Everhart,Glenn
From:	Paul Ashton [paul@ARGO.DEMON.CO.UK]
Sent:	Thursday, February 12, 1998 6:41 AM
To:	NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject:	What to do with a password hash?
Several times on this list I've mentioned the issue
about password equivalents/hashes. Previously I published
a tiny patch to samba that allows you to use these hashes
to authenticate, but recently I've been asked how you could
use them without having to resort to that ugly word "unix".

The standard NT authentication package MSV1_0 makes a copy
of your hashed password and supplies it later on when you
attempt to access remote services. I think that replacing
the hash at this point would involve quite a bit of work.
Anybody got source to a replacement authentication package
anywhere?

The easiest thing to do is to change the password and
change it back later. You can change a password using
only knowledge of the old hash using CIFS/SMB function
115. The only problem is that you lose the NT hash in
the process.
Newer functions require knowledge of the plaintext
password so that the server can do quality checks on
it. That means that you can change the password to
anything you want, but you can't change it back.

There may be other APIs such as those mentioned in
the MS-CHAP extensions document that allow you to
preserve both hashes.

How do you retrieve a password hash? After you have
gained admin access to your machine, you can use my
LSA secrets program in the ntbugtraq archives as
lsadump nl$1 which gives you the nthash then lmhash
then 3 flag bytes. You'll need to do some detective
work to find out who it refers to.

You can use Jeremy Allison's PWDUMP to dump the
password hashes in the SAM.

You can use Todd Sabin's PWDUMP2 (I begged him to
call it UNLEACH but he refused :-) ). This works
by injecting a DLL into LSASS and asking it to
dump the hashes. This works after syskey has been
applied.

If the password is 7 characters or less you can
ask a DC to send the LM hash of any user whom you
also have a valid challenge response from.

Roll on Kerberos...

Cheers,

Paul
--
"Samba: NT file, print, and domain control.
Free with 50000 CALs, extra CALs: $0 each"
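Added example (not part of Paul Ashton's post, and not code from any of the tools he names): a small audit script for the pwdump-style dump format (`user:rid:lmhash:nthash:::`) that flags the two conditions the post describes from the defender's side. Stored LM hashes are what make the "change it back" trick and the ≤7-character LM leak possible, so an administrator wants to know which accounts still carry one. The check relies on two well-known constants: the LM half-hash of an empty 7-byte half (`aad3b435b51404ee`), which is also what dump tools print when no LM hash is stored at all, and the NT hash of an empty password (MD4 of the empty UTF-16LE string). The sample dump lines are constructed; the non-constant hex values in them are placeholders, not real hashes.

```python
"""Audit a pwdump-style hash dump for LM-hash exposure (added example)."""
from dataclasses import dataclass
from typing import List, Dict

# LM hashing splits the password into two 7-byte halves and DES-encrypts a fixed
# string with each half as key. An all-NUL half always yields this constant, so
# a password of 7 characters or less has this value as its second 16 hex digits.
LM_EMPTY_HALF = "aad3b435b51404ee"
# MD4 of the empty UTF-16LE string: the NT hash of an empty password.
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX = set("0123456789abcdef")


@dataclass
class Finding:
    user: str
    rid: int
    lm_stored: bool   # an LM hash of a real password is present
    lm_short: bool    # password is at most 7 characters (second half is the constant)
    lm_empty: bool    # both halves constant: empty password, or no LM hash stored
    nt_empty: bool    # NT hash of the empty password


def _is_hash(value: str) -> bool:
    """True for a 32-digit hex string (both LM and NT hashes are 16 bytes)."""
    return len(value) == 32 and set(value) <= HEX


def parse_pwdump_line(line: str):
    """Split 'user:rid:lmhash:nthash:::' into its typed fields."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump-style line: %r" % line)
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    return user, int(rid), lm, nt


def audit_line(line: str) -> Finding:
    """Classify one account's LM/NT hash pair."""
    user, rid, lm, nt = parse_pwdump_line(line)
    # Some dump tools print a text marker instead of a hash when LM is absent.
    if not _is_hash(lm):
        lm = LM_EMPTY_HALF * 2
    if not _is_hash(nt):
        raise ValueError("malformed NT hash for %s" % user)
    first, second = lm[:16], lm[16:]
    lm_empty = first == LM_EMPTY_HALF and second == LM_EMPTY_HALF
    lm_stored = not lm_empty
    lm_short = lm_stored and second == LM_EMPTY_HALF
    return Finding(user, rid, lm_stored, lm_short, lm_empty, nt == NT_EMPTY)


def audit_dump(text: str) -> List[Finding]:
    """Audit every non-empty line of a dump."""
    return [audit_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count accounts in each risk bucket."""
    return {
        "lm_stored": sum(f.lm_stored for f in findings),
        "lm_short": sum(f.lm_short for f in findings),
        "lm_empty": sum(f.lm_empty for f in findings),
        "nt_empty": sum(f.nt_empty for f in findings),
    }


# Constructed sample dump. The 0123.../fedc.../ffff... values are placeholders.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdefaad3b435b51404ee:ffffffffffffffffffffffffffffffff:::
svc_backup:1001:0123456789abcdeffedcba9876543210:ffffffffffffffffffffffffffffffff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for f in audit_dump(SAMPLE_DUMP):
        flags = [k for k in ("lm_stored", "lm_short", "lm_empty", "nt_empty") if getattr(f, k)]
        print("%-15s rid=%-5d %s" % (f.user, f.rid, ",".join(flags) or "ok"))
    print(summarize(audit_dump(SAMPLE_DUMP)))
```

In the sample, Administrator has a stored LM hash whose second half is the constant, so the password is 7 characters or shorter: exactly the case the post says a DC will leak to anyone holding a valid challenge/response for that user. Guest shows the all-constant pattern, which is either an empty password or no LM hash at all; the dump alone cannot tell those apart, so the script reports both as `lm_empty` rather than guessing.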