Everhart, Glenn
From: Paul Ashton [paul@ARGO.DEMON.CO.UK]
Sent: Thursday, February 12, 1998 6:41 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: What to do with a password hash?

Several times on this list I've mentioned the issue about password equivalents/hashes. Previously I published a tiny patch to samba that allows you to use these hashes to authenticate, but recently I've been asked how you could use them without having to resort to that ugly word "unix".

The standard NT authentication package MSV1_0 makes a copy of your hashed password and supplies it later on when you attempt to access remote services. I think that replacing the hash at this point would involve quite a bit of work. Anybody got source to a replacement authentication package anywhere?

The easiest thing to do is to change the password and change it back later. You can change a password using only knowledge of the old hash using CIFS/SMB function 115. The only problem is that you lose the NT hash in the process. Newer functions require knowledge of the plaintext password so that the server can do quality checks on it. That means that you can change the password to anything you want, but you can't change it back. There may be other APIs such as those mentioned in the ms CHAP extensions document that allow you to preserve both hashes.

How do you retrieve a password hash?

After you have gained admin access to your machine, you can use my LSA secrets program in the ntbugtraq archives as lsadump nl$1 which gives you the nthash then lmhash then 3 flag bytes. You'll need to do some detective work to find out who it refers to.

You can use Jeremy Allison's PWDUMP to dump the password hashes in the SAM.

You can use Todd Sabin's PWDUMP2 (I begged him to call it UNLEACH but he refused :-) ). This works by injecting a DLL into LSASS and asking it to dump the hashes. This works after syskey has been applied.
If the password is 7 characters or less you can ask a DC to send the LMhash of any user who you also have a valid challenge response from.

Roll on Kerberos...

Cheers,
Paul

--
"Samba: NT file, print, and domain control. Free with 50000 CALs, extra CALs: $0 each"
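The LM-hash property Paul relies on above (a password of 7 characters or less leaves the second half of the LM hash equal to a fixed constant) can be used the other way round, as an audit that flags which accounts in a hash dump are exposed. This is an added example, not part of the original message; it assumes the common pwdump output format `user:RID:LMHASH:NTHASH:::` and uses constructed (invented) hash values apart from the two well-known empty-password constants.

```python
"""Audit a pwdump-style dump for LM-hash exposure (added example, defensive use)."""
from typing import Dict, List, Tuple

# LM hash of the empty string: DES("KGS!@#$%") under an all-zero key, twice.
# A password of 1-7 chars fills only the first DES block, so the second half
# of its LM hash equals this constant, which gives the length away.
LM_EMPTY_HALF = "AAD3B435B51404EE"
# NT hash (MD4 of the UTF-16LE password) of the empty string.
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"


def classify(lm_hash: str, nt_hash: str) -> str:
    """Return a risk class for one account based on its stored hashes."""
    lm, nt = lm_hash.upper(), nt_hash.upper()
    if nt == NT_EMPTY:
        return "empty-password"
    if lm == LM_EMPTY_HALF * 2:
        return "lm-disabled"   # only the NT hash is stored
    if lm[16:] == LM_EMPTY_HALF:
        return "lm-short"      # password is 1-7 chars: one DES block to attack
    return "lm-full"           # 8-14 chars, but still two independent 7-char halves


def parse_line(line: str) -> Tuple[str, int, str, str]:
    """Parse 'user:RID:LMHASH:NTHASH:::' (assumed pwdump format)."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = fields[:4]
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError(f"hash fields must be 32 hex chars: {line!r}")
    return user, int(rid), lm, nt


def audit(dump: str) -> Dict[str, List[str]]:
    """Group account names by risk class, skipping blank and '#' comment lines."""
    report: Dict[str, List[str]] = {
        "empty-password": [], "lm-disabled": [], "lm-short": [], "lm-full": []}
    for line in dump.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _rid, lm, nt = parse_line(line)
        report[classify(lm, nt)].append(user)
    return report


# Constructed sample dump: every hash below is invented except the empty-password constants.
SAMPLE = """\
# user:RID:LMHASH:NTHASH:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
svc_backup:1001:0123456789ABCDEFAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
alice:1002:AAD3B435B51404EEAAD3B435B51404EE:FFEEDDCCBBAA99887766554433221100:::
bob:1003:FEDCBA9876543210FEDCBA9876543210:0F1E2D3C4B5A69788796A5B4C3D2E1F0:::
"""

if __name__ == "__main__":
    for risk, users in audit(SAMPLE).items():
        print(f"{risk:15s} {', '.join(users) or '-'}")
```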