sAMAccountName Spoofing in the Forest

Exploiting sAMAccountName spoofing (CVE-2021-42278 & CVE-2021-42287) from the child domain can led to compromise the parent domain

Description
Parent domain can be compromised from a user of the child domain using the noPac.exe (sAMAccountName spoofing exploit) is written by cube0x0. I notice that he didn't refer example command to compromise the parent domain. 
Forest Information
unsafe.local = parent domain
gotham.unsafe.local = child domain
user1 = user of the gotham domain
For above scenario, you must set -dc parameter as a domain controller of the parent domain without specifying -domain parameter because if you specify a parent domain name with the credentials of a child domain user, invalid credentials error occurs in the NetworkCredential class. 
If you specify the child domain name, a machine account will be added to gotham.unsafe.local by the noPac exploit and it fails our objective. So NetworkCredential.argDomain should be empty. Username and password are enough to connect parent DC successfully. (trust relations) We can see this adding line 399.
The domain name that is required for adding a machine will be extracted from the specified DC name (line 421).
Commands
noPac.exe -user [child-user] -pass [pass] -dc [parent-dc] -mAccount [machine-name] -mPassword [machine-pass] -service cifs -ptt
dir \\parent-dc\c$
Reference
​https://github.com/cube0x0/noPac​

UNSAFE

Pass-the-Hash Attack Over Named Pipes Against ESET Server Security

Last modified 1yr ago