Don't lose trust! "The trust relationship between this workstation and the primary domain failed." Has this ever happened to you? I'll show you how to fix it, and (more interestingly) how it works behind the scenes 1/🧵
First some basics: when you join a computer to an Active Directory domain, it gets a machine account in the AD. This is like a user account, but with objectClass value 'computer' (and others) and some userAccountControl flags indicating that it is a computer (0x1000). But ... 2/🧵
It uses a password to authenticate to the domain controllers. Every so often (every 30 days by default) it rotates the password. If you roll back a VM, restore from backup or clone two machines, the computer's idea of the password and the AD password can get out of sync 3/🧵
Then you get the dreaded "trust relationship" error message. Years ago the recommended fix was to 1) disjoin the computer 2) delete machine account in AD 3) join the machine to the AD again. This is hopeless, for many reasons! Also it's entirely unnecessary 4/🧵
To fix it, you need admin access to the machine. There are multiple ways to get it: 1) a local admin account, 2) an unrotated LAPS account (unlikely), 3) a cached domain account which is local admin, or 4) break into the machine with your fav ISO and pwn the local administrator account. 5/🧵
Congrats, you're local admin. Now sync the password using PowerShell - provide an AD account that has the power to "Reset Password" on the machine account. That's it, problem solved! If you're in the mood for some history, read on ... 6/🧵
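The resync step above, as an added example (not the thread's own script): run from an elevated PowerShell session on the affected workstation. The DC name 'dc01.corp.example' and the account 'CORP\helpdesk-reset' are placeholders; the credential needs "Reset Password" on this computer's AD object.

```powershell
# Added example: repair a machine account whose local password secret no longer
# matches the one stored in AD, without disjoining or deleting anything.
# Assumes a hypothetical DC 'dc01.corp.example' (replace with a real one).
function Repair-MachineTrust {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $Server = 'dc01.corp.example'   # assumption: your DC's FQDN
    )
    # Test-ComputerSecureChannel compares the local secret with the DC's copy.
    if (Test-ComputerSecureChannel -Server $Server) {
        Write-Host 'Secure channel is healthy, nothing to do.'
        return $true
    }
    # -Repair sets a new machine password locally AND in AD in one step, which
    # is exactly the "both ends at the same time" requirement from the thread.
    $ok = Test-ComputerSecureChannel -Repair -Server $Server -Credential $Credential
    if (-not $ok) {
        # Fallback: explicitly rotate the password on both ends, then re-check.
        Reset-ComputerMachinePassword -Server $Server -Credential $Credential
        $ok = Test-ComputerSecureChannel -Server $Server
    }
    return $ok
}

# Usage (local administrator, no reboot or rejoin required):
# Repair-MachineTrust -Credential (Get-Credential 'CORP\helpdesk-reset')
```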
There are multiple non-working suggestions on how to fix this on the internet. A popular one is using the "Reset Account" GUI option in Users & Computers. This does not work, but what does it actually do? 7/🧵
We need to go back in time, when Windows 2000 was the cool thing (it was!). Things were simpler, and machine accounts were ... uhm, also "simpler". By simpler I mean they used the machine name as the password. (Check out @Oddvarmoe's recent post on this). 8/🧵
The NT5 code base (Windows 2003) is all over GitHub (thanks, @Microsoft and evil hackers!) so I went hunting for this oddity. I found it replicated in 4 different places in the source ... the old Windows source is a goldmine for knowledge if you're into that kind of stuff. 9/🧵
Enough history, you get the picture. Do the "Reset Account" procedure on the machine object in the AD, and it sets the password to the lowercased machine name :-\ Yes, that simple. Useless today, but no one has been squashing bugs in "Users & Computers" for many years, so no wonder 10/🧵
You can validate the "Reset Account" functionality by doing it, and then testing the password. I used HashCat against the LM hash (thanks @UK_Daniel_Card for the registry NoLMHash hint!). But just use PowerShell if you want. (Script from powershellbros.com/test-credentia…) 11/🧵
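A PowerShell version of that validation, added here as an example (not the script the thread links to): it binds as the machine account with its lowercased name as the password, so a defender can confirm what "Reset Account" did and sweep the domain for computer objects still sitting with that legacy password. Assumes the RSAT ActiveDirectory module and a hypothetical domain 'corp.example'.

```powershell
# Added example: detect computer accounts whose password equals their lowercased
# name, which is what the legacy "Reset Account" action in Users & Computers sets.
# Assumes a hypothetical domain 'corp.example' and the RSAT ActiveDirectory module.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-LegacyResetPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $Domain = 'corp.example'   # assumption: replace with your domain
    )
    $name = $ComputerName.TrimEnd('$')
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    try {
        # Machine accounts are named NAME$; the legacy reset uses 'name' as password.
        return $ctx.ValidateCredentials("$name`$", $name.ToLower())
    } finally {
        $ctx.Dispose()
    }
}

# Sweep every enabled computer object and report the ones that still answer
# to the legacy password, together with when that password was last set.
function Find-LegacyResetComputers {
    param([string] $Domain = 'corp.example')
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties pwdLastSet |
        Where-Object { Test-LegacyResetPassword -ComputerName $_.SamAccountName -Domain $Domain } |
        Select-Object Name, @{ n = 'PwdLastSet'; e = { [datetime]::FromFileTime($_.pwdLastSet) } }
}

# Usage: Find-LegacyResetComputers | Format-Table
```

Any hit is a machine that someone "reset" in ADUC and never resynced; fix it from the machine side as the thread describes rather than leaving the weak password in place.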
So to sum it up: locally stored machine password and AD password must match. Resyncing them is possible and easy, but must be done on both ends at the same time for it to work. 12/🧵END
