ID) - the last 32 bit component of the Windows NT users
SID, <lanman pw> is the users lanman password hash, <NT pw> is the
users Windows NT (md4) password hash - note that if the user has no
password these will be dumped as the string 'NO PASSWORD*****', if the
account is disabled or invalid these are dumped as 32 '*'
characters. The comment is a concatenation of the users full name on
Windows NT and the description field in the Windows NT user-manager
program. The homedir cannot contain ':' characters unfortunately, as
these are used as field separators in the smbpasswd file (as per
UNIX), all ':' characters after drive letters are dumped as '_'
characters.

How to use pwdump 
-----------------

Only as a suggestion, I would recommend dumping your NT machines
account database and then creating regular UNIX users (in /etc/passwd)
with the same UNIX account numbers as their NT RID - this will make
replicating the smbpasswd file much easier later on. These /etc/passwd
accounts may have disabled password entries, prohibiting the NT users
from logging onto the UNIX box via telnet (this is similar to removing
the 'log on locally' right on an NT server). This will not prohibit
them from using the Samba box as a server via Samba though. The
created smbpasswd file may then be copied to the
$SAMBA/private/smbpasswd file (where $SAMBA is the base directory you
installed Samba into). If Samba is set up for user level security and
encrypted passwords (set :

security = user encrypted passwords = yes

in your smb.conf file) then Windows NT / 95 users who have logged on
to the NT domain will be able to transparently access the resources on
the Samba box as their correct UNIX user id's (the ones you originally
created). You can then set up a 'AT' job on your NT server to
periodically dump your NT password database into a new smbpasswd file
and copy it over (securely somehow) to the Samba server to keep the
password databases on the two machines in sync.

The pwdump.exe utility can take a \\machine name as argument, it will
then proceed to dump the password database from that machine instead
of the local machine, if it has sufficient privillages to do so. By
default it will dump the password database of the local machine.

NOTE: The passwords dumped by this utility are 'plain-text equivalent'
in the CIFS protocol and *MUST* be protected. The UNIX security on the
smbpasswd file *MUST* be set to (owner root, permissions rw------- -
ie. read/write owner, no access to anyone else).


Future Enhancements 
-------------------

As this code decrypts the obfuscication step in the NT password
database it may be reversed, allowing a lanman and md4 hash to be
written into the NT registry for a user account. This would allow a
UNIX/Samba box to be the master repository for user account details,
and the account passwords to be replicated and 'brute forced' into the
NT password database, bypassing the rather baroque NT API mechanisms.

This code doesn't attempt to do this however, this is left as an
'exercise to the reader' (or an enterprising university somewhere :-).


How it works 
------------

This utility takes great pains to maintain NT security as it wanders
through the NT SAM areas of the registry. It will not even run is you
are not running as Administrator. Firstly it goes through and adds the
'minimum necessary change' (see Asimov's 'the End of Eternity' :-) to
allow the program to read the password entries. It dumps the users
entries (see the code for details) and then goes back through the
registry restoring the security on all the keys it touched. I have
tested this code on NT Server/Workstation 4.0 and NT 3.51 and have
never had problems, but as always, this code has *NO GUARANTEE*
associated.

Source code 
-----------

The source code for this utility may be found in 

ftp://samba.anu.edu.au/pub/samba/pwdump/pwdump.c

Note that this code needs a DES library to compile. The one I used in
development is Eric Young's excellent DES library found at :

ftp://ftp.psy.uq.oz.au/pub/Crypto/DES/libdes-4.01.tar.gz

which compiles fine under Windows NT. I used Microsoft Visual C++ 4.x
as the compile environment. The code pwdump.exe is provided for people
who do not have a compiler and is a binary of the program for x86 NT
machines (are there any other kind :-).

Please report all bugs to :

Jeremy Allison,
jeremy@valinux.com