
Change/Reset passwords over SMB #19666

Merged: 12 commits into rapid7:master, Dec 9, 2024

Conversation

@smashery (Contributor) commented Nov 20, 2024

This supports changing/resetting passwords over the SMB protocol. Requires the changes over at rapid7/ruby_smb#279

New module: modules/auxiliary/admin/smb/change_password

Actions:

  • CHANGE: Changing an existing (known) password.
  • CHANGE_NTLM: Changing an existing (known) password to an NTLM value.
  • RESET: Forcing a password reset by having privileges over the target account.
  • RESET_NTLM: Forcing a password reset to an NTLM value by having privileges over the target account.

Verification

Do the test cases below with:

  • SMB auth
  • Existing SMB session (mostly meaningful for the Reset behaviour, but technically you can run Change from an existing session, as long as you know and set the password)
  • Kerberos auth

Test cases:

  • Change password for user
  • Change password for user with expired/must-change password (will anonymous bind)
  • Change-ntlm for user
  • Change-ntlm for user with expired/must-change password (should fail)
  • Reset password for user
  • Reset-ntlm for user
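As an added illustration (not code from this PR or from Metasploit), the Ruby below shows what the CHANGE_NTLM and RESET_NTLM actions operate on: the NT hash is an unsalted MD4 over the UTF-16LE password, and the NEW_NTLM option accepts either a bare NT hash or the colon-delimited LM:NT form, the same layout the pass-the-hash SMBPass value later in this thread uses. MD4 is implemented inline because OpenSSL 3 only provides it through the legacy provider; the option name NEW_NTLM comes from the module's options table, while the function names and the empty-LM-hash default are this example's own.

```ruby
# Added example, not code from this PR or from Metasploit. Shows what the
# CHANGE_NTLM / RESET_NTLM actions set: the NT hash (MD4 over the UTF-16LE
# password), and how the NEW_NTLM option's two accepted forms (bare NT hash, or
# colon-delimited LM:NT) reduce to one LM/NT pair. Function names are ours.

MASK32 = 0xffffffff
# LM hash of an empty password; what the LM half is when LM hashes are disabled.
EMPTY_LM_HASH = 'aad3b435b51404eeaad3b435b51404ee'.freeze

# MD4 (RFC 1320), implemented by hand: OpenSSL 3 only ships MD4 in its legacy
# provider, so Digest::MD4 / OpenSSL::Digest::MD4 are frequently unavailable.
def md4_hex(message)
  f = ->(x, y, z) { (x & y) | (~x & z) }
  g = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  h = ->(x, y, z) { x ^ y ^ z }
  rotl = ->(x, s) { ((x << s) | (x >> (32 - s))) & MASK32 }

  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476

  # Padding: 0x80, zero bytes up to 56 mod 64, then the 64-bit LE bit length.
  bit_len = message.bytesize * 8
  msg = message.b + "\x80".b
  msg << "\x00".b until msg.bytesize % 64 == 56
  msg << [bit_len & MASK32, (bit_len >> 32) & MASK32].pack('V2')

  # [boolean function, additive constant, per-step shifts, word order] per round
  rounds = [
    [f, 0x00000000, [3, 7, 11, 19], (0..15).to_a],
    [g, 0x5a827999, [3, 5, 9, 13],  [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]],
    [h, 0x6ed9eba1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]]
  ]

  msg.bytes.each_slice(64) do |block|
    x = block.pack('C*').unpack('V16')
    aa, bb, cc, dd = a, b, c, d
    rounds.each do |fn, k, shifts, order|
      order.each_with_index do |i, step|
        a = rotl.((a + fn.(b, c, d) + x[i] + k) & MASK32, shifts[step % 4])
        a, b, c, d = d, a, b, c # rotate the working registers
      end
    end
    a = (a + aa) & MASK32
    b = (b + bb) & MASK32
    c = (c + cc) & MASK32
    d = (d + dd) & MASK32
  end
  [a, b, c, d].pack('V4').unpack1('H*')
end

# NT hash: unsalted MD4 of the UTF-16LE password. This is the value RESET_NTLM
# writes and the value a pass-the-hash SMBPass carries after the colon.
def nt_hash(password)
  md4_hex(password.encode('UTF-16LE').b)
end

# Normalise NEW_NTLM to an LM/NT pair. A bare 32-hex value is taken as the NT
# hash with the empty LM hash; "LM:NT" is split. Anything else is rejected.
def parse_new_ntlm(option)
  parts = option.to_s.strip.split(':', -1)
  lm, nt = parts.length == 1 ? [EMPTY_LM_HASH, parts[0]] : parts
  valid = parts.length <= 2 && [lm, nt].all? { |v| v.to_s.match?(/\A\h{32}\z/) }
  raise ArgumentError, "NEW_NTLM must be NT or LM:NT hex, got #{option.inspect}" unless valid
  { lm: lm.downcase, nt: nt.downcase }
end

if __FILE__ == $PROGRAM_NAME
  puts nt_hash('password')                               # 8846f7eaee8fb117ad06bdd830b7586c
  p parse_new_ntlm('90936ED94234B9F23B6420AFC0C0CD68')   # NT only: empty LM half is filled in
  p parse_new_ntlm("#{EMPTY_LM_HASH}:#{nt_hash('password')}")
end
```

The point worth noticing from the defender's side is that nothing in `nt_hash` involves a salt or an iteration count: whatever RESET_NTLM writes is exactly what a later pass-the-hash authentication presents, so an NT hash set this way is as sensitive as the plaintext it replaces.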

@smcintyre-r7 smcintyre-r7 self-assigned this Nov 20, 2024
@smashery smashery marked this pull request as ready for review November 20, 2024 20:29
@smcintyre-r7 (Contributor) left a comment

I tested quite a few cases and only found a couple of issues. One was that PTH should probably be filtered out for the CHANGE and CHANGE_NTLM actions since they need the plaintext password. The second was that I've been unable to get the CHANGE_NTLM action to work where a user should be able to change their own password, given knowledge of its existing plaintext value, to a new NTLM hash. Is there any trick to getting this to work? I seem to just be getting STATUS_PASSWORD_RESTRICTION each time I try.

Tested:

  • DA to reset the password of an account
  • DA to reset the NTLM hash of an account
  • User to reset their own password

Inline review comment on the module code at:

    )
    end

    def connect_samr

@smcintyre-r7 (Contributor):

We have a method in our Msf::Exploit::Remote::MsSamr module that'll do this and open the domain handle after looking up the sid. I see in #get_user_handle you're getting the domain handle, so you could remove quite a bit of that code as well and use the handle the mixin returns.

@smashery (Contributor Author) replied:

I tried using that, but it created issues when using the CHANGE action. When passwords are expired, we get ACCESS_DENIED if trying to get a server handle with the anonymous bind. When trying to make this change, I found I needed to have a separate code path to do all the connecting anyway, which undermined the refactoring.

Two further review comments on modules/auxiliary/admin/smb/change_password.rb (outdated, resolved)
smashery commented Dec 6, 2024

> I've been unable to get the CHANGE_NTLM action to work where a user should be able to change their own password, given knowledge of its existing plaintext value, to a new NTLM hash. Is there any trick to getting this to work? I seem to just be getting STATUS_PASSWORD_RESTRICTION each time I try.

Ah, I got this too, and it took me a while to figure out why my code was failing. Windows has a "minimum password age" restriction, which prevents changing multiple times in a day by default. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/minimum-password-age

Set that to 0 days, and hopefully it'll resolve 🤞

@smcintyre-r7 (Contributor) commented:

Cool, thanks for fixing PTH authentication, I was able to confirm that's working now.

metasploit-framework.pr (S:0 J:0) auxiliary(admin/smb/change_password) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Changing password
[*] 192.168.159.10:445 - Connecting to Security Account Manager (SAM) Remote Protocol
[*] 192.168.159.10:445 - Binding to \samr...
[+] 192.168.159.10:445 - Bound to \samr
[+] 192.168.159.10:445 - Successfully changed password for smcintyre
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/smb/change_password) > show options 

Module options (auxiliary/admin/smb/change_password):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]


   When ACTION is one of CHANGE,RESET:

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   NEW_PASSWORD  SpaceWorld1990!  no        The new password to change to


   When ACTION is one of CHANGE_NTLM,RESET_NTLM:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   NEW_NTLM                   no        The new NTLM hash to change to. Can be either an NT hash or a colon-delimited NTLM hash


   When ACTION is one of RESET,RESET_NTLM:

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   TARGET_USER                   no        The user to reset the password of.


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting                                                    Required  Description
   ----       ---------------                                                    --------  -----------
   RHOSTS     192.168.159.10                                                     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445                                                                no        The target port (TCP)
   SMBDomain  msflab.local                                                       no        The Windows domain to use for authentication
   SMBPass    aad3b435b51404eeaad3b435b51404ee:90936ED94234B9F23B6420AFC0C0CD68  no        The password for the specified username
   SMBUser    smcintyre                                                          no        The username to authenticate as


Auxiliary action:

   Name    Description
   ----    -----------
   CHANGE  Change the password, knowing the existing one. New AES kerberos keys will be generated.



View the full module info with the info, or info -d command.

metasploit-framework.pr (S:0 J:0) auxiliary(admin/smb/change_password) >

I was also able to get CHANGE_NTLM working as well once I made a couple of tweaks. With those two tests having passed now I think this is ready to go. I've landed the RubySMB side, so I'll release a new build of the gem now and then we can get this landed.

@smcintyre-r7 smcintyre-r7 merged commit d060312 into rapid7:master Dec 9, 2024
81 checks passed
@smcintyre-r7 (Contributor) commented:

Release Notes

This adds a module that is able to change a user's password knowing the current value or reset a user's password given the necessary permissions using SMB.
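The two behaviours the release note describes leave different traces on the domain controller that serviced the SAMR call: a change made with knowledge of the current password is audited as Security event 4723 ("An attempt was made to change an account's password"), while a privileged reset is event 4724 ("An attempt was made to reset an account's password"). The Ruby below is an added example, not part of this PR or of Metasploit, that classifies a constructed batch of such events and raises alerts for a burst of failed self-service changes (what a minimum-password-age or complexity rejection, or guessing of the current password, looks like from the DC), for a 4723 whose subject is not the target, and for resets by accounts outside an assumed allowlist. The record fields, the sample accounts and the allowlist are all constructed for the example.

```ruby
# Added example, not code from this PR or from Metasploit. A small detection pass
# over the Windows Security events that the two module behaviours produce on the
# domain controller: 4723 "an attempt was made to change an account's password"
# (the caller supplies the current password: CHANGE / CHANGE_NTLM) and 4724
# "an attempt was made to reset an account's password" (privilege over the
# target: RESET / RESET_NTLM). Records below are constructed sample data reduced
# to the fields this logic reads; field names are this example's own.

SAMPLE_EVENTS = [
  { id: 4723, subject: 'jsmith',     target: 'jsmith',        result: 'Audit Failure', time: '2024-12-06T09:00:01Z' },
  { id: 4723, subject: 'jsmith',     target: 'jsmith',        result: 'Audit Failure', time: '2024-12-06T09:00:03Z' },
  { id: 4723, subject: 'jsmith',     target: 'jsmith',        result: 'Audit Failure', time: '2024-12-06T09:00:05Z' },
  { id: 4723, subject: 'jsmith',     target: 'jsmith',        result: 'Audit Success', time: '2024-12-06T09:00:07Z' },
  { id: 4724, subject: 'helpdesk1',  target: 'bjones',        result: 'Audit Success', time: '2024-12-06T09:10:00Z' },
  { id: 4738, subject: 'helpdesk1',  target: 'bjones',        result: 'Audit Success', time: '2024-12-06T09:10:01Z' },
  { id: 4724, subject: 'svc-backup', target: 'Administrator', result: 'Audit Success', time: '2024-12-06T09:12:00Z' },
  { id: 4723, subject: 'kwei',       target: 'bjones',        result: 'Audit Success', time: '2024-12-06T09:15:00Z' }
].freeze

# Constructed policy: accounts expected to perform resets, and how many failed
# self-service changes on one account we tolerate before raising an alert.
RESET_ALLOWLIST = %w[helpdesk1 helpdesk2].freeze
FAILURE_BURST = 3

# Map an event to the module behaviour it corresponds to; other IDs (e.g. 4738
# "a user account was changed") return nil and are ignored.
def classify(event)
  case event[:id]
  when 4723 then event[:subject] == event[:target] ? :self_change : :change_for_other
  when 4724 then :reset
  end
end

# Walk the events in time order and return the list of alert strings.
def analyse(events)
  alerts = []
  failures = Hash.new(0)
  events.sort_by { |e| e[:time] }.each do |e|
    case classify(e)
    when :self_change
      next unless e[:result] == 'Audit Failure'
      failures[e[:target]] += 1
      if failures[e[:target]] == FAILURE_BURST
        alerts << "#{e[:target]}: #{FAILURE_BURST} failed self-service password changes"
      end
    when :change_for_other
      # A 4723 whose subject is not the target: someone changed another account's
      # password by presenting its current value, not by privilege over it.
      alerts << "#{e[:subject]} changed password of #{e[:target]} using its current password"
    when :reset
      unless RESET_ALLOWLIST.include?(e[:subject])
        alerts << "#{e[:subject]} reset password of #{e[:target]} but is not an approved reset account"
      end
    end
  end
  alerts
end

puts analyse(SAMPLE_EVENTS) if __FILE__ == $PROGRAM_NAME
```

Run against the sample data this yields three alerts: the burst of failed changes on jsmith, the reset of Administrator by svc-backup, and kwei changing bjones's password. The helpdesk1 reset is silent because it matches the allowlist, and the 4738 record is ignored. In a real pipeline the allowlist would come from group membership and the burst threshold would be tuned against the domain's own failure rate.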

@smcintyre-r7 smcintyre-r7 added the rn-modules release notes for new or majorly enhanced modules label Dec 9, 2024