Hi,
The original only supports the RC4 encryption scheme, which is bad for OPSEC and breaks the exploit if the target domain has RC4 disabled. The MR supports DES, RC4, AES128 and AES256 (default), and the code changes will also allow the exploit to be reflectively loaded by PowerShell like this: https://github.com/ricardojba/Invoke-noPac
KINGSABRI reviewed on Dec 21, 2021 and left a comment:
This code returns
[+] Domain: vulnerable.com
[+] User account: user99
[+] Encryption type: AES256 (default when no /enctype is specified and for better opsec)
[+] Distinguished Name = CN=noPacFakeComp1,CN=Computers,DC=vulnerable,DC=com
[+] Machine account noPacFakeComp1 added
[+] Machine account noPacFakeComp1 attribute serviceprincipalname cleared
[+] Machine account noPacFakeComp1 attribute samaccountname updated
[X] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED
Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
at noPac.Program.Main(String[] args)
even when specifying an accepted encryption type (e.g. rc4).
Additionally, it doesn't handle an existing object properly:
System.DirectoryServices.DirectoryServicesCOMException (0x80071392): The object already exists.
at System.DirectoryServices.DirectoryEntry.CommitChanges()
at noPac.Program.SetMachineAccountAttribute(String container, String distinguishedName, String domain, String domainController, String attribute, String machineAccount, String value, Boolean append, Boolean clear, Boolean verbose, NetworkCredential credential)
Unhandled Exception: System.DirectoryServices.DirectoryServicesCOMException: The object already exists.
at System.DirectoryServices.DirectoryEntry.CommitChanges()
at noPac.Program.SetMachineAccountAttribute(String container, String distinguishedName, String domain, String domainController, String attribute, String machineAccount, String value, Boolean append, Boolean clear, Boolean verbose, NetworkCredential credential)
at noPac.Program.Main(String[] args)
Is there any delegate way to detect the supported encryption before executing the command? Or could the scan and/or exploit functions detect the supported algorithm?
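The question above asks how a client could learn which encryption types the KDC will accept before committing to one. The following Python is an added example written for this page; it is not code from noPac or from Invoke-noPac. It shows the two pre-flight checks available: decoding the account's msDS-SupportedEncryptionTypes bitmask (which would be read over LDAP; the read itself is not performed here), and parsing the PA-ETYPE-INFO2 entries a KDC returns in the e-data of KRB-ERROR 25 (KDC_ERR_PREAUTH_REQUIRED) when an AS-REQ is sent without pre-authentication (RFC 4120 section 5.2.7.5). The network exchange is not performed; the e-data blob, the realm and host name used in the salt, and all function names are constructed for the example.

```python
"""Pre-flight Kerberos etype discovery (added example, not noPac code).

A client can find out which etypes a KDC will accept for a principal before
sending pre-authentication by (1) decoding msDS-SupportedEncryptionTypes from
the account object, or (2) sending an AS-REQ without pre-auth and parsing the
PA-ETYPE-INFO2 entries in the resulting KRB-ERROR 25 e-data; each entry also
carries the salt needed for AES string-to-key (RFC 3962).  The blob parsed
below is constructed, not a capture.
"""

# Etype numbers from RFC 3961 / RFC 3962 / RFC 4757
DES_CBC_CRC, DES_CBC_MD5, AES128_CTS, AES256_CTS, RC4_HMAC = 1, 3, 17, 18, 23
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7)
SUPPORTED_BITS = {0x01: DES_CBC_CRC, 0x02: DES_CBC_MD5, 0x04: RC4_HMAC,
                  0x08: AES128_CTS, 0x10: AES256_CTS}
PA_ENC_TIMESTAMP, PA_ETYPE_INFO2 = 2, 19
STRENGTH_ORDER = (AES256_CTS, AES128_CTS, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)


def etypes_from_mask(mask):
    """Decode an msDS-SupportedEncryptionTypes value into etype numbers."""
    return [et for bit, et in SUPPORTED_BITS.items() if mask & bit]


def choose_etype(offered, requested=None):
    """Requested etype if the KDC offers it, else the strongest offered
    (an AES256-by-default policy); None when nothing usable is offered."""
    if requested is not None:
        return requested if requested in offered else None
    return next((e for e in STRENGTH_ORDER if e in offered), None)


# --- minimal DER helpers (definite lengths only, single-byte tags) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    """DER INTEGER for a signed value (two's complement, minimal length + sign)."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def der_read(buf, pos=0):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    pos = 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        yield tag, child


def parse_etype_info2(blob):
    """ETYPE-INFO2 ::= SEQUENCE OF SEQUENCE { etype [0] Int32,
    salt [1] KerberosString OPTIONAL, ... }.  Returns [(etype, salt), ...]."""
    _, seq, _ = der_read(blob)
    out = []
    for _, entry in der_children(seq):
        etype = salt = None
        for ctag, inner in der_children(entry):
            _, ibody, _ = der_read(inner)
            if ctag == 0xA0:
                etype = int.from_bytes(ibody, "big", signed=True)
            elif ctag == 0xA1:
                salt = ibody.decode()
        out.append((etype, salt))
    return out


def etype_info2_from_edata(edata):
    """METHOD-DATA ::= SEQUENCE OF PA-DATA { padata-type [1] Int32,
    padata-value [2] OCTET STRING }.  Returns the PA-ETYPE-INFO2 entries or []."""
    _, seq, _ = der_read(edata)
    for _, pa in der_children(seq):
        ptype = pvalue = None
        for ctag, inner in der_children(pa):
            _, ibody, _ = der_read(inner)
            if ctag == 0xA1:
                ptype = int.from_bytes(ibody, "big", signed=True)
            elif ctag == 0xA2:
                pvalue = ibody
        if ptype == PA_ETYPE_INFO2 and pvalue:
            return parse_etype_info2(pvalue)
    return []


def build_sample_edata(etypes, salt):
    """Constructed KRB-ERROR 25 e-data offering the given etypes (sample data)."""
    info2 = tlv(0x30, b"".join(
        tlv(0x30, tlv(0xA0, der_int(e)) + tlv(0xA1, tlv(0x1B, salt.encode())))
        for e in etypes))
    pa = lambda t, v: tlv(0x30, tlv(0xA1, der_int(t)) + tlv(0xA2, tlv(0x04, v)))
    return tlv(0x30, pa(PA_ENC_TIMESTAMP, b"") + pa(PA_ETYPE_INFO2, info2))


def preflight(edata, requested=None):
    """(etype, salt) to use for pre-auth, or (None, None) so the caller can
    abort instead of sending a timestamp the KDC cannot decrypt (error 24)."""
    entries = etype_info2_from_edata(edata)
    chosen = choose_etype([e for e, _ in entries], requested)
    return (None, None) if chosen is None else (chosen, dict(entries)[chosen])


if __name__ == "__main__":
    # Constructed: computer-account salt is REALM + "host" + fqdn (RFC 4120 4.2 / MS-KILE)
    salt = "VULNERABLE.COMhostnopacfakecomp1.vulnerable.com"
    aes_only = build_sample_edata([AES256_CTS, AES128_CTS], salt)  # RC4 disabled
    print(preflight(aes_only))            # strongest offered: AES256 plus its salt
    print(preflight(aes_only, RC4_HMAC))  # (None, None): abort, do not send pre-auth
    print([ETYPE_NAMES[e] for e in etypes_from_mask(0x1C)])
```

Against a KDC that offers only AES, the block picks AES256 and the salt it must use; an RC4 request against the same KDC returns (None, None), which is the point at which a tool should stop rather than send a pre-auth timestamp under a key the DC does not hold (that failure surfaces as KRB-ERROR 24, KDC_ERR_PREAUTH_FAILED). The salt is returned because AES keys depend on it: RFC 3962 string-to-key salts the password with the ETYPE-INFO2 value, so deriving an AES key from a locally guessed salt instead of the one the KDC reports is another way to fail pre-auth; that is a general caveat, not a diagnosis of the trace in the comment above.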