def mkpasswd(pwd, sambaver=3, default='ssha'):
    """Hash ``pwd`` with the scheme named by ``default``.

    Written for LDAP, hence the seeded-SHA default.  Digest schemes return
    ``{SCHEME}`` followed by base64 text with the trailing newline removed;
    ``crypt`` returns ``{CRYPT}`` plus the crypt string; ``lmhash`` and
    ``nthash`` return the smbpasswd hash behind a prefix selected by
    ``sambaver`` (2 or 3; any other value gives ``None``).

    An unsupported scheme yields an explanatory string instead of raising,
    so callers have to check for it before storing the result.

    Security note: all of these are fast hashes.  'sha' and 'md5' carry no
    salt and the LM hash is weak by design, so prefer 'ssha' among the
    schemes offered here.
    """
    schemes = ['sha', 'ssha', 'md5', 'smd5']
    if _crypt:
        schemes.append('crypt')
    if smb:
        schemes += ['lmhash', 'nthash']

    if default not in schemes:
        return 'algorithm <%s> not supported in this version.' % default

    # Drawn for every scheme, including the ones that never use it.
    salt = getsalt()

    if default == 'ssha':
        digest = sha.new(str(pwd) + salt).digest()
        # encodestring() ends its output with a newline; the slice drops it.
        return ("{SSHA}" + base64.encodestring(digest + salt))[:-1]

    if default == 'sha':
        digest = sha.new(str(pwd)).digest()
        return ("{SHA}" + base64.encodestring(digest))[:-1]

    if default == 'md5':
        digest = md5.new(str(pwd)).digest()
        return ("{MD5}" + base64.encodestring(digest))[:-1]

    if default == 'smd5':
        # Newer versions of OpenLDAP should support the default length 16
        salt = getsalt(length=4)
        digest = md5.new(str(pwd) + salt).digest()
        return ("{SMD5}" + base64.encodestring(digest + salt))[:-1]

    if default == 'crypt':
        # crypt only uses a salt of length 2
        return "{CRYPT}" + crypt.crypt(str(pwd), getsalt(length=2))

    if default == 'lmhash':
        if sambaver == 3:
            return "{sambaLMPassword}" + smbpasswd.lmhash(pwd)
        if sambaver == 2:
            return "{lmPassword}" + smbpasswd.lmhash(pwd)
        return None

    # Only 'nthash' can reach this point.
    if sambaver == 3:
        return "{sambaNTPassword}" + smbpasswd.nthash(pwd)
    if sambaver == 2:
        return "{NTPassword}" + smbpasswd.nthash(pwd)
    return None
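def mkpasswd(pwd, hash='ssha'):
    """Generate hashed passwords.

    Originated from mkpasswd in Luma.

    ``hash`` names the scheme.  Digest schemes return ``{SCHEME}`` followed
    by the base64 text produced by ``base64.encodestring``; ``crypt``
    returns ``{CRYPT}`` plus the crypt string; ``lmhash`` / ``nthash``
    (offered only when ``update_sambapassword`` is set) return the bare
    smbpasswd hash.  An unsupported name yields an explanatory string
    instead of raising, so callers have to check for it.

    Security note: 'sha' and 'md5' are unsalted and every scheme here is a
    fast hash; the LM hash is weak by design.
    """
    alg = {
        'ssha': 'Seeded SHA-1',
        'sha': 'Secure Hash Algorithm',
        'smd5': 'Seeded MD5',
        'md5': 'MD5',
        'crypt': 'Standard unix crypt'
    }
    # Don't add support for sambapasswords unless we're using it
    if (update_sambapassword):
        alg['lmhash'] = 'Lanman hash'
        alg['nthash'] = 'NT Hash'

    if hash not in alg.keys():
        return "Algorithm <%s> not supported in this version." % hash
    else:
        salt = getsalt()
        # NOTE(review): encodestring() appends a newline that is returned as
        # part of the value; confirm callers strip it before writing it to
        # the directory.
        if hash == "ssha":
            return "{SSHA}" + base64.encodestring(
                sha.new(str(pwd) + salt).digest() + salt)
        elif hash == "sha":
            return "{SHA}" + base64.encodestring(sha.new(str(pwd)).digest())
        elif hash == "md5":
            # Fixed: an MD5 digest was being labelled "{SHA}", so a server
            # would compare it with the wrong algorithm.
            return "{MD5}" + base64.encodestring(md5.new(str(pwd)).digest())
        elif hash == "smd5":
            # Fixed: the scheme tag was the typo "{SMD%}".
            return "{SMD5}" + base64.encodestring(
                md5.new(str(pwd) + salt).digest() + salt)
        elif hash == "crypt":
            return "{CRYPT}" + crypt.crypt(str(pwd), getsalt(length=2))
        # nt/lm-hash are used directly in their own password-attributes..
        # no need to prefix the hash
        elif hash == "lmhash":
            return smbpasswd.lmhash(pwd)
        elif hash == "nthash":
            return smbpasswd.nthash(pwd)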
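def admin(request):
    """Let an LDAP administrator set another user's password.

    Renders ``access_denied.html`` unless the requesting user's profile has
    ``is_ldap_admin`` set.  On a valid POST the password is changed through
    ``admin_change_password`` and the Samba LM/NT hash attributes are
    rewritten; otherwise the (possibly invalid) form is rendered again.
    """
    admin_member = retrieve_member(request)
    if not request.user.profile.is_ldap_admin:
        # NOTE(review): this is rendered with the default 200 status;
        # consider status=403 so proxies and monitoring see the denial.
        return render(request, 'access_denied.html')

    users = admin_member.list_users()

    if request.method != 'POST':
        form = AdminForm(request=request, users=users)
        return render(request, 'admin.html', {'form': form})

    form = AdminForm(request.POST, request=request, users=users)
    if not form.is_valid():
        return render(request, 'admin.html', {'form': form})

    username = form.cleaned_data['username']
    new_password = form.cleaned_data['password1']
    admin_member.admin_change_password(username, new_password)

    member = MemberValues(username, new_password)
    # NOTE(review): the LM hash is weak by design; keep writing it only if a
    # client still depends on sambaLMPassword.
    member.set('sambaLMPassword', smbpasswd.lmhash(new_password))
    member.set('sambaNTPassword', smbpasswd.nthash(new_password))
    member.save()

    new_form = AdminForm(request=request, users=users)
    # Interpolate after the gettext lookup: formatting the name in first
    # produced a string that never matches a catalogue entry.
    message = _('The password for %s was changed. Thank you!') % username
    return render(request, 'admin.html',
                  {'message': message, 'form': new_form})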
def set_password(self, password):
    """Store the hashed password and, when Samba is enabled, its Samba hashes.

    ``self.password`` always receives ``hash_password(password)``.  The NT
    and LM hashes and the last-set timestamp are written only when
    ``settings.GRANADILLA_USE_SAMBA`` is true.
    """
    self.password = hash_password(password)

    if not settings.GRANADILLA_USE_SAMBA:
        return

    # Imported here so smbpasswd is required only when Samba support is on.
    import smbpasswd

    self.samba_ntpassword = smbpasswd.nthash(password)
    # NOTE(review): the LM hash is weak by design; confirm a client still
    # needs this attribute.
    self.samba_lmpassword = smbpasswd.lmhash(password)
    now = int(time.time())
    self.samba_pwdlastset = now
def changeUserPasswd(self, uid, passwd, oldpasswd = None, bind = False):
    """
    Change a SAMBA user's password by rewriting the hash attributes in LDAP.

    @param uid: user name
    @type uid: str

    @param passwd: non encrypted password
    @type passwd: str

    ``oldpasswd`` and ``bind`` are accepted but not used in this body.
    Always returns 0.
    """
    # Don't update the password if we are using smbk5passwd
    conf = SambaConf()
    sync = conf.isValueTrue(conf.getContent("global", "ldap passwd sync"))
    if sync not in (0, 1):
        return 0

    userdn = self.searchUserDN(uid)
    r = AF().log(PLUGIN_NAME, AA.SAMBA_CHANGE_USER_PASS, [(userdn,AT.USER)])

    # If the passwd has been encoded in the XML-RPC stream, decode it
    if isinstance(passwd, xmlrpclib.Binary):
        passwd = str(passwd)

    result = self.l.search_s(userdn, ldap.SCOPE_BASE)
    _dn, old = result[0]
    new = old.copy()
    # NOTE(review): the LM hash is weak by design; confirm it is still
    # required before continuing to store it.
    new['sambaLMPassword'] = [smbpasswd.lmhash(passwd)]
    new['sambaNTPassword'] = [smbpasswd.nthash(passwd)]
    new['sambaPwdLastSet'] = [str(int(time()))]

    # Update LDAP
    changes = ldap.modlist.modifyModlist(old, new)
    self.l.modify_s(userdn, changes)

    # NOTE(review): the hook receives the cleartext password; whatever is
    # registered for it must not log or persist that value.
    self.runHook("samba.changeuserpasswd", uid, passwd)
    r.commit()
    return 0
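def mkpasswd(pwd,hash='ssha'):
    """Generate hashed passwords.

    Originated from mkpasswd in Luma.

    ``hash`` names the scheme.  Digest schemes return ``{SCHEME}`` followed
    by the base64 text produced by ``base64.encodestring``; ``crypt``
    returns ``{CRYPT}`` plus the crypt string; ``lmhash`` / ``nthash``
    (offered only when ``update_sambapassword`` is set) return the bare
    smbpasswd hash.  An unsupported name yields an explanatory string
    instead of raising, so callers have to check for it.

    Security note: 'sha' and 'md5' are unsalted and every scheme here is a
    fast hash; the LM hash is weak by design.
    """
    alg = {
        'ssha':'Seeded SHA-1',
        'sha':'Secure Hash Algorithm',
        'smd5':'Seeded MD5',
        'md5':'MD5',
        'crypt':'Standard unix crypt'
    }
    # Don't add support for sambapasswords unless we're using it
    if (update_sambapassword):
        alg['lmhash'] = 'Lanman hash'
        alg['nthash'] = 'NT Hash'

    if hash not in alg.keys():
        return "Algorithm <%s> not supported in this version." % hash
    else:
        salt = getsalt()
        # NOTE(review): encodestring() appends a newline that is returned as
        # part of the value; confirm callers strip it before writing it to
        # the directory.
        if hash == "ssha":
            return "{SSHA}" + base64.encodestring(sha.new(str(pwd) + salt).digest() + salt)
        elif hash == "sha":
            return "{SHA}" + base64.encodestring(sha.new(str(pwd)).digest())
        elif hash == "md5":
            # Fixed: an MD5 digest was being labelled "{SHA}", so a server
            # would compare it with the wrong algorithm.
            return "{MD5}" + base64.encodestring(md5.new(str(pwd)).digest())
        elif hash == "smd5":
            # Fixed: the scheme tag was the typo "{SMD%}".
            return "{SMD5}" + base64.encodestring(md5.new(str(pwd) + salt).digest() + salt)
        elif hash == "crypt":
            return "{CRYPT}" + crypt.crypt(str(pwd),getsalt(length=2))
        # nt/lm-hash are used directly in their own password-attributes..
        # no need to prefix the hash
        elif hash == "lmhash":
            return smbpasswd.lmhash(pwd)
        elif hash == "nthash":
            return smbpasswd.nthash(pwd)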
def add_lm_hashes(pwds):
    """Insert an (upper-case LM hash, plaintext) row into ``lm`` per password.

    Entries longer than 14 characters are skipped.  Uses the module-level
    cursor ``c`` and commits through ``lm_db`` once the loop has finished.
    """
    for plain in pwds:
        if len(plain) <= 14:
            lm_hex = smbpasswd.lmhash(plain).upper()
            row = "'{0}','{1}'".format(lm_hex, plain)
            # NOTE(review): the plaintext is spliced into the SQL text, so a
            # value containing a quote breaks or alters the statement.  Pass
            # the two values as bound parameters instead; the placeholder
            # syntax depends on the driver behind `c`, which is not visible
            # from this function.
            c.execute("INSERT INTO lm VALUES(" + row + ")")
    lm_db.commit()
def addSmbAttr(self, uid, password):
    """
    Add SAMBA password and attributes on a new user.

    Reads the user's current LDAP entry, applies the configured user
    defaults, adds the ``sambaSamAccount`` object class when missing, sets
    the account flags, SID and password hashes, writes the difference back
    and then advances the domain's next RID.
    """
    # Get domain info
    domainInfo = self.getDomain()

    # Get current user entry
    userdn = self.searchUserDN(uid)
    r = AF().log(PLUGIN_NAME, AA.SAMBA_ADD_SAMBA_CLASS, [(userdn,AT.USER)])
    found = self.l.search_s(userdn, ldap.SCOPE_BASE)
    _dn, old = found[0]
    new = self._applyUserDefault(old.copy(), self.configSamba.userDefault)

    if "sambaSamAccount" not in new['objectClass']:
        new['objectClass'].append("sambaSamAccount")
    new["sambaAcctFlags"] = ["[U ]"]
    domain_sid = domainInfo['sambaSID'][0]
    next_rid = int(domainInfo['sambaNextRid'][0]) + 1
    new["sambaSID"] = [domain_sid + '-' + str(next_rid)]

    # If the passwd has been encoded in the XML-RPC stream, decode it
    if isinstance(password, xmlrpclib.Binary):
        password = str(password)

    # If the passwd is in a dict
    # {'scalar': 'thepassword', 'xmlrpc_type': 'base64'}
    # take scalar
    if isinstance(password, dict):
        password = password['scalar']

    # NOTE(review): the LM hash is weak by design; confirm it is still
    # required before continuing to store it.
    new['sambaLMPassword'] = [smbpasswd.lmhash(password)]
    new['sambaNTPassword'] = [smbpasswd.nthash(password)]
    new['sambaPwdLastSet'] = [str(int(time()))]

    # Update LDAP
    changes = ldap.modlist.modifyModlist(old, new)
    self.l.modify_s(userdn, changes)
    self.updateDomainNextRID()

    # NOTE(review): the hook receives the cleartext password; whatever is
    # registered for it must not log or persist that value.
    self.runHook("samba.addsmbattr", uid, password)
    r.commit()
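def admin(request):
    """Let a member of the ``ldap_admins`` group set another user's password.

    Renders ``access_denied.html`` for anyone outside that group.  On a
    valid POST the password is changed through ``admin_change_password``
    and the Samba LM/NT hash attributes are rewritten; otherwise the
    (possibly invalid) form is rendered again.
    """
    admin_member = retrieve_member(request)
    # exists() asks the database for a yes/no answer instead of loading
    # every matching group just to count it.
    if not request.user.groups.filter(name__in=['ldap_admins']).exists():
        # NOTE(review): this is rendered with the default 200 status;
        # consider status=403 so proxies and monitoring see the denial.
        return render(request, 'access_denied.html')

    users = admin_member.list_users()

    if request.method != 'POST':
        form = AdminForm(request=request, users=users)
        return render(request, 'admin.html', {'form': form})

    form = AdminForm(request.POST, request=request, users=users)
    if not form.is_valid():
        return render(request, 'admin.html', {'form': form})

    username = form.cleaned_data['username']
    new_password = form.cleaned_data['password1']
    admin_member.admin_change_password(username, new_password)

    member = MemberValues(username, new_password)
    # NOTE(review): the LM hash is weak by design; keep writing it only if a
    # client still depends on sambaLMPassword.
    member.set('sambaLMPassword', smbpasswd.lmhash(new_password))
    member.set('sambaNTPassword', smbpasswd.nthash(new_password))
    member.save()

    new_form = AdminForm(request=request, users=users)
    # Interpolate after the gettext lookup: formatting the name in first
    # produced a string that never matches a catalogue entry.
    message = _('The password for %s was changed. Thank you!') % username
    return render(request, 'admin.html',
                  {'message': message, 'form': new_form})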
def password(request):
    """
    View that changes the requesting member's password on the LDAP server.

    A valid POST rewrites the Samba hash attributes, changes the LDAP
    password, stores the new password through ``store_ldap_password`` and
    returns the page with a fresh form and the ``sessionkey`` cookie set.
    Any other request renders the form.
    """
    member = retrieve_member(request)

    if request.method != 'POST':
        form = PasswordForm()
        return render(request, 'password.html', {'form': form, 'member': member.to_dict()})

    form = PasswordForm(request.POST, request=request)
    if not form.is_valid():
        return render(request, 'password.html', {'form': form, 'member': member.to_dict()})

    new_password = form.cleaned_data['password1']

    # change the password for the Wifi
    # NOTE(review): the LM hash is weak by design; keep writing it only if a
    # client still depends on sambaLMPassword.
    member.set('sambaLMPassword', smbpasswd.lmhash(new_password))
    member.set('sambaNTPassword', smbpasswd.nthash(new_password))
    member.save()

    # change the LDAP password
    # NOTE(review): the Samba hashes are saved before this call; if it
    # fails, the two credentials are left out of step.
    member.change_password(new_password)
    key = store_ldap_password(request, new_password)
    request.session.save()

    new_form = PasswordForm()
    context = {'message': _('Your password was changed. Thank you!'), 'form': new_form, 'member': member.to_dict()}
    response = render(request, 'password.html', context)
    # NOTE(review): the cookie is set without httponly/secure; once it is
    # confirmed that no client-side script reads it, pass httponly=True and
    # secure=True.
    response.set_cookie('sessionkey', key)
    return response
def change_password(cls, self, password):
    """Write the Samba NT and LM hashes of ``password`` onto ``self``.

    A ``unicode`` password is encoded with the default codec first.  The
    must-change marker is cleared and the last-set time becomes the current
    local time.
    """
    # NOTE(review): encode() without an argument uses the interpreter's
    # default codec; on Python 2 that is normally ASCII, so a non-ASCII
    # password would raise here.  Confirm the intended encoding.
    raw = password.encode() if isinstance(password, unicode) else password

    self.sambaNTPassword = smbpasswd.nthash(raw)
    # NOTE(review): the LM hash is weak by design; confirm it is still needed.
    self.sambaLMPassword = smbpasswd.lmhash(raw)
    self.sambaPwdMustChange = None
    self.sambaPwdLastSet = datetime.datetime.now()
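def ntlm(self):
    """Hash ``self.password`` with smbpasswd and record it under ``out['ntlm']``.

    Returns the hash string, or ``None`` when smbpasswd cannot be imported
    or the hashing fails.
    """
    try:
        import smbpasswd

        # NOTE(review): this calls lmhash(), yet the result is stored under
        # the 'ntlm' key with a '{ntlm}' header.  The LM hash and the NT hash
        # are different values; confirm which one consumers expect before
        # relying on the label.
        digest = smbpasswd.lmhash(self.password)
        self.out['ntlm'] = {
            'header': '{ntlm}',
            'salt': None,
            'hash': digest
        }
        return digest
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt and SystemExit
        # are no longer swallowed; a missing module or a hashing error still
        # yields None.
        return None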
def ntlm(password):
    """Return the tuple ``(NT hash, LanMan hash)`` for ``password``.

    The LanMan element is the empty string unless the registry variable
    ``password/samba/lmhash`` is true (it defaults to false), so the weak
    LM hash is produced only on explicit request.
    """
    nt_hash = smbpasswd.nthash(password)
    want_lm = configRegistry.is_true('password/samba/lmhash', False)
    lm_hash = smbpasswd.lmhash(password) if want_lm else ''
    return (nt_hash, lm_hash)
def mkpasswd(pwd, sambaver=3, default="ssha"):
    """Hash ``pwd`` with the scheme named by ``default``.

    Written for LDAP, hence the seeded-SHA default.  Digest schemes return
    ``{SCHEME}`` followed by base64 text with the trailing newline removed;
    ``crypt`` returns ``{CRYPT}`` plus the crypt string; ``lmhash`` and
    ``nthash`` return the smbpasswd hash behind a prefix selected by
    ``sambaver`` (2 or 3; any other value gives ``None``).

    An unsupported scheme yields an explanatory string instead of raising,
    so callers have to check for it before storing the result.

    Security note: all of these are fast hashes.  "sha" and "md5" carry no
    salt and the LM hash is weak by design, so prefer "ssha" among the
    schemes offered here.
    """

    def _tagged(tag, raw):
        # encodestring() ends its output with a newline; the slice drops it.
        return (tag + base64.encodestring(raw))[:-1]

    names = ("sha", "ssha", "md5", "smd5")
    if _crypt:
        names += ("crypt",)
    if smb:
        names += ("lmhash", "nthash")

    if default not in names:
        return "algorithm <%s> not supported in this version." % default

    # Drawn for every scheme, including the ones that never use it.
    salt = getsalt()

    if default == "ssha":
        return _tagged("{SSHA}", sha.new(str(pwd) + salt).digest() + salt)
    if default == "sha":
        return _tagged("{SHA}", sha.new(str(pwd)).digest())
    if default == "md5":
        return _tagged("{MD5}", md5.new(str(pwd)).digest())
    if default == "smd5":
        # Newer versions of OpenLDAP should support the default length 16
        salt = getsalt(length=4)
        return _tagged("{SMD5}", md5.new(str(pwd) + salt).digest() + salt)
    if default == "crypt":
        # crypt only uses a salt of length 2
        return "{CRYPT}" + crypt.crypt(str(pwd), getsalt(length=2))

    if default == "lmhash":
        if sambaver == 3:
            return "{sambaLMPassword}" + smbpasswd.lmhash(pwd)
        if sambaver == 2:
            return "{lmPassword}" + smbpasswd.lmhash(pwd)
        return None

    # Only "nthash" can reach this point.
    if sambaver == 3:
        return "{sambaNTPassword}" + smbpasswd.nthash(pwd)
    if sambaver == 2:
        return "{NTPassword}" + smbpasswd.nthash(pwd)
    return None
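def mkpasswd(pwd,sambaver=3,default='ssha'):
    '''
    Hash a password with one of several algorithms.

    This module was written for use with LDAP, so the default is seeded
    SHA.  Digest schemes return ``{SCHEME}`` followed by the base64 text
    from ``base64.encodestring``; ``crypt`` returns ``{CRYPT}`` plus the
    crypt string; ``lmhash`` and ``nthash`` (offered only when ``smb`` is
    set) return the smbpasswd hash behind a prefix selected by ``sambaver``
    (2 or 3; any other value gives ``None``).  An unsupported scheme yields
    an explanatory string instead of raising.

    Security note: 'sha' and 'md5' are unsalted and every scheme here is a
    fast hash; the LM hash is weak by design.
    '''
    alg = {
        'ssha':'Seeded SHA',
        'sha':'Secure Hash Algorithm',
        'md5':'MD5',
        'smd5':'Seeded MD5',
        'crypt':'standard unix crypt'
    }
    if smb:
        alg['lmhash'] = 'lan man hash'
        alg['nthash'] = 'nt hash'

    if default not in alg.keys():
        return 'algorithm <%s> not supported in this version.' % default
    else:
        salt = getsalt()
        # NOTE(review): encodestring() appends a newline that is returned as
        # part of the value; confirm callers strip it before writing it to
        # the directory.
        if default == 'ssha':
            return "{SSHA}" + base64.encodestring(sha.new(str(pwd) + salt).digest() + salt)
        elif default =='sha':
            return "{SHA}" + base64.encodestring(sha.new(str(pwd)).digest())
        elif default =='md5':
            return "{MD5}" + base64.encodestring(md5.new(str(pwd)).digest())
        elif default == 'smd5':
            return "{SMD5}" + base64.encodestring(md5.new(str(pwd) + salt).digest() + salt)
        elif default =='crypt':
            # crypt only uses a salt of length 2
            return "{CRYPT}" + crypt.crypt(str(pwd),getsalt(length=2))
        elif default == 'lmhash':
            if sambaver==3:
                return "{sambaLMPassword}" + smbpasswd.lmhash(pwd)
            elif sambaver==2:
                return "{lmPassword}" + smbpasswd.lmhash(pwd)
        elif default == 'nthash':
            # Fixed: this branch called lmhash(), so the value labelled as
            # the NT password was really the LM hash.
            if sambaver==3:
                return "{sambaNTPassword}" + smbpasswd.nthash(pwd)
            elif sambaver==2:
                return "{NTPassword}" + smbpasswd.nthash(pwd)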
def getHashPasswd(self, password, SecHashAlg):
    """Generate a password hash.

    Supported password encryption algorithms:
    plain, md5, smd5, crypt, sha, ssha, lm, nt

    Returns the hash string, or False after printing an error when the
    password is empty or the algorithm name is not recognised.
    """
    if not password:
        print _("ERROR") + " getHashPasswd: " + _("password empty")
        return False

    if SecHashAlg == "plain":
        # NOTE(review): "plain" hands the cleartext back unchanged, so the
        # caller ends up storing the password itself.
        return password

    if SecHashAlg == "md5":
        digest = hashlib.md5(password).digest()
        return "{MD5}" + b64encode(digest)

    if SecHashAlg == "smd5":
        salt = os.urandom(4)
        hasher = hashlib.md5(password)
        hasher.update(salt)
        return "{SMD5}" + b64encode(hasher.digest() + salt)

    if SecHashAlg == "crypt":
        salt = self.__GenCryptSalt__()
        return "{CRYPT}" + crypt.crypt(password, salt)

    if SecHashAlg == "sha":
        digest = hashlib.sha1(password).digest()
        return "{SHA}" + b64encode(digest)

    if SecHashAlg == "ssha":
        salt = os.urandom(4)
        hasher = hashlib.sha1(password)
        hasher.update(salt)
        return "{SSHA}" + b64encode(hasher.digest() + salt)

    if SecHashAlg == "lm":
        # NOTE(review): the LM hash is weak by design.
        return smbpasswd.lmhash(password)

    if SecHashAlg == "nt":
        return smbpasswd.nthash(password)

    print _("ERROR") + " getHashPasswd: " + _("Can not support '%s' crypto algorithm")%SecHashAlg
    return False
def ntlm(password):
    # type: (str) -> Tuple[str, str]
    """
    Compute the Samba hashes of a password.

    The LanMan element is the empty string unless the registry variable
    `password/samba/lmhash` is true (it defaults to false), so the weak
    LM hash is produced only on explicit request.

    :param password: password string.
    :returns: 2-tuple (NT, LanMan)
    """
    nt_hash = smbpasswd.nthash(password)
    want_lm = configRegistry.is_true('password/samba/lmhash', False)
    lm_hash = smbpasswd.lmhash(password) if want_lm else ''
    return (nt_hash, lm_hash)
def password(request):
    """
    View that changes the requesting member's password on the LDAP server.

    A valid POST rewrites the Samba hash attributes, changes the LDAP
    password, stores the new password through ``store_ldap_password`` and
    returns the page with a fresh form and the ``sessionkey`` cookie set.
    Any other request renders the form.
    """
    member = retrieve_member(request)
    template = 'password.html'

    if request.method != 'POST':
        form = PasswordForm()
        return render(request, template, {'form': form, 'member': member.to_dict()})

    form = PasswordForm(request.POST, request=request)
    if not form.is_valid():
        return render(request, template, {'form': form, 'member': member.to_dict()})

    new_password = form.cleaned_data['password1']

    # change the password for the Wifi
    # NOTE(review): the LM hash is weak by design; keep writing it only if a
    # client still depends on sambaLMPassword.
    member.set('sambaLMPassword', smbpasswd.lmhash(new_password))
    member.set('sambaNTPassword', smbpasswd.nthash(new_password))
    member.save()

    # change the LDAP password
    # NOTE(review): the Samba hashes are saved before this call; if it
    # fails, the two credentials are left out of step.
    member.change_password(new_password)
    key = store_ldap_password(request, new_password)
    request.session.save()

    new_form = PasswordForm()
    response = render(request, template, {
        'message': _('Your password was changed. Thank you!'),
        'form': new_form,
        'member': member.to_dict(),
    })
    # NOTE(review): the cookie is set without httponly/secure; once it is
    # confirmed that no client-side script reads it, pass httponly=True and
    # secure=True.
    response.set_cookie('sessionkey', key)
    return response
passwd = 'Winter14' if count>75 and count<=110: passwd = name+'Acme2016' if count>110 and count<=130: passwd = name+'Acme!' if count>130 and count<=150: passwd = name+':Acme' if count>150 and count<=205: passwd = last if count>205 and count<=250: passwd = name+'Bank!' if count>250 and count<=270: passwd = name+'Bank2016\n' if count>270 and count<=280: passwd = '' if count>280 and count<=298: passwd = 'Password' if count == 299: passwd = 'letmeinAcme' if count == 300: passwd = 'secret:Acme' pair = name + "::" + smbpasswd.lmhash(passwd)+":"+smbpasswd.nthash(passwd)+":::\n" pass_my.write(pair) last = name elif count >= 300: break print 'index is %d' % index print count pass_john.close() pass_my.close()
uid: %(uid)s cn: %(cn)s uidNumber: %(uid_num)s gidNumber: %(uid_num)s homeDirectory: %(home_dir)s sambaSID: %(sid)s sambaNTPassword: %(ntpwd)s sambaLMPassword: %(lmpwd)s userPassword: %(pwd)s """ n = int(sys.argv.pop(1)) print container_template for x in range(n): secret = 'secret%d' % x nt_secret = smbpasswd.nthash(secret) lm_secret = smbpasswd.lmhash(secret) print user_template % dict( uid='uid%d' % x, cn='cn%d' % x, uid_num=str(x), gid_num=str(x), home_dir='/home/uid%d' % x, sid='12345-%d' % x, pwd=secret, ntpwd=nt_secret, lmpwd=lm_secret, ),
def getHashPasswd(self, password, SecHashAlg):
    """Generate a password hash.

    Supported password encryption algorithms:
    plain, md5, smd5, crypt, sha, ssha, lm, nt, shadow_ssha512,
    shadow_ssha256, shadow_md5

    Returns the hash string, or False after reporting an error through
    ``self.printERROR`` when the password is empty, the algorithm name is
    not recognised, or "lm"/"nt" is requested while the corresponding
    ``lmhash``/``nthash`` callable is unavailable.
    """
    if not password:
        self.printERROR(_("ERROR") + " getHashPasswd: " +
                        _("empty password"))
        return False

    if SecHashAlg == "plain":
        # NOTE(review): "plain" hands the cleartext back unchanged, so the
        # caller ends up storing the password itself.
        return password

    if SecHashAlg == "md5":
        digest = hashlib.md5(password).digest()
        return "{MD5}" + b64encode(digest)

    if SecHashAlg == "smd5":
        salt = os.urandom(4)
        hasher = hashlib.md5(password)
        hasher.update(salt)
        return "{SMD5}" + b64encode(hasher.digest() + salt)

    if SecHashAlg == "shadow_ssha512":
        salt = self.__GenCryptSalt__(8)
        return crypt.crypt(password, "$6$%s$"%salt)

    if SecHashAlg == "shadow_ssha256":
        salt = self.__GenCryptSalt__(8)
        return crypt.crypt(password, "$5$%s$"%salt)

    if SecHashAlg == "shadow_md5":
        salt = self.__GenCryptSalt__(8)
        return crypt.crypt(password, "$1$%s$"%salt)

    if SecHashAlg == "crypt":
        salt = self.__GenCryptSalt__()
        return "{CRYPT}" + crypt.crypt(password, salt)

    if SecHashAlg == "sha":
        digest = hashlib.sha1(password).digest()
        return "{SHA}" + b64encode(digest)

    if SecHashAlg == "ssha":
        salt = os.urandom(4)
        hasher = hashlib.sha1(password)
        hasher.update(salt)
        return "{SSHA}" + b64encode(hasher.digest() + salt)

    # lmhash / nthash are module-level names that may be falsy; the message
    # below attributes that case to py-smbpasswd being absent.
    if SecHashAlg == "lm" and lmhash:
        # NOTE(review): the LM hash is weak by design.
        return lmhash(password)

    if SecHashAlg == "nt" and nthash:
        return nthash(password)

    if SecHashAlg in ("lm","nt"):
        self.printERROR(_("ERROR") + " getHashPasswd: " +
                        (_("Failed to support '%s' crypto algorithm")
                         %SecHashAlg) + " " + _("without py-smbpasswd"))
    else:
        self.printERROR(_("ERROR") + " getHashPasswd: " +
                        _("Failed to support '%s' crypto algorithm")
                        %SecHashAlg)
    return False
def authSetSmbPassword(self, username, password):
    '''Set a user's smb password.

    Stores ``<LM hash>:<NT hash>`` in the config variable
    ``user.<username>.spasswd``.
    '''
    var_name = 'user.%s.spasswd' % username
    # NOTE(review): the LM hash is weak by design; confirm the consumer of
    # this variable still needs it.
    lm_hash = smbpasswd.lmhash(password)
    nt_hash = smbpasswd.nthash(password)
    self.config.setVar(var_name, '%s:%s' % (lm_hash, nt_hash))
def sambaLMPassword(passwd):
    """Return the LAN Manager hash of ``passwd`` from ``smbpasswd.lmhash``.

    Security note: the LM hash is weak by design; produce it only for
    clients that cannot work without it.
    """
    lm_hash = smbpasswd.lmhash(passwd)
    return lm_hash
'''
Created on Oct 12, 2012

@author: tivalat
'''
import smbpasswd

# Demonstration value only; the script prints the hashes smbpasswd derives
# from it.
passwd = 'mypassword'

lm_hash = smbpasswd.lmhash(passwd)
print 'LANMAN hash is', lm_hash

nt_hash = smbpasswd.nthash(passwd)
print 'NT hash is', nt_hash

# hash() returns both values as one tuple, consumed directly by the format.
print 'both hashes at once = %s:%s (lm:nt)' % smbpasswd.hash(passwd)
def test_lm(self):
    """lmhash() must reproduce the known LM hashes of two sample passwords."""
    known = (
        # A password of at most seven characters leaves the second half
        # empty, which always hashes to AAD3B435B51404EE.
        ('foo', '5BFAFBEBFB6A0942AAD3B435B51404EE'),
        ('passphrase', '855C3697D9979E78AC404C4BA2C66533'),
    )
    for plain, expected in known:
        self.assertEqual(smbpasswd.lmhash(plain), expected)
os.remove("lm_hash.txt") os.remove("ntlm_hash.txt") os.remove("mysql323_hash.txt") os.remove("mysqlsha1_hash.txt") os.remove("md4_hash.txt") os.remove("md5_hash.txt") os.remove("doublemd5_hash.txt") os.remove("sha1_hash.txt") except: blub="foo" line = f.readline() while line: #lm addHashtoFile("lm", smbpasswd.lmhash(line.rstrip('\n\r')).lower()) #ntlm addHashtoFile("ntlm", hashlib.new('md4', line.rstrip('\n\r').encode('utf-16le')).hexdigest()) #mysql323 addHashtoFile("mysql323", mysql323.encrypt( line.rstrip('\n\r'))) #mysqlsha1 addHashtoFile("mysqlsha1", hashlib.sha1( hashlib.sha1(line.rstrip('\n\r')).digest()).hexdigest()) #md4 addHashtoFile("md4", hashlib.new('md4', line.rstrip('\n\r')).hexdigest()) #md5 addHashtoFile("md5", hashlib.md5(line.rstrip('\n\r')).hexdigest()) #doublemd5 addHashtoFile("doublemd5", hashlib.md5(hashlib.md5(line.rstrip('\n\r')).digest()).hexdigest()) #sha1 addHashtoFile("sha1", hashlib.sha1(line.rstrip('\n\r')).hexdigest())
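import json

if len(sys.argv) != 2:
    print 'USAGE: add_passwords.py file'
    sys.exit()

# NOTE(review): both databases map a hash to its plaintext and are reached
# without credentials on localhost; treat the Redis instance and the input
# file as sensitive data.
lm_db = redis.StrictRedis(host='localhost', port=6379, db=1)
nt_db = redis.StrictRedis(host='localhost', port=6379, db=2)


def add_lm_hash(hash, plain):
    """Store ``plain`` with a zero hit count under the upper-cased LM hash."""
    lm = {'plain': plain, 'count': 0}
    lm_db.set(hash.upper(), json.dumps(lm))


def add_nt_hash(hash, plain):
    """Store ``plain`` with a zero hit count under the upper-cased NT hash."""
    nt = {'plain': plain, 'count': 0}
    nt_db.set(hash.upper(), json.dumps(nt))


# The file is now closed deterministically instead of being left to the
# garbage collector.
with open(sys.argv[1]) as wordlist:
    for line in wordlist:
        line = line.rstrip('\r\n')
        print 'Adding ' + line
        # LM truncates at 14 characters.
        if len(line) <= 14:
            add_lm_hash(smbpasswd.lmhash(line), line)
        add_nt_hash(smbpasswd.nthash(line), line)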
#!/usr/bin/env python import smbpasswd import sys passwd = sys.argv[1] print 'LANMAN hash is', smbpasswd.lmhash(passwd) print 'NT hash is', smbpasswd.nthash(passwd) print 'both hashes at once = %s:%s (lm:nt)' % smbpasswd.hash(passwd)