adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/auxiliary/admin/dcerpc/samr_computer.md
T
Grant Willcox 6043d0ffba Update all links from Wiki site to new docs site.
2023-01-27 09:58:53 -06:00

101 lines
4.0 KiB
Markdown
Raw Blame History

## Vulnerable Application
Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new
computers to the domain. Administrative privileges however are required to delete the created accounts.
## Verification Steps
1. From msfconsole
2. Do: `use auxiliary/admin/dcerpc/samr_computer`
3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
1. Set the `COMPUTER_NAME` option for `DELETE_COMPUTER` and `LOOKUP_COMPUTER` actions
4. Run the module and see that a new machine account was added
## Options
### SMBDomain
The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
default value.
### COMPUTER_NAME
The computer name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
`LOOKUP_COMPUTER` and `DELETE_COMPUTER` actions.
### COMPUTER_PASSWORD
The password for the new computer. This option is only used for the `ADD_COMPUTER` action. If left blank, a random value
will be generated.
## Actions
### ADD_COMPUTER
Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
user has exceeded the maximum number of computer accounts that they are allowed to create.
After the computer account is created, the password will be set for it. If `COMPUTER_NAME` is set, that value will be
used and the module will fail if the selected name is already in use. If `COMPUTER_NAME` is *not* set, a random value
will be used.
### DELETE_COMPUTER
Delete a computer from the domain. This action requires that the `COMPUTER_NAME` option be set.
### LOOKUP_COMPUTER
Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID
(SID), which includes the relative ID (RID) as the last component.
## Scenarios
### Windows Server 2019
First, a new computer account is created and its details are logged to the database.
```
msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
RHOSTS => 192.168.159.96
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
SMBPass => Password1
msf6 auxiliary(admin/dcerpc/samr_computer) > show options
Module options (auxiliary/admin/dcerpc/samr_computer):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPUTER_NAME no The computer name
COMPUTER_PASSWORD no The password for the new computer
RHOSTS 192.168.159.96 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass Password1 no The password for the specified username
SMBUser aliddle no The username to authenticate as
Auxiliary action:
Name Description
---- -----------
ADD_COMPUTER Add a computer account
msf6 auxiliary(admin/dcerpc/samr_computer) > run
[*] Running module against 192.168.159.96
[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/samr_computer) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
192.168.159.96 192.168.159.96 445/tcp (smb) DESKTOP-2X8F54QG$ MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY MSFLAB Password
msf6 auxiliary(admin/dcerpc/samr_computer) >
```
Reference in New Issue View Git Blame Copy Permalink