Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change/Reset passwords over SMB #19666

Merged
merged 12 commits into from
Dec 9, 2024
Merged

Conversation

smashery
Copy link
Contributor

@smashery smashery commented Nov 20, 2024

This supports changing/resetting passwords over the SMB protocol. Requires the changes over at rapid7/ruby_smb#279

New module: modules/auxiliary/admin/smb/change_password

Actions:

  • CHANGE: Changing an existing (known password).
  • CHANGE_NTLM: Changing an existing (known password), to an NTLM value.
  • RESET: Forcing a password reset by having privileges over the target account.
  • RESET_NTLM: Forcing a password reset to an NTLM value, by having privileges over the target account.

Verification

Do the test cases below with:

  • SMB auth
  • Existing SMB session (mostly meaningful for the Reset behaviour, but technically you can run Change from an existing session, as long as you know and set the password)
  • Kerberos auth

Test cases:

  • Change password for user
  • Change password for user with expired/must-change password (will anonymous bind)
  • Change-ntlm for user
  • Change-ntlm for user with expired/must-change password (should fail)
  • Reset password for user
  • Reset-ntlm for user

@smcintyre-r7 smcintyre-r7 self-assigned this Nov 20, 2024
@smashery smashery marked this pull request as ready for review November 20, 2024 20:29
Copy link
Contributor

@smcintyre-r7 smcintyre-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested quite a few cases and only found a couple of issues. One was that PTH should probably be filtered out for the CHANGE and CHANGE_NTLM actions since they need the plaintext password. The second was that I've been unable to get the CHANGE_NTLM action to work where a user should be able to change their own password, given knowledge of its existing plaintext value, to a new NTLM hash. Is there any trick to getting this to work? I seem to just be getting STATUS_PASSWORD_RESTRICTION each time I try.

Tested:

  • DA to reset the password of an account
  • DA to reset the NTLM hash of an account
  • User to reset their own password

)
end

def connect_samr
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a method in our Msf::Exploit::Remote::MsSamr module that'll do this and open the domain handle after looking up the sid. I see in #get_user_handle you're getting the domain handle, so you could remove quite a bit of that code as well and use the handle the mixin returns.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried using that, but it created issues when using the CHANGE action. When passwords are expired, we get ACCESS_DENIED if trying to get a server handle with the anonymous bind. When trying to make this change, I found I needed to have a separate code path to do all the connecting anyway, which undermined the refactoring.

modules/auxiliary/admin/smb/change_password.rb Outdated Show resolved Hide resolved
modules/auxiliary/admin/smb/change_password.rb Outdated Show resolved Hide resolved
@smashery
Copy link
Contributor Author

smashery commented Dec 6, 2024

I've been unable to get the CHANGE_NTLM action to work where a user should be able to change their own password, given knowledge of its existing plaintext value, to a new NTLM hash. Is there any trick to getting this to work? I seem to just be getting STATUS_PASSWORD_RESTRICTION each time I try.

Ah, I got this too, and it took me a while to figure out why my code was failing. Windows has a "minimum password age" restriction, which prevents changing multiple times in a day by default. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/minimum-password-age

Set that to 0 days, and hopefully it'll resolve 🤞

@smcintyre-r7
Copy link
Contributor

Cool, thanks for fixing PTH authentication, I was able to confirm that's working now.

metasploit-framework.pr (S:0 J:0) auxiliary(admin/smb/change_password) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Changing password
[*] 192.168.159.10:445 - Connecting to Security Account Manager (SAM) Remote Protocol
[*] 192.168.159.10:445 - Binding to \samr...
[+] 192.168.159.10:445 - Bound to \samr
[+] 192.168.159.10:445 - Successfully changed password for smcintyre
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/smb/change_password) > show options 

Module options (auxiliary/admin/smb/change_password):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]


   When ACTION is one of CHANGE,RESET:

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   NEW_PASSWORD  SpaceWorld1990!  no        The new password to change to


   When ACTION is one of CHANGE_NTLM,RESET_NTLM:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   NEW_NTLM                   no        The new NTLM hash to change to. Can be either an NT hash or a colon-delimited NTLM hash


   When ACTION is one of RESET,RESET_NTLM:

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   TARGET_USER                   no        The user to reset the password of.


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting                                                    Required  Description
   ----       ---------------                                                    --------  -----------
   RHOSTS     192.168.159.10                                                     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445                                                                no        The target port (TCP)
   SMBDomain  msflab.local                                                       no        The Windows domain to use for authentication
   SMBPass    aad3b435b51404eeaad3b435b51404ee:90936ED94234B9F23B6420AFC0C0CD68  no        The password for the specified username
   SMBUser    smcintyre                                                          no        The username to authenticate as


Auxiliary action:

   Name    Description
   ----    -----------
   CHANGE  Change the password, knowing the existing one. New AES kerberos keys will be generated.



View the full module info with the info, or info -d command.

metasploit-framework.pr (S:0 J:0) auxiliary(admin/smb/change_password) >

I was also able to get CHANGE_NTLM working as well once I made a couple of tweaks. With those two tests having passed now I think this is ready to go. I've landed the RubySMB side, so I'll release a new build of the gem now and then we can get this landed.

@smcintyre-r7 smcintyre-r7 merged commit d060312 into rapid7:master Dec 9, 2024
81 checks passed
@smcintyre-r7
Copy link
Contributor

Release Notes

This adds a module that is able to change a user's password knowing the current value or reset a user's password given the necessary permissions using SMB.

@smcintyre-r7 smcintyre-r7 added the rn-modules release notes for new or majorly enhanced modules label Dec 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
module rn-modules release notes for new or majorly enhanced modules
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

2 participants