NTLM relay to AD CS ESC8 Tutorial | Exploit Active Directory Certificate Services

Views: 3,380

VillaRoot

Days ago

Walkthrough of NTLM relaying against the HTTP Web Enrollment endpoint of Active Directory Certificate Services (AD CS). I will show the 'manual' and 'automated' ways to exploit this and walk through the remediation that fixes this misconfiguration. This is a quick and easy way to escalate privileges from a low-level domain user to domain admin.
Active Directory Certificate Services PenTesting Attacks.
Links:
PenTesting ESC1 Walkthrough:
• AD CS ESC1 Privilege E...
Certipy GitHub:
github.com/ly4k/Certipy
Abusing AD CS Whitepaper:
specterops.io/wp-content/uplo...
PKINITools Github:
github.com/dirkjanm/PKINITtools
Great Blog about ntlm relay to AD CS:
dirkjanm.io/ntlm-relaying-to-...
DFSCoerce Github:
github.com/Wh04m1001/DFSCoerce
00:00 Intro
00:45 Attack Overview
01:50 Manual Walkthrough
23:12 Automated Walkthrough
33:09 Remediation
35:28 Verify Remediation

Comments: 18
@georgesiere161 9 months ago
Excellent run through!
@jpcapone 7 months ago
I just wanted to thank you for getting this information out there. You also broke it down in a very easy to understand way. Most importantly you shed light on the remediation path. Other posts have been vague to misleading when it comes to how you should fix this vulnerability. Thank YOU!!!
@villaroot 7 months ago
Very welcome! I'm glad you enjoyed the work I put into it!
@lmfao69420 5 months ago
This is a great explanation.
@villaroot 5 months ago
Thanks! I'm glad you liked it
@innxrmxst2207 10 months ago
Great content
@SrRunsis 2 months ago
Great vid man!
@villaroot 2 months ago
Thanks!
@JohnSmith-wz7he 4 months ago
Great Clip! Thank you. Would be great one day if you covered all 8 🙂
@villaroot 4 months ago
I was wondering if that would be valuable to ppl. So thanks for letting me know it might be!
@MohdAqeelasif 8 months ago
good one 👍🏻
@SzaboB33 2 months ago
Excellent video, I learned this attack from this video half a year ago but I have one question that still: If the HTTP NTLM authentication would use HTTPS instead of just cleartext, how would that change this attack vector if at all?
@villaroot 2 months ago
Thanks for the support! I was digging more into the HTTPS mitigation. And it looks like just having HTTPS won't fix it, it also has to have extended protection and authentication (EPA) set to 'required'. support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
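Added example (not from the video or the commenters): a small audit of the two settings discussed in the reply above, read from IIS configuration. The `sslFlags` and `tokenChecking` attributes are the IIS settings for "Require SSL" and Extended Protection; the config text and site names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _loc(path, ssl_flags, token_checking):
    # Constructed <location> block shaped like IIS applicationHost.config.
    return (f'<location path="{path}"><system.webServer><security>'
            f'<access sslFlags="{ssl_flags}" /><authentication>'
            f'<windowsAuthentication enabled="true">'
            f'<extendedProtection tokenChecking="{token_checking}" />'
            f'</windowsAuthentication></authentication>'
            f'</security></system.webServer></location>')

# Constructed sample; the site names are made up for illustration.
SAMPLE_CONFIG = ("<configuration>"
                 + _loc("LabA/CertSrv", "None", "None")      # HTTP, no EPA
                 + _loc("LabB/CertSrv", "Ssl", "Allow")      # HTTPS, EPA optional
                 + _loc("LabC/CertSrv", "Ssl", "Require")    # HTTPS, EPA required
                 + "</configuration>")

def audit_location(loc):
    """Return the relay-hardening gaps for one <location> element."""
    win_auth = next(loc.iter("windowsAuthentication"), None)
    if win_auth is None or win_auth.get("enabled", "false").lower() != "true":
        return []  # no Windows (NTLM/Negotiate) authentication on this path
    findings = []
    access = next(loc.iter("access"), None)
    flags = access.get("sslFlags", "None") if access is not None else "None"
    if "Ssl" not in [f.strip() for f in flags.split(",")]:
        findings.append("HTTPS not required")
    epa = next(win_auth.iter("extendedProtection"), None)
    token = epa.get("tokenChecking", "None") if epa is not None else "None"
    if token != "Require":
        findings.append(f"EPA is {token}, not Require")
    return findings

def audit_config(xml_text):
    """Map each <location path> to its list of findings (empty = hardened)."""
    root = ET.fromstring(xml_text)
    return {loc.get("path"): audit_location(loc) for loc in root.iter("location")}

if __name__ == "__main__":
    for path, findings in audit_config(SAMPLE_CONFIG).items():
        print(path, "->", findings or "OK")
```

The HTTPS-only entry is still flagged, which is the point made in the reply: TLS on its own does not bind the NTLM authentication to the channel.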
@MM-mh6nv 1 year ago
Hi, would you share any blog post on how to setup ESC8 in my AD lab environment?
@villaroot 1 year ago
Here's a good blog about setting up AD CS on a server. To get the ESC8 vuln, select the 'Web enrollment' role when you are in the 'role services' section. dinika-15.medium.com/installing-active-directory-certificate-services-ad-cs-4db7d0950289
@cmphande 11 months ago
how to contact you on LinkedIn?
@cmphande 11 months ago
I have personal educational questions to ask you.
@villaroot 10 months ago
@cmphande Hi, I have a Twitter you can message me on at Villaroot