Reset AD user password with Linux

[Figure: delegate_passwordreset.png, showing how to delegate the right to reset user passwords]

Disclaimer: if you are here because you are a helpdesk person, be aware that this is a pentest blog, so it is written from the mindset of a pentester. The technique could just as easily be used for legitimate purposes.

There are a great many things you can do with rpcclient; for examples beyond this blog post, see Chris Gates's posts on the subject.

There have been plenty of times on pentests where I have had access to IT- or helpdesk-related accounts with limited administrative powers. Almost always I or someone on the team found an internal wiki or share that such an account did have access to (and then we moved on from there); however, these accounts almost always also have the ability to reset passwords.

I was unable to find any documentation on how to do this from a Linux host, or at the very least how to do it without Active Directory Users and Computers (ADUC), which would require a Windows machine. And figuring out how to run ADUC through a meterpreter session wasn't a hurdle I ever had time for during engagements. :)

Thanks to me being dumb and resetting a password of my own in my lab to something I couldn't remember, I finally had the time to figure it out.

If you have the Samba client tools installed (the smbclient package on Debian-based systems), you can use rpcclient. Out of the gate, you can authenticate with a password or with Kerberos (-k on older Samba releases, --use-kerberos=required on Samba 4.15 and later). Kerberos is especially useful when you have dropped into a user that already has a valid Kerberos ticket, or when you can obtain one:

root@kali:~# rpcclient -U helpdesk //192.168.80.10
Enter helpdesk's password:
rpcclient $>

If you have the passing-the-hash package (pth-rpcclient and friends), you can even do this with just an NTLM hash. Recent Samba builds can also do it natively: the --pw-nt-hash option tells -U to treat the supplied "password" as the NT hash.

In order to change a password you need to use the setuserinfo2 command (running it with no arguments prints its usage):

rpcclient $> setuserinfo2
Usage: setuserinfo2 username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER

You will not be able to change the password of anyone with adminCount = 1 (Domain Admins and members of the other protected groups). The AdminSDHolder/SDProp process periodically stamps those accounts with a fixed ACL, which wipes out any delegated Reset Password right, so the call fails with ACCESS_DENIED:

rpcclient $> setuserinfo2 ima-domainadmin 23 'ASDqwe123'
result: NT_STATUS_ACCESS_DENIED
result was NT_STATUS_ACCESS_DENIED
rpcclient $>

But you can very easily target the alternate admin accounts many admins use for day-to-day server administration: those are usually not members of a protected group, so they still have adminCount = 0 and the delegated right applies:

rpcclient $> setuserinfo2 adminuser 23 'ASDqwe123'
rpcclient $>

Yes, it would be nice if there were some sort of confirmation. As the two examples above show, silence means success and you only get output on failure.

The 23 came from the MS-SAMR documentation on MSDN: it is the USER_INFORMATION_CLASS value UserInternal4Information, the SamrSetInformationUser2 level whose structure carries the new password encrypted with the session key. One more failure mode to expect: if the new password does not satisfy the domain password policy (length, complexity, history), the call fails with NT_STATUS_PASSWORD_RESTRICTION rather than ACCESS_DENIED.
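As an added example (not part of the original post), here is a small POSIX shell wrapper around the rpcclient call above that supplies the confirmation setuserinfo2 itself never prints. It classifies rpcclient's output (empty on success, "result was NT_STATUS_..." on failure) into a verdict with the most likely cause, and on success it proves the reset worked by binding to the DC as the target with the new password and running getusername. rpcclient, its -c option, --pw-nt-hash and getusername are real Samba features; the DC address, account names and passwords are made-up sample values.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes: rpcclient (Samba) on PATH, the DC reachable over SMB/RPC, and a
# helpdesk account that has "Reset password" delegated on the target OU.

# Turn the output of a setuserinfo2 call into a one-word verdict.
# rpcclient prints nothing on success and "result was NT_STATUS_..." on failure.
classify_rpc_output() {
    case "$1" in
        '')                               echo ok ;;
        *NT_STATUS_ACCESS_DENIED*)        echo denied ;;
        *NT_STATUS_PASSWORD_RESTRICTION*) echo policy ;;
        *NT_STATUS_NO_SUCH_USER*)         echo nouser ;;
        *NT_STATUS_LOGON_FAILURE*)        echo badcreds ;;
        *NT_STATUS_*)                     echo error ;;
        *)                                echo unknown ;;
    esac
}

# Human-readable meaning of each verdict, with the likely cause.
explain_verdict() {
    case "$1" in
        ok)       echo "reset accepted (setuserinfo2 is silent on success)" ;;
        denied)   echo "ACCESS_DENIED: target is probably adminCount=1 (AdminSDHolder-protected) or you lack Reset Password on it" ;;
        policy)   echo "PASSWORD_RESTRICTION: new password fails the domain length/complexity/history policy" ;;
        nouser)   echo "NO_SUCH_USER: check the sAMAccountName" ;;
        badcreds) echo "LOGON_FAILURE: the helpdesk credentials were rejected" ;;
        error)    echo "some other NT_STATUS error, see the raw output" ;;
        *)        echo "unrecognised rpcclient output" ;;
    esac
}

# reset_ad_password DC CREDS TARGET NEWPASS
#   CREDS is 'DOMAIN\user%password'. To authenticate with an NT hash instead,
#   add --pw-nt-hash to the first rpcclient line and pass the hash as the password.
reset_ad_password() {
    dc=$1; creds=$2; target=$3; newpass=$4
    # Level 23 = UserInternal4Information (MS-SAMR), the same call as the post.
    out=$(rpcclient -U "$creds" "//$dc" -c "setuserinfo2 $target 23 '$newpass'" 2>&1)
    verdict=$(classify_rpc_output "$out")
    echo "$verdict: $(explain_verdict "$verdict")"
    if [ "$verdict" != ok ]; then
        printf '%s\n' "$out"
        return 1
    fi
    # Prove it: bind as the target with the new password and ask who we are.
    if rpcclient -U "$target%$newpass" "//$dc" -c getusername >/dev/null 2>&1; then
        echo "verified: $target authenticates with the new password"
    else
        echo "warning: reset looked fine but logon as $target failed (lockout? must change at next logon?)"
        return 1
    fi
}

# Usage when run as a script (sample values, not a real environment):
#   ./reset.sh 192.168.80.10 'helpdesk%Password1' adminuser 'ASDqwe123'
if [ "$#" -eq 4 ]; then
    reset_ad_password "$@"
fi
```

The verification bind is the important part from an operator's point of view: a silent setuserinfo2 followed by a failed logon as the target usually means the account is locked out or flagged must-change-at-next-logon, and you want to know that before you burn the new credential anywhere else.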

If you have the samba-common-bin package, you can also do this with the net command, which prompts for the new password instead of taking it on the command line:

root@kali:~# net rpc password adminuser -U helpdesk -S 192.168.80.10
Enter new password for adminuser:
Enter helpdesk's password:
root@kali:~#

Huge thanks to Beto Solino of Impacket fame for his help figuring this out.