MachineAccountQuota

PreviousSecurity groups NextPre-Windows 2000 computers

Last updated 1 year ago

Was this helpful?

MachineAccountQuota

Theory

MachineAccountQuota (MAQ) is a domain level attribute that by default permits unprivileged users to attach up to 10 computers to an Active Directory (AD) domain ()

Practice

There are multiple ways attackers can leverage that power.

, to domain controllers using LDAPS, and take advantage of authenticated sessions to create a domain computer account. This account can then be used as a foothold on the AD domain to operate authenticated recon (i.e. for example)
Create a computer account and use it for when leveraging owned accounts with sufficient permissions (i.e. ACEs like GenericAll, GenericWrite or WriteProperty) against a target machine
Create a computer account and use it for a attack when leveraging owned accounts with sufficient permissions (i.e. the SeEnableDelegationPrivilege user right)
Profit from special rights that members of the Domain Computers group could inherit
Profit from special rights that could automatically be applied to new domain computers based on their account name

Check the value

The module (for (Python)) can be used to check the value of the MachineAccountQuota attribute:

nxc ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD -M maq

Alternatively, it can be done manually with the Python library ():

import ldap3

target_dn = "DC=domain,DC=local" # change this
domain = "domain" # change this
username = "username" # change this
password = "password" # change this

user = "{}\\{}".format(domain, username)
server = ldap3.Server(domain)
connection = ldap3.Connection(server = server, user = user, password = password, authentication = ldap3.NTLM)
connection.bind()
connection.search(target_dn,"(objectClass=*)", attributes=['ms-DS-MachineAccountQuota'])
print(connection.entries[0])

With (Python):

bloodyad -d $DOMAIN -u $USER -p $PASSWORD --host $DOMAIN_CONTROLLER get object 'DC=acme,DC=local' --attr ms-DS-MachineAccountQuota

With (Python):

ldeep ldap -d $DOMAIN -u $USER -p $PASSWORD -s $DOMAIN_CONTROLLER search '(objectclass=domain)' | jq '.[]."ms-DS-MachineAccountQuota"'

With ldapsearch (openldap (C)):

ldapsearch -x -H ldap://$DOMAIN_CONTROLLER -b 'DC=acme,DC=local' -D "$USER@$DOMAIN" -W -s sub "(objectclass=domain)" | grep ms-DS-MachineAccountQuota

Get-ADDomain | Select-Object -ExpandProperty DistinguishedName | Get-ADObject -Properties 'ms-DS-MachineAccountQuota'

StandIn.exe --object ms-DS-MachineAccountQuota=*

Create a computer account

addcomputer.py -computer-name 'SomeName$' -computer-pass 'SomePassword' -dc-host "$DC_HOST" -domain-netbios "$DOMAIN" "$DOMAIN"/"$USER":"$PASSWORD"

addcomputer.py also has an option -computer-group for adding a group to which the account will be added. Because if omitted, the group CN=Computers will be used by default.

KrbRestrictedHost/hostname
KrbRestrictedHost/hostname.domain_fqdn
Host/hostname
Host/hostname.domain_fqdn

bloodyad -d "$DOMAIN" -u "$USER" -p "$PASSWORD" --host "$DC_HOST" add computer 'SomeName$' 'SomePassword'

ldeep ldap -u "$USER" -p "$PASSWORD" -d "$DOMAIN" -s ldap://"$DC_HOST" create_computer 'SomeName$' 'SomePassword'

certipy account create -username "$USER"@"$DOMAIN" -password "$PASSWORD" -dc-ip "$DC_HOST" -user 'SomeName$' -pass 'SomePassword' -dns 'SomeDNS'

Certipy also offers option to set the UPN (-upn), SAM account name (-sam), SPNS (-spns) while creating the computer.

$password = ConvertTo-SecureString 'SomePassword' -AsPlainText -Force
New-MachineAccount -MachineAccount 'PENTEST01' -Password $($password) -Verbose

While the machine account can only be deleted by domian administrators, it can be deactivated by the creator account with the following command using the Powermad module.

Disable-MachineAccount -MachineAccount 'PENTEST01' -Verbose

# Create the account
StandIn.exe --computer 'PENTEST01' --make

# Disable the account
StandIn.exe --computer 'PENTEST01' --disable

# Delete the account (requires elevated rights)
StandIn.exe --computer 'PENTEST01' --delete

Testers need to be aware that the MAQ attribute set to a non-zero value doesn't necessarily mean the users can create machine accounts. The right to add workstations to a domain can in fact be changed in the Group Policies. Group Policy Management Console (gpmc.msc) > Domain Controllers OU > Domain Controllers Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assigments > Add workstations to domain

Resources

PreviousSecurity groups NextPre-Windows 2000 computers

Last updated 1 year ago

Was this helpful?