# sAMAccountName Spoofing in the Forest

### Description

The parent domain can be compromised from a user of the child domain using `noPac.exe` (the sAMAccountName spoofing exploit), written by cube0x0. I noticed that he didn't provide an example command for compromising the parent domain.

{% hint style="info" %}
**Forest Information**

unsafe.local = parent domain

gotham.unsafe.local = child domain

user1 = user of the gotham domain
{% endhint %}

For the above scenario, you must set the `-dc` parameter to a domain controller of the parent domain without specifying the `-domain` parameter, because if you specify the parent domain name with the credentials of a child domain user, an invalid credentials error occurs in the `NetworkCredential` class.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MOWsiA3y7BsN5oohlsn%2Fuploads%2FsLmIKoXLnf0A8LBXf9bk%2F7.JPG?alt=media\&token=fcba36a5-b00e-4273-826f-654cea7e3567)

If you specify the child domain name, the noPac exploit adds the machine account to `gotham.unsafe.local`, which defeats our objective. So `NetworkCredential.argDomain` should be empty. A username and password are enough to connect to the parent DC successfully (trust relations). We can see this by adding line 399.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MOWsiA3y7BsN5oohlsn%2Fuploads%2F9KgpQR7ATphxBDeHynQV%2F14.JPG?alt=media\&token=92c6d91d-9784-4007-a60b-83fb1bcda661)

The domain name that is required for adding a machine will be extracted from the specified DC name (line 421).

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MOWsiA3y7BsN5oohlsn%2Fuploads%2F49vMqauKCNO80JTTiyuY%2F12.JPG?alt=media\&token=b7d84a77-0dc0-4975-bf24-4b1f10922a9e)

{% code title="Commands" %}

```
noPac.exe -user [child-user] -pass [pass] -dc [parent-dc] -mAccount [machine-name] -mPassword [machine-pass] -service cifs -ptt
dir \\parent-dc\c$
```

{% endcode %}

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MOWsiA3y7BsN5oohlsn%2Fuploads%2Fn5sXtHXeIA9MCY50xNXu%2F13.JPG?alt=media\&token=ed620896-1068-4324-afdd-b98b68a861a9)
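For defenders, the activity described above leaves traces in the parent domain's Security log: a computer account created by a principal from another domain and, as part of sAMAccountName spoofing, a machine account renamed to a name without the trailing `$`. The following is an added example, not part of the original write-up or of noPac; the event records are constructed, and the names `PARENT-DC`, `DEMO01$`, `WS01$` and `helpdesk` are placeholders.

```python
# Constructed sample records (not real logs), shaped like parsed Windows
# Security events from a parent-domain DC. Field names follow events
# 4741 (computer account created) and 4781 (account name changed).
SAMPLE_EVENTS = [
    {"EventID": 4741, "TargetUserName": "WS01$", "TargetDomainName": "UNSAFE",
     "SubjectUserName": "helpdesk", "SubjectDomainName": "UNSAFE"},
    {"EventID": 4741, "TargetUserName": "DEMO01$", "TargetDomainName": "UNSAFE",
     "SubjectUserName": "user1", "SubjectDomainName": "GOTHAM"},
    {"EventID": 4781, "OldTargetUserName": "DEMO01$",
     "NewTargetUserName": "PARENT-DC", "TargetDomainName": "UNSAFE",
     "SubjectUserName": "user1", "SubjectDomainName": "GOTHAM"},
    {"EventID": 4781, "OldTargetUserName": "WS01$",
     "NewTargetUserName": "WS02$", "TargetDomainName": "UNSAFE",
     "SubjectUserName": "helpdesk", "SubjectDomainName": "UNSAFE"},
]


def find_suspicious(events, dc_names):
    """Return (rule, account, actor) tuples for events worth triage."""
    dcs = {n.rstrip("$").upper() for n in dc_names}
    findings = []
    for ev in events:
        actor_dom = ev.get("SubjectDomainName", "").upper()
        target_dom = ev.get("TargetDomainName", "").upper()
        actor = f'{actor_dom}\\{ev.get("SubjectUserName", "")}'
        if ev.get("EventID") == 4741 and actor_dom != target_dom:
            # Machine account created by a principal from another domain
            # in the forest (here: child-domain user, parent-domain object).
            findings.append(
                ("cross-domain-machine-create", ev["TargetUserName"], actor))
        elif ev.get("EventID") == 4781:
            old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
            # Machine accounts end in "$"; a rename that drops it is
            # abnormal, and one that lands on a DC's name is the spoof.
            if old.endswith("$") and not new.endswith("$"):
                rule = ("rename-to-dc-name" if new.upper() in dcs
                        else "machine-rename-drops-dollar")
                findings.append((rule, f"{old} -> {new}", actor))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS, ["PARENT-DC$"]):
        print(finding)
```

The `dc_names` list would come from the parent domain's own inventory of domain controllers; same-domain creations and ordinary `$`-to-`$` renames are not flagged.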

<pre><code><strong># Author: Metin Yunus Kandemir
</strong></code></pre>

### Reference

<https://github.com/cube0x0/noPac>
