Lars Karlslund
May 20, 12 tweets, 6 min read
Don't lose trust! "The trust relationship between this workstation and the primary domain failed." Has this ever happened to you? I'll show you how to fix it, and (more interestingly) how it works behind the scenes 1/🧵
First some basics: when you join a computer to an Active Directory domain, it gets a machine account in AD. This is like a user account, but with objectClass value 'computer' (among others) and a userAccountControl flag marking it as a computer (WORKSTATION_TRUST_ACCOUNT, 0x1000). But ... 2/🧵
It uses a password to authenticate to the domain controllers. Every so often (every 30 days by default) the computer itself rotates this password. If you roll back a VM, restore from backup or clone two machines, the computer's idea of the password and the password stored in AD can get out of sync 3/🧵
Then you get the dreaded "trust relationship" error message. Years ago the recommended fix was to 1) disjoin the computer, 2) delete the machine account in AD, and 3) join the machine to the domain again. This is hopeless, for many reasons! It is also entirely unnecessary 4/🧵
To fix it, you need admin access to the machine. There are multiple ways to get this: 1) a local admin account, 2) an unrotated LAPS account (unlikely), 3) a cached domain account which is local admin, or 4) boot the machine from your favourite ISO and take over the local Administrator account. 5/🧵
Congrats, you're local admin. Now sync the password using PowerShell, providing an AD account that has the "Reset Password" right on the machine account. That's it, problem solved! If you're in the mood for some history, read on ... 6/🧵
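The repair described in tweets 5 and 6, written out as an added example (this is not code from the original thread). It is meant to be run in an elevated PowerShell session on the affected member computer; the DC name 'DC01' and the account 'CORP\helpdesk.pwreset' are placeholders, and the credential you supply must hold the "Reset Password" right on the computer object.

```powershell
# Added example, not code from the original thread. Repairs the secure channel
# from an elevated PowerShell session on the affected member computer.
# Placeholders (assumptions): DC 'DC01', account 'CORP\helpdesk.pwreset'.

function Test-MachineSecureChannel {
    # $true when the machine password stored locally still matches what the
    # domain controller holds for the computer account.
    [CmdletBinding()]
    param([string]$Server)
    $splat = @{}
    if ($Server) { $splat['Server'] = $Server }
    return (Test-ComputerSecureChannel @splat)
}

function Repair-MachineSecureChannel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # The computer object must still exist and be enabled in AD: this cmdlet
    # changes the password, it does not recreate the account.
    # Reset-ComputerMachinePassword writes a fresh random password into the
    # local LSA secret and onto the computer object via the DC in -Server, so
    # both ends change in one step: no disjoin/rejoin, no new object, no lost
    # group memberships.
    Reset-ComputerMachinePassword -Server $Server -Credential $Credential -ErrorAction Stop

    # Verify against the same DC; the other DCs pick the change up via replication.
    if (-not (Test-ComputerSecureChannel -Server $Server)) {
        throw "Secure channel to $Server is still broken after the reset"
    }
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    nltest /sc_verify:$domain
}

# Usage, logged on locally as an administrator on the broken machine:
# $cred = Get-Credential 'CORP\helpdesk.pwreset'
# if (-not (Test-MachineSecureChannel -Server 'DC01')) {
#     Repair-MachineSecureChannel -Server 'DC01' -Credential $cred
# }
```

`Test-ComputerSecureChannel -Repair -Server 'DC01' -Credential $cred` does the same job in one call; the function above keeps the check and the reset separate so the verification step is explicit. Note that this is the opposite of the "Reset Account" option in Users & Computers, which only touches the AD side.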
There are multiple non-working suggestions on the internet for how to fix this. A popular one is using the "Reset Account" GUI option in Users & Computers. This does not work, but what does it actually do? 7/🧵
We need to go back in time, when Windows 2000 was the cool thing (it was!). Things were simpler, and machine accounts were ... uhm, also "simpler". With simpler I mean they used the machine name as password. (Check out @Oddvarmoe's recent post on this). 8/🧵
The NT5 code base (Windows 2003) is all over GitHub (thanks, @Microsoft and evil hackers!) so I went hunting for this oddity. I found it replicated 4 different places in the source ... the old Windows source is a goldmine for knowledge if you're into that kind of stuff. 9/🧵
Enough history, you get the picture. Do the "Reset Account" procedure on the machine object in AD and it sets the password to the lowercased machine name :-\ Yes, that simple. Useless today, but no one has been squishing bugs in "Users & Computers" for many years, so no wonder 10/🧵
You can validate the "Reset Account" functionality by doing it and then testing the password. I used HashCat against the LM hash (thanks @UK_Daniel_Card for the registry NoLMHash hint!). But just use PowerShell if you want. (Script from powershellbros.com/test-credentia…) 11/🧵
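An added example of the PowerShell check mentioned in tweet 11 (this is not the powershellbros script the thread links to, nor the author's own code): it tries to authenticate a computer account with its own lowercased name as the password, which is what "Reset Account" in Users & Computers sets, and optionally sweeps every enabled computer account. It assumes you run it on a domain-joined machine as a domain user who can read the directory; 'corp.example' and 'WS01' are placeholders.

```powershell
# Added example, not from the original thread. Checks whether a computer
# account authenticates with its lowercased name as the password (the value
# the ADUC "Reset Account" action sets). Placeholders: 'corp.example', 'WS01'.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-ComputerPasswordIsName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,        # e.g. 'corp.example'
        [Parameter(Mandatory)][string]$ComputerName   # sAMAccountName without the trailing '$'
    )
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    try {
        # Machine accounts log on as NAME$; the candidate password is NAME in lowercase.
        $logonName = "$ComputerName`$"
        $candidate = $ComputerName.ToLowerInvariant()
        return $ctx.ValidateCredentials($logonName, $candidate)
    }
    finally {
        $ctx.Dispose()
    }
}

function Find-ComputersWithNamePassword {
    # Enumerates enabled objects with WORKSTATION_TRUST_ACCOUNT (0x1000 = 4096)
    # set in userAccountControl and tests each one. Every miss produces a
    # failed-logon event on the DC, so run this with approval and expect noise.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Domain)
    $filter = '(&(objectClass=computer)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=4096)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'   # bit 2 = ACCOUNTDISABLE
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($result in $searcher.FindAll()) {
        $name = ([string]$result.Properties['samaccountname'][0]).TrimEnd('$')
        if (Test-ComputerPasswordIsName -Domain $Domain -ComputerName $name) {
            [pscustomobject]@{ Computer = $name; PasswordIsName = $true }
        }
    }
}

# Usage:
# Test-ComputerPasswordIsName -Domain 'corp.example' -ComputerName 'WS01'
# Find-ComputersWithNamePassword -Domain 'corp.example' | Format-Table
```

A `$true` from the single-machine check right after clicking "Reset Account" confirms what tweet 10 says about the password; a hit from the sweep on an account nobody reset recently is worth investigating, since any domain user can then authenticate as that computer.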
So to sum it up: the locally stored machine password and the AD password must match. Resyncing them is possible and easy, but it must be done on both ends at the same time for it to work. 12/🧵END

More from @lkarlslund

Apr 11
Fellow Active Directory infosec researchers here in Denmark have figured out how to cross domains in the same direction as a trust - yes, the opposite of what is normal 1/🧵
improsec.com/tech-blog/sid-…
They explain it much better in their 7-part series (linked above is the last part), but it comes down to the fact that the two domains have to talk to each other as part of exchanging data. They do this with a special type of account, the SAM_TRUST_ACCOUNT. 2/🧵
These accounts are easy to find in my Active Directory tool 'adalanche' - simply query for (samaccounttype=805306370) and you'll get all of them. But so far there is no connection between them in the graph 3/🧵
Feb 17
The Active Directory group "Account Operators" is a bastard, and should be kept empty. Why? Because it undermines your *entire* delegation structure in the AD. Here are the details, and it shows why you should stay clear of this group 1/n
Many of you probably know that this group shouldn't be used, but not all know the details of WHY. Here's the description from Microsoft. Just by reading this it becomes fairly evident what the issue is ... 2/n
There are two parts to this: "Account Operators" can manipulate groups and users, except for the BUILT IN groups (in the Builtin container) and users in the "Administrators" and "Domain Admins" groups. This works like this ... 3/n
Feb 14
Cool adalanche trick: do supply chain attack analysis. If you're using the local collector to grab data from domain member computers, you can use the installedSoftware attribute to select machines. Here's a ~10% random selection of machines with "Microsoft SQL Server". Nifty, eh?
Here are my settings for the search - it's reverse because we're investigating "what can my selection pwn of the rest of the infrastructure"
I'm filtering away outer nodes that I don't care about - the focus for me is mostly computers or users - so I removed groups in this search.
Jan 8
Did you know that you can mass upgrade a lot of Windows 10/11 3rd party software with a free tool from Microsoft? It's like Linux's "apt" or "yum" ... Patching some of your vulnerable software is now free and easy, as I'll show you here 1/5
If you're running Windows 11, it's preloaded onto the system, so you can skip this part. On Windows 10, go to the Microsoft Store and search for "app installer". Here is my laptop which hasn't been powered on for quite a while - ironically it has a winget update available :-) 2/5
Then launch an elevated Windows Terminal, and get ready to patch some stuff. You simply type "winget upgrade" - this shows you all the stuff you have installed (not necessarily using winget - also manually!) which can be upgraded. 3/5
Sep 27, 2021
So today I started looking at Azure AD, which spawned an interesting thread with my thoughts, and lots of input and corrections from others. It also spawned need for a refresher on AD attribute security ...
You see, I probably should have been able to figure this out in 2 minutes. After all I've spent uncountable hours creating github.com/lkarlslund/ada…, which dumps an entire Active Directory and maps how ACLs can be misused to jump from tier to tier.
But lets jump back to Azure AD for a while. It works with a "sync service" called Azure AD Connect. It exports stuff from your on prem AD to the Azure AD. Sometimes it imports stuff, but look in the other thread for information on that.
Sep 27, 2021
So I'm diving head first into Azure AD, and I think it's a f*cking can of worms. Most large orgs do a TWO WAY sync of their on prem AD with AAD (users, groups, passwords). The attack surface is just horrible.
So you're moving to the cloud. Someone needs to be able to reset passwords, so lets give them the "Password Admin" role. No worries, this doesn't apply to admin accounts. Or does it?
Well, it's synced to your on prem, right? AAD's assumption about who has a sensitive account is based on built in groups and roles assigned in AAD.