Pre2K (short for "Pre-Windows 2000") Active Directory misconfigurations often stem from overlooked legacy settings in Windows environments. Common issues include enabling NTLM or SMBv1 for backward compatibility, leaving Pre-Windows 2000 accounts active, and neglecting proper account cleanup.
In this article, we shall exploit one such default misconfiguration that sets a computer account's password to the same value as its hostname in lower-case, thereby allowing an attacker to compromise the domain controller.
Table of Contents
· Prevalence of Pre2K AD Misconfigurations
· Prerequisites
· Lab Setup
· Enumeration
· Method #1: Using the tool pre2k
· Method #2: Using the tool nxc
· Exploitation
· Mitigation
Prevalence of Pre2K AD Misconfigurations
While many organizations have moved to newer technologies, Pre2K (short for "Pre-Windows 2000") misconfigurations still persist in a significant number of environments, especially where legacy applications or systems require continued support. A few prominent surveys across the industry confirm:
· 40-60% of organizations are still using legacy systems that require Pre2K compatibility.
· Around 30-40% of Active Directory environments have lingering unused Pre2K accounts that remain improperly configured.
· 57% of businesses rely on outdated or unsupported operating systems with legacy configurations, which often involve Pre2K AD misconfigurations.
· Approximately 30% of data breaches stem from mismanaged Active Directory settings, including legacy configurations like Pre2K.
Key Notes:
· UAC 4128 indicates legacy settings where accounts may be enabled for authentication without the usual security checks (e.g., a password is not required).
· A LogonCount of 0 suggests that the account is not used for typical logons but could still be exploited for other purposes.
· Post-password change authentication: when a user changes their password, the system normally requires the new password for authentication.
Prerequisites:
· Windows Server 2019 as Active Directory Domain Controller
· Tools: pre2k, nxc, impacket, evil-winrm
· Kali Linux
Lab Setup:
In this lab setup, we will create a computer account and provide backward compatibility to interact with legacy systems or services that pre-date Windows 2000.
Create the AD Environment:
To simulate an Active Directory environment, you will need a Windows Server 2019 as a Domain Controller (DC) and a client/attacker machine (Kali Linux) where you can run enumeration and exploitation tools.
Domain Controller:
· Install Windows Server (2016 or 2019 recommended).
· Promote it to a Domain Controller by adding the “Active Directory Domain Services” role.
· Set up the domain (e.g., “ignite.local”).
· Create a domain user with username “raj” and password “Password@1”.
Create a Computer (Account) and assign Pre2K Compatibility:
Once the AD environment is set up, open “Active Directory Users and Computers (ADUC)” on the Domain Controller. Then, right-click on “Computers” and add a New Computer.
Provide the computer name as “demo” and “DEMO” for “pre-Windows 2000 Computer Name”, and make sure to select the checkbox that enables this computer account to act as a pre-Windows 2000 computer.
Click on the “OK” button and confirm that a computer with the name “demo” is created within the “ignite.local” domain.
Note: ensure that the SMB and WinRM services are enabled on the Domain Controller.
Enumeration:
Method #1: Using the tool pre2k
Use the commands below to download and install the pre2k tool on Kali Linux.
git clone https://github.com/garrettfoster13/pre2k.git
cd pre2k
ls
pipx install .
Now, let’s enumerate valid computer accounts that act as pre-Windows 2000 computers by performing a password spraying attack using the pre2k tool in authenticated mode.
pre2k auth -u raj -p Password@1 -dc-ip 192.168.1.48 -d ignite.local
Based on the output from the pre2k tool, we can confirm that the “DEMO” computer account is enabled with the default password.
Method #2: Using the tool nxc
Run the NetExec (nxc) command below from Kali Linux on the same network to enumerate computer accounts that are either created or configured to support pre-Windows 2000 systems or services.
nxc ldap 192.168.1.48 -u raj -p Password@1 -M pre2k
The “nxc” tool has successfully enumerated the “DEMO” computer account that supports pre-Windows 2000 computers.
Exploitation:
We have successfully enumerated a pre-Windows 2000 computer account “DEMO”, and we already know that such accounts’ password may be the same as the computer name with all characters in lower-case.
Let’s confirm whether the default password “demo” for the computer account “DEMO” is still valid by running the command below.
nxc smb ignite.local -u DEMO$ -p demo
The error “STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT” indicates that a computer is unable to log on to the domain because it does not have the necessary trust relationship set up with the Active Directory domain. This usually happens when the computer account is misconfigured or inactive, or when the password is out of sync between the computer and the domain controller.
Therefore, we can change the password and reattempt to connect with the new password.
We shall change the “DEMO” computer account’s password to “Password@987” using the “impacket” tool and the command below.
impacket-changepasswd ignite.local/DEMO\$@192.168.1.48 -newpass 'Password@987' -p rpc-samr
Now that the password has been successfully changed, let’s try to connect to the domain controller using the “evil-winrm” tool and the command below to obtain remote access.
evil-winrm -i 192.168.1.48 -u DEMO$ -p Password@987
whoami
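From the defender's side, the sequence above leaves a recognisable trail on the domain controller: a computer account (name ending in “$”) fails a network logon with NT status 0xC0000199 (STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, returned when the password is accepted but that logon type is not permitted for a trust account), has its password changed shortly afterwards (event 4723 or 4724), and is then used to log on from the same source. The script below is an added example and not part of the original article or of any tool it uses; it correlates those three steps over constructed, simplified key=value log lines, and it assumes the field names (EventID, TargetUserName, Status, IpAddress) match what your DC's exported security events carry.

```python
"""Correlate trust-account logon failure -> password change -> logon for
computer accounts. Added example; the log lines below are constructed."""
import re
from datetime import datetime, timedelta

NOLOGON_WORKSTATION_TRUST = "0xC0000199"     # STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
PASSWORD_CHANGE_EVENTS = {"4723", "4724"}    # change / reset of an account password
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample (not real telemetry): a normal machine logon, the suspicious
# sequence against DEMO$, and an unrelated bad-password failure for a user.
SAMPLE_LOG = """\
2025-01-10T09:58:02Z EventID=4624 TargetUserName=WS01$ LogonType=3 IpAddress=192.168.1.20
2025-01-10T10:01:30Z EventID=4625 TargetUserName=DEMO$ LogonType=3 Status=0xC0000199 IpAddress=192.168.1.10
2025-01-10T10:02:11Z EventID=4723 SubjectUserName=DEMO$ TargetUserName=DEMO$ IpAddress=192.168.1.10
2025-01-10T10:02:40Z EventID=4624 TargetUserName=DEMO$ LogonType=3 IpAddress=192.168.1.10
2025-01-10T10:05:00Z EventID=4625 TargetUserName=raj LogonType=3 Status=0xC000006A IpAddress=192.168.1.30
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.+)$")


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text: str) -> list:
    """Return one alert per computer account that followed the
    restriction-failure -> password-change (-> logon) pattern."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    restriction_hits = {}   # account -> latest 0xC0000199 failure
    open_alerts = {}        # account -> alert still waiting for a follow-up logon
    alerts = []
    for ev in events:
        acct = ev.get("TargetUserName", "")
        if not acct.endswith("$"):
            continue        # only computer accounts are in scope
        eid = ev.get("EventID")
        if eid == "4625" and ev.get("Status") == NOLOGON_WORKSTATION_TRUST:
            # Password accepted, logon type refused: someone holds this
            # computer account's password and is using it interactively.
            restriction_hits[acct] = ev
        elif eid in PASSWORD_CHANGE_EVENTS and acct in restriction_hits:
            prior = restriction_hits.pop(acct)
            if ev["ts"] - prior["ts"] <= CORRELATION_WINDOW:
                alert = {
                    "account": acct,
                    "source": ev.get("IpAddress"),
                    "first_seen": prior["ts"],
                    "password_changed_at": ev["ts"],
                    "logon_after_change": False,
                }
                alerts.append(alert)
                open_alerts[acct] = alert
        elif eid == "4624" and acct in open_alerts:
            open_alerts.pop(acct)["logon_after_change"] = True
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[ALERT] {a['account']} from {a['source']}: trust-account logon failure at "
              f"{a['first_seen']:%H:%M:%S}, password changed at "
              f"{a['password_changed_at']:%H:%M:%S}, logged on afterwards: {a['logon_after_change']}")
```

A 0xC0000199 failure on its own is already worth a look, since legitimate machines never present their computer account password with a logon type that triggers it; the password change within the window is what turns it into a high-confidence alert.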
Mitigation:
· Disable outdated protocols (e.g., SMBv1, NTLM) and enforce Kerberos where possible.
· Ensure all systems are patched and updated to remediate all known vulnerabilities and to remove reliance on older authentication protocols.
· Regularly audit Active Directory for obsolete accounts and outdated settings to minimize the attack surface.
· Migrate legacy applications to newer and secure platforms.
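The two indicators from the Key Notes (UAC 4128 and LogonCount 0) are exactly what the audit in the third mitigation point should look for. UAC 4128 decomposes into WORKSTATION_TRUST_ACCOUNT (4096, a computer account) plus PASSWD_NOTREQD (32). The script below is an added example, not part of the original article or of the pre2k/nxc tools: it classifies computer account records of the shape an LDAP search returns, using constructed sample records rather than data from a real domain, and carries the LDAP filter that fetches the same population from a DC.

```python
"""Audit computer accounts for the Pre2K pattern (PASSWD_NOTREQD set, never
logged on) and for stale objects. Added example; the records are constructed."""
from typing import Optional

# userAccountControl bit flags (Microsoft-documented values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000
DONT_EXPIRE_PASSWORD = 0x10000

UAC_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}
PRE2K_UAC = WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD   # == 4128

# LDAP filter that fetches the same population from a DC. The OID
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule: enabled computer
# objects whose userAccountControl has PASSWD_NOTREQD (32) set.
LDAP_FILTER = ("(&(objectCategory=computer)"
               "(userAccountControl:1.2.840.113556.1.4.803:=32)"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

# Constructed sample records (not from a real domain).
SAMPLE_RECORDS = [
    {"sAMAccountName": "DEMO$", "userAccountControl": 4128, "logonCount": 0},
    {"sAMAccountName": "WS01$", "userAccountControl": 4096, "logonCount": 57},
    {"sAMAccountName": "OLD-PRINT$", "userAccountControl": 4128, "logonCount": 12},
    {"sAMAccountName": "GHOST$", "userAccountControl": 4096, "logonCount": 0},
    {"sAMAccountName": "RETIRED$", "userAccountControl": 4130, "logonCount": 0},
    {"sAMAccountName": "raj", "userAccountControl": 512, "logonCount": 3},
]


def decode_uac(uac: int) -> list:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if uac & bit]


def classify(record: dict) -> Optional[str]:
    """Return a finding label for a computer account, or None if nothing to report."""
    uac = int(record["userAccountControl"])
    if not uac & WORKSTATION_TRUST_ACCOUNT or uac & ACCOUNTDISABLE:
        return None                    # user objects and disabled computers are out of scope
    never_logged_on = int(record.get("logonCount", 0)) == 0
    if uac & PASSWD_NOTREQD and never_logged_on:
        return "pre2k-candidate"       # UAC 4128 + LogonCount 0: probably still on the default password
    if uac & PASSWD_NOTREQD:
        return "passwd-notreqd"        # has been used, but the legacy flag is still set
    if never_logged_on:
        return "never-logged-on"       # stale object; review and remove
    return None


def audit(records: list) -> dict:
    """Map each flagged sAMAccountName to its finding."""
    findings = {}
    for rec in records:
        label = classify(rec)
        if label:
            findings[rec["sAMAccountName"]] = label
    return findings


if __name__ == "__main__":
    for name, label in audit(SAMPLE_RECORDS).items():
        uac = next(r["userAccountControl"] for r in SAMPLE_RECORDS
                   if r["sAMAccountName"] == name)
        print(f"{name:12} {label:18} UAC={uac} [{', '.join(decode_uac(uac))}]")
```

For every "pre2k-candidate" the remediation is either to delete the object if nothing joins with it, or to reset its password (a real domain join rotates the machine password, so a legitimately used computer never keeps the default) and clear PASSWD_NOTREQD; "never-logged-on" objects are the stale accounts the mitigation list asks you to clean up.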