metasploit-framework/modules/post/windows/manage/change_password.rb

80 lines
2.3 KiB
Ruby

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
def initialize(info={})
super(update_info(info,
'Name' => "Windows Manage Change Password",
'Description' => %q{
This module will attempt to change the password of the targeted account.
The typical usage is to change a newly created account's password on a
remote host to avoid the error, 'System error 1907 has occurred,' which
is caused when the account policy enforces a password change before the
next login.
},
'License' => MSF_LICENSE,
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Author' => ['Ben Campbell']
))
register_options(
[
OptString.new('SMBDomain', [false, 'Domain or Host to change password on, if not set will use the current login domain', nil]),
OptString.new('SMBUser', [true, 'Username to change password of']),
OptString.new('OLD_PASSWORD', [true, 'Original password' ]),
OptString.new('NEW_PASSWORD', [true, 'New password' ]),
], self.class)
end
def run
unless client.railgun
print_error('This module requires a native Windows payload that supports Railgun.')
return
end
domain = datastore['SMBDomain']
username = datastore['SMBUser']
old_password = datastore['OLD_PASSWORD']
new_password = datastore['NEW_PASSWORD']
print_status("Changing #{domain}\\#{username} password to #{new_password}...")
result = client.railgun.netapi32.NetUserChangePassword(
domain,
username,
old_password,
new_password
)
case result['return']
when 0x05
err_msg = 'ERROR_ACCESS_DENIED'
when 0x56
err_msg = 'ERROR_INVALID_PASSWORD'
when 0x92f
err_msg = 'NERR_InvalidComputer'
when 0x8b2
err_msg = 'NERR_NotPrimary'
when 0x8ad
err_msg = 'NERR_UserNotFound'
when 0x8c5
err_msg = 'NERR_PasswordTooShort'
when 0
print_good('Password change successful.')
else
err_msg = "unknown error code: #{result['return']}"
end
if err_msg
print_error("Password change failed, #{err_msg}.")
end
end
end