Machine Account Quota

main
Swissky 2024-11-05 21:19:30 +01:00
parent 349d75a400
commit d2c21746bb
3 changed files with 53 additions and 3 deletions

View File

@ -427,8 +427,8 @@ Members : {}
**Requirements**
* **Template Schema Version 1**
* **ENROLLEE_SUPPLIES_SUBJECT** = True
* **Template Schema** Version 1
* **ENROLLEE_SUPPLIES_SUBJECT** = `True`
**Exploitation**:

View File

@ -0,0 +1,49 @@
# Active Directory - Machine Account Quota
In Active Directory (AD), the `MachineAccountQuota` is a limit set on how many computer accounts a specific user or group can create in the domain.
When a user attempts to create a new computer account, AD checks the current number of computer accounts that the user has already created against the defined quota for that user or group.
However, Active Directory does not store the current count of created machine accounts directly in a user attribute. Instead, you would need to perform a query to count the machine accounts that were created by a specific user.
## Machine Account Quota Process
1. **Quota Definition**: The `MachineAccountQuota` is defined at the domain level and can be set for individual users or groups. By default, it is set to **10** for the "Domain Admins" group and to 0 for standard users, limiting their capability to create computer accounts.
```powershell
nxc ldap <ip> -u user -p pass -M maq
```
2. **Creation Process**: When a user attempts to create a new computer account (for example, by using the "Add Computer" option in Active Directory Users and Computers or via PowerShell), the account creation request is made to the domain controllers (DCs).
```powershell
impacket@linux> addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword'
```
3. **Quota Evaluation**: Before the account is created, Active Directory checks the current count of computer accounts created by that user. This is done by querying the `msDS-CreatorSID` attribute, which holds the SID of the user who created that object.
The system compares this count to the `MachineAccountQuota` value set for that user. If the count is less than the quota, the creation proceeds; if it equals or exceeds the quota, the creation is denied, and an error is returned.
```powershell
# Replace DOMAIN\username with the actual domain and user name
$user = "DOMAIN\username"
# Get the user's SID
$userSID = (Get-ADUser -Identity $user).SID
# Count the number of computer accounts created by this user
$computerCount = (Get-ADComputer -Filter { msDS-CreatorSID -eq $userSID }).Count
# Display the count
$computerCount
```
4. **Failure Handling**:
- If the quota is exceeded, the user attempting to create the account will receive an error message indicating that they cannot create a new computer account because they have reached their quota limit.
## References
* [MachineAccountQuota - The Hacker Recipes - 24/10/2024](https://www.thehacker.recipes/ad/movement/builtins/machineaccountquota)
* [MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory's Oddest Settings - Kevin Robertson - March 6, 2019](https://www.netspi.com/blog/technical-blog/network-penetration-testing/machineaccountquota-is-useful-sometimes/)
* [Machine Account Quota - NetExec - 13/09/2023](https://www.netexec.wiki/ldap-protocol/machine-account-quota)

View File

@ -12,9 +12,10 @@ Tools to help you collaborate and generate your reports.
List of penetration test reports and templates.
* [reconmap/pentest-reports](https://github.com/reconmap/pentest-reports) - Collection of penetration test reports and pentest report templates
* [reconmap/pentest-reports](https://github.com/reconmap/pentest-reports) - Collection of penetration test reports and pentest report templates.
* [juliocesarfort/public-pentesting-reports](https://github.com/juliocesarfort/public-pentesting-reports) - A list of public penetration test reports published by several consulting firms and academic security groups.
* [xanhacks/web-pentest-reports](https://gitlab.com/xanhacks/web-pentest-reports) - List of template vulnerability reports for web pentesting.
* [noraj/OSCP-Exam-Report-Template-Markdown](https://github.com/noraj/OSCP-Exam-Report-Template-Markdown) - Markdown Templates for Offensive Security OSCP, OSWE, OSCE, OSEE, OSWP exam report.
## Vulnerability Report Structure