Ldap Change Password module #19671
Merged
Ldap Change Password module #19671
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
smashery
force-pushed
the
ldap_change_pw
branch
from
facd93f to
ae61d0a
Compare
smcintyre-r7
requested changes
Nov 27, 2024
smashery
force-pushed
the
ldap_change_pw
branch
from
5de68a5 to
75a334c
Compare
smcintyre-r7
approved these changes
Dec 6, 2024
There was a problem hiding this comment.
I pushed up a commit fixing a super minor typo that was throwing off msftidy. I then completed my testing by authenticating with Kerberos and resetting the password for an account and checking an invalid account. Everything is looking good to me so if the tests pass, I'll get this landed.
Thanks a lot for your work on this!
Testing Output
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/change_password) > run
[*] Running module against 192.168.159.10
[-] Auxiliary aborted due to failure: bad-config: The LDAP::Rhostname option is required when using Kerberos authentication.
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/change_password) > set LDAP::Rhostname dc.msflab.local
LDAP::Rhostname => dc.msflab.local
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/change_password) > run
[*] Running module against 192.168.159.10
[+] 192.168.159.10:88 - Received a valid TGT-Response
[*] 192.168.159.10:389 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20241206164448_default_192.168.159.10_mit.kerberos.cca_407813.bin
[+] 192.168.159.10:88 - Received a valid TGS-Response
[*] 192.168.159.10:389 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20241206164448_default_192.168.159.10_mit.kerberos.cca_408381.bin
[+] 192.168.159.10:88 - Received a valid delegation TGS-Response
[+] 192.168.159.10:88 - Received AP-REQ. Extracting session key...
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[+] Successfully reset password for mhatter.
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/change_password) > set NEW_PASSWORD ItsBeer30!
NEW_PASSWORD => ItsBeer30!
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/change_password) > run
[*] Running module against 192.168.159.10
[*] Using cached credential for ldap/[email protected] [email protected]
[+] 192.168.159.10:88 - Received AP-REQ. Extracting session key...
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[+] Successfully reset password for mhatter.
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/change_password) > set TARGET_USER doesnotexist
TARGET_USER => doesnotexist
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/change_password) > run
[*] Running module against 192.168.159.10
[*] Using cached credential for ldap/[email protected] [email protected]
[+] 192.168.159.10:88 - Received AP-REQ. Extracting session key...
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[-] Auxiliary aborted due to failure: not-found: Failed to find sAMAccountName: doesnotexist
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/change_password) >
</details>
Release NotesThis adds a module that is able to change a user's password knowing the current value or reset a user's password given the necessary permissions using LDAP. |
smcintyre-r7
added
the
rn-modules
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a module,
auxiliary/admin/ldap/change_password, for changing/resetting AD passwords over the LDAP protocol.Actions:
CHANGE: Changing an existing (known password).RESET: Forcing a password reset by having privileges over the target account.Works on both standard 389 and SSL-encrypted on 636 (since we use GSS-API encryption)
Verification
Do the test cases below with:
Main use cases: