Security

Forgot Pass4symmKey

nerelluk
New Member

Hi All,

Is there any way to decrypt the Splunk-encrypted pass4SymmKey, or else will the Splunk team support recovering the plain-text pass4SymmKey?

Thanks

1 Solution

p_gurav
Champion

Hi ,

It's better if you change the pass4SymmKey and store it securely somewhere for future use.

Although, the blog below gives a script to decrypt the password; you can give it a try:
https://www.hurricanelabs.com/splunk-tutorials/make-splunk-do-it-how-to-decrypt-passwords-encrypted-...


verbal_666
Communicator

An alternative solution for pre-7.2.2, as I did it in a fast way:

  • Install SPL Free >= 7.2.2 in a test environment (I used an 8.x version)
  • Copy the old env key inside */etc/auth/splunk.secret into the new test env
  • Launch in the new test env
    splunk show-decrypted --value '< pass4SymmKey >'
    using the encrypted pass4SymmKey from the old env's server.conf
  • You can now quickly decrypt the key and use it in the old env

👍

mshen_splunk
Splunk Employee

When you use ./splunk show-decrypted --value, you need to change $ -> \$, otherwise Linux will think this is a variable; for example $7$abc -> \$7\$abc. Then it will work.

rvany
Communicator

You are too late - this one was solved already four months ago 😉

But thank you for pointing this out - for some reason I thought that putting single quotes around the password (see above) belonged to the syntax of the "--decrypt" command. But of course, it's just the shell escape.


mshen_splunk
Splunk Employee

Yeah, I know. I saw this by chance, so I would like to share the information so that anyone who encounters this later can leverage it. I actually used a Python script at the very beginning to do it: call splunk.entity to create a new password entry, get the clear-text password and then delete that entry 🙂


scheng_splunk
Splunk Employee

From Splunk version 7.2.2 and above, you may run the command below to decrypt the encrypted password and find the original clear-text password on the same Splunk instance:
./splunk show-decrypted --value '< pass4SymmKey >'

https://docs.splunk.com/Documentation/Splunk/7.2.2/Security/ConfigureS2Sonnewcipher

Pre-7.2.2:
You may obtain a clear-text password for pass4SymmKey through the steps below:

1) Create passwords.conf in the $SPLUNK_HOME/etc/apps/search/local folder

2) Copy the encrypted pass4SymmKey under each stanza in server.conf from the CM into passwords.conf:

Example passwords.conf

$SPLUNK_HOME/etc/apps/search/local/passwords.conf

[credential:general]
password = $1$q5jsBxheBw==

[credential:clustering]
password = $1$q5jsBxheBw==

[credential:license]
password = $1$q5jsBxheBw==

[credential:shclustering]
password = $1$q5jsBxheBw==

3) Run http(s)://server:mgmt_port/en-US/debug/refresh to read the new configuration

4) Run http(s)://server:mgmt_port/services/storage/passwords and look for clear_password for each stanza

You can also use the following formats of the REST API, either through Splunk Web or a Splunk search:

http(s)://<server>:<mgmt_port>/servicesNS/-/-/storage/passwords
OR
| rest /servicesNS/-/-/storage/passwords
| rest /services/storage/passwords
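Two small helpers for the two recovery paths described in the post above. This is an added example written for this page; it is not code from the thread, from Splunk, or from any of the tools linked here. The first function turns the pass4SymmKey lines of a server.conf into the [credential:<stanza>] passwords.conf that the pre-7.2.2 trick relies on (step 2 above), skipping values that are already clear text. The second builds the 7.2.2+ "splunk show-decrypted" invocation as an argv list, so that when it is run through subprocess without a shell the "$7$"/"$1$" prefix is never expanded as a variable; it also returns the equivalent single-quoted shell line. The sample server.conf text and the $7$ value in it are constructed placeholders, and /opt/splunk is an assumed install path.

```python
"""Helpers for recovering an encrypted pass4SymmKey (added example).

Covers both paths from the post above:
  * pre-7.2.2: server.conf -> passwords.conf stanzas for /services/storage/passwords
  * 7.2.2+:    a correctly quoted `splunk show-decrypted --value ...` command
"""
import re
import shlex
import subprocess

# Matches "[general]", "[clustering]", ... in server.conf
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
# Matches an uncommented "pass4SymmKey = <value>" line
KEY_RE = re.compile(r"^\s*pass4SymmKey\s*=\s*(?P<value>\S+)\s*$")

# Constructed sample; the $7$ value is a placeholder, not a real key.
SAMPLE_SERVER_CONF = """\
[general]
serverName = cm01
pass4SymmKey = $1$q5jsBxheBw==

[clustering]
mode = master
# pass4SymmKey = $1$commentedOut==
pass4SymmKey = $7$QUJDREVGR0hJSktMTU5PUA==

[sslConfig]
sslPassword = changeme

[shclustering]
pass4SymmKey = plaintextkey
"""


def extract_pass4symmkeys(server_conf_text):
    """Return {stanza: value} for every pass4SymmKey line, in file order."""
    keys = {}
    stanza = None
    for line in server_conf_text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group("name")
            continue
        m = KEY_RE.match(line)
        if m and stanza is not None:
            keys[stanza] = m.group("value")
    return keys


def build_passwords_conf(keys):
    """Emit the [credential:<stanza>] stanzas used by the pre-7.2.2 trick.

    Values that do not start with $1$ or $7$ are already clear text in
    server.conf and need no round trip through storage/passwords.
    """
    blocks = []
    for stanza, value in keys.items():
        if not value.startswith(("$1$", "$7$")):
            continue
        blocks.append("[credential:%s]\npassword = %s\n" % (stanza, value))
    return "\n".join(blocks)


def show_decrypted_command(value, splunk_home="/opt/splunk"):
    """Return (argv, shell_line) for `splunk show-decrypted --value <value>`.

    argv is safe to pass to subprocess.run() with shell=False; shell_line is
    what you would paste into a terminal, single-quoted so the shell does
    not treat "$7$..." as a variable reference.
    """
    argv = [splunk_home + "/bin/splunk", "show-decrypted", "--value", value]
    return argv, " ".join(shlex.quote(a) for a in argv)


def run_show_decrypted(value, splunk_home="/opt/splunk"):
    """Actually run the 7.2.2+ command on this instance (needs a local Splunk)."""
    argv, _ = show_decrypted_command(value, splunk_home)
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    keys = extract_pass4symmkeys(SAMPLE_SERVER_CONF)
    print(build_passwords_conf(keys))
    for stanza, value in keys.items():
        print("# %s: %s" % (stanza, show_decrypted_command(value)[1]))
```

The passwords.conf text goes into $SPLUNK_HOME/etc/apps/search/local/ on the same instance whose splunk.secret encrypted the values, exactly as the post says; on a different instance the clear_password field will be wrong or empty.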

skumar777
Loves-to-Learn

Hi,

The current Splunk version is 7.0.0. I am trying to decrypt the password by copying the pass4SymmKey into the passwords.conf file, but after running http(s)://server:mgmt_port/services/storage/passwords and looking for clear_password,

clear_password is blank.


thambisetty
Super Champion

Hi scheng,

I tried the below on Splunk Enterprise version 7.2.5; it is not working.
./splunk show-decrypted --value < pass4SymmKey >

But other method copying pass4SymmKey to passwords.conf is working.


myudkowsky
Communicator

When I try the pre-7.x recovery method on version 6.5.x, step 3 does work but step 4 does not: I get a response of
The path '/en-US/services/storage/password' was not found.
Note that the '/en-US' was added automatically by Splunk, not me.

The alternate version of '/servicesNS/-/-/storage/passwords' gives a similar error. '| rest' does not work either when run on the Splunk index head.

I'm trying to recover the password using a non-critical server; I'd rather not have to use the index head.


scheng_splunk
Splunk Employee

You have to run the REST API with the passwords.conf on the same Splunk instance on which you're trying to decrypt the pass4SymmKey, since the splunk.secret key file used for encryption is different on each Splunk instance. It's auto-generated during Splunk installation.

You can test the procedure on a dev instance first with same procedure before doing so in production.


myudkowsky
Communicator

First and foremost, thank you for your update.

I tried the REST API on the same Splunk instance I had passwords.conf installed, and I got no response at all.

In addition, the URL
http(s)://server:mgmt_port/services/storage/passwords
on my installation immediately adds an en-US and does not display anything.

I will try some variations on this; I have a suspicion that I may need to run this on the licensing master.

If I figure this out I'll post my comments here.


myudkowsky
Communicator

After putting this aside for a while -- some urgent projects -- I have tried again today, and it still does not work for me.

I've tried this several times -- on the same server that has the passwords I want to decipher -- and I still can't get it to work. Password refresh does work, that is, debug/refresh gives me a results page, and I do see:

Refreshing admin/passwords OK
on the page that comes up.

When I try "services/storage/passwords" I get the same error as before: an added "/en-US" in the path and a 404. When I try to use the rest API via search, I get no errors but no results.

I find that no /services APIs work. E.g., /services/server/health_report and similar innocuous REST API attempts, both via HTTP and via "|rest", all fail. /server/info fails. /search/apps/local does work via '| rest.'

I am now trying to figure out why /server and /services both fail. I wonder if it's related to a privilege issue, but I'm logging in as admin.


rvany
Communicator

Just to rule this out: which port are you using as the management port?


myudkowsky
Communicator

My management port is 9997; I'm running Splunk 6.2.1, which was installed as part of an Aspect install of Prophecy.

After a great deal of additional attempts, I now find that the REST API works:
| rest /services/storage
gives the result

author   id                                                  published   splunk_server   title         updated
system   https://127.0.0.1/services/storage/collections                  <deleted>       collections   2019-12-03T15:34:19+00:00
system   https://127.0.0.1/services/storage/passwords                    <deleted>       passwords     2019-12-03T15:34:19+00:00

but asking for the passwords via "| rest /services/storage/passwords" fails, and I wonder if it's related to lack of HTTPS access.


rvany
Communicator

9997 - in a default installation - is the port you use for incoming data, e.g. from your Universal Forwarders. The management port - in a default installation - which you use to access the REST API from your browser is 8089. Using that, no "en-US" will be added to your URL.


myudkowsky
Communicator

Thanks! You are entirely correct! I had the wrong port.

My particular setup used port 9997 for the GUI, and looking around further I found the value of mgmtHostPort in my local/web.conf. Using that value, I can get the REST API to work from a console.

I do get XML responses about passwords, but no passwords. I used, e.g., /servicesNS/-/-/storage/passwords/. I also tried to access /servicesNS/-/-/storage/passwords/general and /servicesNS/-/-/storage/passwords/:general:, but got a "could not find" response.

At this point, however, I have to put this aside since I have the answer I was seeking by using the script I reference above.

I suspect that part of the problem following the original recipe may be that I am running 6.3.2; the file passwords.conf was only created in 6.5.2 and above.

Thanks again, rvany and scheng both, for your invaluable help solving this puzzle.


rvany
Communicator

Glad you have a solution. Some points to consider:

  • you really should think about using the default ports; especially, don't use 9997 - which is normally used for ingesting data - as the web GUI port (which is normally 8000). It makes things unnecessarily confusing while reading docs or asking questions, e.g. at answers.splunk.com 😉
  • as v8.0.1 is out, all 6.x versions are at end of life, so it seems to be the right time to upgrade your installation to something more current, e.g. 7.3.3; have a look here for details

myudkowsky
Communicator

I admit you are completely correct.

Unfortunately, my Splunk installation is tightly bundled with a different application, and I don't (at present) have the time to untangle the two. In fact, as much as I'd like to upgrade to 8.x, I don't believe that I can... if I can figure out how to download the latest Splunk and find time for a test installation, perhaps I can try to get it licensed -- the licenses come through the vendor of the other app -- and see if I can persuade them to work together.

Thanks again for the help and advice.


myudkowsky
Communicator

And now I have HTTPS running, and it makes no difference. I also added list_storage_passwords to authorize.conf -- it was not there before -- but regardless I cannot access the passwords from either search or over the net.

I have a strong suspicion that it's been disabled somehow.


myudkowsky
Communicator

This tool works perfectly: https://pypi.org/project/splunksecrets/

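What the decryption script linked in the accepted answer and the splunksecrets tool above actually do for the old "$1$" format, as an added stand-alone example written for this page (it is not the thread's, Hurricane Labs', or splunksecrets' code, and it uses only the standard library). Pre-7.2 Splunk secrets are RC4-encrypted with the first 16 bytes of $SPLUNK_HOME/etc/auth/splunk.secret, after the plain text has been XORed byte-wise with the repeating string "DEFAULTSA" (a byte equal to its salt byte is left as-is so no NUL is produced) and a terminating NUL has been appended. The newer "$7$" format is AES-256-GCM under a PBKDF2 key derived from splunk.secret and needs a crypto library, so it is not implemented here; use "splunk show-decrypted" or splunksecrets for that. The splunk.secret contents below are constructed for the example.

```python
"""Encrypt/decrypt Splunk "$1$" secrets (pre-7.2 pass4SymmKey) in pure Python.

Added example. Format as implemented by the linked tools:
  ciphertext = "$1$" + base64( RC4(key=splunk.secret[:16], salt(plain) + b"\\0") )
  salt(plain): XOR each byte with the cycling bytes of b"DEFAULTSA",
               except that a byte equal to its salt byte is left unchanged.
"""
import base64
import itertools

SALT = b"DEFAULTSA"

# Constructed stand-in for a real splunk.secret (a 254-char random string
# followed by a newline); only the first 16 bytes matter for "$1$".
SAMPLE_SPLUNK_SECRET = (("abcdefghijklmnopqrstuvwxyz0123456789" * 8)[:254] + "\n").encode()


def load_secret_key(raw):
    """Derive the RC4 key from the raw bytes of splunk.secret."""
    secret = raw.rstrip(b"\r\n")
    if len(secret) < 16:
        raise ValueError("splunk.secret too short: need >= 16 bytes, got %d" % len(secret))
    return secret[:16]


def _rc4(key, data):
    """Plain RC4 stream cipher (encryption and decryption are the same op)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _salt(data):
    """XOR with cycling DEFAULTSA, leaving bytes equal to their salt byte alone.

    The rule is its own inverse for printable input, so it is used both ways.
    """
    return bytes(b if b == sb else b ^ sb for b, sb in zip(data, itertools.cycle(SALT)))


def encrypt_v1(secret_raw, plaintext):
    """Return the "$1$..." string Splunk would store for `plaintext`."""
    key = load_secret_key(secret_raw)
    body = _salt(plaintext.encode("latin-1")) + b"\x00"
    return "$1$" + base64.b64encode(_rc4(key, body)).decode("ascii")


def decrypt_v1(secret_raw, value):
    """Recover the clear text of a "$1$..." value using this instance's secret."""
    if not value.startswith("$1$"):
        raise ValueError("not a $1$ value (a $7$ value needs AES-GCM, see splunksecrets)")
    key = load_secret_key(secret_raw)
    body = _rc4(key, base64.b64decode(value[3:]))
    return _salt(body[:-1]).decode("latin-1")  # drop the trailing NUL


if __name__ == "__main__":
    enc = encrypt_v1(SAMPLE_SPLUNK_SECRET, "changeme")
    print(enc)
    print(decrypt_v1(SAMPLE_SPLUNK_SECRET, enc))
```

Decrypting with the wrong splunk.secret does not fail loudly: RC4 has no integrity check, so you simply get garbage, which is why the thread keeps stressing that the passwords.conf trick and this script must run against the secret of the instance that produced the value.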

rvany
Communicator

You have to put single quotes around the key - and in one attempt I had to remove the trailing equals signs.

BTW - there's also splunk show-encrypted --value 'topsecret', which creates strings starting with "$7$", but I have no idea how/where to use it.