In this post I walk through the recently announced PetitPotam and Active Directory Certificate Services NTLM relay attack. It follows on from the recent work conducted by SpecterOps, where various attack paths were identified within Active Directory Certificate Services/Certificate Authority (AD CS/CA). My hope is to raise awareness of the attack and offer some practical mitigation for the vulnerability.

ExAndroidDev carried out some further fine work within the ntlmrelayx.py script to allow targeting of a CA; this was subsequently submitted as a pull request into the SecureAuthCorp Impacket master branch. This essentially allows credentials to be relayed to the CA Enrollment Web Services (EWS), resulting in a base64-encoded certificate for the template you specify. The certificate can then be imported into Rubeus or kekeo and subsequently used in various pass-the-ticket type attacks such as DCSync.