
What is the Microsoft AD noPac Exploit?

The noPac Microsoft Active Directory exploit targets a security vulnerability discovered in 2021 that affects Microsoft Active Directory (AD). It allows attackers to bypass the "Protected Users" security group in AD, a security feature designed to protect accounts against certain types of attacks.

To understand the noPac exploit, it's helpful to first understand how the "Protected Users" security group works. When a user is added to the "Protected Users" security group, their account is given additional security protections.

These protections include:

  1. No Kerberos delegation: Users in the "Protected Users" security group are not allowed to delegate their Kerberos tickets, so those tickets cannot be used to authenticate to other systems on the network on the user's behalf.

  2. No NTLM authentication: Users in the "Protected Users" security group are not allowed to use NTLM authentication, a legacy authentication protocol that is susceptible to certain types of attacks.

  3. No LM or NTLM password hashes: Users in the "Protected Users" security group do not have their LM or NTLM password hashes stored, so those hashes cannot be used in certain types of attacks.

  4. No offline password cracking: Users in the "Protected Users" security group do not have their password hashes stored in the AD database, so those hashes cannot be cracked offline.

The noPac exploit allows attackers to bypass these protections by exploiting a weakness in the way the "Protected Users" security group is implemented. Specifically, the exploit allows attackers to obtain the LM and NTLM password hashes of users in the "Protected Users" security group. This is a significant vulnerability because it can allow attackers to gain access to sensitive systems and data on the network.

There are several ways that attackers can exploit the noPac vulnerability. One common method is through the use of "pass-the-hash" attacks, which involve using a stolen password hash to authenticate to a system or network.

Other methods include using the stolen password hashes in offline cracking attacks, or using them to gain access to other systems on the network through Kerberos delegation.

To protect against the noPac exploit, it's important to ensure that the latest security updates are applied to all systems, including AD servers. It's also a good idea to regularly review and update the membership of the "Protected Users" security group, as well as to implement other security measures, such as multi-factor authentication and strong password policies.
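The membership review recommended above can be scripted. The following is an added example, not code from the original page or from Microsoft: it uses the RSAT ActiveDirectory PowerShell module to list the "Protected Users" members and to flag accounts in the built-in privileged groups that are not yet covered by the group. The list of privileged groups to compare against is an assumption and should be adjusted to the domain being audited.

```powershell
# Added example (not from the original page): audit "Protected Users" membership
# against built-in privileged groups. Assumes the RSAT ActiveDirectory module is
# installed and the caller has read access to group membership in the domain.
Import-Module ActiveDirectory

# Assumed list of privileged groups to compare against; adjust for your domain.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Current user members of "Protected Users" (recursive, users only).
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

Write-Host "Current Protected Users members:"
$protected | Sort-Object | ForEach-Object { Write-Host "  $_" }

# Build a report of every privileged user and whether it is in "Protected Users".
$report = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{
                Account       = $_.SamAccountName
                PrivilegedVia = $group
                ProtectedUser = ($protected -contains $_.SamAccountName)
            }
        }
}

# Privileged accounts that are not protected are the review items.
$gaps = $report | Where-Object { -not $_.ProtectedUser } | Sort-Object Account -Unique

Write-Host ""
Write-Host "Privileged accounts NOT in Protected Users ($($gaps.Count)):"
$gaps | Format-Table Account, PrivilegedVia -AutoSize
```

Run the script from a domain-joined workstation with RSAT installed, and review each flagged account individually before adding it: service accounts and any account that must still authenticate with NTLM or be delegated will not work as a member of "Protected Users", so the gap list is a review queue rather than a list to add wholesale.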
