Published: 23 Jun 2017 - 07:35 -0500
Image showing how to allow users to be able to reset user passwords
Disclaimer: If you are here because you are a helpdesk person, this is a pentest blog, so it’s coming from the mindset of a pentester, but this could just as easily be used for legitmate purposes.
There are a great many things you can do with
rpcclient for examples outside of this blog post see these posts by Chris Gates:
- Enumerating user accounts on Linux and OS X with rpcclient
- More of using rpcclient to find usernames
- more with rpcclient
- From LOW to PWNED  Honorable Mention: Null Sessions
There have been plenty of times on pentests where I have had access to IT or helpdesk related accounts that had limited administrative powers. Almost always I or someone on the team found an internal wiki or share that they did have access to (and then we moved on from there), however they almost always have the ability to reset passwords.
I was unable to find any documentation on how to do this from a Linux host, or at the very least to do it without Active Directory Users and Computers (ADUC), which would require a Windows machine. And figuring out how to run ADUC through a meterpreter sessions wasn’t an hurdle I ever had time for in engagements. :)
Due to me being dumb and resetting a password of my own in my lab to something I couldn’t remember, I finally had the time to figure it out.
If you have Samba client tools (
smbclient) installed, you can use
rpcclient. Out of the gate, you can auth with password or kerberos (this is especially useful in situations where you have dropped into a user that has an active kerberos token or you can make one):
root@kali:~# rpcclient -U helpdesk //192.168.80.10 Enter helpdesk's password: rpcclient $>
If you have the package
passing-the-hash, you can even do this with just a NTLM hash.
In order to change a password you neet to use the
rpcclient $> setuserinfo2 Usage: setuserinfo2 username level password [password_expired] result was NT_STATUS_INVALID_PARAMETER
You will not be able to change the password of anyone with
AdminCount = 1 (aka Domain Admins and other high priv accounts):
rpcclient $> setuserinfo2 ima-domainadmin 23 'ASDqwe123' result: NT_STATUS_ACCESS_DENIED result was NT_STATUS_ACCESS_DENIED rpcclient $>
But you can very easily target users who have alternate admin accounts:
rpcclient $> setuserinfo2 adminuser 23 'ASDqwe123' rpcclient $>
Yes it would be nice if there was any sort of confirmation…
23came from this MSDN article
If you have the package
samba-common-bin you can also do this with the
root@kali:~# net rpc password adminuser -U helpdesk -S 192.168.80.10 Enter new password for adminuser: Enter helpdesk's password: root@kali:~#