changepw does not work with kadmin/changepw TGS or tgtdeleg TGT
I want to use the changepw command with a TGS for the kadmin/changepw service issued for my own user, but it does not work (however, it does work with a "normal" TGT, but this is not what I want to accomplish).
Environment
- Freshly installed Domain Controller (Windows Server 2022 21H2)
- Freshly installed Domain Client (Windows 10 21H2)
Reproduction
Executing User: LSC\lsc01 (Domain User)
1. ./Rubeus.exe asktgt /user:LSC\lsc01 /password:<redacted> /nowrap → TGT (success)
2. ./Rubeus.exe asktgs /ticket:<tgt-from-step-1> /service:kadmin/changepw /nowrap → TGS (success)
3. ./Rubeus.exe changepw /ticket:<tgs-from-step-2> /new:<new-password> → see image below

When adding the /targetuser:LSC\lsc01 option to Step 3, I get the following error message:

I've confirmed several times that <new-password> complies with my password policy, so this is not the problem. I've also checked twice that all TGTs and TGSs are inside the validity timeframe when used in subsequent commands.
When replacing the value of the /ticket: option with a TGT issued via tgtdeleg, the call also fails with the same errors.
Am I missing flags or anything? Thanks for your help in advance!
Microsoft extension to Kerberos for changepw requires that the ticket be an initial one. A delegated ticket is not one with that option and it cannot be used for changing a password. You would need to use an Overpass technique with either password or AES Key to get an initial one or dump the user's ticket and use that one from an interactive logon.
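To make the "initial" requirement in the reply above concrete, here is an added example (not code from Rubeus or from anyone in this thread) that decodes the TicketFlags BIT STRING from a ticket's EncKDCRepPart as defined in RFC 4120 section 5.3 and reports whether the initial flag is set. The three DER samples are constructed to mirror the flag sets a practitioner typically sees on an AS-REQ TGT, a forwarded (tgtdeleg-style) TGT and a kadmin/changepw service ticket; the flag names follow the spelling Rubeus prints.

```python
from typing import Dict, Set

# RFC 4120 section 5.3 TicketFlags: bit index -> name. Bit 0 is the most
# significant bit of the BIT STRING. Bits 15 and 16 are the MS-KILE
# additions, listed here under the names Rubeus uses when it prints them.
TICKET_FLAG_BITS: Dict[int, str] = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate",
    15: "name_canonicalize", 16: "enc_pa_rep",
}


def flags_from_der(der: bytes) -> Set[str]:
    """Decode a bare DER BIT STRING (tag 0x03, short-form length) into flag names.

    The [4] context tag that wraps TicketFlags inside EncKDCRepPart is assumed
    to have been stripped already; only the inner BIT STRING is parsed here.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unexpected length encoding")
    body = der[3:2 + length]            # der[2] holds the unused-bits count
    value = int.from_bytes(body.ljust(4, b"\x00"), "big")
    return {name for bit, name in TICKET_FLAG_BITS.items()
            if value & (1 << (31 - bit))}


def usable_for_changepw(flags: Set[str]) -> bool:
    """The KDC's changepw path accepts only initial tickets (AS exchange)."""
    return "initial" in flags


# Constructed samples (assumed typical flag sets, not captured from a real KDC):
SAMPLES = {
    "AS-REQ TGT":            bytes.fromhex("03050040e10000"),  # ... initial ...
    "tgtdeleg forwarded TGT": bytes.fromhex("03050060a10000"),  # forwarded, no initial
    "kadmin/changepw TGS":   bytes.fromhex("03050040a10000"),  # no initial
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        flags = flags_from_der(der)
        verdict = "ok for changepw" if usable_for_changepw(flags) else "rejected"
        print(f"{label}: {sorted(flags)} -> {verdict}")
```

Running it shows that only the AS-REQ ticket carries initial, which is why the service ticket and the tgtdeleg TGT in the question both fail the same way.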
So there is no way to accomplish this without any elevation, whatsoever?