NTLM relay to AD CS ESC8 Tutorial | Exploit Active Directory Certificate Services
- Published 27 Jun 2024
- Walkthrough of NTLM relaying against the HTTP Web Enrollment interface of Active Directory Certificate Services (AD CS), the misconfiguration known as ESC8. I will show the 'manual' and 'automated' ways to exploit it, then walk through the remediation that fixes the misconfiguration. This is a quick and easy way to escalate from a low-privileged domain user to domain admin.
Active Directory Certificate Services PenTesting Attacks.
Links:
PenTesting ESC1 Walkthrough:
• AD CS ESC1 Privilege E...
Certipy Github:
github.com/ly4k/Certipy
Abusing AD CS Whitepaper:
specterops.io/wp-content/uplo...
PKINITools Github:
github.com/dirkjanm/PKINITtools
Great Blog about ntlm relay to AD CS:
dirkjanm.io/ntlm-relaying-to-...
DFSCoerce Github:
github.com/Wh04m1001/DFSCoerce
00:00 Intro
00:45 Attack Overview
01:50 Manual Walkthrough
23:12 Automated Walkthrough
33:09 Remediation
35:28 Verify Remediation
Great vid man!
Thanks!
I just wanted to thank you for getting this information out there. You also broke it down in a very easy to understand way. Most importantly you shed light on the remediation path. Other posts have been vague to misleading when it comes to how you should fix this vulnerability. Thank YOU!!!
Very welcome! I'm glad you enjoyed the work I put into it!
Excellent run through!
This is a great explanation.
Thanks! I'm glad you liked it
Great content
Great clip! Thank you. Would be great one day if you covered all 8 🙂
I was wondering if that would be valuable to ppl. So thanks for letting me know it might be!
good one 👍🏻
Excellent video. I learned this attack from this video half a year ago, but I still have one question: if the HTTP NTLM authentication used HTTPS instead of just cleartext, how would that change this attack vector, if at all?
Thanks for the support! I was digging more into the HTTPS mitigation, and it looks like just having HTTPS won't fix it; it also has to have extended protection and authentication (EPA) set to 'required'.
support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
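The remediation segment of the video and the reply above boil down to the three controls in KB5005413: require SSL on the Web Enrollment virtual directory, set Extended Protection to Required so the NTLM authentication is bound to the TLS channel, and stop offering NTLM at all by leaving only Negotiate:Kerberos as a provider. The script below is an added example written for this page, not the video author's script or a Microsoft tool. It audits a CertSrv virtual directory for those three settings and, with -Fix, applies them. It assumes the WebAdministration module, the default IIS site name 'Default Web Site', and the default Web Enrollment directory name 'CertSrv'; a CES endpoint would need its own directory name passed in.

```powershell
<#
 Added example (not from the video): audit an AD CS Web Enrollment vdir for the
 ESC8 preconditions and, with -Fix, apply the KB5005413 controls:
 Require SSL, EPA tokenChecking=Require, Kerberos-only Windows authentication.
 Run elevated on the CA web host. Assumed names: site 'Default Web Site',
 vdir 'CertSrv' (the Web Enrollment default).
#>
[CmdletBinding()]
param(
    [string]$Site = 'Default Web Site',
    [string]$VDir = 'CertSrv',
    [switch]$Fix
)

Import-Module WebAdministration -ErrorAction Stop

$psPath  = "IIS:\Sites\$Site\$VDir"
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

# Get-WebConfigurationProperty returns a ConfigurationAttribute object for some
# properties and a bare value for others; normalise both to a string.
function Get-IisValue([string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $psPath -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return [string]$v.Value }
    return [string]$v
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Require SSL. The relay in the video targets plain HTTP; without TLS there
#    is no channel for EPA to bind the NTLM exchange to.
$sslFlags = Get-IisValue 'system.webServer/security/access' 'sslFlags'
if ($sslFlags -notmatch '\bSsl\b') {
    $findings.Add("sslFlags='$sslFlags': cleartext HTTP accepted, relayed NTLM works as-is")
    if ($Fix) {
        Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/security/access' `
            -Name sslFlags -Value 'Ssl'
    }
}

# 2. Extended Protection must be Require, not Accept. With Accept, a relaying
#    client that simply omits the channel binding token still authenticates,
#    which is why HTTPS on its own does not close the hole.
$epa = Get-IisValue "$winAuth/extendedProtection" 'tokenChecking'
if ($epa -ne 'Require') {
    $findings.Add("extendedProtection.tokenChecking='$epa': channel binding not enforced")
    if ($Fix) {
        Set-WebConfigurationProperty -PSPath $psPath -Filter "$winAuth/extendedProtection" `
            -Name tokenChecking -Value 'Require'
    }
}

# 3. Providers: 'NTLM' and bare 'Negotiate' (which may fall back to NTLM) are
#    relayable; 'Negotiate:Kerberos' is not.
$providers = @(Get-WebConfigurationProperty -PSPath $psPath -Filter "$winAuth/providers" -Name Collection |
               ForEach-Object { $_.value })
$weak = @($providers | Where-Object { $_ -in @('NTLM', 'Negotiate') })
if ($weak.Count -gt 0) {
    $findings.Add("providers=[$($providers -join ', ')]: NTLM still offered to clients")
    if ($Fix) {
        foreach ($p in $weak) {
            Remove-WebConfigurationProperty -PSPath $psPath -Filter "$winAuth/providers" `
                -Name '.' -AtElement @{ value = $p }
        }
        if ('Negotiate:Kerberos' -notin $providers) {
            Add-WebConfigurationProperty -PSPath $psPath -Filter "$winAuth/providers" `
                -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "[+] ${psPath}: no ESC8 preconditions found"
    exit 0
}
foreach ($f in $findings) { Write-Host "[-] $f" }
if ($Fix) {
    Write-Host "[*] Hardening applied; run iisreset, then re-run without -Fix to verify"
    exit 0
}
exit 1
```

Save it as a .ps1, run it elevated once to get the findings list (exit code 1 while any remain), then again with -Fix and a third time without -Fix as the "verify remediation" step. Two operational caveats: after step 1, http://ca/certsrv/ returns 403 rather than a 401 NTLM challenge, which is the quickest external check that the relay path is gone; and step 3 means clients must reach the site by a hostname that has an HTTP SPN registered for the CA host, since anything addressing it by IP address or an alias without an SPN will no longer be able to authenticate.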
Hi, would you share any blog post on how to setup ESC8 in my AD lab environment?
Here's a good blog about setting up AD CS on a server. To get the ESC8 vuln, select the 'Web enrollment' role when you are in the 'role services' section.
dinika-15.medium.com/installing-active-directory-certificate-services-ad-cs-4db7d0950289
how to contact you on LinkedIn?
I have personal educational questions to ask you.
@cmphande Hi, I have a Twitter you can message me on at Villaroot