Skip to content

Added Kerberos support for SMBPasswd.py, fixes #1156#1177

Closed
p0dalirius wants to merge 2 commits intofortra:masterfrom
p0dalirius:added_kerberos_support_smbpasswd
Closed

Added Kerberos support for SMBPasswd.py, fixes #1156#1177
p0dalirius wants to merge 2 commits intofortra:masterfrom
p0dalirius:added_kerberos_support_smbpasswd

Conversation

@p0dalirius
Copy link
Copy Markdown
Contributor

@p0dalirius p0dalirius commented Oct 6, 2021
edited
Loading

We checked with @ShutdownRepo, and it is not possible to perform a password change with SamrUnicodeChangePasswordUser2 using Kerberos when the current password is expired (STATUS_PASSWORD_EXPIRED), since the bypass relies on a null session, which cannot be obtained through Kerberos.

However we submitted a pull request to smbpasswd.py and it is now possible to authenticate using Kerberos (only when password is not expired).

Here is a demo:

image

p0dalirius and others added 2 commits October 6, 2021 12:49
@0xdeaddood 0xdeaddood added the in review This issue or pull request is being analyzed label Oct 7, 2021
@Alef-Burzmali Alef-Burzmali mentioned this pull request Oct 16, 2021
Closed
alexisbalbachan
alexisbalbachan reviewed Feb 1, 2023
View reviewed changes
examples/smbpasswd.py
Comment on lines +49 to +51
def __init__(self, domain='', username='', oldPassword='', newPassword='',
oldPwdHashLM='', oldPwdHashNT='', newPwdHashLM='', newPwdHashNT='',
hostname='', doKerberos=False, kdcHost=None):
Copy link
Copy Markdown
Collaborator

@alexisbalbachan alexisbalbachan Feb 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Default values for parameters are not necessary, all of the parameters are passed to SMBPasswd at main, SMBPasswd is not used anywhere else.

alexisbalbachan
alexisbalbachan reviewed Feb 1, 2023
View reviewed changes
examples/smbpasswd.py
Comment on lines +133 to +136
group = parser.add_mutually_exclusive_group()
group.add_argument('-oldpass', action='store', default=None, help='old SMB password')
group.add_argument('-oldhashes', action='store', default=None, metavar='LMHASH:NTHASH', help='old NTLM hashes, format is LMHASH:NTHASH (the user will be asked to change their password at next logon)')

Copy link
Copy Markdown
Collaborator

@alexisbalbachan alexisbalbachan Feb 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

alexisbalbachan
alexisbalbachan reviewed Feb 1, 2023
View reviewed changes
examples/smbpasswd.py

group = parser.add_argument_group('authentication')
group.add_argument('-hashes', action='store', default=None, metavar='LMHASH:NTHASH', help='NTLM hashes, format is LMHASH:NTHASH')
group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
Copy link
Copy Markdown
Collaborator

@alexisbalbachan alexisbalbachan Feb 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This argument is not being used, (am i missing something?)

alexisbalbachan
alexisbalbachan reviewed Feb 1, 2023
View reviewed changes
examples/smbpasswd.py
group.add_argument('-hashes', action='store', default=None, metavar='LMHASH:NTHASH', help='NTLM hashes, format is LMHASH:NTHASH')
group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')
Copy link
Copy Markdown
Collaborator

@alexisbalbachan alexisbalbachan Feb 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • aesKey is only being used to set doKerberos flag
  • The actual aesKey value is not used when setting credentials of the SMBTransport: smbpasswd.py#L67-L70

alexisbalbachan
alexisbalbachan reviewed Feb 1, 2023
View reviewed changes
examples/smbpasswd.py
Comment on lines +157 to +158
if oldPassword == '' and options.oldpass is not None:
oldPassword = options.oldpass
Copy link
Copy Markdown
Collaborator

@alexisbalbachan alexisbalbachan Feb 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not necessary, see first comment

alexisbalbachan
alexisbalbachan requested changes Feb 1, 2023
View reviewed changes
Copy link
Copy Markdown
Collaborator

@alexisbalbachan alexisbalbachan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The core functionality is OK
There are some conflicting parameters while others are not being used

@alexisbalbachan alexisbalbachan added waiting for response Further information is needed from people who opened the issue or pull request and removed in review This issue or pull request is being analyzed labels Feb 1, 2023
Alef-Burzmali added a commit to Alef-Burzmali/impacket that referenced this pull request May 21, 2023
@Alef-Burzmali
Add changepasswd.py example
29ee67b 
This example combines the different protocols that can change a user's
password in an AD environment.

- smbpasswd.py features from edef71f
  Authors: @snovvcrash, @bransh, @Alef-Burzmali
- Kerberos authentication for smbpasswd.py from bbcd2d8
  Author: @p0dalirius (PR fortra#1177)
- MS-RPC transport for SAMR (rpcpasswd.py) from a1d0cc9
  Author: @Oddvarmoe (PR fortra#1304)
- Kerberos Change and Set Password (kpasswd.py) from 9aea200
  Author: @Alef-Burzmali
@Alef-Burzmali Alef-Burzmali mentioned this pull request May 21, 2023
Merged
Alef-Burzmali added a commit to Alef-Burzmali/impacket that referenced this pull request May 29, 2023
@Alef-Burzmali
Add changepasswd.py example
9f31b8f 
This example combines the different protocols that can change a user's

password in an AD environment.

- smbpasswd.py features from edef71f
  Authors: @snovvcrash, @bransh, @Alef-Burzmali
- Kerberos authentication for smbpasswd.py from bbcd2d8
  Author: @p0dalirius (PR fortra#1177)
- MS-RPC transport for SAMR (rpcpasswd.py) from a1d0cc9
  Author: @Oddvarmoe (PR fortra#1304)
- Kerberos Change and Set Password (kpasswd.py) from 9aea200
  Author: @Alef-Burzmali
Alef-Burzmali added a commit to Alef-Burzmali/impacket that referenced this pull request May 29, 2023
@Alef-Burzmali
Add changepasswd.py example
ecf7b7c 
This example combines the different protocols that can change a user's

password in an AD environment.

- smbpasswd.py features from edef71f
  Authors: @snovvcrash, @bransh, @Alef-Burzmali
- Kerberos authentication for smbpasswd.py from bbcd2d8
  Author: @p0dalirius (PR fortra#1177)
- MS-RPC transport for SAMR (rpcpasswd.py) from a1d0cc9
  Author: @Oddvarmoe (PR fortra#1304)
- Kerberos Change and Set Password (kpasswd.py) from 9aea200
  Author: @Alef-Burzmali
@0xdeaddood
Copy link
Copy Markdown
Collaborator

0xdeaddood commented Jul 28, 2023

Added to changepasswd.py. Closing.

Thanks @p0dalirius for your contribution!!

@0xdeaddood 0xdeaddood closed this Jul 28, 2023
@anadrianmanrique anadrianmanrique removed the waiting for response Further information is needed from people who opened the issue or pull request label Aug 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexisbalbachan alexisbalbachan alexisbalbachan requested changes

Assignees

@alexisbalbachan alexisbalbachan

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@p0dalirius @0xdeaddood @alexisbalbachan @peteribi @anadrianmanrique @mcoco-sa