NoPac / sAMAccountName Spoofing in Active Directory Domain Services
CVE-2021-42278 is an Active Directory Domain Services elevation-of-privilege vulnerability in Microsoft Windows Server, commonly referred to as the sAMAccountName spoofing component of the NoPac attack chain. The flaw allows an account's sAMAccountName to be manipulated in a way that can be abused against Active Directory/Kerberos workflows. Reporting consistently describes CVE-2021-42278 together with CVE-2021-42287: an attacker renames or spoofs a computer account and then leverages Kerberos behavior to obtain a ticket associated with a domain controller computer account. Chained with CVE-2021-42287, this can let a low-privileged domain user impersonate a domain controller and effectively escalate to domain administrator-level privileges.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (5 hidden).
This repository is a Python-based exploit for chaining CVE-2021-42278 and CVE-2021-42287 against Microsoft Active Directory Domain Controllers. The main exploit logic is in 'exp.py', which automates the attack chain: it creates a new computer account, renames it to impersonate the DC, obtains Kerberos tickets as a privileged user, and then uses these tickets to either execute commands (via 'smbexec.py') or dump password hashes (via 'secretsdump.py'). Supporting modules in the 'utils' directory handle Kerberos ticket requests, LDAP operations, and computer account management. The exploit is operational and provides both shell access and credential dumping capabilities if the target is vulnerable. The attack is performed over the network and targets the DC's IP address, requiring valid domain credentials and network access to the DC. The repository is structured with a clear separation between the main exploit, supporting scripts, and utility modules.
This repository is a C# implementation of the 'noPac' exploit, targeting the combination of CVE-2021-42287 and CVE-2021-42278 in Microsoft Active Directory Domain Controllers. The exploit enables a low-privileged domain user to escalate privileges to Domain Admin by abusing flaws in the Kerberos protocol and Active Directory object management. The codebase is structured as a Visual Studio solution with a main entry point in 'noPac/Program.cs'. Supporting libraries handle ASN.1 parsing, Kerberos protocol operations, LDAP manipulation, cryptographic operations, and ticket forging. The exploit works by creating a new machine account, manipulating its attributes via LDAP, requesting Kerberos tickets (TGTs) for the new account, and then leveraging S4U (Service for User) functionality to impersonate privileged accounts. The tool communicates with Domain Controllers over standard ports (TCP 88 for Kerberos, TCP 389 for LDAP, and TCP 464 for kpasswd). The repository is mature and operational, providing a full exploit chain rather than just a proof of concept. It is not part of a larger exploitation framework but is a standalone tool. The README and code comments credit prior research and tools such as Rubeus and SharpMad, and recommend patching Domain Controllers to mitigate the vulnerabilities.
This repository contains a Python exploit (pachine.py) for CVE-2021-42278, a privilege escalation vulnerability in Microsoft Active Directory. The exploit leverages a flaw in the way sAMAccountName is handled during Kerberos authentication, allowing an attacker with domain user credentials to create a machine account with a name matching a domain controller (minus the trailing '$'), obtain a TGT, rename the account, and then impersonate privileged users (such as the domain administrator) via S4U2Self. The resulting Kerberos ticket can be used for pass-the-ticket attacks, enabling remote code execution as SYSTEM on the domain controller. The repository is structured with a single main code file (pachine.py), a README with detailed usage instructions and examples, and standard project files (.gitignore, LICENSE). The exploit requires network access to the DC and valid domain credentials, and is operational with a functional payload that automates the attack chain. No hardcoded endpoints are present, but the tool requires the attacker to specify the target DC's FQDN or IP address.
This repository is a C# implementation of the 'noPac' exploit, which targets a combination of two critical Active Directory vulnerabilities: CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (KDC confusion). The exploit allows an attacker with domain user credentials to escalate privileges to domain admin by manipulating machine accounts and Kerberos tickets. The codebase is structured as a Visual Studio solution with a main entry point in 'noPac/Program.cs', and supporting libraries for Kerberos protocol manipulation, ASN.1 parsing, cryptography, and ticket forging. The exploit works by creating or modifying a machine account, requesting a TGT as that account, and then leveraging the vulnerabilities to obtain a TGT for the domain controller. The attacker can then use Pass-the-Ticket (PTT) to inject the ticket and gain access to domain resources as a privileged user. The repository is operational and provides a working exploit, not just a proof of concept. It is not part of a larger exploitation framework, but is a standalone tool. The code is well-structured and modular, with clear separation between Kerberos protocol logic, cryptographic operations, and exploit orchestration. The README provides detailed usage instructions and example commands, as well as environmental requirements (Windows, .NET 4.0+).
This repository is a Python-based exploit chain targeting Microsoft Active Directory environments vulnerable to CVE-2021-42278 and CVE-2021-42287. The main script, 'sam_the_admin.py', orchestrates the attack by creating a new computer account, renaming its sAMAccountName to match a Domain Controller, obtaining a Kerberos TGT as the DC, and then using S4U2self/S4U2proxy to impersonate a Domain Admin. The exploit leverages impacket and related libraries for LDAP and Kerberos operations. After successful exploitation, the attacker can use impacket-smbexec to obtain a shell or impacket-secretsdump to extract secrets from the DC. The code is modular, with helper scripts in the 'utils' directory handling LDAP, Kerberos, and SAMR operations. The exploit is operational and provides a practical attack path for privilege escalation from a standard domain user to Domain Admin in unpatched environments.
This repository is a Python-based exploit toolkit targeting Microsoft Active Directory environments vulnerable to CVE-2021-42278 and CVE-2021-42287. The main exploit script is `noPac.py`, which chains these vulnerabilities to escalate privileges from a standard domain user to Domain Admin by manipulating computer account attributes and abusing Kerberos delegation (S4U2Self/S4U2Proxy). The toolkit allows attackers to:
- Add or rename computer accounts in the domain (abusing MachineAccountQuota or CreateChild permissions)
- Request Kerberos service tickets as privileged users (impersonation)
- Dump domain hashes (NTDS.dit) using secretsdump techniques
- Obtain a remote shell on the domain controller via SMB (smbexec)
The repository includes supporting modules for LDAP/Kerberos operations, computer account management, hash dumping, and remote command execution. There is also a `scanner.py` script for vulnerability detection. The exploit is operational and provides real post-exploitation capabilities, including hash extraction and shell access. The code is modular, leveraging Impacket and ldapdomaindump libraries, and is intended for use in penetration testing or red teaming against unpatched Windows AD environments.
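Every summary above hinges on the same directory-side artifact: a computer account that a low-privileged user created and then renamed so that its sAMAccountName lost its trailing '$' and matched a domain controller's name. That artifact is what a defender can look for. The following is an added detection-side example written for this page; it is not code from any of the repositories above nor from Mallory. It runs over constructed sample records shaped like two real Windows Security events (4741, computer account created; 4781, account name changed) and over constructed directory entries, and it flags (a) renames that strip the '$' or collide with a DC name, (b) the create-then-rename sequence by one subject, and (c) computer objects whose sAMAccountName lacks the '$', the condition Microsoft's guidance for this CVE recommends querying for. The DC list, account names and event records are all invented for the example.

```python
"""Defender-side checks for the sAMAccountName-spoofing pattern (CVE-2021-42278).

All input below is constructed sample data, not captured from a real domain.
Field names follow the real Windows Security event schema:
  4741 "A computer account was created"   -> SubjectUserName, TargetUserName
  4781 "The name of an account was changed" -> SubjectUserName, OldTargetUserName, NewTargetUserName
"""
from collections import defaultdict

# Constructed events in chronological order: a user creates a machine account,
# renames it to a DC's name without the '$', then renames it back.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "WKSTN-7F3A$"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "WKSTN-7F3A$", "NewTargetUserName": "DC01"},
    {"EventID": 4781, "SubjectUserName": "svc-build", "OldTargetUserName": "BUILD01$", "NewTargetUserName": "BUILD02$"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "DC01", "NewTargetUserName": "WKSTN-7F3A$"},
]

# Constructed DC list; in production derive it from the directory, not a literal.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# Constructed directory entries standing in for the result of an LDAP search.
SAMPLE_LDAP_ENTRIES = [
    {"dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example", "objectClass": ["top", "computer"], "sAMAccountName": "DC01$"},
    {"dn": "CN=WKSTN-7F3A,CN=Computers,DC=corp,DC=example", "objectClass": ["top", "computer"], "sAMAccountName": "DC01"},
    {"dn": "CN=jdoe,CN=Users,DC=corp,DC=example", "objectClass": ["top", "user"], "sAMAccountName": "jdoe"},
]


def is_computer_name(sam):
    """Computer accounts normally carry a trailing '$' in sAMAccountName."""
    return sam.endswith("$")


def find_suspicious_renames(events, dc_names):
    """Return (subject, old, new, reasons) for 4781 renames matching the spoofing pattern."""
    dc_bare = {n.rstrip("$").upper() for n in dc_names}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4781:
            continue
        old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
        reasons = []
        if is_computer_name(old) and not is_computer_name(new):
            reasons.append("computer account lost trailing '$'")
        if new.rstrip("$").upper() in dc_bare:
            reasons.append("new name collides with a domain controller")
        if old.rstrip("$").upper() in dc_bare:
            reasons.append("old name collided with a domain controller (rename-back)")
        if reasons:
            findings.append((ev["SubjectUserName"], old, new, reasons))
    return findings


def created_then_renamed(events):
    """Pair a 4741 creation with later 4781 renames of the same account by the same subject.

    Assumes events are ordered chronologically. Follows the account across renames so the
    rename-back step is attributed to the same creator.
    """
    created = defaultdict(set)
    hits = []
    for ev in events:
        subj = ev["SubjectUserName"]
        if ev.get("EventID") == 4741:
            created[subj].add(ev["TargetUserName"].upper())
        elif ev.get("EventID") == 4781 and ev["OldTargetUserName"].upper() in created[subj]:
            hits.append((subj, ev["OldTargetUserName"], ev["NewTargetUserName"]))
            created[subj].discard(ev["OldTargetUserName"].upper())
            created[subj].add(ev["NewTargetUserName"].upper())
    return hits


def computers_missing_dollar(entries):
    """sAMAccountNames of objectClass=computer entries that lack the trailing '$'."""
    return [
        e["sAMAccountName"]
        for e in entries
        if "computer" in e.get("objectClass", []) and not is_computer_name(e["sAMAccountName"])
    ]


if __name__ == "__main__":
    for subj, old, new, why in find_suspicious_renames(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(f"[rename] {subj}: {old} -> {new}: {'; '.join(why)}")
    for subj, old, new in created_then_renamed(SAMPLE_EVENTS):
        print(f"[create+rename] {subj} created an account later renamed {old} -> {new}")
    for sam in computers_missing_dollar(SAMPLE_LDAP_ENTRIES):
        print(f"[directory] computer object without trailing '$': {sam}")
```

The rename checks are the cheapest to deploy because 4781 is emitted on the domain controller that processes the change; the directory sweep catches accounts that were renamed before logging was in place or whose events have rolled over. Run the sweep against a live domain by feeding it the output of an LDAP search for objectClass=computer instead of the constructed list.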
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An Active Directory vulnerability associated with sAMAccountName spoofing and Domain Controller impersonation that can contribute to privilege escalation in domain environments.
An Active Directory vulnerability referenced in conjunction with CVE-2021-42287 as part of weaponization for privilege escalation in domain environments.
One of the two CVEs comprising the NoPac Active Directory privilege escalation chain, used by Black Basta to elevate privileges at the domain level.
One of the NoPac-related Active Directory/Windows privilege escalation chain vulnerabilities, listed as exploited by Black Basta.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.