

PowerShell MachineAccountQuota and DNS exploit tools.

The default Active Directory ms-DS-MachineAccountQuota attribute setting allows all domain users to add up to 10 machine accounts to a domain. Powermad includes a set of functions for exploiting ms-DS-MachineAccountQuota without attaching an actual system to AD.

By default, authenticated users have the 'Create all child objects' permission on the Active Directory-Integrated DNS (ADIDNS) zone. Most records that do not already exist in an AD zone can therefore be added or deleted.
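The two defaults described above are easy to audit from the defender's side. The following is an added example, not part of Powermad: it reads the domain's ms-DS-MachineAccountQuota, lists computer objects whose mS-DS-CreatorSID shows they were created through the quota rather than by an administrator, and reports who holds CreateChild on the domain's ADIDNS zone. It assumes the RSAT ActiveDirectory module in a domain-authenticated session and a zone stored in the DomainDnsZones partition under the domain's own DNS name.

```powershell
# Added defensive audit example (not Powermad code). Assumes the RSAT
# ActiveDirectory module and a session authenticated to the target domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Domain-head ms-DS-MachineAccountQuota (default 10, 0 disables the quota).
$maq = (Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $maq"

# 2. Computer objects created via the quota (not by an admin with create rights)
#    carry the creator's SID in mS-DS-CreatorSID; list them with the creator.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator deleted or untranslatable: keep the raw SID
        [pscustomobject]@{ Computer = $_.Name; Creator = $creator; Created = $_.whenCreated }
    } | Sort-Object Creator | Format-Table -AutoSize

# 3. Principals allowed CreateChild on the ADIDNS zone object. Assumes the zone
#    lives in DomainDnsZones; forest-wide zones sit under DC=ForestDnsZones instead.
$zoneDn = "DC=$($domain.DNSRoot),CN=MicrosoftDNS,DC=DomainDnsZones,$($domain.DistinguishedName)"
(Get-Acl -Path "AD:\$zoneDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match 'CreateChild' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

A non-empty list in step 2 and an 'Authenticated Users' entry in step 3 together show the two defaults this tool set relies on are still in effect.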

MachineAccountQuota functions:
- Get-MachineAccountAttribute
- Get-MachineAccountCreator
- Disable-MachineAccount
- Enable-MachineAccount
- New-MachineAccount
- Remove-MachineAccount
- Set-MachineAccountAttribute
- Invoke-AgentSmith

DNS functions:
- Invoke-DNSUpdate
- Disable-ADIDNSNode
- Get-ADIDNSNodeAttribute
- Get-ADIDNSNodeOwner
- Get-ADIDNSPermission
- Get-ADIDNSZone
- Grant-ADIDNSPermission
- New-ADIDNSNode
- New-DNSRecordArray
- New-SOASerialNumberArray
- Rename-ADIDNSNode
- Remove-ADIDNSNode
- Revoke-ADIDNSPermission
- Set-ADIDNSNodeAttribute
- Set-ADIDNSNodeOwner

Miscellaneous functions:
- Get-KerberosAESKey