NTLM relay to AD CS ESC8 Tutorial | Exploit Active Directory Certificate Services
Description
Walkthrough of NTLM relaying against Active Directory Certificate Services (AD CS) HTTP Web Enrollment. I will show the 'manual' and 'automated' ways to exploit this, along with walking through the remediation to fix this misconfiguration. This is a quick and easy way to escalate privileges from a low-level domain user to domain admin.
Active Directory Certificate Services PenTesting Attacks.
Links:
PenTesting ESC1 Walkthrough:
https://youtu.be/wozcGjAsfZ0
Certipy GitHub:
https://github.com/ly4k/Certipy
Abusing AD CS Whitepaper:
https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
PKINITtools GitHub:
https://github.com/dirkjanm/PKINITtools
Great blog about NTLM relay to AD CS:
https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/
DFSCoerce GitHub:
https://github.com/Wh04m1001/DFSCoerce
----------------------------- Contents of Video -----------------------------
0:00 Intro
0:45 Attack Overview
1:50 Manual Walkthrough
23:12 Automated Walkthrough
33:09 Remediation
35:28 Verify Remediation