Could not find computer account SID: #3
Comments
Are you sure you used the FQDN for -Domain? I get this error if the Domain is not correct (i.e. using windomain when it should be windomain.local)
I had this issue, started working after a reboot.
Same issue here. Let's say I have a host=laptop123 on AD domain=mycompany.com; I tried the following and neither works:
In the first command your domain was incorrect, so it couldn't find the SID of the new computer in that domain (because it doesn't exist), so this is why it failed.
In the next version (should be out this week) the tool will look up the domain by itself, so this kind of confusion would be less likely to happen again.
Tried two revisions, getting the same error:
I pulled out the latest, re-ran the executable and noticed the following option disappearing
[-] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED means that the password specified for the laptop123$ machine account is incorrect. The -cn and -cp flags are for the separate machine account you own, or the one you added if you specified -c to create a new one (not the one you are executing KrbRelayUp from). Run those 2 commands and it should work:
When running the following command to createnewcomputeraccount (-c)
Insufficient privileges to add a computer account is usually due to either a restriction in the domain where regular users are not allowed to add a new machine account (this is actually one of the mitigation suggestions for this attack) or because your user has reached the maximum quota for new computer accounts it may add, which is 10 by default (this is my guess for your specific issue).
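A read-only audit of the quota mentioned in the comment above, added here as an example; it is not part of the thread or of KrbRelayUp. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host, and the variable names are illustrative.

```powershell
# Added example: report ms-DS-MachineAccountQuota and who has used it.
# Assumes the RSAT ActiveDirectory module; makes no changes to the directory.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
             -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

"Domain (FQDN):             {0}" -f $domain.DNSRoot
"ms-DS-MachineAccountQuota: {0}" -f $quota
if ($quota -gt 0) {
    "Regular users may each add up to $quota machine accounts."
    # Mitigation named in the thread (run by a domain admin, after review):
    #   Set-ADDomain -Identity $domain -Replace @{'ms-DS-MachineAccountQuota' = 0}
}

# Computer objects created through the quota carry ms-DS-CreatorSID.
$created = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
             -Properties 'ms-DS-CreatorSID', whenCreated

foreach ($group in ($created | Group-Object { [string]$_.'ms-DS-CreatorSID' })) {
    $who = $group.Name
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]$group.Name
        $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }   # deleted or foreign account: keep the raw SID

    $newest = $group.Group | Sort-Object whenCreated | Select-Object -Last 1
    [pscustomobject]@{
        Creator       = $who
        Created       = $group.Count
        Remaining     = [math]::Max(0, $quota - $group.Count)
        NewestAccount = $newest.Name
        NewestCreated = $newest.whenCreated
    }
}
```

A creator with `Remaining` at 0 matches the "Insufficient privileges" case described in the comment, and recently created entries from unexpected users are worth reviewing.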
I verified:
Could you check the previous commands using a new low-priv user? (which probably still hasn't reached its ms-DS-MachineAccountQuota limit)
Hey,
I just tried the POC for a customer. Unfortunately the method does not seem to work on the Windows 10 Enterprise 19042 Client.
LDAP signing is disabled