
impacket-addcomputer

Add or remove computer accounts in Active Directory via Impacket

TLDR

Add a computer account to the domain using default credentials
$ impacket-addcomputer -computer-name '[NEWPC$]' -computer-pass '[Password123]' '[domain]/[user]:[password]'
Add a computer account specifying the domain controller IP
$ impacket-addcomputer -computer-name '[NEWPC$]' -dc-ip [192.168.1.100] '[domain]/[user]:[password]'
Add a computer using LDAPS (secure connection)
$ impacket-addcomputer -computer-name '[NEWPC$]' -use-ldaps '[domain]/[user]:[password]'
Add a computer using Kerberos authentication with a ticket
$ impacket-addcomputer -computer-name '[NEWPC$]' -k -no-pass '[domain]/[user]'
Add a computer using the LDAPS method
$ impacket-addcomputer -computer-name '[NEWPC$]' -method LDAPS '[domain]/[user]:[password]'
Delete a computer account from the domain
$ impacket-addcomputer -computer-name '[TARGETPC$]' -delete '[domain]/[user]:[password]'

SYNOPSIS

impacket-addcomputer [-h] [-computer-name NAME] [-computer-pass PASSWORD] [-no-add] [-delete] [-method {SAMR,LDAPS}] [-port {139,445,636}] [-baseDN DC=x,DC=y] [-computer-group GROUP] [-domain-netbios NETBIOSNAME] [-dc-ip IP] [-dc-host HOSTNAME] [-use-ldaps] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey KEY] target

DESCRIPTION

impacket-addcomputer is a tool from the Impacket library that allows adding or removing computer accounts in an Active Directory domain. By default, domain users can add up to 10 computer accounts (controlled by the ms-DS-MachineAccountQuota attribute), making this useful for penetration testing scenarios. The tool communicates with the domain controller via LDAP or SAMR protocols to create machine accounts. Created computer accounts can then be used for various attack techniques including resource-based constrained delegation attacks.

PARAMETERS

-computer-name NAME
Name of the computer account to add (should end with $)
-computer-pass PASSWORD
Password for the new computer account
-delete
Delete the specified computer account instead of adding
-no-add
Don't add a computer, only set its password (requires existing account)
-dc-ip IP
IP address of the domain controller
-dc-host HOSTNAME
Hostname of the domain controller
-use-ldaps
Use LDAPS instead of LDAP
-hashes LMHASH:NTHASH
Use NTLM hashes for authentication instead of password
-no-pass
Don't ask for password (useful with -k)
-k
Use Kerberos authentication from ccache file
-aesKey KEY
AES key to use for Kerberos authentication
-method {SAMR,LDAPS}
Method to add the computer account (default: SAMR)
-port {139,445,636}
Destination port (SAMR defaults to 445, LDAPS to 636)
-baseDN DN
LDAP base distinguished name (derived from domain if omitted)
-computer-group GROUP
LDAP path of group to add the computer to (e.g., CN=Computers,DC=test,DC=local)
-domain-netbios NETBIOSNAME
Domain NetBIOS name (required if the DC has multiple domains)
-ts
Add timestamps to output
-debug
Enable debug output

CAVEATS

Requires valid domain credentials with permissions to create computer accounts. The default ms-DS-MachineAccountQuota may be set to 0 in hardened environments. Computer names should follow NetBIOS naming conventions and typically end with a dollar sign ($).
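For defenders, machine accounts created through the quota described above show up as Windows Security event 4741 ("A computer account was created"). The following is an added example, not part of Impacket or of the original page: it filters constructed 4741 records (JSON lines) for creators outside an approved join list. The `APPROVED_JOINERS` set, the JSON export shape, and all sample values are assumptions.

```python
import json
from collections import Counter

QUOTA = 10  # default ms-DS-MachineAccountQuota stated on this page
# Assumption: accounts your organization uses for legitimate domain joins.
APPROVED_JOINERS = {"svc-domainjoin"}

# Constructed sample: Security events exported as JSON lines; field names
# follow the EventData of event 4741. All values are made up.
SAMPLE_EVENTS = """
{"EventID": 4741, "TimeCreated": "2024-05-02T09:14:03Z", "SubjectUserName": "svc-domainjoin", "TargetUserName": "WS-0412$"}
{"EventID": 4741, "TimeCreated": "2024-05-02T11:47:51Z", "SubjectUserName": "jdoe", "TargetUserName": "NEWPC$"}
{"EventID": 4624, "TimeCreated": "2024-05-02T11:48:10Z", "SubjectUserName": "-", "TargetUserName": "jdoe"}
{"EventID": 4741, "TimeCreated": "2024-05-02T11:52:30Z", "SubjectUserName": "jdoe", "TargetUserName": "NEWPC2$"}
"""

def parse_events(text):
    """Return only the 4741 records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict) and record.get("EventID") == 4741:
            events.append(record)
    return events

def creator(event):
    """Lower-cased account that created the machine account ('' if absent)."""
    return str(event.get("SubjectUserName", "")).lower()

def unexpected_creations(events, approved=APPROVED_JOINERS):
    """Machine accounts created by principals outside the approved join list."""
    return [e for e in events if creator(e) not in approved]

def creations_per_user(events):
    """Creations seen in this log window, per creator, to compare with QUOTA."""
    return Counter(creator(e) for e in events)

if __name__ == "__main__":
    created = parse_events(SAMPLE_EVENTS)
    for e in unexpected_creations(created):
        print(f'{e["TimeCreated"]} {creator(e)} created {e.get("TargetUserName")}')
    for user, n in creations_per_user(created).items():
        print(f"{user}: {n} created in window (quota {QUOTA})")
```

The per-user count covers only the events in the supplied log window, so it is a lower bound on how much of the quota an account has used.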

HISTORY

Impacket was created by SecureAuth (formerly Core Security) as a collection of Python classes for working with network protocols. The addcomputer script was added to support Active Directory penetration testing workflows, particularly after research into resource-based constrained delegation attacks became prominent around 2018-2019.
