Impersonating a computer in a Windows domain

Question

I've been trying to wrap my head around how computers are identified and granted access to a Windows domain. More specifically, I've been asking myself if whatever mechanism is involved really prevents faking the identity of a computer or not, and if so, then how?

Assuming one has full access to a computer that is already on the domain, I'm thinking that whatever information the domain controller relies on for identification could be replicated on another computer.

(As I understand it, what identifies a computer in a domain is one LSA shared secret. According to this Technet blog, LSA shared secrets can be decrypted and extracted.)

According to this answer to a question on Server Fault about re-joining a wiped computer to a domain it used to be on, and here on Information Security, this one about similar topics, it's not possible to have a computer assume even an existing identity in a windows domain.

If this is true, I would like to know the principle of behind this prevention mechanism. The answers given in the above links to me do not contain enough insight.

If the above claims are false, and it is in fact possible to fake the identity of a computer on the domain given the right circumstances, I would like in summary to know what steps would be involved.

Thank you beforehand for any effort to help me out.

Answer 1

When workstation joins domain, following happens:

• Workstation creates some random password, asks Domain Controller to create machine account and associate it with this password. User account must have "Add machine to domain" permission, domain admins do have this permission.
• Since Windows does not use names internally, but use SIDs for any account, workstation sid (may be checked with psgetsid) is stored in domain with associated password (password is stored in unicodepwd as any user password, see https://technet.microsoft.com/en-us/magazine/ff848710.aspx)

• Machine stores password in HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\$MACHINE.ACC. Only NT AUTHORITY\SYSTEM has access to this hive. Even local admin does not have (it is not registry permission, it is something hardcoded in Windows, I am sure).

• DC and workstation change password periodically. Funny, but old password stored there too (oldVal subkey). Pass may be reset manually: https://support.microsoft.com/en-us/kb/260575

This process is described here: https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/

Since all passwords for accounts are stored in HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets and only NT AUTHORITY\SYSTEM has access to this hive, person from article used powershell to impersonate its process to this account. You can do the same with psexec -i -s cmd.exe, and them launch regedit from there. Open $MACHINE.ACC and check it for CurrVal.

This hive also stores information about security permissions each account have, and all this is part of Local Security Policy (see https://msdn.microsoft.com/en-us/library/windows/desktop/ms721785(v=vs.85).aspx) managed by lsass.exe.

So, to fake PC you should at least be able to:

• Log into it
• Be able to run code as NT AUTHORITY\SYSTEM (be local admin and use tool like psexec)
• Read its password from $MACHINE.ACC
• Read its sid (with psgetsid)

And on another machine

• Change its name and SID (sysprep may be used, but I am not sure if you can set sid or it is chosen randomly, see https://blogs.technet.microsoft.com/markrussinovich/2009/11/03/the-machine-sid-duplication-myth-and-why-sysprep-matters/)

• Set its password for $MACHINE.ACC

I am not sure if it is enough to fake PC or not, but even this thing is does not look very easy: at least you need local admin permissions on another PC to impersonate System, and good IT whould never give you this access.