Creating an NT-Password value with python
Hi list, I am trying to figure out how to create an NT-Password hash for the authentication database using python. I found the package python_ntlm which seems to be able to do the job. http://code.google.com/p/python-ntlm/source/browse/trunk/python26/ntlm/ntlm.... I think it needs a modification however, because currently the hash returned looks like this:
from ntlm.ntlm import create_NT_hashed_password_v1 create_NT_hashed_password_v1('test') '\xdb4mi\x1dz\xccM\xc2b]\xb1\x9f\x9e?R'
I then proceed to add the user in mysql: insert into radcheck (username,attribute,value,op) values ('testuser','NT-Password','\xdb4mi\x1dz\xccM\xc2b]\xb1\x9f\x9e?R',':='); Next, when i tried to authenticate using the OSX pptp client, radius debug tells me: [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Invalid NT-Password [mschap] Told to do MS-CHAPv2 for passman with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect I suppose the hash i get from the create_NT_hashed_password_v1 function isn't correctly formatted. Can anyone point me in the right direction? Thanks, Jon.
jon michaels <joniamasad@gmail.com> writes:
Hi list,
I am trying to figure out how to create an NT-Password hash for the authentication database using python.
I found the package python_ntlm which seems to be able to do the job. http://code.google.com/p/python-ntlm/source/browse/trunk/python26/ntlm/ntlm....
I think it needs a modification however, because currently the hash returned looks like this:
from ntlm.ntlm import create_NT_hashed_password_v1 create_NT_hashed_password_v1('test') '\xdb4mi\x1dz\xccM\xc2b]\xb1\x9f\x9e?R'
I then proceed to add the user in mysql: insert into radcheck (username,attribute,value,op) values ('testuser','NT-Password','\xdb4mi\x1dz\xccM\xc2b]\xb1\x9f\x9e?R',':=');
You'll have to insert the actual octets as produced by create_NT_hashed_password_v1 and not the weird display format used by python for printing the unprintable. If you insert mysql> insert into radcheck (username,attribute,value,op) values -> ('testuser','NT-Password','\xdb4mi\x1dz\xccM\xc2b]\xb1\x9f\x9e?R',':='); Query OK, 1 row affected (0.00 sec) then you get: mysql> select * from radcheck; +----+----------+-------------+----+--------------------------------+ | id | username | attribute | op | value | +----+----------+-------------+----+--------------------------------+ | 1 | testuser | NT-Password | := | xdb4mix1dzxccMxc2b]xb1x9fx9e?R | +----+----------+-------------+----+--------------------------------+ 1 row in set (0.00 sec) which is invalid. I suggest you use python to insert the value into mysql, *as it is returned* from create_NT_hashed_password_v1. For testing, you can probably get away with something like mysql> insert into radcheck (username,attribute,value,op) values ('testuser','NT-Password', concat(0xdb, "4mi", 0x1d, "z", 0xcc, "M", 0xc2, "b]", 0xb1, 0x9f, 0x9e, "?R"),':='); Bjørn
Thanks for your quick response, Bjørn. On Sat, Nov 21, 2009 at 4:09 PM, Bjørn Mork <bjorn@mork.no> wrote:
I then proceed to add the user in mysql: insert into radcheck (username,attribute,value,op) values ('testuser','NT-Password','\xdb4mi\x1dz\xccM\xc2b]\xb1\x9f\x9e?R',':=');
You'll have to insert the actual octets as produced by create_NT_hashed_password_v1 and not the weird display format used by python for printing the unprintable.
If you insert
mysql> insert into radcheck (username,attribute,value,op) values -> ('testuser','NT-Password','\xdb4mi\x1dz\xccM\xc2b]\xb1\x9f\x9e?R',':='); Query OK, 1 row affected (0.00 sec)
then you get:
mysql> select * from radcheck; +----+----------+-------------+----+--------------------------------+ | id | username | attribute | op | value | +----+----------+-------------+----+--------------------------------+ | 1 | testuser | NT-Password | := | xdb4mix1dzxccMxc2b]xb1x9fx9e?R | +----+----------+-------------+----+--------------------------------+ 1 row in set (0.00 sec)
which is invalid.
I suggest you use python to insert the value into mysql, *as it is returned* from create_NT_hashed_password_v1.
For testing, you can probably get away with something like mysql> insert into radcheck (username,attribute,value,op) values ('testuser','NT-Password', concat(0xdb, "4mi", 0x1d, "z", 0xcc, "M", 0xc2, "b]", 0xb1, 0x9f, 0x9e, "?R"),':=');
I tried your example, and did the same using python My user entries look like this now: | 13 | tester | NT-Password | := | ?4miz?M?b]????R | | 12 | testuser | NT-Password | := | ?4miz?M?b]????R | Radius also seems to like this a lot more than the initial test. It now shows [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] Told to do MS-CHAPv2 for testuser with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect vs [mschap] Invalid NT-Password shown during the first attempt. However, I didn't manage to authenticate either of the two. It seems that so far radius likes the value enough to not complain that its invalid. Is the format correct, or is there something else i need to change in my configuration for the MS-CHAPv2 response to be correct? Cheers, Jon.
On Sat, Nov 21, 2009 at 6:15 PM, jon michaels <joniamasad@gmail.com> wrote:
However, I didn't manage to authenticate either of the two. It seems that so far radius likes the value enough to not complain that its invalid. Is the format correct, or is there something else i need to change in my configuration for the MS-CHAPv2 response to be correct?
Perhaps a good first step is to establish if the hash is indeed of the correct type, since there are a few hashing functions in ntlm. More than one type of hash is accepted as NT-Password value by freeradius. Does anyone know a tool i can use to create the right type of NT-Password hash expected by radius? Cheers, Jon.
jon michaels wrote:
Does anyone know a tool i can use to create the right type of NT-Password hash expected by radius?
It's an MD4 hash of the password, written as a 32-character hex string. That's it. Using the *binary* form of the MD4 hash is wrong. There are embedded NULs, CRs, LFs, etc. that cause the SQL DB stomach pains. Use the hex version of the password: NT-Password := 0x0102030405060708... Alan DeKok.
On Sat, Nov 21, 2009 at 10:08 PM, Alan DeKok <aland@deployingradius.com> wrote:
Use the hex version of the password:
NT-Password := 0x0102030405060708...
Alan DeKok.
Thanks, that worked like a charm. As it turns out, i don't even need python_ntlm for more than the right line of code. This snippet will create a NT-Password hash that both mysql and radius are happy with: Python 2.5.2 (r252:60911, Jul 22 2009, 15:35:03)
import hashlib nt_password = hashlib.new('md4', 'test'.encode('utf-16le')).hexdigest() nt_password '0cb6948805f797bf2a82807973b89537'
In the example, 'test' is the password. Cheers, Jon.
participants (3)
-
Alan DeKok -
Bjørn Mork -
jon michaels