{"uuid": "17abb29c-6f99-4c01-a06c-9708d84e788d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/ETHICALHACKERSCOMMUNITY2/1110", "content": "Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user  Changed from sam-the-admin (https://github.com/WazeHell/sam-the-admin).\n  Usage  SAM THE ADMIN CVE-2021-42278 + CVE-2021-42287 chain\n\npositional arguments:\n  [domain/]username[:password]\n                        Account used to authenticate to DC.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --impersonate IMPERSONATE\n                        target username that will be impersonated (thru S4U2Self) for quering the ST. Keep in mind this will only work if the identity provided in this scripts is allowed for delegation to the SPN specified\n  -domain-netbios NETBIOSNAME\n                        Domain NetBIOS name. Required if the DC has multiple domains.\n  -target-name NEWNAME  Target computer name, if not specified, will be random generated.\n  -new-pass PASSWORD    Add new computer password, if not specified, will be random generated.\n  -old-pass PASSWORD    Target computer password, use if you know the password of the target you input with -target-name.\n  -ol   d-hash LMHASH:NTHASH\n                        Target computer hashes, use if you know the hash of the target you input with -target-name.\n  -debug                Turn DEBUG output ON\n  -ts                   Adds timestamp to every logging output\n  -shell                Drop a shell via smbexec\n  -no-add               Forcibly change the password of the target computer.\n  -create-child         Current account have permission to CreateChild.\n  -dump                 Dump Hashs via secretsdump\n  -use-ldap             Use LDAP instead of LDAPS\n\nauthentication:\n  -hashes LMHASH:NTHASH\n                        NTLM hashes, format is LMHASH:NTHASH\n  -no-pass              don't ask for password (useful for -k)\n  -k                    Use Kerberos (https://www.kitploit.com/search/label/Kerberos) authentication. Grabs credentials (https://www.kitploit.com/search/label/Credentials) from ccache file (KRB5CCNAME) based on account parameters. If valid credentials cannot be found, it will use the ones specified in the command line\n  -aesKey hex key       AES key to use for Kerberos Authentication (https://www.kitploit.com/search/label/Authentication) (128 or 256 bits)\n  -dc-host hostname     Hostname of the domain controller (https://www.kitploit.com/search/label/Domain%20Controller) to use. If ommited, the domain part (FQDN) specified in the account parameter will be used\n  -dc-ip ip             IP of the domain controller to use. Useful if you can't translate the FQDN.specified in the account parameter will be used\n\nexecute options:\n  -port [destination port]\n                        Destination port to connect to SMB Server\n  -mode {SERVER,SHARE}  mode to use (default SHARE, SERVER needs root!)&lt;   br/&gt;  -share SHARE          share where the output will be grabbed from (default ADMIN$)\n  -shell-type {cmd,powershell}\n                        choose a command processor for the semi-interactive shell\n  -codec CODEC          Sets encoding (https://www.kitploit.com/search/label/Encoding) used (codec) from the target's output (default \"GBK\").\n  -service-name service_name\n                        The name of theservice used to trigger the payload\n\ndump options:\n  -just-dc-user USERNAME\n                        Extract only NTDS.DIT data for the user specified. Only available for DRSUAPI approach. Implies also -just-dc switch\n  -just-dc              Extract only NTDS.DIT data (NTLM hashes and Kerberos keys)\n  -just-dc-ntlm         Extract only NTDS.DIT data (NTLM hashes only)\n  -pwd-last-set         Shows pwdLastSet attribute for each NTDS.DIT account. Doesn't apply to -outputfile data\n  -use   r-status          Display whether or not the user is disabled\n  -history              Dump password history, and LSA secrets OldVal\n  -resumefile RESUMEFILE", "creation_timestamp": "2022-09-06T14:17:32.000000Z"}