
Added LDAP query searching for likely Pre-Windows-2000 computers #19678

Merged (1 commit), Nov 25, 2024

Conversation


@smashery smashery commented Nov 25, 2024

This PR implements a search for computer accounts created with the "Assign this computer account as a pre-Windows 2000 computer" checkbox marked. These accounts are initially created with their own computer name (sans dollar-sign, all lowercase) as the password. We also return the logon count attribute; if it's zero, it's highly likely that the password hasn't been changed.

Verification

  • In an AD domain, create a new computer, ticking the "Pre-Windows 2000" checkbox
  • Start msfconsole
  • use ldap_query
  • set action ENUM_PRE_WINDOWS_2000_COMPUTERS
  • run
  • Verify that this account is returned, with the logonCount attribute included.

Demo

msf6 auxiliary(gather/ldap_query) > set action ENUM_PRE_WINDOWS_2000_COMPUTERS
action => ENUM_PRE_WINDOWS_2000_COMPUTERS
msf6 auxiliary(gather/ldap_query) > run rhost=4.237.57.48 username=admin password=Password123 domain=msf.local
[*] Running module against 4.237.57.48

[*] 4.237.57.48:389 Discovered base DN: DC=msf,DC=local
CN=pre2k,CN=Computers,DC=msf,DC=local
=====================================

 Name                Attributes
 ----                ----------
 cn                  pre2k
 logoncount          1
 samaccountname      PRE2K$
 useraccountcontrol  4128

[*] Query returned 1 result.
[*] Auxiliary module execution completed
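As an added illustration (not code from this PR or from the Metasploit module), the following Ruby script shows the triage logic the PR description implies: decode the `userAccountControl` value shown in the module output (4128 = PASSWD_NOTREQD 0x20 | WORKSTATION_TRUST_ACCOUNT 0x1000, per the Microsoft reference linked in the query file), keep computer objects that carry both bits, and report `logonCount` so an administrator can prioritise which accounts to reset. The entries are constructed sample data under a hypothetical `corp.example` domain, not real directory output.

```ruby
# Added example, not part of the Metasploit PR or module.
# Triage LDAP computer entries for the "pre-Windows 2000 computer" pattern
# the PR describes. Entries below are constructed sample data; attribute
# names mirror those shown in the PR's ldap_query output.

# userAccountControl bit values from the Microsoft reference linked in the
# query file (useraccountcontrol-manipulate-account-properties).
UAC_PASSWD_NOTREQD            = 0x0020  # 32
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096

# Decode a userAccountControl integer into the names of the bits of interest.
def uac_flags(uac)
  flags = []
  flags << :passwd_notreqd if (uac & UAC_PASSWD_NOTREQD) != 0
  flags << :workstation_trust_account if (uac & UAC_WORKSTATION_TRUST_ACCOUNT) != 0
  flags
end

# An entry is "likely pre-Windows 2000" when it is a workstation trust account
# with PASSWD_NOTREQD set (the 4128 value the PR output shows). logonCount == 0
# is reported separately as the stronger indicator that the initial password
# was never used, mirroring the PR description.
def triage_pre2k(entries)
  entries.filter_map do |e|
    uac = e[:useraccountcontrol].to_i
    flags = uac_flags(uac)
    next unless flags.include?(:workstation_trust_account) && flags.include?(:passwd_notreqd)

    logons = e[:logoncount].to_i
    {
      dn: e[:dn],
      samaccountname: e[:samaccountname],
      logoncount: logons,
      never_logged_on: logons.zero?
    }
  end
end

# Constructed sample entries (hypothetical domain corp.example).
SAMPLE_ENTRIES = [
  { dn: 'CN=PRE2K,CN=Computers,DC=corp,DC=example',  samaccountname: 'PRE2K$',  logoncount: 0,  useraccountcontrol: 4128 },
  { dn: 'CN=WS01,CN=Computers,DC=corp,DC=example',   samaccountname: 'WS01$',   logoncount: 57, useraccountcontrol: 4096 },
  { dn: 'CN=OLDBOX,CN=Computers,DC=corp,DC=example', samaccountname: 'OLDBOX$', logoncount: 3,  useraccountcontrol: 4128 }
].freeze

if __FILE__ == $PROGRAM_NAME
  triage_pre2k(SAMPLE_ENTRIES).each do |r|
    advice = r[:never_logged_on] ? 'never logged on: reset the account password' : 'has logged on: confirm the password was changed'
    puts "#{r[:dn]} logonCount=#{r[:logoncount]} (#{advice})"
  end
end
```

Run against the sample data, WS01 is skipped because PASSWD_NOTREQD is not set, PRE2K is flagged with a zero logon count, and OLDBOX is flagged but has logged on, so only its password history needs checking rather than an immediate reset.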

@@ -373,3 +373,17 @@ queries:
- https://malicious.link/post/2022/ldapsearch-reference/
- https://burmat.gitbook.io/security/hacking/domain-exploitation
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
- action: ENUM_PRE_WINDOWS_2000_COMPUTERS
description: 'Dump info about all computer objects likely created as a "pre-Windows 2000 computer", for which the password might be predictable.'
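Review bot: the hunk header claims 14 added lines at this point in the queries file, but only the new `action` and `description` keys are visible here; the LDAP filter and attribute list are not shown, so a reviewer cannot confirm from this view that `logonCount` is among the returned attributes as the PR description states. The description string could also say why the password might be predictable (the PR text explains the initial password is derived from the computer name) and mention that `logonCount` is returned, so a user reading the action list knows which field indicates the password was never used.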

Do you think in this scenario the identified computer objects should be registered as a vulnerability in the database? 🤔


Probably not. At this point we don't know for sure that the password is weak, and if it is, that should be reported by the module that successfully authenticates with it. Saying that the password was recovered through some means is a more meaningful representation of the vulnerability, whereas looking for pre-Windows 2000 computers is more akin to target generation.

@smcintyre-r7 smcintyre-r7 self-assigned this Nov 25, 2024
@smcintyre-r7 smcintyre-r7 left a comment


metasploit-framework (S:0 J:0) auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
CN=IMINDANGER,CN=Computers,DC=msflab,DC=local
=============================================

 Name                Attributes
 ----                ----------
 cn                  IMINDANGER
 logoncount          0
 samaccountname      IMINDANGER$
 useraccountcontrol  4128

[*] Query returned 1 result.
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:0) auxiliary(gather/ldap_query) >

@smcintyre-r7 smcintyre-r7 merged commit 530dbd6 into rapid7:master Nov 25, 2024
39 checks passed

smcintyre-r7 commented Nov 25, 2024

Release Notes

This adds a new LDAP query to enumerate computer accounts that were created with the "pre-Windows 2000 computer" option. These accounts may have weak passwords that can be brute-forced.

@cgranleese-r7 cgranleese-r7 added the rn-enhancement release notes enhancement label Nov 29, 2024