On Windows 2000, and probably 2003/2008 too (not verified), the Pre-Windows 2000 Compatible Access group contained the groups Anonymous, Everyone and Authenticated Users. Even if you have upgraded your Domain Controllers to Windows 2022, that group membership is kept unchanged.
That means an anonymous user can query domain information such as user info, group membership, trusts, etc. Even newly installed domains running Windows 2022 will still have Authenticated Users as a member of that group.
So if you have user credentials, you can still query all that information.
Prenum is a script exploiting this, by requesting information that might be useful for an attacker. It can search for computer accounts whose password is the same as the computer name, or that have no password at all.
This can be the case when computer accounts are pre-created with the box "Assign this computer account as a pre-Windows 2000 computer" ticked, or when they are created with other tools.
Some automation tools also create users and leave the Password-Not-Required attribute enabled. This means that such users may set a blank password and are allowed to do so, regardless of what password policy is in place. You can and should test for this in your Active Directory:
Get-ADUser -Filter {PasswordNotRequired -eq $true}
And fix it:
Get-ADUser -Identity username | Set-ADUser -PasswordNotRequired $false
All of this should be checked in any older Active Directory.
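The checks above (group membership of Pre-Windows 2000 Compatible Access, and accounts carrying the Password-Not-Required flag) combined into one audit script. This is an added defender-side example, not code from Prenum or from the author; it assumes the RSAT ActiveDirectory module is installed, that the caller has read access to the domain, that the group still carries its default English name, and the server name dc01 is a placeholder. It only reads directory attributes and never tries passwords against accounts.

```powershell
# Added defender-side audit (not part of Prenum). Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the domain; the group is looked up
# by its default English name. Nothing here tests passwords against accounts,
# it only inspects directory attributes.
Import-Module ActiveDirectory

# userAccountControl bit that lets an account have an empty password
$UF_PASSWD_NOTREQD = 0x0020
# LDAP bitwise-AND matching rule OID (the same rule used in the -ldap example)
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'

# Well-known SIDs that should not be members of Pre-Windows 2000 Compatible Access
$BroadSids = @{
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-PreWin2000Exposure {
    param([string]$Server)   # optional DC to query, e.g. -Server dc01
    $ad = @{}
    if ($Server) { $ad['Server'] = $Server }

    # 1) Group membership. Read the member attribute directly: Get-ADGroupMember
    #    can fail on foreignSecurityPrincipal entries such as Authenticated Users.
    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member @ad
    $broad = foreach ($dn in $group.member) {
        $m   = Get-ADObject -Identity $dn -Properties objectSid @ad
        $sid = $m.objectSid.Value
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{ Sid = $sid; Name = $BroadSids[$sid]; DN = $dn }
        }
    }

    # 2) Users AND computers with PASSWD_NOTREQD set. Get-ADUser alone would miss
    #    pre-created pre-Windows 2000 computer accounts, so query both classes.
    $filter = "(&(|(objectCategory=person)(objectCategory=computer))" +
              "(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=$UF_PASSWD_NOTREQD))"
    $noPw = Get-ADObject -LDAPFilter $filter `
        -Properties sAMAccountName, objectClass, userAccountControl, pwdLastSet @ad |
        Select-Object sAMAccountName, objectClass, DistinguishedName,
            @{ n = 'PasswordNeverSet'; e = { $_.pwdLastSet -eq 0 } }

    [pscustomobject]@{
        BroadPrincipalsInGroup      = @($broad)
        PasswordNotRequiredAccounts = @($noPw)
    }
}

# Clear the flag on each flagged account (users and computers alike);
# -WhatIf shows the change without applying it.
function Repair-PasswordNotRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)]$Account, [string]$Server)
    process {
        $ad = @{}
        if ($Server) { $ad['Server'] = $Server }
        if ($PSCmdlet.ShouldProcess($Account.DistinguishedName, 'Clear PASSWD_NOTREQD')) {
            Set-ADAccountControl -Identity $Account.DistinguishedName -PasswordNotRequired $false @ad
        }
    }
}

# Usage (server name is a placeholder): audit, then remediate in WhatIf mode first.
$report = Get-PreWin2000Exposure -Server 'dc01'
$report.BroadPrincipalsInGroup      | Format-Table Name, Sid
$report.PasswordNotRequiredAccounts | Format-Table sAMAccountName, objectClass, PasswordNeverSet
$report.PasswordNotRequiredAccounts | Repair-PasswordNotRequired -Server 'dc01' -WhatIf
```

The LDAP filter uses the bitwise matching rule rather than the friendlier PasswordNotRequired property so that one query covers both user and computer objects; Set-ADAccountControl is used for the fix for the same reason, since Set-ADUser cannot target computer accounts. Remove -WhatIf only after reviewing the list, because clearing the flag on an account that currently has an empty password does not set a password for it.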
Prenum is still in early development...
- Full AMSI-Bypass
- Reflectively loading Rubeus and Certify
- Enumerate and test all computers in AD; check if their password is the same as the computername
- Enumerate all users in AD; check if the password is blank
- Passwordspray all users in AD
- Request Kerberos TGT for computer and/or user-accounts found vulnerable (Using Rubeus)
- Test for vulnerable certificate templates (Using Certify)
- Do simple LDAP searches
- Run any Rubeus command
- Run any Certify command
.\Prenum.ps1 -DC menhit -Domain windcorp.htb -Users -Computers -Spraypass 'WelcomeToWindcorp#2023'
.\Prenum.ps1 -DC menhit -Domain windcorp.htb -Computers -Asktgt
.\Prenum.ps1 -DC menhit -Domain windcorp.htb -Rubeus "triage"
.\Prenum.ps1 -Certify "cas /domain:windcorp.htb"
.\Prenum.ps1 -DC menhit -Domain windcorp.htb -ldap "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"