Add module for adding/deleting computers via MS-SAMR #16677
Thanks @zeroSteiner for this module! I did a first round of tests against a Windows Server 2019 DC and it works great. I will continue testing against other targets/protocol versions. In the meantime, I left a few comments for you to review when you get a chance.
```ruby
require 'rex/text'

def random_hostname(prefix: 'DESKTOP')
  "#{prefix}-#{Rex::Text.rand_base(8, '', ('A'..'Z').to_a + ('0'..'9').to_a)}$"
end
```
Suggested change:

```diff
-  "#{prefix}-#{Rex::Text.rand_base(8, '', ('A'..'Z').to_a + ('0'..'9').to_a)}$"
+  "#{prefix}-#{Rex::Text.rand_text_alphanumeric(8).upcase}$"
```
```ruby
member: RubySMB::Dcerpc::Samr::SamprUserInternal4InformationNew.new(
  i1: {
    password_expired: 1,
    which_fields: RubySMB::Dcerpc::Samr::USER_ALL_NTPASSWORDPRESENT | RubySMB::Dcerpc::Samr::USER_ALL_PASSWORDEXPIRED
  }
)
```
If I understand it correctly, the i1's NtPasswordPresent field will be processed by the server, and since it is set to zero by default, the NtOwfPassword field will be ignored (here). Any specific reason for this? Not a blocker, but I'm just trying to understand the process.
Simplify the application_key usage, update docs and catch another exception.
Thanks for these updates! Everything looks good to me now. I tested against Windows Server 2019 and verified every ACTION works as expected. I'll go ahead and land it.

Example output against Windows Server 2019
Release Notes

This adds an auxiliary module that can be used to add, lookup and delete computer accounts from an active directory domain. The computer account can offer a sort of foothold into the domain for lateral movements or as a common attack primitive.

This adds a new auxiliary/admin module that can be used to add, lookup and delete computer accounts from an active directory domain. By default standard AD users can add up to 10 computers to the domain. When a user has access to do this (such as via plaintext credentials at the moment), the computer account can offer a sort of foothold into the domain. It's also becoming a common attack primitive in certain scenarios.

Because there's typically a limited number of computers a user can add, the module's ADD_COMPUTER action will fail with STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED if used repeatedly. Also, while a standard user can create a computer account, additional privileges are required to delete it.

This requires the changes from rapid7/ruby_smb#231
Verification

List the steps needed to make sure this thing works

- Start msfconsole
- use auxiliary/admin/dcerpc/samr_computer
- Set the RHOSTS, SMBUser and SMBPass options (SMBDomain is only required if the target has more than one domain on it)
- Run the ADD_COMPUTER action (creds)
- Set COMPUTER_NAME to the name of the new computer account
- Run the LOOKUP_COMPUTER action, see that the computer exists, and the SID is resolved
- Run the DELETE_COMPUTER action, see that the computer is deleted (this action requires more privileges, use a DA or other elevated account)
- Run the LOOKUP_COMPUTER action, see that the computer does not exist any more

The ADD_COMPUTER action makes a DCERPC request to set the password that uses application-layer encryption using either the session key or the application key from the underlying SMB transport. I tested this action using SMB 2, and SMB 3 both with and without transport-level encryption. The application key is only set for SMBv3 dialects. The module will use the application key when it's generated; otherwise it'll use the session key. The SMB version and encryption settings can be configured through the SMB::ProtocolVersion and SMB::AlwaysEncrypt advanced datastore options.

Demo
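The password-setting step of ADD_COMPUTER described above carries the new password in a SAMPR_ENCRYPTED_USER_PASSWORD_NEW structure, and the PR text only says it is encrypted with the SMB session key or application key. As an added illustration (not the module's or RubySMB's code), this standalone Ruby encodes and decodes that structure the way MS-SAMR 2.2.6.22 specifies it (RC4 under MD5(ClearSalt || key)) and shows the key selection the PR describes; the key values, salt and password used to exercise it are constructed.

```ruby
require 'digest/md5'

# RC4 written out here so the example does not depend on OpenSSL's legacy provider.
def rc4(key, data)
  s = (0..255).to_a
  k = key.bytes
  j = 0
  256.times do |i|
    j = (j + s[i] + k[i % k.length]) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  data.bytes.map do |byte|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    byte ^ s[(s[i] + s[j]) & 0xff]
  end.pack('C*')
end

# Key selection as the PR describes it: the SMB application key exists only for
# SMB 3.x dialects; when it is absent, the SMB session key is used instead.
def samr_password_key(session_key:, application_key: nil)
  application_key || session_key
end

# SAMPR_ENCRYPTED_USER_PASSWORD_NEW (MS-SAMR 2.2.6.22): the cleartext is a 512-byte
# buffer holding the UTF-16LE password right-aligned, followed by its byte length
# (4 bytes LE). Those 516 bytes are RC4-encrypted under MD5(ClearSalt || key) and
# the 16-byte ClearSalt is appended in the clear, giving a fixed 532-byte blob.
def encrypt_samr_password_new(password, key, salt)
  raise ArgumentError, 'ClearSalt must be 16 bytes' unless salt.bytesize == 16
  pwd = password.encode('UTF-16LE').b
  raise ArgumentError, 'password exceeds 256 UTF-16 code units' if pwd.bytesize > 512
  plain = ("\x00" * (512 - pwd.bytesize)).b + pwd + [pwd.bytesize].pack('V')
  rc4(Digest::MD5.digest(salt + key), plain) + salt
end

# The inverse transform the server applies; useful for checking the encoding in
# tests or for decoding a capture whose SMB session/application key is known.
def decrypt_samr_password_new(blob, key)
  raise ArgumentError, 'blob must be 532 bytes' unless blob.bytesize == 532
  salt = blob[516, 16]
  plain = rc4(Digest::MD5.digest(salt + key), blob[0, 516])
  length = plain[512, 4].unpack1('V')
  raise ArgumentError, 'bad length: wrong key?' if length > 512 || length.odd?
  plain[512 - length, length].force_encoding('UTF-16LE').encode('UTF-8')
end
```

Without the session or application key, a captured blob is not decodable, which is why the password does not appear in a plaintext SMB 2 capture even though the transport itself is unencrypted.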