Tickle Expired Passwords


6 replies to this topic

#1 spudw2k

spudw2k

    passionately misinformed

  • Active Members
  • 1,283 posts

Posted 26 March 2009 - 04:53 PM

At my job we get scanned frequently for vulnerabilities, and it is considered a vulnerability to have an account with a password that never expires. We have service accounts that we rely on being automated and we can't get ourselves into the business of changing service passwords on a regular basis; so what I have here is a way to trick the domain into believing an account's password has not expired (we dubbed it "tickling" around here).

Basically, how it works is that an Active Directory domain has a property for expired passwords (the last time the pwd was set). When the property becomes 0, that means the password has expired and must be changed. Upon changing the password, this property gets set to the time of the change. I'm not sure if this is documented, but if you set this property to -1 (when it is set to 0), it sets the current date/time as the last pwd changed time. If you set the property to -1 and the property is not 0, then nothing happens. So, we created an OU just for these service accounts and I made a script to do the rest. Here's my implementation.
 

#RequireAdmin
#AutoIt3Wrapper_Change2CUI=y

; Bind to the domain root and build the DN of the OU that holds the service accounts
$objRootDSE = ObjGet("LDAP://RootDSE")
$strDNSDomain = $objRootDSE.Get("DefaultNamingContext")
$strContainer = "OU=Service.Accounts,OU=Domain Users," & $strDNSDomain
$objOU = ObjGet("LDAP://" & $strContainer)

; Walk every object in the OU and only touch user objects
For $objUser In $objOU
    If $objUser.class = "user" Then
        $objUsr = ObjGet("LDAP://" & $objUser.name & "," & $strContainer)
        ConsoleWrite($objUsr.sAMAccountName & @CRLF)
        ; pwdLastSet = 0 marks the password as expired (must change at next logon) ...
        $objUsr.Put("PwdLastSet", 0)
        $objUsr.SetInfo
        ; ... and -1 (only honoured while the value is 0) stamps it with the current date/time
        $objUsr.Put("PwdLastSet", -1)
        $objUsr.SetInfo
    EndIf
Next

Here's one that works for Local Accounts.

#AutoIt3Wrapper_Change2CUI=y

; Enumerate the members of the local Administrators group through the WinNT provider
$objOU = ObjGet("WinNT://" & @ComputerName & "/Administrators")
For $objUser In $objOU.Members
    ConsoleWrite($objUser.name & @CRLF)
    ; Bind to the member as a local account; ObjGet returns a non-object when the
    ; bind fails (e.g. a domain user or group in the list), hence the IsObj check
    $objUsr = ObjGet("WinNT://" & @ComputerName & "/" & $objUser.name)
    If IsObj($objUsr) Then
        ; Flag the password as expired, then clear the flag to reset its age
        $objUsr.Put("PasswordExpired", 1)
        $objUsr.SetInfo
        $objUsr.Put("PasswordExpired", 0)
        $objUsr.SetInfo
    EndIf
Next

edit: added check for user in LDAP method.


Edited by spudw2k, 08 January 2014 - 01:43 PM.
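One way to spot this from the detection side, as an added example that is not part of the original post or the author's scripts: a PowerShell check over a domain controller's Security log. A genuine password change or reset logs event 4723 or 4724 a moment before the 4738 ("a user account was changed") whose "Password Last Set" attribute moved; a direct write to pwdLastSet (the 0 then -1 trick above) produces the 4738 on its own. The function names are mine, it assumes "Audit User Account Management" is enabled on the DC and that the events carry the stock message layout, and the sample events in the block are constructed, not real log data.

```powershell
# Added example (not code from the original post): hunt for pwdLastSet "tickling" in a DC's Security log.
# Real change/reset: 4723 ("attempt to change") or 4724 ("attempt to reset") right before the 4738
# whose "Password Last Set" attribute moved. A bare pwdLastSet write produces the 4738 alone.
# Assumptions: User Account Management auditing is on; the events use the stock message layout
# (a "Target Account:" block containing "Account Name:", and 4738's "Changed Attributes" block
# rendering untouched attributes as "-").

function Get-TargetAccount {
    param([string]$Message)
    # First "Account Name:" after "Target Account:" (the Subject block comes earlier in the text)
    if ($Message -match '(?s)Target Account:.*?Account Name:\s*(\S+)') { return $Matches[1] }
    return $null
}

function Test-PwdLastSetChanged {
    param([string]$Message)
    if ($Message -match 'Password Last Set:[ \t]*([^\r\n]+)') {
        return ($Matches[1].Trim() -ne '-')
    }
    return $false
}

function Find-PwdLastSetTickle {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # anything with Id, TimeCreated, Message (EventLogRecord works)
        [int]$WindowSeconds = 10                    # how close a 4723/4724 must be to count as the real change
    )
    $pwdOps = @($Events | Where-Object { $_.Id -in 4723, 4724 })
    foreach ($ev in ($Events | Where-Object { $_.Id -eq 4738 })) {
        if (-not (Test-PwdLastSetChanged $ev.Message)) { continue }
        $target = Get-TargetAccount $ev.Message
        $paired = $pwdOps | Where-Object {
            (Get-TargetAccount $_.Message) -eq $target -and
            [math]::Abs(($_.TimeCreated - $ev.TimeCreated).TotalSeconds) -le $WindowSeconds
        }
        if (-not $paired) {
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                Account = $target
                Finding = 'pwdLastSet changed with no matching 4723/4724'
            }
        }
    }
}

# --- Constructed sample events (not real log data) so the script runs offline ---
$t = Get-Date '2009-03-26 16:53:00'
$resetAlice  = "An attempt was made to reset an account's password.`r`n`r`nTarget Account:`r`n`tSecurity ID:`t`tS-1-5-21-1-2-3-1105`r`n`tAccount Name:`t`talice`r`n`tAccount Domain:`t`tCORP"
$changeAlice = "A user account was changed.`r`n`r`nTarget Account:`r`n`tAccount Name:`t`talice`r`n`tAccount Domain:`t`tCORP`r`n`r`nChanged Attributes:`r`n`tPassword Last Set:`t3/26/2009 4:53:01 PM`r`n`tAccount Expires:`t`t-"
# The tickle: pwdLastSet rewritten on a service account with no 4723/4724 anywhere near it
$tickleSvc   = "A user account was changed.`r`n`r`nTarget Account:`r`n`tAccount Name:`t`tsvc_backup`r`n`tAccount Domain:`t`tCORP`r`n`r`nChanged Attributes:`r`n`tPassword Last Set:`t3/26/2009 4:58:00 PM`r`n`tAccount Expires:`t`t-"
$sample = @(
    [pscustomobject]@{ Id = 4724; TimeCreated = $t;               Message = $resetAlice }
    [pscustomobject]@{ Id = 4738; TimeCreated = $t.AddSeconds(1); Message = $changeAlice }
    [pscustomobject]@{ Id = 4738; TimeCreated = $t.AddMinutes(5); Message = $tickleSvc }
)
Find-PwdLastSetTickle -Events $sample | Format-Table -AutoSize   # reports svc_backup only

# Against a live domain controller (run as an account allowed to read the Security log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724, 4738; StartTime = (Get-Date).AddDays(-1) }
# Find-PwdLastSetTickle -Events $live
```

Two caveats for anyone running this for real: the 0 write and the -1 write in the script above each produce their own 4738, so a tickled account shows up twice per run, and any legitimate tooling that writes pwdLastSet directly will show up too, so treat the output as a triage list rather than an alert. The flip side is the point of the thread: a vulnerability scanner only reads pwdLastSet, so it is satisfied by the tickle, while the audit trail still records that the attribute moved without a password operation.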








#2 gseller

gseller

    Universalist

  • Active Members
  • 1,057 posts

Posted 26 March 2009 - 06:12 PM

Awesome!! I have done some work on trying to make a web watch keep-alive at my work. We use SiteMinder on our intranet and I would love to get it to keep the session alive once opened for at least 8 hrs for our day. I have sadly been unsuccessful. I will share the code I have if anyone needs it; just PM me.

#3 spudw2k

spudw2k

    passionately misinformed

  • Active Members
  • PipPipPipPipPipPip
  • 1,283 posts

Posted 26 March 2009 - 06:54 PM

Awesome!! I have done some work on trying to make a web watch keep-alive at my work. We use SiteMinder on our intranet and I would love to get it to keep the session alive once opened for at least 8 hrs for our day. I have sadly been unsuccessful. I will share the code I have if anyone needs it; just PM me.

Interesting. I don't see how this is related, but hey... it's a public forum.

#4 Jos

Jos

    ...

  • Developers
  • 23,176 posts

Posted 26 March 2009 - 07:08 PM

Just curious: is there any reason you set the PwdLastSet to 0 (Don't Expire) before setting it to 1 (Set last password change to today)?

Jos

Visit the SciTE4AutoIt3 Download page for the latest versions                                                                 Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)


#5 spudw2k

spudw2k

    passionately misinformed

  • Active Members
  • 1,283 posts

Posted 26 March 2009 - 07:34 PM

Just curious: is there any reason you set the PwdLastSet to 0 (Don't Expire) before setting it to 1 (Set last password change to today)?

Jos

0 means expired, not don't expire.
If it's not 0 to begin with then -1 does nothing.

Edited by spudw2k, 26 March 2009 - 07:45 PM.


#6 Jos

Jos

    ...

  • Developers
  • 23,176 posts

Posted 26 March 2009 - 07:55 PM

0 means expired, not don't expire.

You're right... That's what I meant to say... :D

If it's not 0 to begin with then -1 does nothing.

Never tried it; that's why I was curious.


#7 spudw2k

spudw2k

    passionately misinformed

  • Active Members
  • 1,283 posts

Posted 26 March 2009 - 10:28 PM

Never tried it; that's why I was curious.

Yeah, I thought this was interesting too. Here's the webpage that inspired me. Last post.

edit: was perusing my old posts and found that the link above no longer shows the thread content I referenced. Oh well

Edited by spudw2k, 01 May 2013 - 07:26 PM.




