On Tuesday 13 May 2014 17:32:36, Clément OUDOT wrote:
> 2014-05-13 17:09 GMT+02:00 DER-KRIKORIAN Anthony <[email protected]>:
> > Hi lsc members
> >
> > I've a question concerning Active Directory password hash
> >
> > Is there a way to extract AD password hash (officially, without hack!)
> > and to synchronize it in another directory for example?
>
> No, it is not possible.
>
> > I know Microsoft Azure DirSync is capable to do that!
>
> Well, good to know, but their black magic is still proprietary. I would be
> happy to know how this works.
>
> > I also know the old technique of Password Filter which requires you to
> > install a component on each domain controller to get the password in
> > Clear Text which I don't like…
>
> This is the only solution we have for the moment.
>
> Clément.
Just a few words: "watching" the password somewhere in the software path is the best way to get it. The Password Filter is a mechanism that looks like it.

Another possible hack: if the passwords go through the network in clear text (no SSL, no challenge-response), you can easily program a network filter with the pcap library to get the passwords (perl and Net::Pcap in my case). 20 lines of code or something like that? When we deployed a new AD domain, the accounts were coming from LDAP and sync'ed by LSC. I used that technique to initialize the passwords in AD.

Or if your user authenticates directly against a web application, you can add a hook in the app.

Another way, if your AD is poorly configured and stores the LM hash or NTLM hash, you can try to recover the original password.

HTH,

--
Xavier Montagutelli
Infrastructure Service Manager
Direction du Système d'Information - Pôle Ressources
Université de Limoges
123, avenue Albert Thomas - 87060 Limoges cedex
Tel: 05 87 08 08 30 (internal: 3830)

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users

