Is there a way to extract privileged user passwords from the PIM database?
Privileged Identity Manager 12.8, 12.9, or 14.0
Yes, there is a tool called pwextractor located on the Enterprise Management server which can be used to extract PUPM/SAM users and passwords from the backend database.
The tool is located in the following directory by default.
C:\Program Files\CA\AccessControlServer\IAM Suite\Access Control\tools\pwextractor
In order to use the tool, the following information is required.
- Database server hostname
- Database username
- Database password
- Database name/schema
- Database type (mssql/oracle)
- Location of FIPSkey.dat
The tool will connect directly to the database and perform a query to retrieve all privileged user accounts. The tool will then write the output to a specified filename. The tool can output the passwords to the text file as either encrypted or decrypted passwords.
Here is an example from a test system:
---------------------------------------------------------------------------
>pwextractor -backup -account_pwd -cleartext -h localhost -r 1433 -d entm -l ac -p memco123 -t mssql -f C:\backup3.txt -k jboss
CA PUPM Password extractor.
Successfully parsed the following options:
Hostname : localhost
DB/Schema : entm
DB Type : mssql
Login name : ac
Password : memco123
Output file : C:\backup3.txt
FIPS key file : C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\config\com\netegrity\config\keys\FIPSkey.dat
Successfully connected to database
Starting passwords extraction for ACCOUNT_PASSWORD......
Completed exporting current user passwords to file: C:\backup3.txt
Starting passwords extraction of ACCOUNT_PASSWORD_HISTORY......
Successfully completed password extraction to file is: C:\backup3.txt
Signed file successfully to C:\backup3.txt.sig
Press any key to continue . . .
---------------------------------------------------------------------------
The content in C:\backup3.txt looks like the following:
3@!~1@!~4@!~eTDYNAccountName=root,eTDYNAccountContainerName=SSH Accounts,eTDYNDirectoryName=example.com,eTNamespaceName=SSH Device,dc=xx,dc=xxxxx@!~memco123@!~CN=Administrator,CN=Users,DC=xxxxxxx,DC=local@!~26/09/2013 07:02:40
For the above account, the password is "memco123". Each field is preceded by: @!~
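Because a cleartext export like this holds every privileged password, the following added example (not part of the original article or the vendor's tooling) parses the record format shown above and produces a redacted copy plus an account inventory that can be shared for audit without exposing the secrets. It treats @!~ as the separator seen in the sample record; the seven-field layout, the meaning of every field other than the password, and the names `redact_export` and `Record` are assumptions drawn from that single sample.

```python
"""Added example: redact a pwextractor cleartext export for audit use."""
from dataclasses import dataclass

DELIM = "@!~"          # field delimiter shown on the page
PASSWORD_INDEX = 4     # fifth field; the page identifies it as the password
EXPECTED_FIELDS = 7    # assumption: taken from the single sample record

# Constructed sample: the record from the page, plus one truncated line.
SAMPLE = (
    "3@!~1@!~4@!~eTDYNAccountName=root,eTDYNAccountContainerName=SSH Accounts,"
    "eTDYNDirectoryName=example.com,eTNamespaceName=SSH Device,dc=xx,dc=xxxxx"
    "@!~memco123@!~CN=Administrator,CN=Users,DC=xxxxxxx,DC=local"
    "@!~26/09/2013 07:02:40\n"
    "3@!~1@!~4@!~eTDYNAccountName=svc,dc=xx@!~truncated\n"
)

@dataclass
class Record:
    account_dn: str      # fourth field in the sample (assumed meaning)
    password_len: int    # length only; the value itself is never kept
    timestamp: str       # last field in the sample (assumed meaning)

def redact_export(text):
    """Return (records, redacted_lines, rejected_line_numbers)."""
    records, redacted, rejected = [], [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(DELIM)
        # A different field count means a truncated line or a delimiter inside
        # a value; do not guess which field is the password, drop the line.
        if len(fields) != EXPECTED_FIELDS:
            rejected.append(lineno)
            continue
        records.append(Record(fields[3], len(fields[PASSWORD_INDEX]), fields[6]))
        fields[PASSWORD_INDEX] = "<REDACTED>"
        redacted.append(DELIM.join(fields))
    return records, redacted, rejected

if __name__ == "__main__":
    recs, lines, bad = redact_export(SAMPLE)
    for r in recs:
        print(r.account_dn.split(",")[0], r.password_len, r.timestamp)
    print("rejected lines:", bad)
```

Lines that do not match the expected field count are reported by line number and left out of the redacted copy, so a malformed record cannot leak a password through a misaligned field.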
For more information, please refer to the documentation link below.