impacket-addcomputer 命令

常用示例

说明

impacket-addcomputer is a tool from the Impacket library that allows adding or removing computer accounts in an Active Directory domain. By default, domain users can add up to 10 computer accounts (controlled by the ms-DS-MachineAccountQuota attribute), making this useful for penetration testing scenarios. The tool communicates with the domain controller via LDAP or SAMR protocols to create machine accounts. Created computer accounts can then be used for various attack techniques including resource-based constrained delegation attacks.

参数

-computer-name _NAME_

Name of the computer account to add (should end with $)

-computer-pass _PASSWORD_

Password for the new computer account

-delete

Delete the specified computer account instead of adding

-no-add

Don't add a computer, only set its password (requires existing account)

-dc-ip _IP_

IP address of the domain controller

-dc-host _HOSTNAME_

Hostname of the domain controller

-use-ldaps

Use LDAPS instead of LDAP

-hashes _LMHASH:NTHASH_

Use NTLM hashes for authentication instead of password

-no-pass

Don't ask for password (useful with -k)

-k

Use Kerberos authentication from ccache file

-aesKey _KEY_

AES key to use for Kerberos authentication

-method _{SAMR,LDAPS}_

Method to add the computer account (default: SAMR)

-port _{139,445,636}_

Destination port (SAMR defaults to 445, LDAPS to 636)

-baseDN _DN_

LDAP base distinguished name (derived from domain if omitted)

-computer-group _GROUP_

LDAP path of group to add the computer to (e.g., CN=Computers,DC=test,DC=local)

-domain-netbios _NETBIOSNAME_

Domain NetBIOS name (required if the DC has multiple domains)

-ts

Add timestamps to output

-debug

Enable debug output