Updated text to be clearer about the AES kerberos behaviour

smashery · smashery · commit 7c46d4d02d79 · 2024-12-06T14:28:44.000+11:00
diff --git a/documentation/modules/auxiliary/admin/smb/change_password.md b/documentation/modules/auxiliary/admin/smb/change_password.md
@@ -11,10 +11,10 @@ This module works with existing sessions (or relaying), especially for Reset use
 
 ## Actions
 
-- `RESET` - Reset the target's password without knowing the existing one (requires appropriate permissions)
-- `RESET_NTLM` - Reset the target's NTLM hash, without knowing the existing password. This will not update kerberos keys.
-- `CHANGE` - Change the password, knowing the existing one.
-- `CHANGE_NTLM` - Change the password to a NTLM hash value, knowing the existing password. This will not update kerberos keys.
+- `RESET` - Reset the target's password without knowing the existing one (requires appropriate permissions). New AES kerberos keys will be generated.
+- `RESET_NTLM` - Reset the target's NTLM hash, without knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
+- `CHANGE` - Change the password, knowing the existing one. New AES kerberos keys will be generated.
+- `CHANGE_NTLM` - Change the password to a NTLM hash value, knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
 
 ## Options
 
diff --git a/modules/auxiliary/admin/smb/change_password.rb b/modules/auxiliary/admin/smb/change_password.rb
@@ -31,10 +31,10 @@ def initialize(info = {})
           'SideEffects' => [ IOC_IN_LOGS ]
         },
         'Actions' => [
-          [ 'RESET', { 'Description' => "Reset the target's password without knowing the existing one (requires appropriate permissions)" } ],
-          [ 'RESET_NTLM', { 'Description' => "Reset the target's NTLM hash, without knowing the existing password. This will not update kerberos keys." } ],
-          [ 'CHANGE', { 'Description' => 'Change the password, knowing the existing one.' } ],
-          [ 'CHANGE_NTLM', { 'Description' => 'Change the password to a NTLM hash value, knowing the existing password. This will not update kerberos keys.' } ]
+          [ 'RESET', { 'Description' => "Reset the target's password without knowing the existing one (requires appropriate permissions). New AES kerberos keys will be generated." } ],
+          [ 'RESET_NTLM', { 'Description' => "Reset the target's NTLM hash, without knowing the existing password. AES kerberos authentication will not work until a standard password change occurs." } ],
+          [ 'CHANGE', { 'Description' => 'Change the password, knowing the existing one. New AES kerberos keys will be generated.' } ],
+          [ 'CHANGE_NTLM', { 'Description' => 'Change the password to a NTLM hash value, knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.' } ]
         ],
         'DefaultAction' => 'RESET'
       )
