path: root/README.md
blob: 39bfed1ff18974d9efb90b9ff724c946d9654543 (plain)
# **Powermad - PowerShell MachineAccountQuota and DNS exploit tools**

## Wiki
* https://github.com/Kevin-Robertson/Powermad/wiki

## Functions  
* [MachineAccountQuota Functions](#machineaccountquota-functions)
* [DNS Functions](#dns-functions)
* [Dynamic Updates Functions](#dynamic-updates-functions)
* [ADIDNS Functions](#adidns-functions)
* [Miscellaneous Functions](#miscellaneous-functions)

## MachineAccountQuota Functions

The default Active Directory ms-DS-MachineAccountQuota attribute setting allows all domain users to add up to 10 machine accounts to a domain. Powermad includes a set of functions for exploiting ms-DS-MachineAccountQuota without attaching an actual system to AD.  

### Get-MachineAccountAttribute

This function can return values populated in a machine account attribute.

##### Example:

* Get the value of 'description' from a machine account named 'test'.  
`Get-MachineAccountAttribute -MachineAccount test -Attribute description`

### Get-MachineAccountCreator  

This function leverages the ms-DS-CreatorSID property on machine accounts to return a list of usernames or SIDs and the associated machine account. The ms-DS-CreatorSID property is only populated when a machine account is created by an unprivileged user.  

##### Example:

* Get a list of all populated ms-DS-CreatorSID attributes.  
`Get-MachineAccountCreator`  

### Disable-MachineAccount

This function can disable a machine account that was added through New-MachineAccount. This function should be used with the same user that created the machine account.  

##### Example:

* Disable a machine account named test.  
`Disable-MachineAccount -MachineAccount test`  

### Enable-MachineAccount

This function can enable a machine account that was disabled through Disable-MachineAccount. This function should be used with the same user that created the machine account.  

##### Example:

* Enable a machine account named test.  
`Enable-MachineAccount -MachineAccount test`  

### New-MachineAccount

This function can add a new machine account directly through an LDAP add request to a domain controller, without impacting the host system's attachment status to Active Directory.

The LDAP add request is modeled after the add request used when joining a system to a domain. The following (mostly validated by the DC) attributes are set:

* objectClass = Computer  
* SamAccountName = Machine account name with trailing $  
* userAccountControl = 4096  
* DnsHostName = FQDN  
* ServicePrincipalName = 2 HOST and 2 RestrictedKrbHost SPNs using both the FQDN and account name  
* unicodePwd = the specified password  

A new machine account can be used for tasks such as leveraging privilege granted to the 'Domain Computers' group, or as an additional account for domain enumeration, DNS exploits, etc. By default, machine accounts do not have the 'log on locally' permission. You can either use tools/clients that accept network credentials directly, or use 'runas /netonly' or @harmj0y's Invoke-UserImpersonation/Invoke-RevertToSelf included with PowerView.

* https://github.com/PowerShellMafia/PowerSploit/tree/dev/Recon

Machine accounts created with standard users will have the mS-DS-CreatorSID populated with the standard user’s SID.

Note that ms-DS-MachineAccountQuota does not provide the ability for authenticated users to delete added machine accounts from AD. Elevated privilege will need to be acquired to remove the account if you want to avoid passing the task off to your client.

##### Examples:

* Add a new machine account  
`New-MachineAccount -MachineAccount test` 

* Use the added account with runas /netonly  
`runas /netonly /user:domain\test$ powershell` 
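Because ms-DS-CreatorSID is only populated on accounts created this way, it is also the attribute a defender should audit. The following is an added example, not part of Powermad: it reports the domain's ms-DS-MachineAccountQuota and every machine account with a populated creator SID, using [adsisearcher] from a domain-joined host (assumed) so no RSAT module is needed.

```powershell
# Added audit example, not part of Powermad: report the domain's
# ms-DS-MachineAccountQuota and every machine account whose mS-DS-CreatorSID is
# populated, i.e. accounts added by an unprivileged user under the quota.
# Assumes a domain-joined host; uses [adsisearcher], so no RSAT module is needed.
function Get-MachineAccountQuotaAudit {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.Properties['defaultNamingContext'][0]
    $domain   = [ADSI]"LDAP://$domainDn"
    $quota    = [int]$domain.Properties['ms-DS-MachineAccountQuota'][0]

    $searcher = [adsisearcher]'(&(objectCategory=computer)(mS-DS-CreatorSID=*))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'mS-DS-CreatorSID', 'whenCreated', 'userAccountControl'))

    $created = foreach ($result in $searcher.FindAll()) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
            [byte[]]$result.Properties['ms-ds-creatorsid'][0], 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # deleted or foreign creator: keep the raw SID
        $uac = [int]$result.Properties['useraccountcontrol'][0]
        [pscustomobject]@{
            MachineAccount = [string]$result.Properties['samaccountname'][0]
            CreatedBy      = $creator
            WhenCreated    = $result.Properties['whencreated'][0]
            Disabled       = [bool]($uac -band 0x2)   # ACCOUNTDISABLE flag
        }
    }

    [pscustomobject]@{
        Domain               = $domainDn
        MachineAccountQuota  = $quota
        QuotaCreatedAccounts = @($created)
    }
}

# Usage: show the quota, then review who created each account and when.
$audit = Get-MachineAccountQuotaAudit
$audit.MachineAccountQuota
$audit.QuotaCreatedAccounts | Format-Table -AutoSize

# Remediation (ActiveDirectory module, Domain Admin rights): set the quota to 0
# so that only explicitly delegated principals can add machine accounts.
# Set-ADDomain -Identity $audit.Domain -Replace @{'ms-DS-MachineAccountQuota' = '0'}
```

Any account listed here that was not created by the help desk or a provisioning process is worth investigating, and Disable-MachineAccount-style deactivations show up in the Disabled column.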

### Remove-MachineAccount

This function removes a machine account with a privileged account.  

##### Example:

* Remove a machine account named test with domain admin credentials  
`Remove-MachineAccount -MachineAccount test -Credential $domainadmin`

### Set-MachineAccountAttribute

This function can populate some attributes for an account that was added through New-MachineAccount, if a user has write access. This function should be used with the same user that created the machine account.  

Here is a list of attributes that the creating user can usually write:  

* AccountDisabled  
* description  
* displayName  
* DnsHostName  
* ServicePrincipalName  
* userParameters  
* userAccountControl  
* msDS-AdditionalDnsHostName  
* msDS-AllowedToActOnBehalfOfOtherIdentity  
* SamAccountName  

##### Examples:

* Remove the trailing '$' from the SamAccountName attribute  
`Set-MachineAccountAttribute -MachineAccount test -Attribute SamAccountName -Value test`

* Use the modified account with runas /netonly  
`runas /netonly /user:domain\test powershell` 

## DNS Functions

By default, authenticated users have the 'Create all child objects' permission on the Active Directory-Integrated DNS (ADIDNS) zone. Most records that do not currently exist in an AD zone can be added/deleted. 

## Dynamic Updates Functions  

### Invoke-DNSUpdate

This function can be used to add/delete dynamic DNS records if the default setting of secure dynamic updates is enabled on a domain controller. A, AAAA, CNAME, MX, PTR, SRV, and TXT records are currently supported. Invoke-DNSUpdate is modeled after BIND's nsupdate tool when using the '-g' or 'gsstsig' options. 

##### Examples:

* Add an A record  
`Invoke-DNSUpdate -DNSType A -DNSName www -DNSData 192.168.100.125`  

* Delete an A record  
`Invoke-DNSUpdate -DNSType A -DNSName www.test.local` 

* Add an SRV record  
`Invoke-DNSUpdate -DNSType SRV -DNSName _autodiscover._tcp.test.local -DNSData system.test.local -DNSPriority 100 -DNSWeight 80 -DNSPort 443`  

## ADIDNS Functions  

### Disable-ADIDNSNode  

This function can tombstone an ADIDNS node.  

##### Example:

* Tombstone a wildcard record.  
`Disable-ADIDNSNode -Node *`  

### Enable-ADIDNSNode  

This function can turn a tombstoned node back into a valid record.  

##### Example:

* Enable a wildcard record.  
`Enable-ADIDNSNode -Node *` 
### Get-ADIDNSNodeAttribute

This function can return values populated in a DNS node attribute.  

##### Example:

* Get the value of the dnsRecord attribute of a node named test.  
`Get-ADIDNSNodeAttribute -Node test -Attribute dnsRecord`  

### Get-ADIDNSNodeOwner

This function returns the owner of an ADIDNS node.  

##### Example:

* Get the owner of a node named test.  
`Get-ADIDNSNodeOwner -Node test`  

### Get-ADIDNSPermission

This function gets a DACL of an ADIDNS node or zone.

##### Examples:

* Get the DACL for the default Active Directory-Integrated zone from a domain attached system.  
`Get-ADIDNSPermission`

* Get the DACL for a DNS node named test from a domain attached system.  
`Get-ADIDNSPermission -Node test`

### Grant-ADIDNSPermission

This function adds an ACE to the DACL of a DNS node or zone.  

##### Example:

* Add full access to a wildcard record for "Authenticated Users".  
`Grant-ADIDNSPermission -Node * -Principal "authenticated users"`  

### New-ADIDNSNode

This function adds a DNS node to an Active Directory-Integrated DNS (ADIDNS) zone through an encrypted LDAP add request.  

##### Example:

* Add a wildcard record to an ADIDNS zone and tombstone the node.  
`New-ADIDNSNode -Node * -Tombstone`  

### New-DNSRecordArray

This function creates a valid byte array for the dnsRecord attribute.  

##### Example:

* Create a dnsRecord array for an A record pointing to 192.168.0.1.  
`New-DNSRecordArray -DNSType A -DNSData 192.168.0.1`  
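The byte array that New-DNSRecordArray builds, and that Get-ADIDNSNodeAttribute returns for the dnsRecord attribute, follows the MS-DNSP DNS_RPC_RECORD layout: a 24-byte header followed by the record data. The decoder below is an added example, not Powermad code; the two sample records are constructed here, and the interpretation of a type ZERO record as the tombstone left by Disable-ADIDNSNode comes from MS-DNSP, so it is useful when reviewing what a node actually resolves to.

```powershell
# Added example, not part of Powermad: decode a dnsRecord attribute value.
# Layout per MS-DNSP DNS_RPC_RECORD: DataLength(2) Type(2) Version(1) Rank(1)
# Flags(2) Serial(4) TtlSeconds(4, big-endian) Reserved(4) TimeStamp(4) Data.
function ConvertFrom-DnsRecordBytes {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 24) { throw 'dnsRecord is shorter than the 24-byte header' }
    $dataLength = [BitConverter]::ToUInt16($Bytes, 0)
    $type       = [BitConverter]::ToUInt16($Bytes, 2)
    $serial     = [BitConverter]::ToUInt32($Bytes, 8)
    [byte[]]$ttlBytes = $Bytes[12..15]      # TTL is the one big-endian field
    [array]::Reverse($ttlBytes)
    $ttl = [BitConverter]::ToUInt32($ttlBytes, 0)
    if ($Bytes.Length -lt 24 + $dataLength) { throw 'dnsRecord data is truncated' }
    [byte[]]$data = if ($dataLength -gt 0) { $Bytes[24..(23 + $dataLength)] } else { @() }

    $typeNames = @{ 0 = 'ZERO'; 1 = 'A'; 5 = 'CNAME'; 12 = 'PTR'; 15 = 'MX'; 16 = 'TXT'; 28 = 'AAAA'; 33 = 'SRV' }
    $name = $typeNames[[int]$type]
    if ($null -eq $name) { $name = "TYPE$type" }
    $value = switch ([int]$type) {
        1       { [System.Net.IPAddress]::new($data).ToString() }
        28      { [System.Net.IPAddress]::new($data).ToString() }
        default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }   # raw hex for other types
    }
    [pscustomobject]@{
        Type       = $name
        Serial     = $serial
        TtlSeconds = $ttl
        Tombstoned = ($type -eq 0)   # type ZERO is what a tombstoned node carries
        Value      = $value
    }
}

# Constructed samples: an A record for 192.168.0.1 (TTL 600, serial 10) and a
# tombstoned (type ZERO) record whose 8-byte EntombedTime is left as zeros.
[byte[]]$sampleA = 0x04,0x00, 0x01,0x00, 0x05,0xF0, 0x00,0x00, 0x0A,0x00,0x00,0x00,
                   0x00,0x00,0x02,0x58, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0xC0,0xA8,0x00,0x01
[byte[]]$sampleTombstone = 0x08,0x00, 0x00,0x00, 0x05,0xF0, 0x00,0x00, 0x0B,0x00,0x00,0x00,
                           0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0,0,0,0,0,0,0,0
ConvertFrom-DnsRecordBytes -Bytes $sampleA
ConvertFrom-DnsRecordBytes -Bytes $sampleTombstone
```

Feeding a node's dnsRecord value (assumed here to arrive as a byte array) to this function shows the record type, TTL and target, which is the quickest way to tell a live wildcard or stale node from a tombstoned one during a zone review.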

### New-SOASerialNumberArray

This function gets the current SOA serial number for a DNS zone and increments it by the set amount.  

##### Example:

* Generate a byte array from the current SOA serial number incremented by one.  
`New-SOASerialNumberArray`  

### Rename-ADIDNSNode

This function can rename a DNS node.  

##### Example:

* Rename a DNS node named test to test2.  
`Rename-ADIDNSNode -Node test -NodeNew test2`  

### Remove-ADIDNSNode

This function can remove a DNS node.  

##### Example:

* Remove a wildcard node.  
`Remove-ADIDNSNode -Node *`  

### Revoke-ADIDNSPermission

This function removes an ACE from the DACL of a DNS node or zone.  

##### Example:

* Remove the GenericAll ACE associated with the user1 account.  
`Revoke-ADIDNSPermission -Node * -Principal user1 -Access GenericAll`  

### Set-ADIDNSNodeAttribute

This function can append, populate, or overwrite values in a DNS node attribute.  

##### Example:

* Set the writable description attribute on a node named test.  
`Set-ADIDNSNodeAttribute -Node test -Attribute description -Value "do not delete"`

### Set-ADIDNSNodeOwner

This function sets the owner of a DNS node. Note that a token with SeRestorePrivilege is required.  

##### Example:

* Set the owner of a node named test to user1.  
`Set-ADIDNSNodeOwner -Node test -Principal user1`

## Miscellaneous Functions

### Get-KerberosAESKey

This function can generate Kerberos AES 256 and 128 keys from a known username and password. This can be used to test pass the hash with Invoke-DNSUpdate.  

##### Example:

* Generate keys for a valid AD user named user@test.local.  
`Get-KerberosAESKey -Salt TEST.LOCALuser`