Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/change_password.rb
19639 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7


8
  def initialize(info = {})

9
    super(

10
      update_info(

11
        info,

12
        'Name' => 'Windows Manage Change Password',

13
        'Description' => %q{

14
          This module will attempt to change the password of the targeted account.

15
          The typical usage is to change a newly created account's password on a

16
          remote host to avoid the error, 'System error 1907 has occurred,' which

17
          is caused when the account policy enforces a password change before the

18
          next login.

19
        },

20
        'License' => MSF_LICENSE,

21
        'Platform' => ['win'],

22
        'SessionTypes' => ['meterpreter'],

23
        'Author' => ['Ben Campbell'],

24
        'Compat' => {

25
          'Meterpreter' => {

26
            'Commands' => %w[

27
              stdapi_railgun_api

28
            ]

29
          }

30
        },

31
        'Notes' => {

32
          'Stability' => [CRASH_SAFE],

33
          'SideEffects' => [CONFIG_CHANGES],

34
          'Reliability' => []

35
        }

36
      )

37
    )

38


39
    register_options(

40
      [

41
        OptString.new('SMBDomain', [false, 'Domain or Host to change password on, if not set will use the current login domain', nil], fallbacks: ['DOMAIN']),

42
        OptString.new('SMBUser', [true, 'Username to change password of'], fallbacks: ['PASSWORD']),

43
        OptString.new('OLD_PASSWORD', [true, 'Original password' ]),

44
        OptString.new('NEW_PASSWORD', [true, 'New password' ]),

45
      ]

46
    )

47
  end

48


49
  def run

50
    unless client.railgun

51
      print_error('This module requires a native Windows payload that supports Railgun.')

52
      return

53
    end

54


55
    domain = datastore['SMBDomain']

56
    username = datastore['SMBUser']

57
    old_password = datastore['OLD_PASSWORD']

58
    new_password = datastore['NEW_PASSWORD']

59
    print_status("Changing #{domain}\\#{username} password to #{new_password}...")

60
    result = client.railgun.netapi32.NetUserChangePassword(

61
      domain,

62
      username,

63
      old_password,

64
      new_password

65
    )

66


67
    case result['return']

68
    when 0x05

69
      err_msg = 'ERROR_ACCESS_DENIED'

70
    when 0x56

71
      err_msg = 'ERROR_INVALID_PASSWORD'

72
    when 0x92f

73
      err_msg = 'NERR_InvalidComputer'

74
    when 0x8b2

75
      err_msg = 'NERR_NotPrimary'

76
    when 0x8ad

77
      err_msg = 'NERR_UserNotFound'

78
    when 0x8c5

79
      err_msg = 'NERR_PasswordTooShort'

80
    when 0

81
      print_good('Password change successful.')

82
    else

83
      err_msg = "unknown error code: #{result['return']}"

84
    end

85


86
    if err_msg

87
      print_error("Password change failed, #{err_msg}.")

88
    end

89
  end

90
end

91


92