-
Notifications
You must be signed in to change notification settings - Fork 763
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
changepw does not work with kadmin/changepw TGS or tgtdeleg TGT #155
Comments
Microsoft extension to Kerberos for changepw requires that the ticket be an initial one. A delegated ticket is not one with that option and it can not be used for changing a password. You would need to use an Overpass technique with either password or AES Key to get an initial one or dump the users ticket and use that one from an interactive logon. |
So there is no way to accomplish this without any elevation, whatsoever? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I want to use the
changepw
command with a TGS for the kadmin/changepw service issued for my own user, but it does not work (however, it does work with a "normal" TGT, but this is not what i want to accomplish).Environment
Reproduction
Executing User:
LSC\lsc01
(Domain User)./Rubeus.exe asktgt /user:LSC\lsc01 /password:<redacted> /nowrap
→ TGT (success)./Rubeus.exe asktgs /ticket:<tgt-from-step-1> /service:kadmin/changepw /nowrap
→ TGS (success)./Rubeus.exe changepw /ticket:<tgs-from-step-2 /new:<new-password>
→ see image belowWhen adding the
/targetuser:LSC\lsc01
option to Step 3, I get the following error message:I've confirmed several times, that
<new-password>
complies with my password policy, so this is not the problem. I've also checked twice that all TGTs and TGSs are inside the validity timeframe when used in subsequent commands.When replacing the value of the
/ticket:
option with a TGT issued viatgtdeleg
the call also fails with the same errors.Am I missing flags or anything? Thanks for your help in advance!
The text was updated successfully, but these errors were encountered: