
ntlmrelayx: Add --dump-pre2k to enumerate Pre-Windows 2000 vulnerable computers#2145

Open
H4ckT0Th3Futur3 wants to merge 2 commits into
fortra:masterfrom
H4ckT0Th3Futur3:ntlmrelayx-dump-pre2k

Conversation

@H4ckT0Th3Futur3

@H4ckT0Th3Futur3 H4ckT0Th3Futur3 commented Mar 14, 2026

Summary

  • Add a new --dump-pre2k option to ntlmrelayx LDAP relay attacks
  • Enumerates computer accounts potentially vulnerable to Pre-Windows 2000 authentication, where the password is predictable (lowercase machine name without the trailing $)
  • Detection based on PASSWD_NOTREQD flag (0x0020) in userAccountControl and accounts with pwdLastSet=0
  • Results are displayed in the console and saved as JSON in the lootdir

Usage

ntlmrelayx.py -t ldap://DC_IP --dump-pre2k

Output example

[*] Enumerating computer accounts potentially vulnerable to Pre-Windows 2000 authentication
[*] Found 2 potentially vulnerable Pre-Windows 2000 computer account(s):
[*]   OLDPC01$                        Password: oldpc01                   OS: Windows Server 2012 R2
[*]   YOURPC$                         Password: yourpc                    OS: N/A
[*] Pre-Windows 2000 results saved to /tmp/loot/pre2k-dump-admin-12345.json

Test plan

  • Test with LDAP relay to a domain controller containing known pre-2k computer accounts
  • Verify JSON output file is correctly written to lootdir
  • Verify no false positives on standard computer accounts
  • Test with both LDAP and LDAPS targets

… computer accounts

Add a new LDAP relay attack option that identifies computer accounts
potentially vulnerable to pre-Windows 2000 authentication, where the
password is predictable (lowercase machine name without trailing $).

Detection is based on the PASSWD_NOTREQD flag (0x0020) in
userAccountControl and computer accounts with pwdLastSet=0.
Results are displayed in the console and saved as JSON in the lootdir.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@anadrianmanrique anadrianmanrique added the in review This issue or pull request is being analyzed label Mar 19, 2026
@gabrielg5 gabrielg5 added medium Medium priority item and removed in review This issue or pull request is being analyzed labels May 27, 2026
@gabrielg5
Collaborator

gabrielg5 commented May 27, 2026

Hey @H4ckT0Th3Futur3, thanks!

I just pushed one commit to dedupe the candidates processing in dumpPre2k function (b6e1e60).

There's one case, though, that still needs to be considered in the function. The one that's in the comment there:

pwdLastSet equals whenCreated (password was never changed since account creation)

I quickly tried in my lab (Win2022) creating a Computer Account with the Assign this computer account as a pre-Windows 2000 computer checkbox checked and the password was set as the account name with these values:

Name               : pre2klab1
SamAccountName     : PRE2KLAB1$
whenCreated        : 5/27/2026 4:51:22 PM
PwdLastSetDate     : 5/27/2026 4:51:22 PM

We may need to allow some seconds of tolerance, I guess.

@gabrielg5 gabrielg5 added the waiting for response Further information is needed from people who opened the issue or pull request label May 27, 2026
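Pulling together the detection rules from the PR description (PASSWD_NOTREQD in userAccountControl, pwdLastSet=0, password guess = lowercase name without the trailing $) and the case raised in review (pwdLastSet equal to whenCreated within a few seconds), the following is an added example for offline triage of exported LDAP entries. It is not impacket's dumpPre2k code or any code from this PR. Assumptions made here: each entry is a dict of LDAP string attributes as an LDAP client would return them, any single signal is enough to report an account (an OR that the PR text leaves open), and a 5-second tolerance for the whenCreated comparison; the sample entries are constructed.

```python
"""Classify AD computer accounts as pre-Windows 2000 candidates (added example, not impacket code)."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# userAccountControl bit named in the PR description.
PASSWD_NOTREQD = 0x0020
# Assumed tolerance for "pwdLastSet equals whenCreated", per the review comment's suggestion.
DEFAULT_TOLERANCE = timedelta(seconds=5)

# AD stores pwdLastSet as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """0 means the password was never set, which the PR treats as a signal."""
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_generalized_time(value: str) -> datetime:
    """whenCreated is an LDAP GeneralizedTime such as '20260527165122.0Z'."""
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def predictable_password(sam_account_name: str) -> str:
    """The pre-2k default described in the PR: lowercase machine name without the trailing '$'."""
    return sam_account_name.rstrip("$").lower()


@dataclass
class Finding:
    sAMAccountName: str
    password: str
    operatingSystem: str
    reasons: List[str]


def classify(entry: Dict[str, str], tolerance: timedelta = DEFAULT_TOLERANCE) -> Optional[Finding]:
    """Return a Finding if any pre-2k signal fires, recording which ones for analyst triage.

    Signals (any one is enough; that OR is this example's assumption):
      - PASSWD_NOTREQD set in userAccountControl
      - pwdLastSet == 0
      - pwdLastSet within `tolerance` of whenCreated (the case raised in review)
    """
    reasons: List[str] = []
    uac = int(entry.get("userAccountControl", "0"))
    if uac & PASSWD_NOTREQD:
        reasons.append("PASSWD_NOTREQD (0x0020) set")

    pwd_last_set = filetime_to_datetime(int(entry.get("pwdLastSet", "0")))
    if pwd_last_set is None:
        reasons.append("pwdLastSet=0")
    elif "whenCreated" in entry:
        created = parse_generalized_time(entry["whenCreated"])
        if abs(pwd_last_set - created) <= tolerance:
            reasons.append("pwdLastSet within %ds of whenCreated" % tolerance.total_seconds())

    if not reasons:
        return None
    sam = entry["sAMAccountName"]
    return Finding(sam, predictable_password(sam), entry.get("operatingSystem", "N/A"), reasons)


def enumerate_pre2k(entries, tolerance: timedelta = DEFAULT_TOLERANCE) -> List[Finding]:
    return [f for f in (classify(e, tolerance) for e in entries) if f is not None]


def to_json(findings: List[Finding]) -> str:
    """JSON list of findings, the same kind of artifact the PR writes to the lootdir."""
    return json.dumps([asdict(f) for f in findings], indent=2)


# Constructed sample entries (LDAP string attributes), not real directory data.
SAMPLE_CREATED = datetime(2026, 5, 27, 16, 51, 22, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    # WORKSTATION_TRUST_ACCOUNT (0x1000) | PASSWD_NOTREQD (0x0020) = 4128, password never set
    {"sAMAccountName": "OLDPC01$", "userAccountControl": "4128",
     "pwdLastSet": "0", "operatingSystem": "Windows Server 2012 R2"},
    # flag cleared, but pwdLastSet is one second after whenCreated (the reviewer's lab case)
    {"sAMAccountName": "PRE2KLAB1$", "userAccountControl": "4096",
     "whenCreated": "20260527165122.0Z",
     "pwdLastSet": str(datetime_to_filetime(SAMPLE_CREATED + timedelta(seconds=1)))},
    # ordinary domain-joined workstation: password rotated long after creation
    {"sAMAccountName": "WS-FINANCE07$", "userAccountControl": "4096",
     "whenCreated": "20240101090000.0Z",
     "pwdLastSet": str(datetime_to_filetime(datetime(2026, 3, 1, tzinfo=timezone.utc)))},
]

if __name__ == "__main__":
    print(to_json(enumerate_pre2k(SAMPLE_ENTRIES)))
```

The per-finding `reasons` list is what makes the test plan's "no false positives on standard computer accounts" item checkable: the whenCreated comparison is a heuristic, so an analyst reviewing the JSON can see whether an account was reported on the hard flag, on a never-set password, or only on the timing match, and apply the tolerance they trust for their own directory.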

Labels

medium Medium priority item waiting for response Further information is needed from people who opened the issue or pull request


3 participants