Hacktricks Adcs Info

# Relay NTLM auth from a compromised host to ADCS ntlmrelayx.py -t http://ca.contoso.com/certsrv/certfnsh.asp -smb2support --adcs --template DomainController certipy relay -target http://ca.contoso.com -template DomainController

: Relaying NTLM to CA endpoints (see ESC8). ESC11 – If the CA allows HTTP (instead of mandatory HTTPS) Same as ESC8. ESC12 – CA Holder Compromise (via AD CS Web Enrollment, no hardening) Allows remote attackers to capture NTLM hashes or relay authentication. ESC13 – Dangerous Certificate Template with Extra EKU that Enables Domain Controller Authentication Some templates include EKUs like “Domain Controller Authentication” (1.3.6.1.4.1.311.20.2.2) combined with low enrollment rights. hacktricks adcs

: Request any template with Client Authentication EKU and include SAN. # Relay NTLM auth from a compromised host to ADCS ntlmrelayx

(using ntlmrelayx.py from Impacket):