[debian-edu-commits] [Debian Wiki] Update of "DebianEdu/HowTo/RecoverPasswords" by Martin Schulte

Debian Wiki debian-www at lists.debian.org
Tue Mar 26 21:02:32 UTC 2013


Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Debian Wiki" for change notification.

The "DebianEdu/HowTo/RecoverPasswords" page has been changed by Martin Schulte:
http://wiki.debian.org/DebianEdu/HowTo/RecoverPasswords

New page:
~+'''Recover passwords in clear text from ldap'''+~
------
From Lenny to Squeeze the authentication method changed completely, so you would have to set new passwords for all students. The workaround below describes how to recover the clear-text passwords from LDAP by cracking the LM and NT hashes.
<<TableOfContents(3)>>
= How it works =

If you add a new user and supply a password, several [[WikiPedia:Cryptographic_hash_function|hashes]] of this password are generated and stored in LDAP, for example an SHA hash, which is used by Linux systems. When someone logs in and enters a password, a hash of it is generated; if this hash equals the hash in the LDAP database, the user can log in. SHA is a [[WikiPedia:One-way_function|one-way function]]: there is (so far) no way to calculate the clear-text password from the hash. The only possibility is to try all combinations, which takes tens of years, especially because the hash is [[WikiPedia:Salt_(cryptography)|salted]].

Furthermore there is the [[WikiPedia:Lm_hash|LM hash]], which the Windows operating system uses. This hash is much weaker. On the one hand it is case-insensitive, so there are fewer possible passwords. On the other hand a password longer than 7 characters is split into two parts, and a hash is generated for each part independently. That is why you only need a database of hashes for all possible passwords of seven characters (letters + numbers + special characters). Then you look up the right hash in that database and get the clear-text password.

In a second step you need the [[WikiPedia:NTLM|NT hash]], which is used by newer Windows operating systems and is also stored in LDAP. This hash is case-sensitive. Once you have found the case-insensitive password, you can generate the hashes of all upper/lower-case combinations of it and check them against the NT hash from the LDAP database. This takes less than 1 second per password.

The LM hash only uses the first 14 characters of the password. For longer passwords you can try [[#manualOptions|this]].
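To make the weakness described above concrete, here is an added example in Go (not part of the wiki page or its attached Perl script) that computes an LM hash with the standard `crypto/des` package: upper-casing discards the case, and the two 7-byte halves are hashed independently. It also adds a small audit check, `ShortPasswordLM`, based on the well-known fact that the second half of the LM hash of a password with at most 7 characters is always the constant `aad3b435b51404ee`, which lets an administrator spot short passwords in a pwdump file. The function names are my own, and the code assumes ASCII passwords.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

// lmDESKey turns 7 password bytes into an 8-byte DES key: every 7 input bits
// become the high 7 bits of one key byte (DES ignores the low, parity bit).
func lmDESKey(half []byte) []byte {
	var bits uint64
	for _, b := range half {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte((bits>>(49-7*i))&0x7F) << 1
	}
	return key
}

// LMHash computes the LAN Manager hash of a password as hex. Assumption: ASCII
// only; the OEM code-page upper-casing of ä, æ, ß etc. is not reproduced here.
func LMHash(password string) string {
	pw := []byte(strings.ToUpper(password)) // case is discarded right here
	if len(pw) > 14 {
		pw = pw[:14] // characters beyond the 14th never influence the hash
	}
	padded := make([]byte, 14) // null padding
	copy(padded, pw)
	var out []byte
	// Each 7-byte half is hashed on its own, so a table of 7-character halves
	// covers every 14-character password.
	for _, half := range [][]byte{padded[:7], padded[7:]} {
		block, _ := des.NewCipher(lmDESKey(half)) // key is always 8 bytes, no error
		ct := make([]byte, 8)
		block.Encrypt(ct, []byte("KGS!@#$%")) // the fixed LM plaintext
		out = append(out, ct...)
	}
	return hex.EncodeToString(out)
}

// ShortPasswordLM reports whether a 32-hex-digit LM hash belongs to a password
// of at most 7 characters: its second half is then the hash of an empty half,
// the well-known constant aad3b435b51404ee. Useful when auditing a pwdump file.
func ShortPasswordLM(lmHex string) bool {
	return len(lmHex) == 32 && strings.ToLower(lmHex[16:]) == "aad3b435b51404ee"
}
```

`LMHash("Skolelinux")` and `LMHash("SKOLELINUX")` return the same string, which is exactly why the rainbow tables only need to cover upper-case 7-character halves.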

== ophcrack ==

There is a nice open-source tool called [[http://ophcrack.sourceforge.net/|ophcrack]]. It handles the steps described above, using the mentioned databases (called [[WikiPedia:Rainbow_tables|rainbow tables]]), which can be downloaded from its homepage.

To use ophcrack, install the package `ophcrack` (it depends on ''Qt'', so do this on a workstation with a desktop environment). Then download the appropriate ''rainbow tables'' from http://ophcrack.sourceforge.net/tables.php. I used ''XP free fast'' and ''XP special'' (the Vista tables are only necessary if you only have the NT hash).

Load these tables using the ''Tables'' button in the menu.

Then you need to get the hashes and usernames from the Skolelinux LDAP.


= Getting the LM- and NT-hashes =
The attached script fetches the usernames and the corresponding LM and NT hashes from the Skolelinux LDAP. It generates the file `pwdump.txt`, which you can load into ''ophcrack''. To run the script, put it somewhere on a computer in your Skolelinux network from where you can access LDAP.

The script is written in ''Perl'', so you need `perl` (installed by default on Debian Edu machines). Furthermore you need to install the packages {{{libnet-ldap-perl}}} and {{{libcrypt-smbhash-perl}}}.

In line 24 of the script you have to enter your LDAP password. If not changed, this is the root password of tjener. Therefore it is a good idea to give read and execute rights on the script only to the right users.

Then run
{{{
   perl recoverPasswords.pl pwdump
}}}

This generates a file `pwdump.txt` in the same directory as the script. It contains the usernames and the corresponding LM and NT hashes in [[WikiPedia:Pwdump|pwdump]] syntax.

= Running ophcrack =
Open ''ophcrack'', click ''Load'', then ''PWDUMP file'', and choose the file `pwdump.txt` generated by the script. Now you see all users and their hashes. Click ''Crack''; ophcrack now tries to find the clear-text passwords using its tables. This can take a while (approx. 30-60 min for 1000 users).

Keep in mind that ophcrack can't handle filenames and paths with special characters (like ä, æ, ß).

== Generate a CSV file for gosa ==

After ophcrack has finished, choose ''Save'' and then ''Save to file''. Save it in the same folder as the Perl script and choose `ophcrack.txt` as the filename. Then run the script again with the option `csv`.
{{{
   perl recoverPasswords.pl csv
}}}

This generates CSV files with usernames and clear-text passwords, which you can import using gosa.

<<Anchor(manualOptions)>> 
== Options for the CSV file ==
There are some options to control the generation of the CSV files. You can set them by changing the values of the variables in lines 25, 26 and 27 of the Perl script.
 $templatename:: The name of the template you will use in gosa. This is only used as part of the filename if you want to generate different CSV files.
 $useTemplateFromFunction::
 :: If set to 1, the result of the function `template()` (near the end of the script) will be used as the template name. This function calculates the template name for each user. I use this because I want to use different templates in gosa. Each age group has its own subfolder in ''/skole/tjener/home0'', like ''/skole/tjener/home0/year11'', ''/skole/tjener/home0/year11'', ... . For each year I have my own gosa template. The function derives the template name from the home folder path. You can overwrite this function and adapt it to your needs.
 :: For every different template a separate CSV file will be generated.
 $checkAgain:: If set to 1, the password from ophcrack is checked again during generation of the CSV file. This is useful if someone changed their password during this process.

If there is any problem with a user (no password found, etc.), this user and the results up to that point are written into the file `users.skiped`.

= Manual operations =
If you have problems with a user, you can try to find the password manually.

If a password is longer than 14 characters, ophcrack only finds the first 14 characters of it using the LM hash (there is one table on the homepage for 16-character passwords). Say you found ''SkOLeLiNuXDebI'' for user ''john'' and you have an idea of the missing characters; then you can run
{{{
   perl recoverPasswords.pl check john SkOLeLiNuXDebIan
}}}
This checks all upper/lower-case combinations of the given password and prints the result if one matches.

There are some online tools like http://www.md5decrypter.co.uk/ntlm-decrypt.aspx and http://crackstation.net/ which can crack hashes of passwords up to 16 characters long.


