Does anybody have any idea how we can duplicate the Python password hashing code in .NET or PowerShell? We’re trying to duplicate the API calls using PowerShell so we don’t have to deploy Python everywhere or package up the Python commands into individual executables. We’ve been able to get connected to the API but still can’t login as we can’t get the password hash to match.
Can you add a link to the powershell script version which works up to the login?
I just want to let you know this adapted from the script that NexusIT posted here Silent client install using Powershell. At the top of the script make sure you enter a value for $global:sever_url, $server_username, and $server_password.
UrBackup.zip (2.5 KB)
Holy crap! I have been so busy with other life issues this project took a back burner for me. Your efforts are incredible and a huge help to all of those who use UrBackup on Windows.
I’ll be testing this today on a few clients. Awesome work!
Don’t praise yet, we still don’t have successful login since we can’t duplicate the hashed password We’re to the point we may try to nab the hash out of the DB and just use that directly instead of a password. It would only be used on an internal network so in the end it probably doesn’t matter what we use. Just have to be careful with it.
It seems PowerShell doesn’t have a build-in PBKDF2 key derivation function with SHA256. Someone will have to program this because I couldn’t find any. The method you are using won’t work. Here is the spec: https://www.ietf.org/rfc/rfc2898.txt (5.2).
Thanks, yeah, and it seems .NET’s PBKDF2 only supports SHA1. Maybe I’ll try deciphering that spec and writing one.
Interestingly though I tried cheating a little and I grabbed the SHA256 hash straight from the DB, ran the last MD5 on it and still couldn’t login. Oddly, at the point Python runs the final MD5, each time I rerun it with the same password it spits out a different hash. I would have thought it would be the same each time.
So, its been a few years:
Looks like this guy did something useful…
I am going to try and make this work, but I am really bad at this kind of thing, so we will see how it goes:
Each time you open a new session (i.e. try to log in) server generates and sends you a random string which must be included in the hash.
Very much a work in progress: node-urbackup-server-api
W.r.t. to self-container executable see https://installercreator.urbackup.org . The source code for that is at GitHub - uroni/urbackup_installer_creator: Web app to create server specific UrBackup client installers
(It’s using golang).
@uroni I wasn’t even aware that this tool exists, thanks, it’s very useful.