Pre2k Computer Account Abuse

Identifies pre-created computer accounts in Active Directory and attempts to obtain Kerberos TGTs using their default machine password.

Targets computer objects with:

• objectClass=computer

• userAccountControl=4128 (WORKSTATION_TRUST_ACCOUNT + PASSWD_NOTREQD)

The module:

1. Enumerates possibly vulnerable computer accounts via LDAP

2. Saves discovered accounts to file

3. Attempts TGT request using password = first 14 chars of hostname (lowercase)

4. Saves valid tickets as .ccache

Usage

nxc ldap <hostname> -u <user> -p <pass> -M pre2k

Output:

Discovered accounts:

~/.nxc/modules/pre2k/<domain>/precreated_computers.txt

Kerberos tickets:

~/.nxc/modules/pre2k/ccache/<machine>.ccache

Using the forged ticket

References:

Diving into Pre-Created Computer AccountsTrustedSec