Walkthrough of NTLM relaying against the HTTP Web Enrollment service of Active Directory Certificate Services (AD CS). I will show the 'manual' and 'automated' ways to exploit this, then walk through the remediation that fixes the misconfiguration. This is a quick and easy way to escalate privileges from a low-level domain user to domain admin.
Active Directory Certificate Services PenTesting Attacks.
Links:
PenTesting ESC1 Walkthrough:
[ Link ]
Certipy GitHub:
[ Link ]
Abusing AD CS Whitepaper:
[ Link ]
PKINITtools GitHub:
[ Link ]
Great blog about NTLM relay to AD CS:
[ Link ]
DFSCoerce GitHub:
[ Link ]
00:00 Intro
00:45 Attack Overview
01:50 Manual Walkthrough
23:12 Automated Walkthrough
33:09 Remediation
35:28 Verify Remediation