sAMAccountName Spoofing in the Forest

Exploiting sAMAccountName spoofing (CVE-2021-42278 & CVE-2021-42287) from the child domain can lead to compromise of the parent domain.

Description

The parent domain can be compromised from a user of the child domain using noPac.exe, the sAMAccountName spoofing exploit written by cube0x0. I noticed that he didn't give an example command for compromising the parent domain.

Forest Information

unsafe.local = parent domain

gotham.unsafe.local = child domain

user1 = user of the gotham domain

For the above scenario, you must set the -dc parameter to a domain controller of the parent domain without specifying the -domain parameter, because if you specify the parent domain name together with the credentials of a child domain user, an invalid credentials error occurs in the NetworkCredential class.

If you specify the child domain name, a machine account will be added to gotham.unsafe.local by the noPac exploit, which defeats our objective. So NetworkCredential.argDomain should be left empty. Username and password are enough to connect to the parent DC successfully (because of the trust relationship). This can be seen at line 399 of the noPac source.

The domain name required for adding a machine account is extracted from the specified DC name (line 421).
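As an added example (not part of the original page or of the noPac project), here is a small Python checker written from the defender's side. It flags, in Windows Security audit event records, the account activity this technique produces: a computer account created in the parent domain by a principal from another domain (Event ID 4741, which matches the child-user-to-parent-DC scenario above) and a computer account whose sAMAccountName is rewritten to lose its trailing `$` (Event ID 4742). The field names follow the EventData names of these two events; the records themselves are constructed for illustration, and the domain and account names in them are placeholders.

```python
"""Checker for sAMAccountName spoofing activity (CVE-2021-42278 / CVE-2021-42287).

Works on already-parsed Windows Security events (dicts keyed by the
EventData field names). Two signals are raised:
  * 4741 (computer account created): the creator's domain differs from the
    domain the account is created in, or the new name has no trailing '$';
  * 4742 (computer account changed): the sAMAccountName is changed from a
    name ending in '$' to one without it.
Added example, not project code; the sample events below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Finding:
    event_id: int
    account: str
    reason: str


def _cross_domain(rec: Dict[str, str]) -> bool:
    """True when the acting principal and the target object are in different domains."""
    return rec.get("SubjectDomainName", "").upper() != rec.get("TargetDomainName", "").upper()


def analyze(records: Iterable[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per suspicious computer-account creation or rename."""
    findings: List[Finding] = []
    for rec in records:
        event_id = int(rec["EventID"])
        if event_id == 4741:
            # On 4741, TargetUserName is the sAMAccountName of the new computer object.
            name = rec.get("TargetUserName", "")
            if not name.endswith("$"):
                findings.append(Finding(4741, name, "computer account created without trailing '$'"))
            if _cross_domain(rec):
                actor = f"{rec.get('SubjectDomainName')}\\{rec.get('SubjectUserName')}"
                findings.append(Finding(4741, name,
                                        f"computer account created in {rec.get('TargetDomainName')} by {actor} (cross-domain)"))
        elif event_id == 4742:
            # On 4742, TargetUserName is the account's current name and
            # SamAccountName is the new value, or '-' if that attribute did not change.
            old = rec.get("TargetUserName", "")
            new = rec.get("SamAccountName", "-")
            if new != "-" and old.endswith("$") and not new.endswith("$"):
                findings.append(Finding(4742, old, f"sAMAccountName renamed to '{new}', trailing '$' removed"))
    return findings


# Constructed sample events (placeholder names; not real log data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: a parent-domain admin joins a workstation to its own domain.
    {"EventID": "4741", "SubjectUserName": "admin", "SubjectDomainName": "UNSAFE",
     "TargetUserName": "WS01$", "TargetDomainName": "UNSAFE"},
    # Suspicious: a child-domain user creates a machine account in the parent domain.
    {"EventID": "4741", "SubjectUserName": "user1", "SubjectDomainName": "GOTHAM",
     "TargetUserName": "FAKEPC$", "TargetDomainName": "UNSAFE"},
    # Benign: an attribute change on a computer object that does not touch the name.
    {"EventID": "4742", "SubjectUserName": "admin", "SubjectDomainName": "UNSAFE",
     "TargetUserName": "WS01$", "TargetDomainName": "UNSAFE", "SamAccountName": "-"},
    # Suspicious: the new machine account loses its trailing '$'.
    {"EventID": "4742", "SubjectUserName": "user1", "SubjectDomainName": "GOTHAM",
     "TargetUserName": "FAKEPC$", "TargetDomainName": "UNSAFE", "SamAccountName": "PARENTDC"},
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.account}: {f.reason}")
```

Run against the sample events, the benign creation and attribute change produce nothing, while the cross-domain creation and the rename each produce one finding. In a real pipeline the domain comparison would be fed from the SIEM's parsed fields, and the 4742 check is the more specific of the two, since legitimate cross-domain computer creation can occur in some environments.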

Commands
noPac.exe -user [child-user] -pass [pass] -dc [parent-dc] -mAccount [machine-name] -mPassword [machine-pass] -service cifs -ptt
dir \\parent-dc\c$

Author: Metin Yunus Kandemir

Reference

https://github.com/cube0x0/noPac
