Windows Manage Change Password - Metasploit
This page contains detailed information about how to use the post/windows/manage/change_password Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows Manage Change Password
Module: post/windows/manage/change_password
Source code: modules/post/windows/manage/change_password.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will attempt to change the password of the targeted account. The typical usage is to change a newly created account's password on a remote host to avoid the error, 'System error 1907 has occurred,' which is caused when the account policy enforces a password change before the next login.
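For defenders, the usage described above (an account is created, then its password is changed shortly afterwards) can be looked for in Windows Security logs. The following is an added example, not part of the module or of the original page: it correlates event 4720 (a user account was created) with event 4723 (an attempt was made to change an account's password) for the same account. It assumes User Account Management auditing is enabled; the record field names and the sample events are constructed for illustration.

```ruby
require 'time'

# Constructed sample records, shaped like exported Windows Security events.
# The field names (event_id, time, target, subject) are assumptions of this example.
SAMPLE_EVENTS = [
  { event_id: 4720, time: '2021-10-06T13:40:00Z', target: 'svc_backup', subject: 'admin1' },
  { event_id: 4723, time: '2021-10-06T13:43:31Z', target: 'svc_backup', subject: 'svc_backup' },
  { event_id: 4723, time: '2021-10-06T14:05:00Z', target: 'alice',      subject: 'alice' },
  { event_id: 4720, time: '2021-10-05T09:00:00Z', target: 'bob',        subject: 'helpdesk' },
  { event_id: 4723, time: '2021-10-06T09:30:00Z', target: 'bob',        subject: 'bob' }
].freeze

ACCOUNT_CREATED = 4720 # "A user account was created"
PASSWORD_CHANGE = 4723 # "An attempt was made to change an account's password"

# Returns one hit per password-change event that follows the creation of the
# same account within window_seconds. Account names are compared
# case-insensitively, and events are processed in chronological order.
def changes_after_creation(events, window_seconds: 3600)
  parsed = events.map { |e| e.merge(at: Time.iso8601(e[:time])) }.sort_by { |e| e[:at] }
  created = {} # lowercased account name => most recent creation event
  hits = []
  parsed.each do |e|
    key = e[:target].downcase
    case e[:event_id]
    when ACCOUNT_CREATED
      created[key] = e
    when PASSWORD_CHANGE
      c = created[key]
      next unless c # change on an account whose creation is not in the data

      delay = (e[:at] - c[:at]).to_i
      next if delay > window_seconds

      hits << { account: e[:target], created_by: c[:subject], delay: delay }
    end
  end
  hits
end

changes_after_creation(SAMPLE_EVENTS).each do |h|
  puts "#{h[:account]}: password changed #{h[:delay]}s after creation by #{h[:created_by]}"
end
```

The window is a tuning parameter: legitimate onboarding also produces this sequence, so hits are best reviewed together with who created the account and from which host.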
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/manage/change_password
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/manage/change_password
msf post(change_password) > show options
... show and set options ...
msf post(change_password) > set SESSION session-id
msf post(change_password) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
<ruby>
framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/manage/change_password")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
SESSION: The session to run this module on.
SMBUser: Username to change password of
OLD_PASSWORD: Original password
NEW_PASSWORD: New password
Msfconsole Usage
Here is how the windows/manage/change_password post exploitation module looks in the msfconsole:
msf6 > use post/windows/manage/change_password
msf6 post(windows/manage/change_password) > show info
Name: Windows Manage Change Password
Module: post/windows/manage/change_password
Platform: Windows
Arch:
Rank: Normal
Provided by:
Ben Campbell
Compatible session types:
Meterpreter
Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  NEW_PASSWORD                   yes       New password
  OLD_PASSWORD                   yes       Original password
  SESSION                        yes       The session to run this module on.
  SMBDomain                      no        Domain or Host to change password on, if not set will use the current login domain
  SMBUser                        yes       Username to change password of
Description:
This module will attempt to change the password of the targeted
account. The typical usage is to change a newly created account's
password on a remote host to avoid the error, 'System error 1907 has
occurred,' which is caused when the account policy enforces a
password change before the next login.
Module Options
This is a complete list of options available in the windows/manage/change_password post exploitation module:
msf6 post(windows/manage/change_password) > show options
Module options (post/windows/manage/change_password):
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  NEW_PASSWORD                   yes       New password
  OLD_PASSWORD                   yes       Original password
  SESSION                        yes       The session to run this module on.
  SMBDomain                      no        Domain or Host to change password on, if not set will use the current login domain
  SMBUser                        yes       Username to change password of
Advanced Options
Here is a complete list of advanced options supported by the windows/manage/change_password post exploitation module:
msf6 post(windows/manage/change_password) > show advanced
Module advanced options (post/windows/manage/change_password):
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  VERBOSE    false            no        Enable detailed status messages
  WORKSPACE                   no        Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/manage/change_password module can do:
msf6 post(windows/manage/change_password) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/manage/change_password post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/manage/change_password) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
System error 1907 has occurred,
Here is a relevant code snippet related to the "System error 1907 has occurred," message. As the snippet shows, the string appears in the module's description, not in an error-handling path:
        info,
        'Name' => "Windows Manage Change Password",
        'Description' => %q{
          This module will attempt to change the password of the targeted account.
          The typical usage is to change a newly created account's password on a
          remote host to avoid the error, 'System error 1907 has occurred,' which
          is caused when the account policy enforces a password change before the
          next login.
        },
        'License' => MSF_LICENSE,
        'Platform' => ['win'],
This module requires a native Windows payload that supports Railgun.
Here is a relevant code snippet related to the "This module requires a native Windows payload that supports Railgun." error message:
    )
  end

  def run
    unless client.railgun
      print_error('This module requires a native Windows payload that supports Railgun.')
      return
    end

    domain = datastore['SMBDomain']
    username = datastore['SMBUser']
ERROR_ACCESS_DENIED
Here is a relevant code snippet related to the "ERROR_ACCESS_DENIED" error message:
      new_password
    )

    case result['return']
    when 0x05
      err_msg = 'ERROR_ACCESS_DENIED'
    when 0x56
      err_msg = 'ERROR_INVALID_PASSWORD'
    when 0x92f
      err_msg = 'NERR_InvalidComputer'
    when 0x8b2
ERROR_INVALID_PASSWORD
Here is a relevant code snippet related to the "ERROR_INVALID_PASSWORD" error message:

    case result['return']
    when 0x05
      err_msg = 'ERROR_ACCESS_DENIED'
    when 0x56
      err_msg = 'ERROR_INVALID_PASSWORD'
    when 0x92f
      err_msg = 'NERR_InvalidComputer'
    when 0x8b2
      err_msg = 'NERR_NotPrimary'
    when 0x8ad
unknown error code: <RETURN>
Here is a relevant code snippet related to the "unknown error code: <RETURN>" error message:
    when 0x8c5
      err_msg = 'NERR_PasswordTooShort'
    when 0
      print_good('Password change successful.')
    else
      err_msg = "unknown error code: #{result['return']}"
    end

    if err_msg
      print_error("Password change failed, #{err_msg}.")
    end
Password change failed, <ERR_MSG>.
Here is a relevant code snippet related to the "Password change failed, <ERR_MSG>." error message:
    when 0
      print_good('Password change successful.')
    else
      err_msg = "unknown error code: #{result['return']}"
    end

    if err_msg
      print_error("Password change failed, #{err_msg}.")
    end
  end
end
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #3286 Merged Pull Request: Description and print_status fixes for release
- #3265 Merged Pull Request: Windows Post Manage Change Password
See Also
Check also the following modules related to this module:
- post/windows/manage/add_user
- post/windows/manage/archmigrate
- post/windows/manage/clone_proxy_settings
- post/windows/manage/delete_user
- post/windows/manage/dell_memory_protect
- post/windows/manage/download_exec
- post/windows/manage/driver_loader
- post/windows/manage/enable_rdp
- post/windows/manage/enable_support_account
- post/windows/manage/exec_powershell
- post/windows/manage/execute_dotnet_assembly
- post/windows/manage/forward_pageant
- post/windows/manage/hashcarve
- post/windows/manage/ie_proxypac
- post/windows/manage/inject_ca
- post/windows/manage/inject_host
- post/windows/manage/install_python
- post/windows/manage/install_ssh
- post/windows/manage/killav
- post/windows/manage/migrate
- post/windows/manage/mssql_local_auth_bypass
- post/windows/manage/multi_meterpreter_inject
- post/windows/manage/nbd_server
- post/windows/manage/peinjector
- post/windows/manage/persistence_exe
- post/windows/manage/portproxy
- post/windows/manage/pptp_tunnel
- post/windows/manage/priv_migrate
- post/windows/manage/pxeexploit
- post/windows/manage/reflective_dll_inject
- post/windows/manage/remove_ca
- post/windows/manage/remove_host
- post/windows/manage/rid_hijack
- post/windows/manage/rollback_defender_signatures
- post/windows/manage/rpcapd_start
- post/windows/manage/run_as
- post/windows/manage/run_as_psh
- post/windows/manage/sdel
- post/windows/manage/shellcode_inject
- post/windows/manage/sshkey_persistence
- post/windows/manage/sticky_keys
- post/windows/manage/vmdk_mount
- post/windows/manage/vss
- post/windows/manage/vss_create
- post/windows/manage/vss_list
- post/windows/manage/vss_mount
- post/windows/manage/vss_set_storage
- post/windows/manage/vss_storage
- post/windows/manage/wdigest_caching
- post/windows/manage/webcam
Authors
- Ben Campbell
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.