| 1 | +## Introduction |
| 2 | + |
| 3 | +Allows changing or resetting users' passwords. |
| 4 | + |
| 5 | +"Changing" refers to situations where you know the value of the existing password, and send that to the server as part of the password modification. |
| 6 | +"Resetting" refers to situations where you may not know the value of the existing password, but by virtue of your permissions over the target account, you can force-change the password without necessarily knowing it. |
| 7 | + |
| 8 | +Note that users can typically not reset their own passwords (unless they have very high privileges). |
| 9 | + |
| 10 | +This module works with existing sessions (or relaying), especially for Reset use cases, wherein the target's password is not required. |
| 11 | + |
| 12 | +## Actions |
| 13 | + |
| 14 | +- `RESET` - Reset the target's password without knowing the existing one (requires appropriate permissions) |
| 15 | +- `RESET_NTLM` - Reset the target's NTLM hash, without knowing the existing password. This will not update kerberos keys. |
| 16 | +- `CHANGE` - Change the password, knowing the existing one. |
| 17 | +- `CHANGE_NTLM` - Change the password to a NTLM hash value, knowing the existing password. This will not update kerberos keys. |
| 18 | + |
| 19 | +## Options |
| 20 | + |
| 21 | +The required options are based on the action being performed: |
| 22 | + |
| 23 | +- When resetting a password, you must specify the `TARGET_USER` |
| 24 | +- When changing a password, you must specify the `SMBUser` and `SMBPass`, even if using an existing session (since the API requires both of these to be specified, even for open SMB sessions) |
| 25 | +- When resetting or changing a password, you must specify `NEW_PASSWORD` |
| 26 | +- When resetting or changing an NTLM hash, you must specify `NEW_NTLM` |
| 27 | + |
| 28 | +**SMBUser** |
| 29 | + |
| 30 | +The username to use to authenticate to the server. Required for changing a password, even if using an existing session. |
| 31 | + |
| 32 | +**SMBPass** |
| 33 | + |
| 34 | +The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password). |
| 35 | + |
| 36 | +**TARGET_USER** |
| 37 | + |
| 38 | +For resetting passwords, the user account for which to reset the password. The authenticated account (SMBUser) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right) |
| 39 | + |
| 40 | +**NEW_PASSWORD** |
| 41 | + |
| 42 | +The new password to set for `RESET` and `CHANGE` actions. |
| 43 | + |
| 44 | +**NEW_NTLM** |
| 45 | + |
| 46 | +The new NTLM hash to set for `RESET_NTLM` and `CHANGE_NTLM` actions. This can either be an NT hash, or a colon-delimited NTLM hash. |
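Review bot: In the Options list (added lines 21-26) and the `TARGET_USER` entry (added line 38), `TARGET_USER` is described only for resets, and nothing says what it does under `CHANGE` or `CHANGE_NTLM`, where the list names only `SMBUser` and `SMBPass`. State whether it is ignored or must be left unset there, so that all four actions are fully specified. The document also stops at Options; a short section showing one run of each action and the output to expect would let a reader confirm the result. Minor wording: "kerberos" on added lines 15 and 17 should be "Kerberos", and "a NTLM hash" on added line 17 should be "an NTLM hash".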