Lucene search
K

Windows Manage Change Password

🗓️ 15 Apr 2014 20:05:06Reported by Ben Campbell <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 69 Views

This module attempts to change the password of a targeted account on a Windows host to avoid the 'System error 1907 has occurred' caused by enforcing a password change before next login

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Change Password',
        'Description' => %q{
          This module will attempt to change the password of the targeted account.
          The typical usage is to change a newly created account's password on a
          remote host to avoid the error, 'System error 1907 has occurred,' which
          is caused when the account policy enforces a password change before the
          next login.
        },
        'License' => MSF_LICENSE,
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Author' => ['Ben Campbell'],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('SMBDomain', [false, 'Domain or Host to change password on, if not set will use the current login domain', nil], fallbacks: ['DOMAIN']),
        OptString.new('SMBUser', [true, 'Username to change password of'], fallbacks: ['PASSWORD']),
        OptString.new('OLD_PASSWORD', [true, 'Original password' ]),
        OptString.new('NEW_PASSWORD', [true, 'New password' ]),
      ]
    )
  end

  def run
    unless client.railgun
      print_error('This module requires a native Windows payload that supports Railgun.')
      return
    end

    domain = datastore['SMBDomain']
    username = datastore['SMBUser']
    old_password = datastore['OLD_PASSWORD']
    new_password = datastore['NEW_PASSWORD']
    print_status("Changing #{domain}\\#{username} password to #{new_password}...")
    result = client.railgun.netapi32.NetUserChangePassword(
      domain,
      username,
      old_password,
      new_password
    )

    case result['return']
    when 0x05
      err_msg = 'ERROR_ACCESS_DENIED'
    when 0x56
      err_msg = 'ERROR_INVALID_PASSWORD'
    when 0x92f
      err_msg = 'NERR_InvalidComputer'
    when 0x8b2
      err_msg = 'NERR_NotPrimary'
    when 0x8ad
      err_msg = 'NERR_UserNotFound'
    when 0x8c5
      err_msg = 'NERR_PasswordTooShort'
    when 0
      print_good('Password change successful.')
    else
      err_msg = "unknown error code: #{result['return']}"
    end

    if err_msg
      print_error("Password change failed, #{err_msg}.")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Feb 2023 13:47Current
7.5High risk
Vulners AI Score7.5
69