##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
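class MetasploitModule < Msf::Post

  # Registers the module metadata and the four datastore options read by #run.
  #
  # @param info [Hash] metadata overrides, merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Change Password',
        'Description' => %q{
          This module will attempt to change the password of the targeted account.
          The typical usage is to change a newly created account's password on a
          remote host to avoid the error, 'System error 1907 has occurred,' which
          is caused when the account policy enforces a password change before the
          next login.
        },
        'License' => MSF_LICENSE,
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Author' => ['Ben Campbell'],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # The module changes an account credential on the target.
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('SMBDomain', [false, 'Domain or Host to change password on, if not set will use the current login domain', nil], fallbacks: ['DOMAIN']),
        # The fallback is USERNAME, not PASSWORD: with PASSWORD as the fallback an
        # unset SMBUser would take a password value as the account name, and that
        # value would then be printed in the status line and passed to the API as
        # a username.
        OptString.new('SMBUser', [true, 'Username to change password of'], fallbacks: ['USERNAME']),
        OptString.new('OLD_PASSWORD', [true, 'Original password' ]),
        OptString.new('NEW_PASSWORD', [true, 'New password' ]),
      ]
    )
  end

  # Calls NetUserChangePassword through Railgun with the configured domain,
  # user, old password and new password, then reports the outcome.
  #
  # Prints an error and returns early when the session exposes no Railgun.
  # A return code of 0 is reported as success; the known non-zero codes are
  # reported by their symbolic name and any other code by its number.
  #
  # @return [void]
  def run
    unless client.railgun
      print_error('This module requires a native Windows payload that supports Railgun.')
      return
    end

    domain = datastore['SMBDomain']
    username = datastore['SMBUser']
    old_password = datastore['OLD_PASSWORD']
    new_password = datastore['NEW_PASSWORD']

    # SMBDomain is optional, so show a bare user name rather than "\user" when it is unset.
    account = domain.to_s.empty? ? username : "#{domain}\\#{username}"

    # The new password is deliberately kept out of the status line: console
    # output can end up in spool files and scrollback, and the operator already
    # has the value in NEW_PASSWORD.
    print_status("Changing password for #{account}...")

    result = client.railgun.netapi32.NetUserChangePassword(
      domain,
      username,
      old_password,
      new_password
    )
    code = result['return']

    if code == 0
      print_good('Password change successful.')
      return
    end

    # Map the documented failure codes to their symbolic names.
    err_msg =
      case code
      when 0x05 then 'ERROR_ACCESS_DENIED'
      when 0x56 then 'ERROR_INVALID_PASSWORD'
      when 0x92f then 'NERR_InvalidComputer'
      when 0x8b2 then 'NERR_NotPrimary'
      when 0x8ad then 'NERR_UserNotFound'
      when 0x8c5 then 'NERR_PasswordTooShort'
      else "unknown error code: #{code}"
      end

    print_error("Password change failed, #{err_msg}.")
  end
end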