##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
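class MetasploitModule < Msf::Post

  # Return values of netapi32!NetUserChangePassword that this module names for
  # the operator. Any other non-zero value is reported as an unknown code.
  NET_USER_CHANGE_PASSWORD_ERRORS = {
    0x05 => 'ERROR_ACCESS_DENIED',
    0x56 => 'ERROR_INVALID_PASSWORD',
    0x92f => 'NERR_InvalidComputer',
    0x8b2 => 'NERR_NotPrimary',
    0x8ad => 'NERR_UserNotFound',
    0x8c5 => 'NERR_PasswordTooShort'
  }.freeze

  # Module metadata and options.
  #
  # Options:
  #   SMBDomain    - domain or host to change the password on (optional; when
  #                  unset the API uses the session's current logon domain)
  #   SMBUser      - account whose password is changed (required)
  #   OLD_PASSWORD - the account's current password (required)
  #   NEW_PASSWORD - the password to set (required)
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Change Password',
        'Description' => %q{
          This module will attempt to change the password of the targeted account.
          The typical usage is to change a newly created account's password on a
          remote host to avoid the error, 'System error 1907 has occurred,' which
          is caused when the account policy enforces a password change before the
          next login.
        },
        'License' => MSF_LICENSE,
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Author' => ['Ben Campbell'],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('SMBDomain', [false, 'Domain or Host to change password on, if not set will use the current login domain', nil], fallbacks: ['DOMAIN']),
        # Fall back to the global USERNAME, not PASSWORD: the previous fallback
        # would silently pass a globally set password as the account name.
        OptString.new('SMBUser', [true, 'Username to change password of'], fallbacks: ['USERNAME']),
        OptString.new('OLD_PASSWORD', [true, 'Original password']),
        OptString.new('NEW_PASSWORD', [true, 'New password'])
      ]
    )
  end

  # Calls NetUserChangePassword through Railgun with the configured domain,
  # user and old/new passwords, then reports success or a named error code.
  # Bails out with an error when the session has no Railgun support.
  def run
    unless client.railgun
      print_error('This module requires a native Windows payload that supports Railgun.')
      return
    end

    domain = datastore['SMBDomain']
    username = datastore['SMBUser']
    old_password = datastore['OLD_PASSWORD']
    new_password = datastore['NEW_PASSWORD']

    # NOTE(review): the new plaintext password is echoed to the console and, if
    # framework logging is enabled, into the log file. Redact here if that
    # exposure matters for the engagement.
    print_status("Changing #{domain}\\#{username} password to #{new_password}...")
    result = client.railgun.netapi32.NetUserChangePassword(
      domain,
      username,
      old_password,
      new_password
    )

    code = result['return']
    if code == 0
      print_good('Password change successful.')
      return
    end

    err_msg = NET_USER_CHANGE_PASSWORD_ERRORS.fetch(code) { "unknown error code: #{code}" }
    print_error("Password change failed, #{err_msg}.")
  end
end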