topic Re: Forgot Pass4symmKey in Security

Forgot Pass4symmKey

nerelluk — Sun, 07 Jun 2020 02:16:43 GMT

Hi All,

Is their any way to decrypt splunk encrypted-pass4symmkey or else will splunk team support for the
plain text pass4symmkey

Thanks

Re: Forgot Pass4symmKey

p_gurav — Wed, 26 Dec 2018 04:23:48 GMT

Hi ,

Its better if you change pass4symmkey and stored it securely somewhere for future use.

Although below blog give script to decrypt password, you can give a try:
https://www.hurricanelabs.com/splunk-tutorials/make-splunk-do-it-how-to-decrypt-passwords-encrypted-by-splunk

Re: Forgot Pass4symmKey

nerelluk — Thu, 27 Dec 2018 09:47:27 GMT

Thanks Gurav

It means a lot!!

Re: Forgot Pass4symmKey

p_gurav — Thu, 27 Dec 2018 10:24:00 GMT

Please accept answer if its helpful!! 🙂

Re: Forgot Pass4symmKey

nerelluk — Fri, 28 Dec 2018 05:52:57 GMT

Hi Gurav

when i am adding a new sever to the licensemaster i am getting the following error...

"Splunkd daemon is not responding: ("Error connecting to /services/licenser/localslave/license: ('The read operation timed out',)",)"

i had done for the pass4syymkey...but what about the SSL...?

Hope the issue might reslove

Thanks

Re: Forgot Pass4symmKey

nerelluk — Thu, 03 Jan 2019 06:00:24 GMT

when i am about to accept answer it is throwing an error ..

Re: Forgot Pass4symmKey

scheng_splunk — Thu, 18 Apr 2019 06:54:23 GMT

From Splunk version 7.2.2 and above, you may run below command to decrypt the encrypted password to find the original clear text password on the same splunk instance:
*./splunk show-decrypted --value '< pass4SymmKey >' *

https://docs.splunk.com/Documentation/Splunk/7.2.2/Security/ConfigureS2Sonnewcipher

Pre 7.2.2:
You may obtain a clear text password for pass4SymmKey through below steps:

1) Create passwords.conf in $SPLUNK_HOME/etc/apps/search/local folder

2) Copy encrypted pass4SymmKey under each stanza in server.conf from CM into passwords.conf:

Example passwords.conf

$SPLUNK_HOME/etc/apps/search/local/passwords.conf

[credential:general]
password = $1$q5jsBxheBw==

[credential:clustering]
password = $1$q5jsBxheBw==

[credential:license]
password = $1$q5jsBxheBw==

[credential:shclustering]
password = $1$q5jsBxheBw==

3) Run http(s)://server:mgmt_port/en-US/debug/refresh to read the new configuration

4) Run http(s)://server:mgmt_port/services/storage/passwords and look for clear_password for each stanza

You can also use following format of REST API either through Splunk web or Splunk search:

http(s)://<server>:<mgmt_port>/servicesNS/-/-/storage/passwords
OR
| rest /servicesNS/-/-/storage/passwords
| rest /services/storage/passwords

Re: Forgot Pass4symmKey

thambisetty — Sun, 15 Sep 2019 08:50:40 GMT

Hi scheng,

I tired below on Splunk Enterprise version 7.2.5 not working.
./splunk show-decrypted --value < pass4SymmKey >

But other method copying pass4SymmKey to passwords.conf is working.

Re: Forgot Pass4symmKey

rvany — Fri, 20 Sep 2019 12:54:23 GMT

You have to put single quotes around the key - and in one attempt I had to remove the trailing equal-signs.

BTW - there's also a splunk show-encrypted --value 'topsecret' - which creates strings starting with "$7$" - but I have no idea how/where to use it.

Re: Forgot Pass4symmKey

thambisetty — Fri, 20 Sep 2019 13:04:50 GMT

Thanks for informing that i need to put pass4SymmKey in quotes.

I will try and post the results here.

Re: Forgot Pass4symmKey

myudkowsky — Tue, 12 Nov 2019 15:00:53 GMT

When I try the pre-7.x recovery method on version 6.5.x, step 3 does work but step 4 does not: I get a response of
The path '/en-US/services/storage/password' was not found.
Note that the '/en-US' was added automatically by Splunk, not me.

The alternate version of '/servicesNS/-/-/storage/passwords' gives a similar error. '| rest' does not work either when run on the Splunk index head.

I'm trying to recover the password using a non-critical server; I'd rather not have to use the index head.

Re: Forgot Pass4symmKey

scheng_splunk — Tue, 12 Nov 2019 23:57:33 GMT

you have to run the REST API with the passwords.conf on the same Splunk instance which you're trying to decrypt the pass4SymmKey since the splunk.secret key file used for encryption is different on each Splunk instance. It's autogenerated during splunk installation.

You can test the procedure on a dev instance first with same procedure before doing so in production.

Re: Forgot Pass4symmKey

myudkowsky — Wed, 13 Nov 2019 21:10:02 GMT

First and foremost, thank you for your update.

I tried the REST API on the same Splunk instance I had passwords.conf installed, and I got no response at all.

In addition, the URL
http(s)://server:mgmt_port/services/storage/passwords
on my installation immediately add an en-US and does not display anything.

I will try some variations on this; I have a suspicion that I may need to run this on the licensing master.

If I figure this out I'll post my comments here.

Re: Forgot Pass4symmKey

myudkowsky — Tue, 03 Dec 2019 15:10:09 GMT

After putting this aside for a while -- some urgent projects -- I have tried again today, and it still does not work for me.

I've tried this several times -- on the same server that has the passwords I want to decipher -- and I still can't get it to work. Password refresh does work, that is, debug/refresh gives me a results page, and I do see:

Refreshing admin/passwords OK
on the page that comes up.

When I try "services/storage/passwords" I get the same error as before: an added "/en-US" in the path and a 404. When I try to use the rest API via search, I get no errors but no results.

I find that no /services APIs work. E.g., /services/server/health_report and similar innocuous REST API attempts, both via HTTP and via "|rest", all fail. /server/info fails. /search/apps/local does work via '| rest.'

I am now trying to figure out why /server and /services both fail. I wonder if it's related to a privilege issue, but I'm logging in as admin.

Re: Forgot Pass4symmKey

rvany — Tue, 03 Dec 2019 17:21:53 GMT

Just to cut this out: which port are you using as management port?

Re: Forgot Pass4symmKey

myudkowsky — Tue, 03 Dec 2019 18:15:34 GMT

My management port is 9997; I'm running Splunk 6.2.1 that was installed as part of an Aspect install of Prophecy.

After a great deal of additional attempts, I now find that the REST API works:
| rest /services/storage
gives the result

author  id  published   splunk_server   title   updated
system  https://127.0.0.1/services/storage/collections      <deleted>   collections     2019-12-03T15:34:19+00:00
system  https://127.0.0.1/services/storage/passwords        <deleted>   passwords   2019-12-03T15:34:19+00:00

but asking for the passwords via "| rest /services/storage/passwords" fails, and I wonder if it 's related to lack of HTTPS access.

Re: Forgot Pass4symmKey

myudkowsky — Wed, 30 Sep 2020 03:10:57 GMT

And now I have HTTPS running, and it makes no difference. I also added list_storage_passwords to authorize.conf -- it was not there before -- but regardless I cannot access the passwords from either search or over the net.

I have a strong suspicion that it's been disabled somehow.

Re: Forgot Pass4symmKey

myudkowsky — Tue, 03 Dec 2019 19:58:13 GMT

This tool works perfectly: https://pypi.org/project/splunksecrets/

Re: Forgot Pass4symmKey

rvany — Wed, 04 Dec 2019 05:59:19 GMT

9997 - in a default installation - is the port you use for incoming data, e.g. from your Universal Forwarders. The management port - in a default installation - which you use to access the REST API using your browser is 8089. Using that no "en-US" will be added to your URL.

Re: Forgot Pass4symmKey

myudkowsky — Wed, 04 Dec 2019 14:52:17 GMT

Thanks! You are entirely correct! I had the wrong port.

My particular setup used port 9997 for the GUI, and looking around further I found the value of mgmtHostPort in my local/web.conf. Using that value, I can get the REST API to work from a console.

I do get XML responses about passwords, but no passwords. I used, e.g., /servicesNS/-/-/storage/passwords/. I also tried to access /servicesNS/-/-/storage/passwords/general and /servicesNS/-/-/storage/passwords/:general:, but got a "could not find" response.

At this point, however, I have to put this aside since I have the answer I was seeking by using the script I reference above.

I suspect that part of the problem following the original recipe may be that I am running 6.3.2; the file passwords.conf was only created in 6.5.2 and above.

Thanks again, rvany and scheng both, for your invaluable help solving this puzzle.