Merge pull request rapid7#19666 from smashery/smb_change_pw

Change/Reset passwords over SMB

Author: smcintyre-r7

Gemfile.lock

@@ -499,7 +499,7 @@ GEM
     ruby-progressbar (1.13.0)
     ruby-rc4 (0.1.5)
     ruby2_keywords (0.0.5)
-    ruby_smb (3.3.11)
+    ruby_smb (3.3.13)
       bindata (= 2.4.15)
       openssl-ccm
       openssl-cmac

LICENSE_GEMS

@@ -181,7 +181,7 @@ ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.11, "New BSD"
+ruby_smb, 3.3.13, "New BSD"
 rubyntlm, 0.6.5, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT

documentation/modules/auxiliary/admin/smb/change_password.md

@@ -0,0 +1,46 @@
+## Introduction
+
+Allows changing or resetting users' passwords.
+
+"Changing" refers to situations where you know the value of the existing password, and send that to the server as part of the password modification.
+"Resetting" refers to situations where you may not know the value of the existing password, but by virtue of your permissions over the target account, you can force-change the password without necessarily knowing it.
+
+Note that users can typically not reset their own passwords (unless they have very high privileges).
+
+This module works with existing sessions (or relaying), especially for Reset use cases, wherein the target's password is not required.
+
+## Actions
+
+- `RESET` - Reset the target's password without knowing the existing one (requires appropriate permissions). New AES kerberos keys will be generated.
+- `RESET_NTLM` - Reset the target's NTLM hash, without knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
+- `CHANGE` - Change the password, knowing the existing one. New AES kerberos keys will be generated.
+- `CHANGE_NTLM` - Change the password to a NTLM hash value, knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
+
+## Options
+
+The required options are based on the action being performed:
+
+- When resetting a password, you must specify the `TARGET_USER`
+- When changing a password, you must specify the `SMBUser` and `SMBPass`, even if using an existing session (since the API requires both of these to be specified, even for open SMB sessions)
+- When resetting or changing a password, you must specify `NEW_PASSWORD`
+- When resetting or changing an NTLM hash, you must specify `NEW_NTLM`
+
+**SMBUser**
+
+The username to use to authenticate to the server. Required for changing a password, even if using an existing session.
+
+**SMBPass**
+
+The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).
+
+**TARGET_USER**
+
+For resetting passwords, the user account for which to reset the password. The authenticated account (SMBUser) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)
+
+**NEW_PASSWORD**
+
+The new password to set for `RESET` and `CHANGE` actions. 
+
+**NEW_NTLM**
+
+The new NTLM hash to set for `RESET_NTLM` and `CHANGE_NTLM` actions. This can either be an NT hash, or a colon-delimited NTLM hash.

lib/msf/core/exploit/remote/smb/client.rb

@@ -149,10 +149,19 @@ def unicode(str)
       # You should call {#connect} before calling this
       #
       # @param simple_client [Rex::Proto::SMB::SimpleClient] Optional SimpleClient instance to use
+      # @param opts [Hash] Options to override the datastore options
+      # @option :username [String] Override SMBUser datastore option
+      # @option :domain [String] Override SMBDomain datastore option
+      # @option :password [String] Override SMBPass datastore option
+      # @option :auth_protocol [String] Override SMB::Auth datastore option
       # @return [void]
-      def smb_login(simple_client = self.simple)
+      def smb_login(simple_client = self.simple, opts: {})
+        username = opts.fetch(:username) {datastore['SMBUser']}
+        domain = opts.fetch(:domain) {datastore['SMBDomain']}
+        password = opts.fetch(:password) {datastore['SMBPass']}
+        smb_auth = opts.fetch(:auth_protocol) {datastore['SMB::Auth']}
         # Override the default RubySMB capabilities with Kerberos authentication
-        if datastore['SMB::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS
+        if smb_auth == Msf::Exploit::Remote::AuthOption::KERBEROS
           fail_with(Msf::Exploit::Failure::BadConfig, 'The Smb::Rhostname option is required when using Kerberos authentication.') if datastore['Smb::Rhostname'].blank?
           fail_with(Msf::Exploit::Failure::BadConfig, 'The SMBDomain option is required when using Kerberos authentication.') if datastore['SMBDomain'].blank?
           offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['Smb::KrbOfferedEncryptionTypes'])
@@ -162,9 +171,9 @@ def smb_login(simple_client = self.simple)
             host: datastore['DomainControllerRhost'].blank? ? nil : datastore['DomainControllerRhost'],
             hostname: datastore['Smb::Rhostname'],
             proxies: datastore['Proxies'],
-            realm: datastore['SMBDomain'],
-            username: datastore['SMBUser'],
-            password: datastore['SMBPass'],
+            realm: domain,
+            username: username,
+            password: password,
             framework: framework,
             framework_module: self,
             cache_file: datastore['Smb::Krb5Ccname'].blank? ? nil : datastore['Smb::Krb5Ccname'],
@@ -178,9 +187,9 @@ def smb_login(simple_client = self.simple)
 
         simple_client.login(
           datastore['SMBName'],
-          datastore['SMBUser'],
-          datastore['SMBPass'],
-          datastore['SMBDomain'],
+          username,
+          password,
+          domain,
           datastore['SMB::VerifySignature'],
           datastore['NTLM::UseNTLMv2'],
           datastore['NTLM::UseNTLM2_session'],