
Add module for adding/deleting computers via MS-SAMR #16677

Merged
merged 8 commits into from Jun 30, 2022

Conversation


@zeroSteiner zeroSteiner commented Jun 15, 2022

This adds a new auxiliary/admin module that can be used to add, look up and delete computer accounts from an Active Directory domain. By default standard AD users can add up to 10 computers to the domain. When a user has access to do this (such as via plaintext credentials at the moment), the computer account can offer a sort of foothold into the domain. It's also becoming a common attack primitive in certain scenarios.

Because there's typically a limited number of computers a user can add, the module's ADD_COMPUTER action will fail with STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED if used repeatedly. Also, while a standard user can create a computer account, additional privileges are required to delete it.

This requires the changes from rapid7/ruby_smb#231

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/admin/dcerpc/samr_computer
  • Set the RHOSTS, SMBUser and SMBPass options (SMBDomain is only required if the target has more than one domain on it)
  • Run the ADD_COMPUTER action
    • A new computer will be created in the domain, the password printed to the screen and stored in the credentials table (as visible with creds)
  • Set COMPUTER_NAME to the name of the new computer account
  • Run the LOOKUP_COMPUTER action, see that the computer exists, and the SID is resolved
  • Run the DELETE_COMPUTER action, see that the computer is deleted (this action requires more privileges, use a DA or other elevated account)
  • Run the LOOKUP_COMPUTER action, see that the computer does not exist any more

The ADD_COMPUTER action makes a DCERPC request to set the password that uses application-layer encryption using either the session key or the application key from the underlying SMB transport. I tested this action using SMB 2 and SMB 3, both with and without transport-level encryption. The application key is only set for SMBv3 dialects. The module will use the application key when it's generated; otherwise it'll use the session key. The SMB version and encryption settings can be configured through the SMB::ProtocolVersion and SMB::AlwaysEncrypt advanced datastore options.

Demo

msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
RHOSTS => 192.168.159.96
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
SMBPass => Password1
msf6 auxiliary(admin/dcerpc/samr_computer) > show options 
Module options (auxiliary/admin/dcerpc/samr_computer):
   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   COMPUTER_NAME                   no        The computer name
   RHOSTS         192.168.159.96   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        The Windows domain to use for authentication
   SMBPass        Password1        no        The password for the specified username
   SMBUser        aliddle          no        The username to authenticate as
Auxiliary action:
   Name          Description
   ----          -----------
   ADD_COMPUTER  Add a computer account
msf6 auxiliary(admin/dcerpc/samr_computer) > run
[*] Running module against 192.168.159.96
[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/samr_computer) > creds
Credentials
===========
host            origin          service        public             private                           realm   private_type  JtR Format
----            ------          -------        ------             -------                           -----   ------------  ----------
192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password      
msf6 auxiliary(admin/dcerpc/samr_computer) >
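The detection side of the behaviour described above, as an added example that is not part of the PR or the module: constructed records modelled on Windows Security event ID 4741 ("A computer account was created") are checked for creators outside an expected set, for names matching the module's default DESKTOP-<8 chars>$ pattern, and for creators who have used up the machine account quota. The event field names and the expected-joiner set are assumptions.

```ruby
# Added example, not code from the PR or the module: a small detector for
# computer-account creations that look like MachineAccountQuota abuse, run
# over constructed records modelled on Windows Security event ID 4741.
# Field names (:creator, :computer) are assumptions, not the real event schema.
require 'set'

DEFAULT_MACHINE_ACCOUNT_QUOTA = 10 # ms-DS-MachineAccountQuota default
# The module's default naming: <prefix>-<8 uppercase alphanumerics>$
TOOL_NAME_PATTERN = /\A[A-Z]+-[A-Z0-9]{8}\$\z/
# Principals expected to join machines (assumption: a provisioning service)
EXPECTED_JOINERS = Set['MSFLAB\\svc_sccm'].freeze

# Constructed sample events; 4742 is a modification, not a creation.
SAMPLE_EVENTS = [
  { id: 4741, creator: 'MSFLAB\\aliddle',  computer: 'DESKTOP-2X8F54QG$' },
  { id: 4741, creator: 'MSFLAB\\aliddle',  computer: 'DESKTOP-Q1W2E3R4$' },
  { id: 4741, creator: 'MSFLAB\\svc_sccm', computer: 'WS-FIN-0042$' },
  { id: 4741, creator: 'MSFLAB\\aliddle',  computer: 'newcomputer$' },
  { id: 4742, creator: 'MSFLAB\\aliddle',  computer: 'DESKTOP-2X8F54QG$' }
].freeze

# Number of computer accounts each principal created (4741 events only).
def creations_by(events)
  events.select { |e| e[:id] == 4741 }
        .group_by { |e| e[:creator] }
        .transform_values(&:size)
end

# Each 4741 event paired with the reasons it deserves a look; events with
# no reasons are dropped. `quota` lets a lowered domain setting be checked.
def suspicious_creations(events, quota: DEFAULT_MACHINE_ACCOUNT_QUOTA)
  counts = creations_by(events)
  events.select { |e| e[:id] == 4741 }.filter_map do |e|
    reasons = []
    reasons << :unexpected_creator unless EXPECTED_JOINERS.include?(e[:creator])
    reasons << :tool_like_name if TOOL_NAME_PATTERN.match?(e[:computer])
    reasons << :quota_reached if counts[e[:creator]] >= quota
    reasons.empty? ? nil : e.merge(reasons: reasons)
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_creations(SAMPLE_EVENTS).each do |hit|
    puts "#{hit[:creator]} created #{hit[:computer]}: #{hit[:reasons].join(', ')}"
  end
end
```

Setting ms-DS-MachineAccountQuota to 0 removes this path for standard users entirely; the name check is only a heuristic, since the module accepts an arbitrary COMPUTER_NAME.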

@smcintyre-r7 smcintyre-r7 added module docs blocked Blocked by one or more additional tasks rn-modules release notes for new or majorly enhanced modules labels Jun 15, 2022
@smashery smashery assigned smashery and unassigned smashery Jun 20, 2022
@cdelafuente-r7 cdelafuente-r7 self-assigned this Jun 24, 2022
@cdelafuente-r7 cdelafuente-r7 left a comment


Thanks @zeroSteiner for this module! I did a first round of tests against a Windows Server 2019 DC and it works great. I will continue testing against other targets/protocol versions. In the meantime, I left a few comments for you to review when you get a chance.

end

def random_hostname(prefix: 'DESKTOP')
"#{prefix}-#{Rex::Text.rand_base(8, '', ('A'..'Z').to_a + ('0'..'9').to_a)}$"

Suggested change
"#{prefix}-#{Rex::Text.rand_base(8, '', ('A'..'Z').to_a + ('0'..'9').to_a)}$"
"#{prefix}-#{Rex::Text.rand_text_alphanumeric(8).upcase}$"

modules/auxiliary/admin/dcerpc/samr_computer.rb
member: RubySMB::Dcerpc::Samr::SamprUserInternal4InformationNew.new(
i1: {
password_expired: 1,
which_fields: RubySMB::Dcerpc::Samr::USER_ALL_NTPASSWORDPRESENT | RubySMB::Dcerpc::Samr::USER_ALL_PASSWORDEXPIRED

If I understand it correctly, the i1's NtPasswordPresent field will be processed by the server, and since it is set to zero by default, the NtOwfPassword field will be ignored (here). Any specific reason for this? Not a blocker, but I'm just trying to understand the process.

modules/auxiliary/admin/dcerpc/samr_computer.rb
Simplify the application_key usage, update docs and catch another
exception.
@smcintyre-r7 smcintyre-r7 removed the blocked Blocked by one or more additional tasks label Jun 29, 2022
@cdelafuente-r7

Thanks for these updates! Everything looks good to me now. I tested against Windows Server 2019 and verified every ACTION works as expected. I'll go ahead and land it.

Example output against Windows Server 2019

  • LOOKUP_COMPUTER
msf6 auxiliary(admin/dcerpc/samr_computer) > set action LOOKUP_COMPUTER
action => LOOKUP_COMPUTER
msf6 auxiliary(admin/dcerpc/samr_computer) > run RHOSTS=192.168.0.98 SMBUser=msfuser SMBPass=123456 verbose=true COMPUTER_NAME=WINDESKTOP$
[*] Running module against 192.168.0.98

[*] 192.168.0.98:445 - Connecting to Security Account Manager (SAM) Remote Protocol
[*] 192.168.0.98:445 - Binding to \samr...
[+] 192.168.0.98:445 - Bound to \samr
[*] 192.168.0.98:445 - Using automatically identified domain: MYLAB
[+] 192.168.0.98:445 - Found MYLAB\WINDESKTOP$ (SID: S-1-5-21-783017734-0986766-0746634251-2610)
[*] Auxiliary module execution completed
  • ADD_COMPUTER
msf6 auxiliary(admin/dcerpc/samr_computer) > set action ADD_COMPUTER
action => ADD_COMPUTER
msf6 auxiliary(admin/dcerpc/samr_computer) > run RHOSTS=192.168.0.98 SMBUser=msfuser SMBPass=123456 verbose=true COMPUTER_NAME=newcomputer$ COMPUTER_PASSWORD=123456
[*] Running module against 192.168.0.98

[*] 192.168.0.98:445 - Connecting to Security Account Manager (SAM) Remote Protocol
[*] 192.168.0.98:445 - Binding to \samr...
[+] 192.168.0.98:445 - Bound to \samr
[*] 192.168.0.98:445 - Using automatically identified domain: MYLAB
[+] 192.168.0.98:445 - Successfully created MYLAB\newcomputer$ with password 123456
[*] Auxiliary module execution completed

msf6 auxiliary(admin/dcerpc/samr_computer) > set action LOOKUP_COMPUTER
action => LOOKUP_COMPUTER
msf6 auxiliary(admin/dcerpc/samr_computer) > run RHOSTS=192.168.0.98 SMBUser=msfuser SMBPass=123456 verbose=true COMPUTER_NAME=newcomputer$
[*] Running module against 192.168.0.98

[*] 192.168.0.98:445 - Connecting to Security Account Manager (SAM) Remote Protocol
[*] 192.168.0.98:445 - Binding to \samr...
[+] 192.168.0.98:445 - Bound to \samr
[*] 192.168.0.98:445 - Using automatically identified domain: MYLAB
[+] 192.168.0.98:445 - Found MYLAB\newcomputer$ (SID: S-1-5-21-783017734-0986766-0746634251-2612)
[*] Auxiliary module execution completed

msf6 auxiliary(admin/dcerpc/samr_computer) > creds
Credentials
===========

host             origin           service                public        private  realm  private_type  JtR Format
----             ------           -------                ------        -------  -----  ------------  ----------
192.168.144.224  192.168.144.224  445/tcp (smb)          newcomputer$  123456   MYLAB  Password
  • DELETE_COMPUTER
msf6 auxiliary(admin/dcerpc/samr_computer) > set action DELETE_COMPUTER
action => DELETE_COMPUTER
msf6 auxiliary(admin/dcerpc/samr_computer) > run RHOSTS=192.168.0.98 SMBUser=msfuser SMBPass=123456 verbose=true COMPUTER_NAME=newcomputer$
[*] Running module against 192.168.0.98

[*] 192.168.0.98:445 - Connecting to Security Account Manager (SAM) Remote Protocol
[*] 192.168.0.98:445 - Binding to \samr...
[+] 192.168.0.98:445 - Bound to \samr
[*] 192.168.0.98:445 - Using automatically identified domain: MYLAB
[+] 192.168.0.98:445 - The specified computer has been deleted.
[*] Auxiliary module execution completed

msf6 auxiliary(admin/dcerpc/samr_computer) > set action LOOKUP_COMPUTER
action => LOOKUP_COMPUTER
msf6 auxiliary(admin/dcerpc/samr_computer) > run RHOSTS=192.168.0.98 SMBUser=msfuser SMBPass=123456 verbose=true COMPUTER_NAME=newcomputer$
[*] Running module against 192.168.0.98

[*] 192.168.0.98:445 - Connecting to Security Account Manager (SAM) Remote Protocol
[*] 192.168.0.98:445 - Binding to \samr...
[+] 192.168.0.98:445 - Bound to \samr
[*] 192.168.0.98:445 - Using automatically identified domain: MYLAB
[-] 192.168.0.98:445 - The specified computer was not found.
[*] Auxiliary module execution completed

@cdelafuente-r7 cdelafuente-r7 merged commit 0d19e47 into rapid7:master Jun 30, 2022
@cdelafuente-r7

Release Notes

This adds an auxiliary module that can be used to add, look up and delete computer accounts from an Active Directory domain. The computer account can offer a sort of foothold into the domain for lateral movement or as a common attack primitive.
