##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
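class Metasploit3 < Msf::Post

  # NetAPI / Win32 status codes that NetUserChangePassword is known to return,
  # keyed by the numeric value railgun hands back in result['return'] and
  # mapped to the symbolic name shown to the operator. Success (0) is not in
  # this table because it is reported separately.
  ERROR_NAMES = {
    0x05  => 'ERROR_ACCESS_DENIED',
    0x56  => 'ERROR_INVALID_PASSWORD',
    0x92f => 'NERR_InvalidComputer',
    0x8b2 => 'NERR_NotPrimary',
    0x8ad => 'NERR_UserNotFound',
    0x8c5 => 'NERR_PasswordTooShort'
  }.freeze

  # Registers module metadata and the four datastore options the module reads
  # in #run (SMBDomain, SMBUser, OLD_PASSWORD, NEW_PASSWORD).
  #
  # @param info [Hash] module info passed through update_info to the superclass
  def initialize(info = {})
    super(update_info(info,
      'Name'         => "Windows Manage Change Password",
      'Description'  => %q{
        This module will attempt to change the password of the targeted account.
        The typical usage is to change a newly created account's password on a
        remote host to avoid the error, 'System error 1907 has occurred,' which
        is caused when the account policy enforces a password change before the
        next login.
      },
      'License'      => MSF_LICENSE,
      'Platform'     => ['win'],
      'SessionTypes' => ['meterpreter'],
      'Author'       => ['Ben Campbell']
    ))

    register_options(
      [
        # nil default: railgun passes NULL, which the description says means
        # "use the current login domain".
        OptString.new('SMBDomain', [false, 'Domain or Host to change password on, if not set will use the current login domain', nil]),
        OptString.new('SMBUser', [true, 'Username to change password of']),
        OptString.new('OLD_PASSWORD', [true, 'Original password']),
        OptString.new('NEW_PASSWORD', [true, 'New password'])
      ], self.class)
  end

  # Calls netapi32!NetUserChangePassword through railgun with the datastore
  # values and reports the outcome. Requires a session that exposes railgun;
  # otherwise prints an error and returns without doing anything.
  #
  # @return [void]
  def run
    unless client.railgun
      print_error('This module requires a native Windows payload that supports Railgun.')
      return
    end

    domain       = datastore['SMBDomain']
    username     = datastore['SMBUser']
    old_password = datastore['OLD_PASSWORD']
    new_password = datastore['NEW_PASSWORD']

    # Neither password is echoed here: print_* output ends up in console logs
    # and the framework database, which is no place for a cleartext credential.
    print_status("Changing #{domain}\\#{username} password...")

    result = client.railgun.netapi32.NetUserChangePassword(
      domain,
      username,
      old_password,
      new_password
    )

    status = result['return']
    if status == 0
      print_good('Password change successful.')
    else
      print_error("Password change failed, #{error_name(status)}.")
    end
  end

  private

  # Symbolic name for a NetUserChangePassword status code, or a generic
  # "unknown error code" string for codes not listed in ERROR_NAMES.
  #
  # @param status [Integer] the value of result['return'] from railgun
  # @return [String]
  def error_name(status)
    ERROR_NAMES.fetch(status) { "unknown error code: #{status}" }
  end
end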