In this video, I demonstrate how to NTLM Relay through Cobalt Strike in order to exploit the unpatched Active Directory Certificate Services (AD CS) vulnerability in the Web Enrollment feature. PortBender is used with reverse port forwarding and a SOCKS proxy in order to create a tunnel that allows the attacker to relay requests on a network that they aren't directly connected to. SpoolSample is then executed through the beacon to coerce authentication from the domain controller to an NTLMRelayx server through the tunnel. Once the base64-encoded certificate is received, Rubeus is used with BOFNET to perform a "pass the ticket" attack. This effectively gives the beacon session Domain Admin access, which is demonstrated by dumping all the hashes on the domain with Mimikatz.
All credit goes to Rasta Mouse for his blog post that explains how to do this:
[ Link ]
Tools used in this video:
PortBender: [ Link ]
SpoolSample: [ Link ]
NTLMRelayx: [ Link ]
SharpUnhooker: [ Link ]
Rubeus: [ Link ]
Chapters:
0:00 Introduction
0:38 Cobalt Strike Setup
0:55 Checking for Updates
1:33 Initial Beacon
2:42 Setting up PortBender
3:25 Second Beacon
3:53 Socks proxy + NTLMRelayx
4:38 Port Forwarding + PortBender
5:07 SpoolSample
5:26 Getting Certificate
5:55 BOFNET + Rubeus
7:33 Dumping all Domain Hashes
7:59 Outro
Thank you to everyone who's been supporting the channel so far. I haven't promoted these videos at all, so it's cool to see support that is truly organic. I hope everyone enjoys this video; stick around for more content coming soon.