Solved: splunk show-decrypted command usage

GaetanVP · ‎08-28-2023

Hello Splunkers,

I am used to use the following command to decrypt $7 Splunk configuration password such as pass4SymmKey or sslConfig.

splunk show-decrypted --value '<encrypted_value>'

I have several questions regarding this command :

1/ Do you ever find any official documentation about it ? I was looking here but not result : https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/CLIadmincommands

2/ Is it possible to use this command for $6 encrypted (hased ?) string, like the one stored for admin password stored in $SPLUNK_HOME/etc/passwd. I suppose it's not possible since it's a password and it should not be "reversible" for security reason.

3/ This question is related to the previous one. Is it right to say that $7 value has been encrypted since it's possible to revert it and $6 has been hashed because it's impossible to get the clear value back ?

Thanks for your help !
GaetanVP

GaetanVP · ‎08-31-2023

Hello all and @gcusello,

Just for information I contacted Splunk support for that, here are some information :

1/ Indeed there are no official documentation about that command, apparently for security reason... Let's say it is security through obscurity (and I am not a fan of that concept).

2/ As assumed, it is impossible to revert a $6 value since it has been hashed by a SHA-512 algorithm *just like UNIX based /etc/shadow file). But you can revert $7 value if you have the correct splunk.secret value.

3/ Yes

Thanks,
GaetanVP

View solution in original post

isoutamo · ‎08-31-2023

Hi

it's really weird that this and couple of other are not documented here. Maybe it's good to ask that from doc team? If I recall right those has "published" 7.3 (or 7.2 version)?

At least these are there also without mention on that doc pages:

splunk show-encrypted --value 'changeme'
splunk hash-passwd changeme
splunk gen-random-passwd
splunk gen-cc-splunk-secret (see: https://docs.splunk.com/Documentation/Splunk/9.1.0/CommonCriteria/Commoncriteriainstallationandconfi...)

Probably there are some other undocumented commands too.

Some of those are used e.g. splunk-ansible scripts and there are other documentation on net by someone else than Splunk.

r. Ismo

GaetanVP · ‎08-31-2023

Hello all and @gcusello,

Just for information I contacted Splunk support for that, here are some information :

1/ Indeed there are no official documentation about that command, apparently for security reason... Let's say it is security through obscurity (and I am not a fan of that concept).

2/ As assumed, it is impossible to revert a $6 value since it has been hashed by a SHA-512 algorithm *just like UNIX based /etc/shadow file). But you can revert $7 value if you have the correct splunk.secret value.

3/ Yes

Thanks,
GaetanVP

gcusello · ‎09-05-2023

Hi @GaetanVP ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

gcusello · ‎08-31-2023

Hi @GaetanVP,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

VatsalJagani · ‎08-31-2023

Hi @GaetanVP ,

I'm Vatsal from the Community Moderator team. As I can see you answered your own question. In such scenario if you accept your own answer it will be very useful for future visitors here.

Happy Splunking!!!

gcusello · ‎08-28-2023

Hi @GaetanVP,

sincerely, it's the first time I see this command!

Anyway, here you can find more infos https://community.splunk.com/t5/Security/Forgot-Pass4symmKey/m-p/378993

Ciao.

Giuseppe

splunk show-decrypted command usage

encryption

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation