The changepw command implements the Kerberos password-change protocol described in RFC 3244 (commonly called AoratoPw or Kpasswd). It uses a valid TGT to obtain a short-lived kadmin/changepw service ticket from the KDC and then submits the new password over an authenticated, encrypted channel to the domain controller on UDP/TCP port 464. Because the operation is handled entirely through Kerberos, it requires no LDAP write access and does not trigger the standard LDAP password-reset audit trail.
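
Because the exchange bypasses the LDAP audit trail, the port 464 traffic itself is one place to observe it. The following is an added example for network monitoring, not Rubeus or project code: it parses the cleartext kpasswd request framing (message length, protocol version, AP-REQ length, AP-REQ, KRB-PRIV). The function names are hypothetical and the sample bytes are constructed placeholders, not a captured ticket.

```python
import struct

# Protocol version numbers carried in the kpasswd request header.
VERSIONS = {0x0001: "change-password (version 1)",
            0xFF80: "set-password (RFC 3244)"}
AP_REQ_TAG = 0x6E    # ASN.1 [APPLICATION 14]
KRB_PRIV_TAG = 0x75  # ASN.1 [APPLICATION 21]


def parse_kpasswd_request(payload: bytes, tcp: bool = False) -> dict:
    """Parse the cleartext framing of a kpasswd request seen on port 464.

    Raises ValueError if the payload does not look like a kpasswd request.
    The new password sits inside the encrypted KRB-PRIV and is not visible.
    """
    if tcp:  # TCP prepends a 4-byte big-endian record length
        if len(payload) < 4:
            raise ValueError("short TCP record")
        (record_len,) = struct.unpack(">I", payload[:4])
        payload = payload[4:4 + record_len]
    if len(payload) < 6:
        raise ValueError("short header")
    msg_len, version, ap_req_len = struct.unpack(">HHH", payload[:6])
    if msg_len != len(payload):  # length field counts itself
        raise ValueError("length field does not match payload size")
    if version not in VERSIONS:
        raise ValueError(f"unknown protocol version 0x{version:04x}")
    ap_req = payload[6:6 + ap_req_len]
    krb_priv = payload[6 + ap_req_len:]
    if len(ap_req) != ap_req_len or not ap_req or ap_req[0] != AP_REQ_TAG:
        raise ValueError("AP-REQ missing or malformed")
    if not krb_priv or krb_priv[0] != KRB_PRIV_TAG:
        raise ValueError("KRB-PRIV missing or malformed")
    return {"operation": VERSIONS[version], "version": version,
            "ap_req_len": ap_req_len, "krb_priv_len": len(krb_priv)}


def build_sample(version: int) -> bytes:
    """Constructed sample: correct framing around placeholder bodies."""
    ap_req = bytes([AP_REQ_TAG, 0x03, 0x02, 0x01, 0x05])   # not a real ticket
    krb_priv = bytes([KRB_PRIV_TAG, 0x03, 0x02, 0x01, 0x05])
    body = struct.pack(">HH", version, len(ap_req)) + ap_req + krb_priv
    return struct.pack(">H", len(body) + 2) + body


if __name__ == "__main__":
    print(parse_kpasswd_request(build_sample(0xFF80)))
```
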
Flags
A base64-encoded .kirbi blob or path to a .kirbi file containing the TGT for the target account. The TGT must belong to the account whose password you want to change.
The new plaintext password to set for the account.
The hostname or IP address of the domain controller to contact. Defaults to the domain’s primary DC when omitted.
Explicit DOMAIN\username of the target account. Required when performing an administrative password reset (i.e. changing another user’s password using a privileged TGT rather than the account’s own TGT).
Examples
Change the current user’s own password
Use the account’s own TGT. The KDC will enforce that the TGT belongs to the same account as the target.
Change another user’s password with their TGT
If you have obtained a TGT for a target account (e.g. via asktgt after credential capture), you can reset that account’s password without any LDAP privileges.
Target a specific domain controller
Specify a DC by hostname when you want to avoid relying on automatic DC discovery, or when the default DC is unreachable.
To obtain an appropriate TGT for a target account when you already know its credentials or hash, use Rubeus.exe asktgt first. The resulting .kirbi can then be passed directly to changepw /ticket.