From d2c21746bb1fa52029fa33becd08ce7b9d0bf66a Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 5 Nov 2024 21:19:30 +0100 Subject: [PATCH] Machine Account Quota --- .../ad-adcs-certificate-services.md | 4 +- .../ad-adds-machineaccountquota.md | 49 +++++++++++++++++++ docs/methodology/vulnerability-reports.md | 3 +- 3 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 docs/active-directory/ad-adds-machineaccountquota.md diff --git a/docs/active-directory/ad-adcs-certificate-services.md b/docs/active-directory/ad-adcs-certificate-services.md index d28b93d..00cd3d0 100644 --- a/docs/active-directory/ad-adcs-certificate-services.md +++ b/docs/active-directory/ad-adcs-certificate-services.md @@ -427,8 +427,8 @@ Members : {} **Requirements** -* **Template Schema Version 1** -* **ENROLLEE_SUPPLIES_SUBJECT** = True +* **Template Schema** Version 1 +* **ENROLLEE_SUPPLIES_SUBJECT** = `True` **Exploitation**: diff --git a/docs/active-directory/ad-adds-machineaccountquota.md b/docs/active-directory/ad-adds-machineaccountquota.md new file mode 100644 index 0000000..fd3005b --- /dev/null +++ b/docs/active-directory/ad-adds-machineaccountquota.md 
@@ -0,0 +1,49 @@ +# Active Directory - Machine Account Quota + +In Active Directory (AD), the `MachineAccountQuota` is a limit set on how many computer accounts a specific user or group can create in the domain. + +When a user attempts to create a new computer account, AD checks the current number of computer accounts that the user has already created against the defined quota for that user or group. + +However, Active Directory does not store the current count of created machine accounts directly in a user attribute. Instead, you would need to perform a query to count the machine accounts that were created by a specific user. + + +## Machine Account Quota Process + +1. **Quota Definition**: The `MachineAccountQuota` is defined at the domain level and can be set for individual users or groups. By default, it is set to **10** for the "Domain Admins" group and to 0 for standard users, limiting their capability to create computer accounts. + + ```powershell + nxc ldap -u user -p pass -M maq + ``` + +2. **Creation Process**: When a user attempts to create a new computer account (for example, by using the "Add Computer" option in Active Directory Users and Computers or via PowerShell), the account creation request is made to the domain controllers (DCs). + + ```powershell + impacket@linux> addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword' + ``` + +3. **Quota Evaluation**: Before the account is created, Active Directory checks the current count of computer accounts created by that user. This is done by querying the `msDS-CreatorSID` attribute, which holds the SID of the user who created that object. +The system compares this count to the `MachineAccountQuota` value set for that user. If the count is less than the quota, the creation proceeds; if it equals or exceeds the quota, the creation is denied, and an error is returned. 
+ + ```powershell + # Replace DOMAIN\username with the actual domain and user name + $user = "DOMAIN\username" + + # Get the user's SID + $userSID = (Get-ADUser -Identity $user).SID + + # Count the number of computer accounts created by this user + $computerCount = (Get-ADComputer -Filter { msDS-CreatorSID -eq $userSID }).Count + + # Display the count + $computerCount + ``` + +4. **Failure Handling**: + - If the quota is exceeded, the user attempting to create the account will receive an error message indicating that they cannot create a new computer account because they have reached their quota limit. + + +## References + +* [MachineAccountQuota - The Hacker Recipes - 24/10/2024](https://www.thehacker.recipes/ad/movement/builtins/machineaccountquota) +* [MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory's Oddest Settings - Kevin Robertson - March 6, 2019](https://www.netspi.com/blog/technical-blog/network-penetration-testing/machineaccountquota-is-useful-sometimes/) +* [Machine Account Quota - NetExec - 13/09/2023](https://www.netexec.wiki/ldap-protocol/machine-account-quota) \ No newline at end of file diff --git a/docs/methodology/vulnerability-reports.md b/docs/methodology/vulnerability-reports.md index fc8cd43..cd2d021 100644 --- a/docs/methodology/vulnerability-reports.md +++ b/docs/methodology/vulnerability-reports.md 
@@ -12,9 +12,10 @@ Tools to help you collaborate and generate your reports. List of penetration test reports and templates. -* [reconmap/pentest-reports](https://github.com/reconmap/pentest-reports) - Collection of penetration test reports and pentest report templates +* [reconmap/pentest-reports](https://github.com/reconmap/pentest-reports) - Collection of penetration test reports and pentest report templates. * [juliocesarfort/public-pentesting-reports](https://github.com/juliocesarfort/public-pentesting-reports) - A list of public penetration test reports published by several consulting firms and academic security groups. * [xanhacks/web-pentest-reports](https://gitlab.com/xanhacks/web-pentest-reports) - List of template vulnerability reports for web pentesting. +* [noraj/OSCP-Exam-Report-Template-Markdown](https://github.com/noraj/OSCP-Exam-Report-Template-Markdown) - Markdown Templates for Offensive Security OSCP, OSWE, OSCE, OSEE, OSWP exam report. ## Vulnerability Report Structure
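Review bot: in the new ad-adds-machineaccountquota.md, the "Quota Definition" step says the default of 10 applies to the "Domain Admins" group and that standard users get 0; that is incorrect and contradicts the rest of the page (the "Quota Evaluation" step and the linked references describe ordinary users creating up to 10 accounts). `ms-DS-MachineAccountQuota` is a single attribute on the domain object, it cannot be set per user or group, and its default of 10 applies to every authenticated user, which is exactly why it matters for domain hardening. Suggest rewording to "is defined at the domain level (`ms-DS-MachineAccountQuota`); by default it is 10 and applies to all authenticated users", and mentioning that setting it to 0 (or removing Authenticated Users from "Add workstations to domain") is the usual mitigation. Two smaller points in the same hunk: the "Quota Evaluation" PowerShell sets `$user = "DOMAIN\username"` and passes it to `Get-ADUser -Identity`, but `-Identity` takes a SamAccountName, SID, GUID or distinguished name, not `DOMAIN\user`, so the lookup fails as written; drop the domain prefix, and wrap the computer query in `@( )` so `.Count` is reliable whether zero, one or many objects come back. The `nxc ldap` and `addcomputer.py` blocks are Linux commands but are fenced as `powershell`; tag them `bash`. The file is also missing a trailing newline.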