Compromised AD Computer object

Ever asked yourself what a computer object in a normal Windows environment really can do?
Is it troublesome if somebody dumps its credentials and uses them for further attacks? (hint: yes)

This article explores ways a computer object can be used in an AD enumeration engagement.

TLDR; give me a table!

Working tools/protocols

Protocol/Tools     Works  Note
LDAP(s)            x      bind only with TGT
RPC                x
PowerShell (RSAT)  x
PowerView          x
CrackMapExec       x      ldap & smb tested

Working logon Types

Type                   Works
2: Interactive         -
3: Network             x
4: Batch               ~
5: Service             ~
7: Unlock              -
8: NetworkCleartext    x
9: NewCredentials      x
10: RemoteInteractive  -
11: CachedInteractive  -

(x = works, ~ = partially, see the logon sections below, - = does not work)

Getting everything ready

To simulate a compromised machine we'll create a new computer object in AD with a password we know.
This is a realistic starting point, since the AD defaults allow ordinary users to create computer objects.

Another way would be to dump the hash through mimikatz and use it for further attacks.

Creating a computer object with impacket

impacket-addcomputer -computer-name testcomputer01 -computer-password hunter2 -dc-ip 10.0.0.100 heimat.erde/administrator

Creating a computer as computer?

Active Directory allows ordinary users to join up to 10 machines to the domain, but does this also work for computer accounts?

impacket-addcomputer -computer-name testcomputer02 -computer-password hunter2 -dc-ip 10.0.0.100 heimat.erde/testcomputer01$
...
[*] Successfully added machine account testcomputer02$ with password hunter2.
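As an added defensive check (my own code, not part of the original post): AD stamps mS-DS-CreatorSID on computer objects that were created through the machine account quota rather than by a principal with explicit create rights, so auditing that attribute surfaces exactly the testcomputer01$ creating testcomputer02$ case shown above. The domain SID, RIDs, account names and LDAP result dicts below are constructed sample data; the binary SID layout is the one AD returns over LDAP.

```python
import struct

# Constructed sample data (not from the post): a domain SID and a few RIDs.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_TO_ACCOUNT = {
    DOMAIN_SID + "-500": "administrator",
    DOMAIN_SID + "-1105": "jdoe",
    DOMAIN_SID + "-1201": "testcomputer01$",
}

def sid_str_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout AD stores in LDAP."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def sid_bytes_to_str(raw: bytes) -> str:
    """Decode a binary SID (as returned for mS-DS-CreatorSID) into S-1-... form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-%d-%d%s" % (raw[0], authority, "".join("-%d" % s for s in subs))

# Constructed LDAP search results: only quota-created objects carry mS-DS-CreatorSID.
COMPUTERS = [
    {"sAMAccountName": "testcomputer01$"},                          # created by an admin
    {"sAMAccountName": "testcomputer02$",
     "mS-DS-CreatorSID": sid_str_to_bytes(DOMAIN_SID + "-1201")},  # created by a machine account
    {"sAMAccountName": "ws-hr-07$",
     "mS-DS-CreatorSID": sid_str_to_bytes(DOMAIN_SID + "-1105")},  # created by a normal user
]

def audit_quota_created_computers(computers, sid_to_account):
    """Flag computer objects created through ms-DS-MachineAccountQuota.
    A creator that is itself a machine account ('$' suffix) is the case the post
    demonstrates and is rated high; any other quota creation is rated medium."""
    findings = []
    for obj in computers:
        raw = obj.get("mS-DS-CreatorSID")
        if raw is None:
            continue  # created by a principal with create rights, nothing to report
        creator_sid = sid_bytes_to_str(raw)
        creator = sid_to_account.get(creator_sid, "<unresolved>")
        findings.append({"computer": obj["sAMAccountName"], "creator": creator,
                         "creator_sid": creator_sid,
                         "severity": "high" if creator.endswith("$") else "medium"})
    return findings

if __name__ == "__main__":
    for f in audit_quota_created_computers(COMPUTERS, SID_TO_ACCOUNT):
        print("%(severity)s: %(computer)s created by %(creator)s (%(creator_sid)s)" % f)
```

In a real environment the dicts come from an LDAP query for objectClass=computer returning sAMAccountName and mS-DS-CreatorSID, and the SID-to-account map from resolving objectSid on user and computer objects.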

LDAP Requests

Let's see if we can use the computer object for regular enumeration.

Attacker:

ldapsearch -LLL -x -H ldaps://heimat.erde -D "[email protected]" -w hunter2 -b '' "(objectClass=user)" sAMAccountName userPrincipalName memberOf

On the domain server:

0xC0000199 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

According to Microsoft this is returned when a computer account uses NTLM to authenticate (bind).

What if we get a TGT and try it over Kerberos?

$ impacket-getTGT -dc-ip 10.0.0.100 heimat.erde/testcomputer01
$ export KRB5CCNAME=./testcomputer01.ccache
$ ldapsearch -Y GSSAPI -H ldap://heimat.erde -D "testcomputer01" -b 'DC=heimat,DC=erde' 'objectclass=user' SAMAccountName userPrincipalName memberOf 

[screenshot: ldapsearch_kerb]

It works!

  • If you get an error like KRB_AP_ERR_SKEW (Clock skew too great) you need to synchronize your time with the KDC (ntpdate 10.0.0.100) or get the time through other means.
  • You'll probably have to install libsasl2-modules-gssapi-mit to use GSSAPI.
  • If you get an error like Cannot find KDC for realm "{domain}", make sure your system uses the AD DC for DNS.

RPC

RPC calls to the AD DCs work without any additional configuration.

[screenshot: RPC]

From here you can just use regular rpcclient commands to enumerate further.

Powerview

Works great, since it also uses logon type 3 and connects through LDAP without an explicit bind.

[screenshot: Powerview]

$creds is set via Get-Credential with the computer object's credentials.

Crackmapexec

CrackMapExec can be used with valid credentials for further enumeration and exploitation.

For really great documentation, visit the CME docs.

I didn't check MSSQL or WinRM since I don't have an MSSQL instance running,
and WinRM requires local admin (without JEA anyway).

LDAP

ASREPRoast
[screenshot: ASREPRoast]

Kerberoast
[screenshot: Kerberoast]

Unconstrained delegation
[screenshot: Unconstrained delegation]

So yeah, I'm gonna stop here since it's clear that it would work :)

SMB

noPac
Zerologon

My system is already patched against CVE-2020-1472 but it certainly looks like it would work.

Share enumeration
[screenshot: shares]

Domain user enumeration
[screenshot: DomainUsers]

Domain user groups
[screenshot: Domain groups]

Local groups
[screenshot: local_groups]

Execution does not work since this would require local admin permissions.

Logons

Type 2: Interactive

What if we try to log on to the machine directly, at the console?
[screenshot: interactive]

Unsurprisingly, this fails.

In the event log this looks like this:
[screenshot: interactive log]

Type 3: Network

Network logons occur through SMB connections or printer access (which usually also uses SMB).

[screenshot: smb]

Not too surprising that this works, since SYSVOL also needs to be accessible to computer objects for GPOs.

[screenshot: Network Auth]

Important to know: the group Authenticated Users includes ALL authenticated objects.
Yes, this includes computers as well.

Type 4: Batch

This type is typically used by scheduled tasks to run an action in a user-defined context.

There is no way to select a computer object as the task's account through the GUI.

[screenshot: no clicky]

What about creating it through PowerShell directly?

[screenshot: no lucky]

Maybe it is possible with a third-party scheduler, but not with the built-in one.

Type 5: Service

Creating a quick service:

New-Service -Name "All your base are belong to us" -BinaryPathName '"C:\Windows\System32\cmd.exe /C whoami"'

Service creation works.

[screenshot: works]

But starting the service fails.

[screenshot: fail log]

Type 7: Unlock

n/a

Type 8: NetworkCleartext

Pretty easy to accomplish. You can either use the basic auth prompt in your browser directly or use curl.

curl -u "testcomputer01$:hunter2" falke.heimat.erde/new/test.txt

[screenshot: basic_auth]

Type 9: NewCredentials

Type 9 occurs when somebody executes runas /netonly.
This flag tells Windows to start the application locally as the current account, but to use the specified account for all network connections.

[screenshot: logon 9 success]

Type 10: RemoteInteractive

RemoteInteractive returns an error that testcomputer01$ is not allowed for this logon type.

[screenshot: nla]

And through mstsc.exe:

[screenshot: mstsc]

Type 11: CachedInteractive

n/a
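An added detection example (my own code, not from the post) that turns the logon-type table at the top of the article and the NTLM bind failure from the LDAP section into a rule over Windows Security 4624/4625 events: machine accounts normally only produce network (type 3) logons, so a successful type 4/5/8/9 logon, an interactive-style attempt, or an NTLM attempt rejected with STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT is worth alerting on. The key=value export format and the events themselves are constructed sample data.

```python
import re
from typing import Dict, List

# From the post's logon-type table, seen from a machine account: type 3 is the
# expected traffic (GPO/SYSVOL); 4/5/8/9 are the types dumped machine credentials
# can actually be used with; 2/7/10/11 are refused by the DC for computer accounts.
ANOMALOUS_TYPES = {4, 5, 8, 9}
REFUSED_TYPES = {2, 7, 10, 11}

# Status the post observed when a computer account tried an NTLM LDAP bind.
STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT = "0xc0000199"

# Constructed sample export (not real telemetry): one 4624/4625 event per line.
# 0xC000015B in the last line is STATUS_LOGON_TYPE_NOT_GRANTED.
SAMPLE_EVENTS = """
EventID=4624 TargetUserName=WS01$ LogonType=3 IpAddress=10.0.0.21 Status=0x0
EventID=4624 TargetUserName=jdoe LogonType=2 IpAddress=- Status=0x0
EventID=4624 TargetUserName=testcomputer01$ LogonType=9 IpAddress=10.0.0.50 Status=0x0
EventID=4624 TargetUserName=testcomputer01$ LogonType=8 IpAddress=10.0.0.50 Status=0x0
EventID=4625 TargetUserName=testcomputer01$ LogonType=3 IpAddress=10.0.0.50 Status=0xC0000199
EventID=4625 TargetUserName=testcomputer01$ LogonType=10 IpAddress=10.0.0.50 Status=0xC000015B
""".strip().splitlines()

def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'key=value key=value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def detect_machine_account_misuse(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious machine-account ($) logon event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        user = ev.get("TargetUserName", "")
        if not user.endswith("$"):
            continue  # user accounts are out of scope for this rule
        ltype = int(ev.get("LogonType", "0"))
        eid, status = ev.get("EventID"), ev.get("Status", "").lower()
        reason = None
        if eid == "4624" and ltype in ANOMALOUS_TYPES:
            reason = "successful logon type %d (unexpected for a machine account)" % ltype
        elif eid == "4625" and status == STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT:
            reason = "NTLM authentication attempt (STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)"
        elif eid == "4625" and ltype in REFUSED_TYPES:
            reason = "interactive-style logon attempt, type %d" % ltype
        if reason:
            findings.append({"account": user, "source": ev.get("IpAddress", "-"), "reason": reason})
    return findings

if __name__ == "__main__":
    for f in detect_machine_account_misuse(SAMPLE_EVENTS):
        print("%(account)s from %(source)s: %(reason)s" % f)
```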