
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/auxiliary/admin/dcerpc/samr_computer.md

Vulnerable Application

Add, look up and delete computer accounts via MS-SAMR. By default, standard Active Directory users can add up to 10 new computers to the domain. Administrative privileges, however, are required to delete the created accounts.

Verification Steps

  1. From msfconsole

  2. Do: use auxiliary/admin/dcerpc/samr_computer

  3. Set the RHOSTS, SMBUser and SMBPass options

    1. Set the COMPUTER_NAME option for DELETE_COMPUTER and LOOKUP_COMPUTER actions

  4. Run the module and see that a new machine account was added

Options

SMBDomain

The Windows domain to use for authentication. The domain will automatically be identified if this option is left at its default value.

COMPUTER_NAME

The computer name to add, look up or delete. This option is optional for the ADD_COMPUTER action, and required for the LOOKUP_COMPUTER and DELETE_COMPUTER actions.

COMPUTER_PASSWORD

The password for the new computer. This option is only used for the ADD_COMPUTER action. If left blank, a random value will be generated.

Actions

ADD_COMPUTER

Add a new computer to the domain. This action will fail with status STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED if the user has exceeded the maximum number of computer accounts that they are allowed to create.

After the computer account is created, the password will be set for it. If COMPUTER_NAME is set, that value will be used and the module will fail if the selected name is already in use. If COMPUTER_NAME is not set, a random value will be used.

DELETE_COMPUTER

Delete a computer from the domain. This action requires that the COMPUTER_NAME option be set.

LOOKUP_COMPUTER

Look up a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID (SID), which includes the relative ID (RID) as the last component.

Scenarios

Windows Server 2019

First, a new computer account is created and its details are logged to the database.

```
msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
RHOSTS => 192.168.159.96
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
SMBPass => Password1
msf6 auxiliary(admin/dcerpc/samr_computer) > show options

Module options (auxiliary/admin/dcerpc/samr_computer):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   COMPUTER_NAME                       no        The computer name
   COMPUTER_PASSWORD                   no        The password for the new computer
   RHOSTS             192.168.159.96   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              445              yes       The target port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass            Password1        no        The password for the specified username
   SMBUser            aliddle          no        The username to authenticate as


Auxiliary action:

   Name          Description
   ----          -----------
   ADD_COMPUTER  Add a computer account


msf6 auxiliary(admin/dcerpc/samr_computer) > run
[*] Running module against 192.168.159.96

[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/samr_computer) > creds
Credentials
===========

host            origin          service        public             private                           realm   private_type  JtR Format
----            ------          -------        ------             -------                           -----   ------------  ----------
192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password

msf6 auxiliary(admin/dcerpc/samr_computer) >
```
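
On the defensive side, a computer account created as in the scenario above is recorded on the domain controller as Security event 4741 (a computer account was created). The following is an added example, not part of the Metasploit module or its documentation: it reviews already-parsed 4741 events, groups them by the creating user, and reports how much of the default quota of 10 each user has left. The `svc-join` allowlist entry, the sample events, the `.example` DNS names and the empty-attribute heuristic are assumptions made for illustration.

```python
from collections import defaultdict

DEFAULT_QUOTA = 10                    # default per-user limit stated in this document
PROVISIONING_ACCOUNTS = {"svc-join"}  # assumption: your legitimate join account(s)

# Constructed sample: EventData of Security events, already parsed into dicts.
# Account names reuse the scenario above; the DNS names are invented.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "aliddle", "TargetUserName": "DESKTOP-2X8F54QG$",
     "DnsHostName": "-", "ServicePrincipalNames": "-"},
    {"EventID": 4741, "SubjectUserName": "aliddle", "TargetUserName": "LAB-PC7$",
     "DnsHostName": "lab-pc7.msflab.example", "ServicePrincipalNames": "HOST/lab-pc7.msflab.example"},
    {"EventID": 4741, "SubjectUserName": "svc-join", "TargetUserName": "WS-0142$",
     "DnsHostName": "ws-0142.msflab.example", "ServicePrincipalNames": "HOST/ws-0142.msflab.example"},
    {"EventID": 4624, "SubjectUserName": "aliddle"},  # unrelated event, ignored
]


def review_computer_creations(events, allowlist=PROVISIONING_ACCOUNTS, quota=DEFAULT_QUOTA):
    """Return one finding per non-allowlisted user that created computer accounts."""
    created = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4741:  # 4741 = a computer account was created
            continue
        creator = ev.get("SubjectUserName", "").lower()
        if creator in allowlist:
            continue  # expected provisioning activity
        created[creator].append(ev)

    findings = []
    for creator, evs in sorted(created.items()):
        # Heuristic (assumption): a regular domain join fills in the DNS host name
        # and SPNs, so an account with neither deserves a closer look.
        bare = [e["TargetUserName"] for e in evs
                if e.get("DnsHostName", "-") == "-"
                and e.get("ServicePrincipalNames", "-") == "-"]
        findings.append({
            "creator": creator,
            "accounts": [e["TargetUserName"] for e in evs],
            "bare_accounts": bare,
            "quota_remaining": max(quota - len(evs), 0),
        })
    return findings


if __name__ == "__main__":
    for finding in review_computer_creations(SAMPLE_EVENTS):
        print(finding)
```
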