Change/Reset passwords over SMB #19666
I tested quite a few cases and only found a couple of issues. One was that PTH should probably be filtered out for the `CHANGE` and `CHANGE_NTLM` actions since they need the plaintext password. The second was that I've been unable to get the `CHANGE_NTLM` action to work where a user should be able to change their own password, given knowledge of its existing plaintext value, to a new NTLM hash. Is there any trick to getting this to work? I seem to just be getting `STATUS_PASSWORD_RESTRICTION` each time I try.
Tested:
- DA to reset the password of an account
- DA to reset the NTLM hash of an account
- User to reset their own password
```ruby
    )
  end

  def connect_samr
```
We have a method in our `Msf::Exploit::Remote::MsSamr` module that'll do this and open the domain handle after looking up the SID. I see in `#get_user_handle` you're getting the domain handle, so you could remove quite a bit of that code as well and use the handle the mixin returns.
I tried using that, but it created issues when using the `CHANGE` action. When passwords are expired, we get `ACCESS_DENIED` if trying to get a server handle with the anonymous bind. When trying to make this change, I found I needed to have a separate code path to do all the connecting anyway, which undermined the refactoring.
Ah, I got this too, and it took me a while to figure out why my code was failing. Windows has a "minimum password age" restriction, which prevents changing multiple times in a day by default: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/minimum-password-age. Set that to 0 days, and hopefully it'll resolve 🤞
Cool, thanks for fixing PTH authentication, I was able to confirm that's working now.
I was also able to get
Release Notes

This adds a module that is able to change a user's password knowing the current value, or reset a user's password given the necessary permissions, using SMB.
This supports changing/resetting passwords over the SMB protocol. Requires the changes over at rapid7/ruby_smb#279

New module: `modules/auxiliary/admin/smb/change_password`

Actions:
- `CHANGE`: Changing an existing (known) password.
- `CHANGE_NTLM`: Changing an existing (known) password to an NTLM value.
- `RESET`: Forcing a password reset by having privileges over the target account.
- `RESET_NTLM`: Forcing a password reset to an NTLM value, by having privileges over the target account.

Verification
Do the test cases below with:
Test cases: