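##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  # NetAPI / Win32 status codes that NetUserChangePassword returned in the
  # original error-mapping branches, keyed by code. A return value of 0 is
  # success and is handled separately in #run; any other code not listed
  # here is reported as unknown.
  PASSWORD_CHANGE_ERRORS = {
    0x05 => 'ERROR_ACCESS_DENIED',
    0x56 => 'ERROR_INVALID_PASSWORD',
    0x92f => 'NERR_InvalidComputer',
    0x8b2 => 'NERR_NotPrimary',
    0x8ad => 'NERR_UserNotFound',
    0x8c5 => 'NERR_PasswordTooShort'
  }.freeze

  # Declares module metadata and the datastore options the module reads in #run.
  #
  # @param info [Hash] module info merged by Msf::Post#initialize
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Change Password',
        'Description' => %q{
          This module will attempt to change the password of the targeted account.
          The typical usage is to change a newly created account's password on a
          remote host to avoid the error, 'System error 1907 has occurred,' which
          is caused when the account policy enforces a password change before the
          next login.
        },
        'License' => MSF_LICENSE,
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Author' => ['Ben Campbell'],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('SMBDomain', [false, 'Domain or Host to change password on, if not set will use the current login domain', nil], fallbacks: ['DOMAIN']),
        # The username option must fall back to the generic USERNAME option;
        # the previous fallback to PASSWORD would silently use a password
        # value as the account name when SMBUser was left unset.
        OptString.new('SMBUser', [true, 'Username to change password of'], fallbacks: ['USERNAME']),
        OptString.new('OLD_PASSWORD', [true, 'Original password']),
        OptString.new('NEW_PASSWORD', [true, 'New password'])
      ]
    )
  end

  # Changes the password of SMBUser on SMBDomain by calling
  # NetUserChangePassword through Railgun and reports the outcome to the
  # operator. Requires a session whose client exposes Railgun.
  #
  # @return [nil] always; success or failure is reported via print_* output
  def run
    unless client.railgun
      print_error('This module requires a native Windows payload that supports Railgun.')
      return
    end

    domain = datastore['SMBDomain']
    username = datastore['SMBUser']
    old_password = datastore['OLD_PASSWORD']
    new_password = datastore['NEW_PASSWORD']

    # The new password is not echoed here: module output ends up in console
    # logs and session history, and the operator already supplied the value.
    print_status("Changing #{domain}\\#{username} password...")
    result = client.railgun.netapi32.NetUserChangePassword(
      domain,
      username,
      old_password,
      new_password
    )

    return_code = result['return']
    if return_code == 0
      print_good('Password change successful.')
      return
    end

    # Unknown codes (including a nil return from a failed Railgun call) fall
    # through to the generic message, as before.
    err_msg = PASSWORD_CHANGE_ERRORS.fetch(return_code) { "unknown error code: #{return_code}" }
    print_error("Password change failed, #{err_msg}.")
  end
end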