Walkthrough of NTLM relaying against the HTTP Web Enrollment of Active Directory Certificate Services (AD CS). I will show the 'manual' and 'automated' ways to exploit this, along with walking through the remediation to fix this misconfiguration. This is a quick and easy way to escalate privileges from a low-level domain user to domain admin.
Active Directory Certificate Services PenTesting Attacks.
Links:
PenTesting ESC1 Walkthrough:
• AD CS ESC1 Privilege E...
Certipy GitHub:
github.com/ly4k/Certipy
Abusing AD CS Whitepaper:
specterops.io/wp-content/uplo...
PKINITtools GitHub:
github.com/dirkjanm/PKINITtools
Great blog about NTLM relay to AD CS:
dirkjanm.io/ntlm-relaying-to-...
DFSCoerce GitHub:
github.com/Wh04m1001/DFSCoerce
00:00 Intro
00:45 Attack Overview
01:50 Manual Walkthrough
23:12 Automated Walkthrough
33:09 Remediation
35:28 Verify Remediation