NTLM relay to AD CS ESC8 Tutorial | Exploit Active Directory Certificate Services

Показать описание

Walkthrough of NTLM relaying against Active Directory Certificate Services (AD CS)'s HTTP Web Enrollment. I will show the 'manual' and 'automated' way to exploit this along with walking through the remediation to fix this misconfiguration. This is a quick and easy way to escalate privileges from low level domain user to domain admin.

Active Directory Certificate Services PenTesting Attacks.

Links:
PenTesting ESC1 Walkthrough:

Ceritpy Github:

Abusing AD CS Whitepaper:

PKINITools Github:

Great Blog about ntlm relay to AD CS:

DFSCoerce Github:

00:00 Intro
00:45 Attack Overview
01:50 Manual Walkthrough
23:12 Automated Walkthrough
33:09 Remediation
35:28 Verify Remediation

Рекомендации по теме

Комментарии

doing rto but I understand the concept more as you explain them. Though I find little harder to perform the attacks following your approach. This is great.

palevelmode

I just wanted to thank you for getting this information out there. You also broke it down in a very easy to understand way. Most importantly you shed light on the remediation path. Other posts have been vague to misleading when it comes to how you should fix this vulnerability. Thank YOU!!!

jpcapone

Great Clip! Thanks you. Would be great one day if you covered all 8 🙂

JohnSmith-wzhe

Excellent video, I learned this attack from this video half a year ago but I have one question that still: If the HTTP NTLM authentication would use HTTPS instead of just cleartext, how would that change this attack vector if at all?

SzaboB

Although i got a CA vulnerable to ESC8 attack i try to create a relay server with certipy and after using petitpotam or coercer with coerce flag but i get unauthorized response from AD CS instead of being authenticated. Do you know maybe why can this happen?

ΜάρκοςΚαραγιαννάκης

Hi, would you share any blog post on how to setup ESC8 in my AD lab environment?

MM-mhnv

NTLM relay to AD CS ESC8 Tutorial | Exploit Active Directory Certificate Services

NTLM relay to AD CS ESC8 Tutorial | Exploit Active Directory Certificate Services

PetitPotam - NTLM Relay to AD CS

ADCS NTLM Relay - Compromise the DC

BlackAlps 2022: NTLM Relay: The Attack That Keeps On Giving by Sylvain Heiniger

PetitPotam | NTLM Relay Attacks | AD CS | Mimikatz | Rubeus | Domain Takeover

ESC8 | NTLM Relay & PetitPotam: The ADCS Attack You NEED To Know

[Fixed]DFSCoerce NTLM Relay attack allows Windows domain takeover | MS-DFSNM NTLM Relay attack

NTLM Relaying via Cobalt Strike (AD CS Exploit Demo)

Abusing Active Directory Certificate Services (ADCS) | ESC8 Attack Explained

Attack and Detection of DFSCoerce and NTLM relaying ADCS attacks.

PetitPotam NTLM Relay Attack | Threat SnapShot

Windows Domain - Attack & Defense: 02 NTLM Relay

Performing SMB Relay Attacks in Active Directory

Pwning a Domain in 30 seconds - ESC1 PoC (AD CS)

DFSCoerce NTLM Relay Attack | Threat SnapShot

NTLM Relay SMB_PWN

ESC 8 | NTLM Relay Attack Explained: How Hackers Exploit Windows Authentication!

NTLM Relay Attack Allows Any Standard Active Directory User To Become Domain Admin.

NTLM Relay Angriff & Verteidigung auf SMB und LDAP

NTLM Relay on Active Directory (LDAP) with Intercepter-NG

Kapitan Hack - NTLM Relay attack using Active Directory Web Services/WCF

Coercion Vulnerabilities and a ESC8 Demo

Unpatched AD CS Vulnerability Exploitation with NTLMRelayx

#HITB2018DXB D2T2: NTLM Relay Is Dead, Long Live NTLM Relay - Jianing Wang and Junyu Zhou