Skip to main content

Overview

Change a user’s password using the Kerberos password change protocol. This command leverages the Kerberos change password service to modify user passwords when current credentials are known.

Syntax

Rubeus.exe changepw /user:USER /current:CURRENT_PASS /new:NEW_PASS [options]

Required Parameters

user
string
required
Target username for password change
current
string
required
Current password for the user
new
string
required
New password to set for the user

Optional Parameters

domain
string
Target domain (default: current domain)
dc
string
Domain controller to target

Examples

# Change password for current user
Rubeus.exe changepw /user:testuser /current:oldpass123 /new:newpass456

# Change password in specific domain
Rubeus.exe changepw /user:admin /current:current_pass /new:new_pass /domain:corp.local

# Target specific domain controller
Rubeus.exe changepw /user:serviceaccount /current:old /new:new /dc:dc01.corp.local

Use Cases

Password Rotation:
  • Routine password changes for compromised accounts
  • Service account credential rotation
  • Security policy compliance
  • Credential lifecycle management
Operational Security:
  • Change passwords after compromise detection
  • Rotate service account credentials
  • Maintain access while changing credentials
  • Support long-term operations

Technical Requirements

Current Credentials:
  • Valid current password required
  • User must have password change permissions
  • Account must not be locked or disabled
  • Domain connectivity required
Service Requirements:
  • Kerberos password change service available
  • Domain controller accessibility
  • Proper network connectivity
  • No blocking security policies

Integration Workflows

Complete Workflow:
# 1. Change compromised password
Rubeus.exe changepw /user:compromised_user /current:known_pass /new:secure_pass

# 2. Request new TGT with updated password
Rubeus.exe asktgt /user:compromised_user /password:secure_pass

# 3. Continue operations with new credentials
# Use updated password for subsequent operations
  • asktgt - Use new password for TGT requests
  • hash - Generate hash from new password