The changepw command implements the Kerberos password-change protocol described in RFC 3244 (commonly called AoratoPw or Kpasswd). It uses a valid TGT to obtain a short-lived kadmin/changepw service ticket from the KDC and then submits the new password over an authenticated, encrypted channel to the domain controller on UDP/TCP port 464. Because the operation is handled entirely through Kerberos, it requires no LDAP write access and does not trigger the standard LDAP password-reset audit trail.

Flags

/ticket (string, required)
A base64-encoded .kirbi blob or path to a .kirbi file containing the TGT for the target account. The TGT must belong to the account whose password you want to change.

/new (string, required)
The new plaintext password to set for the account.

/dc (string)
The hostname or IP address of the domain controller to contact. Defaults to the domain’s primary DC when omitted.

/targetuser (string)
Explicit DOMAIN\username of the target account. Required when performing an administrative password reset (i.e. changing another user’s password using a privileged TGT rather than the account’s own TGT).

The new password must satisfy the domain password policy (minimum length, complexity, history). The KDC will return an error if the policy is not met, but the error message may not be descriptive.

Examples

Change the current user’s own password

Use the account’s own TGT. The KDC will enforce that the TGT belongs to the same account as the target.
Rubeus.exe changepw /ticket:C:\tickets\jdoe.kirbi /new:NewP@ssw0rd!

Change another user’s password with their TGT

If you have obtained a TGT for a target account (e.g. via asktgt after credential capture), you can reset that account’s password without any LDAP privileges.
Rubeus.exe changepw /ticket:C:\tickets\victim.kirbi /new:NewP@ssw0rd! /targetuser:CORP\victim

Target a specific domain controller

Specify a DC by hostname when you want to avoid relying on automatic DC discovery, or when the default DC is unreachable.
Rubeus.exe changepw /ticket:C:\tickets\jdoe.kirbi /new:NewP@ssw0rd! /dc:dc01.corp.local

To obtain an appropriate TGT for a target account when you already know its credentials or hash, use Rubeus.exe asktgt first. The resulting .kirbi can then be passed directly to changepw /ticket.
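
For monitoring the port 464 exchange described at the top of this page, the cleartext header of a kpasswd request can be parsed without any keys. The following is an added example, not part of Rubeus or its documentation; the function names and sample bytes are constructed, and the 4-byte TCP length prefix is assumed to follow the usual Kerberos-over-TCP framing.

```python
import struct

# Protocol version values carried in the kpasswd request header.
VERSIONS = {
    0x0001: "change-password (original kpasswd)",
    0xFF80: "set/change-password (RFC 3244)",
}
AP_REQ_TAG = 0x6E    # DER tag [APPLICATION 14]
KRB_PRIV_TAG = 0x75  # DER tag [APPLICATION 21]


def parse_kpasswd_request(payload: bytes, tcp: bool = False) -> dict:
    """Parse the unencrypted header of one kpasswd request seen on port 464."""
    if tcp:
        # Assumption: TCP carries a 4-byte big-endian length before the message.
        if len(payload) < 4:
            raise ValueError("truncated TCP length prefix")
        (framed,) = struct.unpack(">I", payload[:4])
        payload = payload[4:]
        if framed != len(payload):
            raise ValueError("TCP length prefix does not match payload")
    if len(payload) < 6:
        raise ValueError("truncated kpasswd header")
    # message length (includes itself), protocol version, AP-REQ length
    msg_len, version, ap_len = struct.unpack(">HHH", payload[:6])
    if msg_len != len(payload):
        raise ValueError("message length field does not match payload")
    if ap_len == 0 or 6 + ap_len >= msg_len:
        raise ValueError("AP-REQ length leaves no room for AP-REQ and KRB-PRIV")
    ap_req, krb_priv = payload[6:6 + ap_len], payload[6 + ap_len:]
    return {
        "version": version,
        "operation": VERSIONS.get(version, "unknown"),
        "ap_req_len": ap_len,
        "krb_priv_len": len(krb_priv),
        # Both parts should start with their Kerberos ASN.1 application tag.
        "well_formed": ap_req[0] == AP_REQ_TAG and krb_priv[0] == KRB_PRIV_TAG,
    }


def build_sample(version: int) -> bytes:
    """Constructed sample: correct tags and lengths, zero-filled bodies."""
    ap_req = bytes([AP_REQ_TAG]) + b"\x00" * 15
    krb_priv = bytes([KRB_PRIV_TAG]) + b"\x00" * 9
    body = ap_req + krb_priv
    return struct.pack(">HHH", 6 + len(body), version, len(ap_req)) + body
```

The new password and the result code travel inside the encrypted KRB-PRIV, so a network sensor sees only the header fields returned here.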
