🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
πŸ”§ NetExec Wiki / Pre2k Computer Account Abuse

Pre2k Computer Account Abuse

Identifies pre-created computer accounts in Active Directory and attempts to obtain Kerberos TGTs using their default machine password.

Targets computer objects with:

  • objectClass=computer
  • userAccountControl=4128 (WORKSTATION_TRUST_ACCOUNT + PASSWD_NOTREQD)

The module:

  1. Enumerates possibly vulnerable computer accounts via LDAP
  2. Saves discovered accounts to file
  3. Attempts TGT request using password = first 14 chars of hostname (lowercase)
  4. Saves valid tickets as .ccache

Usage

nxc ldap <hostname> -u <user> -p <pass> -M pre2k

Output:

Discovered accounts:

~/.nxc/modules/pre2k/<domain>/precreated_computers.txt

Kerberos tickets:

~/.nxc/modules/pre2k/ccache/<machine>.ccache

Using the forged ticket

export KRB5CCNAME=<machine>.ccache
nxc ldap <dc> --use-kcache

References:

{% embed url="https://trustedsec.com/blog/diving-into-pre-created-computer-accounts" %}