ESC8

• https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory/

• https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/

• https://habr.com/ru/company/deiteriylab/blog/581758/

• https://habr.com/ru/companies/jetinfosystems/articles/846066/

Enumerate

Discover CES endpoints with certutil:

Cmd > certutil.exe -enrollmentServerURL -config CA01.megacorp.local\CA01

Discover CES endpoints with PowerShell:

PS > Get-CertificationAuthority | select name,enroll* | fl

Check a bunch of targets for the vulnerable endpoint:

$ for ip in `cat ~/ws/discover/hosts/ca.txt`; do curl -sSLkI -u 'MEGACORP\snovvcrash:Passw0rd!' --ntlm http://$ip/certsrv/certfnsh.asp | grep -e 401 -e 200 > /dev/null && echo "[+] $ip" || echo "[-] $ip"; done

Exploit

ntlmrelayx

• https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/

• https://github.com/fortra/impacket/pull/1101

• https://github.com/ExAndroidDev/impacket/tree/ntlmrelayx-adcs-attack

PKINITtools

• https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/

• https://github.com/dirkjanm/PKINITtools

• https://gist.github.com/snovvcrash/8b6a1a10e1f47439d16072c60cc2e099

Backup original httpattack.py and copy one from the toolkit with a modified domain name and a template if needed (DomainController is by default, but also one may use KerberosAuthentication):

Perform the relay attack, request the TGT via PKINIT and get the NT hash based on U2U Kerberos extension:

Revert the original httpattack.py:

Certipy

Prepare for the relay attack:

ADCSPwn

• https://github.com/bats3c/ADCSPwn

Start a relay server:

Coerce the authentication, e. g. via Coercer: