

The perils of the Pre-Windows 2000 Compatible Access group in a Windows domain.

On Windows 2000, and probably 2003/2008 too (not verified), that group contained the groups Anonymous, Everyone and Authenticated Users. Even if you have upgraded your Domain Controllers to Windows 2022, that group is kept unchanged.

That means an anonymous user can query domain information such as user info, group membership, trusts, etc. Even newly installed domains running Windows 2022 will still have Authenticated Users as a member of that group.

So if you have user credentials, you can still query all that information.
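To see which of these principals are members in your own domain, the following added example (not part of Prenum or of the original page) lists the group's members by SID with the ActiveDirectory PowerShell module. The function name `Get-PreWin2kAccessMember` and the finding labels are assumptions made for illustration.

```powershell
# Added example (not Prenum code): audit the membership of the built-in
# "Pre-Windows 2000 Compatible Access" group in the current domain.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# S-1-5-32-554 is the well-known SID of the group, so the lookup does not
# depend on a localized or renamed group.
$GroupSid = 'S-1-5-32-554'

# Well-known principals named on this page, keyed by SID.
$Broad = @{
    'S-1-5-7'  = 'Anonymous Logon: no credentials needed to query the domain'
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users: any valid credential can query the domain'
}

function Get-PreWin2kAccessMember {
    $group = Get-ADGroup -Identity $GroupSid -Properties member
    foreach ($dn in $group.member) {
        # Well-known principals are stored as foreignSecurityPrincipal
        # objects, so read objectSid from the member object itself.
        $obj = Get-ADObject -Identity $dn -Properties objectSid
        $sid = $obj.objectSid
        # Resolve a display name where possible; fall back to the object name.
        $name = try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $obj.Name }
        [pscustomobject]@{
            Sid     = $sid.Value
            Name    = $name
            Class   = $obj.ObjectClass
            Finding = if ($Broad.ContainsKey($sid.Value)) { $Broad[$sid.Value] }
                      else { 'Explicit member: confirm it is still needed' }
        }
    }
}

$members = @(Get-PreWin2kAccessMember)
$members | Format-Table -AutoSize -Wrap

# Summarize the broad principals that this page warns about.
$hits = @($members | Where-Object { $Broad.ContainsKey($_.Sid) })
if ($hits.Count -gt 0) {
    Write-Warning ("{0} broad principal(s) in the group: {1}" -f $hits.Count, ($hits.Name -join ', '))
}
```

Before removing a member, test which legacy systems or applications still depend on this group for directory reads.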

Prenum is a script that exploits this by requesting information that might be useful to an attacker. It can search for computer accounts whose password is the same as the computer name, or that have no password at all.

- Full AMSI-Bypass
- Reflectively loading Rubeus and Certify
- Enumerate and test all computers in AD; check if their password is the same as the computer name
- Enumerate all users in AD; check if the password is blank
- Password-spray all users in AD
- Request Kerberos TGT for computer and/or user accounts found vulnerable (using Rubeus)
- Test for vulnerable certificate templates (using Certify)
- Do simple LDAP searches
- Run any Rubeus command
- Run any Certify command