[changepw] Added support for resetting any user account with the /tar…

…getuser argument
opoet7 · Jun 3, 2021 · 84610f1 · 84610f1
1 parent 2380319
commit 84610f1
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 10 deletions.
diff --git a/Rubeus/Asn1/AsnElt.cs b/Rubeus/Asn1/AsnElt.cs
@@ -2109,6 +2109,7 @@ public static AsnElt MakeString(int type, string str)
 		case GeneralizedTime:
 		case IA5String:
 		case TeletexString:
+		case GeneralString:
 			buf = EncodeMono(str);
 			break;
 		case UTF8String:

diff --git a/Rubeus/Commands/Changepw.cs b/Rubeus/Commands/Changepw.cs
@@ -15,6 +15,7 @@ public void Execute(Dictionary<string, string> arguments)
 
             string newPassword = "";
             string dc = "";
+            string targetUser = null;
 
             if (arguments.ContainsKey("/new"))
             {
@@ -31,6 +32,10 @@ public void Execute(Dictionary<string, string> arguments)
                 dc = arguments["/dc"];
             }
 
+            if (arguments.ContainsKey("/targetuser")) {
+                targetUser = arguments["/targetuser"];
+            }
+
             if (arguments.ContainsKey("/ticket"))
             {
                 string kirbi64 = arguments["/ticket"];
@@ -39,13 +44,13 @@ public void Execute(Dictionary<string, string> arguments)
                 {
                     byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
                     KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
-                    Reset.UserPassword(kirbi, newPassword, dc);
+                    Reset.UserPassword(kirbi, newPassword, dc, targetUser);
                 }
                 else if (File.Exists(kirbi64))
                 {
                     byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
                     KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
-                    Reset.UserPassword(kirbi, newPassword, dc);
+                    Reset.UserPassword(kirbi, newPassword, dc, targetUser);
                 }
                 else
                 {

diff --git a/Rubeus/lib/Reset.cs b/Rubeus/lib/Reset.cs
@@ -19,7 +19,7 @@ enum PasswordProperties {
             RefusePasswordChange = 0x20
         }
 
-        public static void UserPassword(KRB_CRED kirbi, string newPassword, string domainController = "")
+        public static void UserPassword(KRB_CRED kirbi, string newPassword, string domainController = "", string targetUser = null)
         {
             // implements the Kerberos-based password reset originally disclosed by Aorato
             //      This function is misc::changepw in Kekeo
@@ -35,7 +35,12 @@ public static void UserPassword(KRB_CRED kirbi, string newPassword, string domai
             string userName = kirbi.enc_part.ticket_info[0].pname.name_string[0];
             string userDomain = kirbi.enc_part.ticket_info[0].prealm;
 
-            Console.WriteLine("[*] Changing password for user: {0}@{1}", userName, userDomain);
+            if (targetUser == null) {
+                Console.WriteLine("[*] Changing password for user: {0}@{1}", userName, userDomain);
+            } else {
+                Console.WriteLine("[*] Resetting password for target user: {0}", targetUser);
+            }
+
             Console.WriteLine("[*] New password value: {0}", newPassword);
 
             // build the AP_REQ using the user ticket's keytype and key
@@ -81,7 +86,16 @@ public static void UserPassword(KRB_CRED kirbi, string newPassword, string domai
             KRB_PRIV changePriv = new KRB_PRIV(randKeyEtype, randKeyBytes);
 
             // the new password to set for the user
-            changePriv.enc_part = new EncKrbPrivPart(newPassword, "lol");
+            if (targetUser != null) {
+                var userParts = targetUser.Split('\\');
+                if(userParts.Length != 2) {
+                    Console.WriteLine("[X] /targetuser should be in the format domain.com\\username!");
+                    return;
+                }
+                changePriv.enc_part = new EncKrbPrivPart(userParts[1], userParts[0].ToUpper(), newPassword, "lol");
+            } else {
+                changePriv.enc_part = new EncKrbPrivPart(newPassword, "lol");
+            }
 
             // now build the final MS Kpasswd request
             byte[] apReqBytes = ap_req.Encode().Encode();

diff --git a/Rubeus/lib/krb_structures/EncKrbPrivPart.cs b/Rubeus/lib/krb_structures/EncKrbPrivPart.cs
@@ -54,17 +54,15 @@ public AsnElt Encode()
             else {
 
                 PrincipalName principal = new PrincipalName(username);
-                AsnElt principalAsn = AsnElt.MakeImplicit(AsnElt.CONTEXT, 1, principal.Encode());
 
                 new_passwordSeq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { 
                     AsnElt.MakeExplicit(AsnElt.CONTEXT, 0, new_passwordAsn), 
-                    AsnElt.MakeExplicit(AsnElt.CONTEXT, 1, principalAsn),
-                    AsnElt.MakeExplicit(AsnElt.CONTEXT, 2, AsnElt.MakeString(AsnElt.IA5String, realm)),
+                    AsnElt.MakeImplicit(AsnElt.CONTEXT, 1, principal.Encode()),
+                    AsnElt.MakeExplicit(AsnElt.CONTEXT, 2, AsnElt.MakeString(AsnElt.GeneralString, realm)),
                 });
             }
 
-            byte[] data = new_passwordSeq.Encode();
-            new_passwordSeq = AsnElt.MakeExplicit(AsnElt.CONTEXT, 0, AsnElt.MakeBlob(data));
+            new_passwordSeq = AsnElt.MakeExplicit(AsnElt.CONTEXT, 0, AsnElt.MakeBlob(new_passwordSeq.Encode()));
 
             // seq-number      [3] UInt32 OPTIONAL
             AsnElt seq_numberAsn = AsnElt.MakeInteger(seq_number);