Skip to content

Commit

Permalink
Machine Account Quota
Browse files Browse the repository at this point in the history
  • Loading branch information
@swisskyrepo
swisskyrepo committed Nov 5, 2024
1 parent 349d75a commit d2c2174
Show file tree
Hide file tree
Showing 3 changed files with 53 additions and 3 deletions.
4 changes: 2 additions & 2 deletions docs/active-directory/ad-adcs-certificate-services.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -427,8 +427,8 @@ Members : {}

**Requirements**

* **Template Schema Version 1**
* **ENROLLEE_SUPPLIES_SUBJECT** = True
* **Template Schema** Version 1
* **ENROLLEE_SUPPLIES_SUBJECT** = `True`

**Exploitation**:

Expand Down
49 changes: 49 additions & 0 deletions docs/active-directory/ad-adds-machineaccountquota.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
# Active Directory - Machine Account Quota

In Active Directory (AD), the `MachineAccountQuota` is a limit set on how many computer accounts a specific user or group can create in the domain.

When a user attempts to create a new computer account, AD checks the current number of computer accounts that the user has already created against the defined quota for that user or group.

However, Active Directory does not store the current count of created machine accounts directly in a user attribute. Instead, you would need to perform a query to count the machine accounts that were created by a specific user.


## Machine Account Quota Process

1. **Quota Definition**: The `MachineAccountQuota` is defined at the domain level and can be set for individual users or groups. By default, it is set to **10** for the "Domain Admins" group and to 0 for standard users, limiting their capability to create computer accounts.

```powershell
nxc ldap <ip> -u user -p pass -M maq
```
2. **Creation Process**: When a user attempts to create a new computer account (for example, by using the "Add Computer" option in Active Directory Users and Computers or via PowerShell), the account creation request is made to the domain controllers (DCs).
```powershell
impacket@linux> addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword'
```
3. **Quota Evaluation**: Before the account is created, Active Directory checks the current count of computer accounts created by that user. This is done by querying the `msDS-CreatorSID` attribute, which holds the SID of the user who created that object.
The system compares this count to the `MachineAccountQuota` value set for that user. If the count is less than the quota, the creation proceeds; if it equals or exceeds the quota, the creation is denied, and an error is returned.
```powershell
# Replace DOMAIN\username with the actual domain and user name
$user = "DOMAIN\username"
# Get the user's SID
$userSID = (Get-ADUser -Identity $user).SID
# Count the number of computer accounts created by this user
$computerCount = (Get-ADComputer -Filter { msDS-CreatorSID -eq $userSID }).Count
# Display the count
$computerCount
```
4. **Failure Handling**:
- If the quota is exceeded, the user attempting to create the account will receive an error message indicating that they cannot create a new computer account because they have reached their quota limit.
## References
* [MachineAccountQuota - The Hacker Recipes - 24/10/2024](https://www.thehacker.recipes/ad/movement/builtins/machineaccountquota)
* [MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory's Oddest Settings - Kevin Robertson - March 6, 2019](https://www.netspi.com/blog/technical-blog/network-penetration-testing/machineaccountquota-is-useful-sometimes/)
* [Machine Account Quota - NetExec - 13/09/2023](https://www.netexec.wiki/ldap-protocol/machine-account-quota)
3 changes: 2 additions & 1 deletion docs/methodology/vulnerability-reports.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,10 @@ Tools to help you collaborate and generate your reports.

List of penetration test reports and templates.

* [reconmap/pentest-reports](https://github.com/reconmap/pentest-reports) - Collection of penetration test reports and pentest report templates
* [reconmap/pentest-reports](https://github.com/reconmap/pentest-reports) - Collection of penetration test reports and pentest report templates.
* [juliocesarfort/public-pentesting-reports](https://github.com/juliocesarfort/public-pentesting-reports) - A list of public penetration test reports published by several consulting firms and academic security groups.
* [xanhacks/web-pentest-reports](https://gitlab.com/xanhacks/web-pentest-reports) - List of template vulnerability reports for web pentesting.
* [noraj/OSCP-Exam-Report-Template-Markdown](https://github.com/noraj/OSCP-Exam-Report-Template-Markdown) - Markdown Templates for Offensive Security OSCP, OSWE, OSCE, OSEE, OSWP exam report.


## Vulnerability Report Structure
Expand Down

0 comments on commit d2c2174

Please sign in to comment.