-
Notifications
You must be signed in to change notification settings - Fork 787
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Patch SamAccountName [CVE-2021-42287] #145
Comments
Hi Mayfly, The command output shows me that the PAC cannot be affected by CVE 2021-42278 : $ netexec smb winterfell.north.sevenkingdoms.local -u jon.snow -p iknownothing -d north.sevenkingdoms.local -M nopac
SMB 192.168.10.11 445 WINTERFELL [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.10.11 445 WINTERFELL [+] north.sevenkingdoms.local\jon.snow:iknownothing
NOPAC 192.168.10.11 445 WINTERFELL TGT with PAC size 1743
NOPAC 192.168.10.11 445 WINTERFELL TGT without PAC size 1743 I hadn't specified it, but my lab was setup on Proxmox (following your doc). Perhaps there's a difference with the lab set up locally via viagrant? |
Sad :/ , certainly the image you take (or the link i provide) for setting up the lab is more recent and patched. imo you can try on essos if it work. |
Indeed, it works on essos! $ netexec smb meereen.essos.local -u khal.drogo -p horse -d essos.local -M nopac
SMB 192.168.10.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.10.12 445 MEEREEN [+] essos.local\khal.drogo:horse
NOPAC 192.168.10.12 445 MEEREEN TGT with PAC size 1465
NOPAC 192.168.10.12 445 MEEREEN TGT without PAC size 708
NOPAC 192.168.10.12 445 MEEREEN
NOPAC 192.168.10.12 445 MEEREEN VULNERABLE
NOPAC 192.168.10.12 445 MEEREEN Next step: https://github.com/Ridter/noPac (thank you Microsoft for not patching Windows Server 2016) Thanks for your feedback |
Hi,
It would appear that the SamAccountName vulnerability is no longer exploitable on DC02. I've tried to exploit it with Impacket pull requests (fortra/impacket#1202 and fortra/impacket#1224) and also with ldapmodify and in both cases I get an error 00000523 (https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e -> make sure sAMAccountName ends with '$').
Via Impacket :
Via Ldapsearch :
Why DC02? Because this is the example used in mayfly277's write-up.
The text was updated successfully, but these errors were encountered: