Prepare for release 4.11

Documentation/CHANGELOG.md

@@ -3,6 +3,18 @@
 # Changelog
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [4.11] - 2023-10-01
+
+### Added
+
+- Added the [Get-ADDBServiceAccount](PowerShell/Get-ADDBServiceAccount.md#get-addbserviceaccount) cmdlet for offline managed password derivation.
+- Implemented the [Unlock-ADDBAccount](PowerShell/Unlock-ADDBAccount.md#unlock-addbaccount) cmdlet that can perform offline account unlock.
+
+### Fixed
+
+- Fixed Kerberos PBKDF2 salt derivation for service accounts in the [ConvertTo-KerberosKey](PowerShell/ConvertTo-KerberosKey.md#convertto-kerberoskey) cmdlet and the corresponding 
+[KerberosKeyDerivation](../Src/DSInternals.Common/Cryptography/KerberosKeyDerivation.cs) class.
+
 ## [4.10] - 2023-09-16
 
 ### Added
@@ -471,7 +483,8 @@ This is a [Chocolatey](https://chocolatey.org/packages/dsinternals-psmodule)-onl
 ## 1.0 - 2015-01-20
 Initial release!
 
-[Unreleased]: https://github.com/MichaelGrafnetter/DSInternals/compare/v4.10...HEAD
+[Unreleased]: https://github.com/MichaelGrafnetter/DSInternals/compare/v4.11...HEAD
+[4.11]: https://github.com/MichaelGrafnetter/DSInternals/compare/v4.10...v4.11
 [4.10]: https://github.com/MichaelGrafnetter/DSInternals/compare/v4.9...v4.10
 [4.9]: https://github.com/MichaelGrafnetter/DSInternals/compare/v4.8...v4.9
 [4.8]: https://github.com/MichaelGrafnetter/DSInternals/compare/v4.7...v4.8

Src/DSInternals.Common/DSInternals.Common.nuspec

@@ -14,7 +14,8 @@
     <description>This package is shared between all other DSInternals packages. Its main features are Azure AD Graph API and ADSI clients for for retrieval of cryptographic material. It contains implementations of common hash functions used by Windows, including NT hash, LM hash and OrgId hash. It also contains methods for SysKey/BootKey retrieval.</description>
     <summary>This package is shared between all other DSInternals packages.</summary>
     <releaseNotes>
-      - Updated dependencies.
+- Implemented managed password calculation.
+- Fixed Kerberos PBKDF2 salt derivation for service accounts.
     </releaseNotes>
     <copyright>Copyright (c) 2015-2023 Michael Grafnetter. All rights reserved.</copyright>
     <tags>ActiveDirectory Security AD AAD Identity Active Directory</tags>

Src/DSInternals.Common/Data/Principals/DSAccount.cs

@@ -271,7 +271,6 @@ public bool AdminCount
         /// <summary>
         /// List of principal names used for mutual authentication with an instance of a service.
         /// </summary>
-
         public string[] ServicePrincipalName
         {
             get;

Src/DSInternals.Common/Properties/AssemblyInfo.cs

@@ -5,8 +5,8 @@
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals Common Library")]
-[assembly: AssemblyVersion("4.8")]
-[assembly: AssemblyFileVersion("4.8")]
+[assembly: AssemblyVersion("4.11")]
+[assembly: AssemblyFileVersion("4.11")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]

Src/DSInternals.DataStore/DSInternals.DataStore.nuspec

@@ -14,8 +14,8 @@
     <description>DSInternals DataStore is an advanced framework for offline ntds.dit file manipulation. It can be used to extract password hashes from Active Directory backups or to modify the sIDHistory and primaryGroupId attributes.</description>
     <summary>DSInternals DataStore is an advanced framework for offline ntds.dit file manipulation.</summary>
     <releaseNotes>
-- Fixed a rare security descriptor parsing issue.
-- Parallel reading of multiple databases is now supported.
+- Added the capability to retrieve information about group managed service accounts (gMSAs) from database files and to calculate their current passwords.
+- Implemented the offline account unlock feature.
     </releaseNotes>
     <copyright>Copyright (c) 2015-2023 Michael Grafnetter. All rights reserved.</copyright>
     <tags>ActiveDirectory Security NTDS AD Identity Active Directory</tags>

Src/DSInternals.DataStore/Properties/AssemblyInfo.cs

@@ -5,8 +5,8 @@
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals DataStore Library")]
-[assembly: AssemblyVersion("4.10")]
-[assembly: AssemblyFileVersion("4.10")]
+[assembly: AssemblyVersion("4.11")]
+[assembly: AssemblyFileVersion("4.11")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]

Src/DSInternals.PowerShell/Chocolatey/dsinternals-psmodule.nuspec

@@ -3,7 +3,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>DSInternals-PSModule</id>
-    <version>4.10</version>
+    <version>4.11</version>
     <packageSourceUrl>https://github.com/MichaelGrafnetter/DSInternals/tree/master/Src/DSInternals.PowerShell/Chocolatey</packageSourceUrl>
     <owners>MichaelGrafnetter</owners>
     <title>DSInternals PowerShell Module</title>
@@ -18,9 +18,9 @@
     <bugTrackerUrl>https://github.com/MichaelGrafnetter/DSInternals/issues</bugTrackerUrl>
     <tags>admin dsinternals powershell activedirectory ad security ntds passwords dpapi lsa sam audit</tags>
     <summary>The DSInternals PowerShell Module exposes several internal features of Active Directory. These include offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.</summary>
-    <description>The DSInternals PowerShell Module has these main features:
-
-* [Azure Active Directory FIDO2 key auditing](../Documentation/PowerShell/Get-AzureADUserEx.md#get-azureaduserex) and retrieval of system information about all user-registered key credentials.
+    <description>
+The DSInternals PowerShell Module has these main features:
+* [Azure Active Directory FIDO2 key auditing](https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Get-AzureADUserEx.md#get-azureaduserex) and retrieval of system information about all user-registered key credentials.
 * [Active Directory password auditing](https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Test-PasswordQuality.md) that discovers accounts sharing the same passwords or having passwords in a public database like [HaveIBeenPwned](https://haveibeenpwned.com) or in a custom dictionary.
 * [Bare-metal recovery of domain controllers](https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/New-ADDBRestoreFromMediaScript.md) from just IFM backups (ntds.dit + SYSVOL).
 * Offline ntds.dit file manipulation, including [hash dumping](https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Get-ADDBAccount.md), [password resets](https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Set-ADDBAccountPassword.md), [group membership changes](https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Set-ADDBPrimaryGroup.md), [SID History injection](https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Add-ADDBSidHistory.md) and [enabling](https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Enable-ADDBAccount.md)/[disabling](https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Disable-ADDBAccount.md) accounts.
@@ -37,10 +37,9 @@
 ## Disclaimer
 Features exposed through these tools are not supported by Microsoft. Improper use might cause irreversible damage to domain controllers or negatively impact domain security.</description>
     <releaseNotes>
-* The Test-PasswordQuality cmdlet now checks if a user's password is equal to their SamAccountName attribute.
-* Added support for the ARM64 platform (tested on Windows Dev Kit 2023 / Project Volterra).
-* Fixed a rare security descriptor parsing issue.
-* Parallel reading of multiple databases is now supported.
+* Added the Get-ADDBServiceAccount cmdlet for offline managed password derivation.
+* Implemented the Unlock-ADDBAccount cmdlet that can perform offline account unlock.
+* Fixed Kerberos PBKDF2 salt derivation for service accounts in the ConvertTo-KerberosKey cmdlet.
     </releaseNotes>
     <dependencies>
       <!-- Windows Management Framework 3+. For OS prior to Windows 8 and Windows Server 2012. -->

Src/DSInternals.PowerShell/DSInternals.psd1

@@ -8,7 +8,7 @@
 RootModule = 'DSInternals.Bootstrap.psm1'
 
 # Version number of this module.
-ModuleVersion = '4.10'
+ModuleVersion = '4.11'
 
 # Supported PSEditions
 # CompatiblePSEditions = 'Desktop'
@@ -143,10 +143,9 @@ PrivateData = @{
 
         # ReleaseNotes of this module
         ReleaseNotes = @"
-- The Test-PasswordQuality cmdlet now checks if a user's password is equal to their SamAccountName attribute.
-- Added support for the ARM64 platform (tested on Windows Dev Kit 2023 / Project Volterra).
-- Fixed a rare security descriptor parsing issue.
-- Parallel reading of multiple databases is now supported.
+- Added the Get-ADDBServiceAccount cmdlet for offline managed password derivation.
+- Implemented the Unlock-ADDBAccount cmdlet that can perform offline account unlock.
+- Fixed Kerberos PBKDF2 salt derivation for service accounts in the ConvertTo-KerberosKey cmdlet.
 "@
     } # End of PSData hashtable
 

Src/DSInternals.PowerShell/Properties/AssemblyInfo.cs

@@ -5,8 +5,8 @@
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals PowerShell Commands")]
-[assembly: AssemblyVersion("4.10")]
-[assembly: AssemblyFileVersion("4.10")]
+[assembly: AssemblyVersion("4.11")]
+[assembly: AssemblyFileVersion("4.11")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]