Security

splunk show-decrypted command usage

GaetanVP
Contributor

Hello Splunkers,

I am used to use the following command to decrypt $7 Splunk configuration password such as pass4SymmKey or sslConfig.

 

splunk show-decrypted --value '<encrypted_value>'

 

 I have several questions regarding this command : 

1/ Do you ever find any official documentation about it ? I was  looking here but not result : https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/CLIadmincommands

2/ Is it possible to use this command for $6 encrypted (hased ?) string, like the one stored for admin password stored in $SPLUNK_HOME/etc/passwd. I suppose it's not possible since it's a password and it should not be "reversible" for security reason.

3/ This question is related to the previous one. Is it right to say that $7 value has been encrypted since it's possible to revert it and $6 has been hashed because it's impossible to get the clear value back ?

Thanks for your help !
GaetanVP

Labels (1)
Tags (1)
1 Solution

GaetanVP
Contributor

Hello all and @gcusello

Just for information I contacted Splunk support for that, here are some information : 

1/ Indeed there are no official documentation about that command, apparently for security reason... Let's say it is security through obscurity (and I am not a fan of that concept). 

2/  As assumed, it is impossible to revert a $6 value since it has been hashed by a SHA-512 algorithm *just like UNIX based /etc/shadow file). But you can revert $7 value if you have the correct splunk.secret value.

3/ Yes

Thanks,
GaetanVP

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Hi

it's really weird that this and couple of other are not documented here. Maybe it's good to ask that from doc team? If I recall right those has "published" 7.3 (or 7.2 version)?

At least these are there also without mention on that doc pages:

Probably there are some other undocumented commands too.

Some of those are used e.g. splunk-ansible scripts and there are other documentation on net by someone else than Splunk.

r. Ismo

GaetanVP
Contributor

Hello all and @gcusello

Just for information I contacted Splunk support for that, here are some information : 

1/ Indeed there are no official documentation about that command, apparently for security reason... Let's say it is security through obscurity (and I am not a fan of that concept). 

2/  As assumed, it is impossible to revert a $6 value since it has been hashed by a SHA-512 algorithm *just like UNIX based /etc/shadow file). But you can revert $7 value if you have the correct splunk.secret value.

3/ Yes

Thanks,
GaetanVP

gcusello
SplunkTrust
SplunkTrust

Hi @GaetanVP ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @GaetanVP,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Hi @GaetanVP ,

I'm Vatsal from the Community Moderator team. As I can see you answered your own question. In such scenario if you accept your own answer it will be very useful for future visitors here.

 

Happy Splunking!!!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @GaetanVP,

sincerely, it's the first time I see this command!

Anyway, here you can find more infos https://community.splunk.com/t5/Security/Forgot-Pass4symmKey/m-p/378993

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...