Implement kpasswd #1189
Seems to be not working correctly when using the KRB5CCNAME
Klist:
|
Figured out the issue, target in the help needs to be updated:
Whereas the examples give an actual host for a target:
|
Thanks for noticing that. The DC could be an optional parameter (it was originally but I changed to parse_target instead of parse_credentials, causing the bug). However, I think it is better to be coherent with smbpasswd parameters. |
Implement the Kerberos Change Password and Set Password protocols. The authentication uses Kerberos (cleartext password, hash or TGT). The new password must be specified in cleartext and password policies are enforced.
56cc280 to 9aea200
Rebasing to latest master as this PR received some attention for CVE-2022-32744 |
We should wait for #1177 to be merged before reviewing this pull request. |
#1177 does not implement the same protocol. It uses SamrChangePasswordUser, with Kerberos authentication, whereas my PR implements the kpasswd protocol. Some additional info here on the different protocols. Mine is 3. and 4., #1177 is 1. |
fingers crossed to see this one added |
Is there anything more I can do to help with the review of this PR, since it has been assigned? |
Hello, if I understand all these PRs correctly, we have:
It would make sense from an exploitation perspective to regroup all of these similar features in the same script. However, from an example code perspective, the script would be harder to understand if not planned correctly, especially because we would mix 3 different transport protocols. Up to you to decide if you prefer focusing on "ease of use for attackers" or "clarity of example scripts for developers". If you want to go ahead on a single "changepasswd.py" script that merges all these PRs, I'd be happy to give it a try in a new PR if no one is already working on it. I'd suggest an interface like this one:
|
Wow that's really great and helpful feedback! We haven't started merging those PRs yet |
Cherry-picked from branch changepasswd (PR fortra#1559)
Add the possibility to request a TGT for another SPN
Request a TGT with the kadmin/changepw SPN
Apply black and flake8 formatting
As #1559 was merged and is a superset of this PR, I am closing this one. |
Implement the Kerberos Change Password and Set Password protocols.
It fixes the second request of #1156.
As it is a completely different protocol than what smbpasswd.py is using, with different properties and constraints, I have created a new example script. It may be possible to merge the two, let me know if you would prefer it that way.
It differs from #1177 because it is not using SamrUnicodeChangePasswordUser2 to change the password, but the Kerberos Change Password protocol.
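As an added illustration (not code from this PR or from impacket), the sketch below splits a kpasswd request into the framing fields defined in RFC 3244 and uses the protocol version field to tell Change Password from Set Password, which is useful when inspecting traffic to the kpasswd service. The function names and the stub sample frames are constructed for this example.

```python
import struct

# Protocol version field values (named KRB5_KPASSWD_VERS_* in MIT krb5).
VERSIONS = {0x0001: "change-password", 0xFF80: "set-password (RFC 3244)"}
AP_REQ_TAG = 0x6E    # DER [APPLICATION 14]
KRB_PRIV_TAG = 0x75  # DER [APPLICATION 21]


class KpasswdFrameError(ValueError):
    """Raised when a buffer is not a well-formed kpasswd request frame."""


def parse_kpasswd_request(data: bytes, tcp: bool = False) -> dict:
    """Split one kpasswd request into its framing fields without decrypting it."""
    if tcp:  # over TCP the message is preceded by a 4-byte big-endian length
        if len(data) < 4 or struct.unpack("!I", data[:4])[0] != len(data) - 4:
            raise KpasswdFrameError("bad TCP length prefix")
        data = data[4:]
    if len(data) < 6:
        raise KpasswdFrameError("truncated header")
    msg_len, version, ap_req_len = struct.unpack("!HHH", data[:6])
    if msg_len != len(data):
        raise KpasswdFrameError("message length field does not match buffer")
    if version not in VERSIONS:
        raise KpasswdFrameError(f"unknown protocol version 0x{version:04x}")
    ap_req, krb_priv = data[6:6 + ap_req_len], data[6 + ap_req_len:]
    if not ap_req or not krb_priv:
        raise KpasswdFrameError("AP-REQ length leaves no room for both parts")
    if ap_req[0] != AP_REQ_TAG or krb_priv[0] != KRB_PRIV_TAG:
        raise KpasswdFrameError("unexpected ASN.1 application tag")
    return {"protocol": VERSIONS[version], "ap_req_len": len(ap_req),
            "krb_priv_len": len(krb_priv)}


def build_sample(version: int, tcp: bool = False) -> bytes:
    """Constructed sample frame: stub bodies with only the leading tag set."""
    ap_req = bytes([AP_REQ_TAG]) + b"\x00" * 15
    krb_priv = bytes([KRB_PRIV_TAG]) + b"\x00" * 31
    header = struct.pack("!HHH", 6 + len(ap_req) + len(krb_priv), version, len(ap_req))
    frame = header + ap_req + krb_priv
    return struct.pack("!I", len(frame)) + frame if tcp else frame


if __name__ == "__main__":
    for v in (0x0001, 0xFF80):
        print(parse_kpasswd_request(build_sample(v)))
```

The AP-REQ and KRB-PRIV bodies are left opaque here; decoding them requires an ASN.1 parser and the session key.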