4.0 KiB
Vulnerable Application
Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new computers to the domain. Administrative privileges however are required to delete the created accounts.
Verification Steps
- From msfconsole
- Do:
use auxiliary/admin/dcerpc/samr_computer - Set the
RHOSTS,SMBUserandSMBPassoptions- Set the
COMPUTER_NAMEoption forDELETE_COMPUTERandLOOKUP_COMPUTERactions
- Set the
- Run the module and see that a new machine account was added
Options
SMBDomain
The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its default value.
COMPUTER_NAME
The computer name to add, lookup or delete. This option is optional for the ADD_COMPUTER action, and required for the
LOOKUP_COMPUTER and DELETE_COMPUTER actions.
COMPUTER_PASSWORD
The password for the new computer. This option is only used for the ADD_COMPUTER action. If left blank, a random value
will be generated.
Actions
ADD_COMPUTER
Add a new computer to the domain. This action will fail with status STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED if the
user has exceeded the maximum number of computer accounts that they are allowed to create.
After the computer account is created, the password will be set for it. If COMPUTER_NAME is set, that value will be
used and the module will fail if the selected name is already in use. If COMPUTER_NAME is not set, a random value
will be used.
DELETE_COMPUTER
Delete a computer from the domain. This action requires that the COMPUTER_NAME option be set.
LOOKUP_COMPUTER
Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID (SID), which includes the relative ID (RID) as the last component.
Scenarios
Windows Server 2019
First, a new computer account is created and its details are logged to the database.
msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
RHOSTS => 192.168.159.96
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
SMBPass => Password1
msf6 auxiliary(admin/dcerpc/samr_computer) > show options
Module options (auxiliary/admin/dcerpc/samr_computer):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPUTER_NAME no The computer name
COMPUTER_PASSWORD no The password for the new computer
RHOSTS 192.168.159.96 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass Password1 no The password for the specified username
SMBUser aliddle no The username to authenticate as
Auxiliary action:
Name Description
---- -----------
ADD_COMPUTER Add a computer account
msf6 auxiliary(admin/dcerpc/samr_computer) > run
[*] Running module against 192.168.159.96
[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/samr_computer) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
192.168.159.96 192.168.159.96 445/tcp (smb) DESKTOP-2X8F54QG$ MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY MSFLAB Password
msf6 auxiliary(admin/dcerpc/samr_computer) >