adcs-access-and-relay
Official
Exploit ADCS via ACLs and NTLM relay.
Author: blacklanternsecurity
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
This Skill helps penetration testers exploit Active Directory Certificate Services (ADCS) by abusing access control lists (ACLs) on templates or Certificate Authority (CA) objects, and by leveraging NTLM relay attacks against enrollment endpoints.
Core Features & Use Cases
- ACL Abuse: Exploit misconfigurations in certificate template permissions (ESC4) or PKI object ACLs (ESC5) to gain unauthorized certificate enrollment.
- CA Permission Abuse: Leverage ManageCA or ManageCertificates permissions on the CA itself to issue privileged certificates or achieve remote code execution (ESC7).
- NTLM Relay: Exploit HTTP (ESC8) or RPC (ESC11) enrollment endpoints by relaying NTLM authentication to obtain certificates for privileged accounts or machines.
- Use Case: A tester needs to gain domain administrator privileges. They discover that a certificate template is misconfigured, allowing them to enroll for a certificate with a specific SAN. They use this skill to exploit the misconfiguration, obtain a certificate, and use it to authenticate as a high-privilege user.
Quick Start
Use the adcs-access-and-relay skill to identify attack paths for exploiting ADCS by checking certificate template ACLs and CA permissions.
Dependency Matrix
Required Modules
- certipy
- certify.exe
- ntlmrelayx.py
- modifyCertTemplate.py
- PetitPotam.py
- printerbug.py
- DFSCoerce.py
- Rubeus.exe
- secretsdump.py
- mitm6
- krbrelayx.py
Components
- scripts
- references
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: adcs-access-and-relay Download link: https://github.com/blacklanternsecurity/red-run/archive/main.zip#adcs-access-and-relay Please download this .zip file, extract it, and install it in the .claude/skills/ directory.