Note: This utility accesses and exports password information from the Microsoft Windows security databases. Some antivirus heuristics interpret such access as malicious and will, therefore, identify this utility as a threat. Systems administrators should understand the purpose of this utility, and should determine for themselves whether its presence is a real threat. As an additional precaution, the GPG signature of the executable should be verified. The signature was created with key ID 0x6568B7EA. In addition, the utility is now stored in encrypted form because some security scanners classify the binary as undesirable/unwanted. To decrypt the pwdump.zip archive use the password "dontscare".

Windows NT Password Dump Utility
--------------------------------

This handy utility dumps the password database of an NT machine that is held in the NT registry (under HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users) into a valid smbpasswd format file. This should be a help to Samba administrators who have a master password database on a Windows NT machine and need to keep this in sync with the smbpasswd file on their UNIX/Samba server.

This utility dumps NT password entries in the format:

    <user>:<rid>:<lanman hash>:<nt hash>:comment:homedir:

Where <user> is the user-name on Windows NT, <rid> is the Windows NT RID (relative ID) - the last 32 bit component of the Windows NT user's SID, <lanman hash> is the user's lanman password hash, and <nt hash> is the user's Windows NT (md4) password hash. Note that if the user has no password these will be dumped as the string 'NO PASSWORD*****'; if the account is disabled or invalid these are dumped as 32 '*' characters. The comment is a concatenation of the user's full name on Windows NT and the description field in the Windows NT User Manager program. The homedir cannot contain ':' characters unfortunately, as these are used as field separators in the smbpasswd file (as per UNIX), so all ':' characters after drive letters are dumped as '_' characters.
How to use pwdump
-----------------

Only as a suggestion, I would recommend dumping your NT machine's account database and then creating regular UNIX users (in /etc/passwd) with the same UNIX account numbers (uids) as their NT RIDs - this will make replicating the smbpasswd file much easier later on. These /etc/passwd accounts may have disabled password entries, prohibiting the NT users from logging onto the UNIX box via telnet (this is similar to removing the 'log on locally' right on an NT server). This will not prohibit them from using the Samba box as a server via Samba though.

The created smbpasswd file may then be copied to the $SAMBA/private/smbpasswd file (where $SAMBA is the base directory you installed Samba into). If Samba is set up for user level security and encrypted passwords, i.e. you have set

    security = user
    encrypted passwords = yes

in your smb.conf file, then Windows NT / 95 users who have logged on to the NT domain will be able to transparently access the resources on the Samba box as their correct UNIX user ids (the ones you originally created).

You can then set up an 'AT' job on your NT server to periodically dump your NT password database into a new smbpasswd file and copy it over (securely somehow) to the Samba server to keep the password databases on the two machines in sync.

The pwdump.exe utility can take a \\machine name as argument; it will then proceed to dump the password database from that machine instead of the local machine, if it has sufficient privileges to do so. By default it will dump the password database of the local machine.

NOTE: The passwords dumped by this utility are 'plain-text equivalent' in the CIFS protocol and *MUST* be protected. The UNIX security on the smbpasswd file *MUST* be set to owner root, permissions rw------- (i.e. read/write owner, no access to anyone else).
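The following is an added example, not code from pwdump or Samba, that ties the dump format documented in the previous section to the procedure in this one: it parses constructed pwdump output lines (the hash values are made up), distinguishes real hashes from the 'NO PASSWORD' and disabled markers, undoes the drive-letter ':' to '_' substitution for display, emits /etc/passwd entries whose uid is the NT RID with a locked password field, and writes the smbpasswd copy with the rw------- mode required above and then checks owner and mode. The gid, login shell, UNIX home directory and the 32-character padding of the 'NO PASSWORD' marker in the sample are assumptions the README does not state; the permission handling is POSIX-only.

```python
"""Added example (not pwdump's or Samba's code): parse pwdump output and
derive the UNIX-side accounts and the 0600 smbpasswd copy. POSIX only."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
DISABLED = "*" * 32                       # disabled/invalid account marker
NO_PASSWORD = "NO PASSWORD" + "*" * 21    # assumption: padded to the 32-char hash width

# Constructed sample in the README's format (hash values are made up):
#   user:rid:lanman-hash:nt-hash:comment:homedir:
SAMPLE_DUMP_LINES = [
    ":".join(["alice", "1001", "0123456789ABCDEF0123456789ABCDEF",
              "FEDCBA9876543210FEDCBA9876543210",
              "Alice Example Accounts payable", r"C_\Users\alice", ""]),
    ":".join(["bob", "1002", NO_PASSWORD, NO_PASSWORD, "Bob Example", r"C_\Users\bob", ""]),
    ":".join(["guest", "501", DISABLED, DISABLED, "Guest account", r"C_\Users\guest", ""]),
]


@dataclass
class DumpEntry:
    user: str
    rid: int
    lm_hash: Optional[str]   # None when there is no LM password or the account is disabled
    nt_hash: Optional[str]   # None when there is no NT password or the account is disabled
    comment: str
    homedir: str             # as dumped: '_' stands in for the drive-letter ':'
    disabled: bool

    @property
    def windows_homedir(self) -> str:
        """Undo the ':' -> '_' substitution after the drive letter."""
        return re.sub(r"^([A-Za-z])_", r"\1:", self.homedir, count=1)


def classify_hash(field: str) -> Tuple[str, Optional[str]]:
    """Return ('disabled' | 'none' | 'hash', hex-or-None) for one hash field."""
    if field == DISABLED:
        return "disabled", None
    if field.startswith("NO PASSWORD"):   # key on the prefix; padding width may vary
        return "none", None
    if HASH_RE.match(field):
        return "hash", field.upper()
    raise ValueError(f"unrecognised hash field: {field!r}")


def parse_line(line: str) -> DumpEntry:
    """Parse one pwdump line; ':' is the separator, so no field may contain it."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) < 6:
        raise ValueError(f"expected at least 6 ':'-separated fields: {line!r}")
    user, rid, lm_field, nt_field, comment, homedir = fields[:6]
    lm_state, lm_hash = classify_hash(lm_field)
    nt_state, nt_hash = classify_hash(nt_field)
    disabled = "disabled" in (lm_state, nt_state)
    return DumpEntry(user, int(rid), lm_hash, nt_hash, comment, homedir, disabled)


def passwd_line(entry: DumpEntry, gid: int = 100, shell: str = "/bin/false") -> str:
    """/etc/passwd entry with uid == NT RID and a locked ('*') password: the NT
    user cannot log on to the UNIX box but can still use Samba shares.
    gid, shell and /home/<user> are assumptions; the README does not fix them."""
    gecos = entry.comment.replace(":", " ")
    return f"{entry.user}:*:{entry.rid}:{gid}:{gecos}:/home/{entry.user}:{shell}"


def write_smbpasswd(path: str, lines: List[str]) -> None:
    """Create/overwrite `path` with mode 0600, refusing to follow a symlink;
    fchmod also tightens a pre-existing file that had a looser mode."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, ("\n".join(lines) + "\n").encode())
    finally:
        os.close(fd)


def check_smbpasswd_perms(path: str, owner_uid: int = 0) -> List[str]:
    """Return the problems found; empty means owner and rw------- are correct."""
    st = os.stat(path)
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if stat.S_IMODE(st.st_mode) != 0o600:
        problems.append(f"mode is {oct(stat.S_IMODE(st.st_mode))}, expected 0o600")
    return problems


def demo_sync(lines: Optional[List[str]] = None) -> Tuple[List[DumpEntry], List[str], List[str]]:
    """Parse the dump, build /etc/passwd lines and write a 0600 smbpasswd copy
    into a temp dir, checked against the current uid (root in real use)."""
    lines = lines or SAMPLE_DUMP_LINES
    entries = [parse_line(line) for line in lines]
    passwd = [passwd_line(e) for e in entries]
    path = os.path.join(tempfile.mkdtemp(), "smbpasswd")
    write_smbpasswd(path, lines)
    return entries, passwd, check_smbpasswd_perms(path, owner_uid=os.getuid())


if __name__ == "__main__":
    entries, passwd, problems = demo_sync()
    for e, p in zip(entries, passwd):
        print(f"{e.user:8} rid={e.rid} disabled={e.disabled} nt_hash={e.nt_hash} home={e.windows_homedir}")
        print("  ", p)
    print("smbpasswd copy problems:", problems or "none")
```

In real use the copy is written as root into $SAMBA/private and checked with owner_uid=0; the example checks against the invoking uid only so that it runs unprivileged. Note that the parser keeps the dumped homedir (with '_') for the smbpasswd copy, since the README requires that the field never contain ':'.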
Future Enhancements
-------------------

As this code decrypts the obfuscation step in the NT password database it may be reversed, allowing a lanman and md4 hash to be written into the NT registry for a user account. This would allow a UNIX/Samba box to be the master repository for user account details, and the account passwords to be replicated and 'brute forced' into the NT password database, bypassing the rather baroque NT API mechanisms. This code doesn't attempt to do this however; this is left as an 'exercise to the reader' (or an enterprising university somewhere :-).

How it works
------------

This utility takes great pains to maintain NT security as it wanders through the NT SAM areas of the registry. It will not even run if you are not running as Administrator. Firstly it goes through and adds the 'minimum necessary change' (see Asimov's 'The End of Eternity' :-) to allow the program to read the password entries. It dumps the user entries (see the code for details) and then goes back through the registry restoring the security on all the keys it touched.

I have tested this code on NT Server/Workstation 4.0 and NT 3.51 and have never had problems, but as always, this code has *NO GUARANTEE* associated.

Source code
-----------

The source code for this utility may be found in

    ftp://samba.anu.edu.au/pub/samba/pwdump/pwdump.c

Note that this code needs a DES library to compile. The one I used in development is Eric Young's excellent DES library found at:

    ftp://ftp.psy.uq.oz.au/pub/Crypto/DES/libdes-4.01.tar.gz

which compiles fine under Windows NT. I used Microsoft Visual C++ 4.x as the compile environment.

The code pwdump.exe is provided for people who do not have a compiler and is a binary of the program for x86 NT machines (are there any other kind :-).

Please report all bugs to: Jeremy Allison, jeremy@valinux.com