NTLM relaying to AD CS - On certificates, printers and a littl | PT SWARM

NTLM relaying to AD CS - On certificates, printers and a little hippo
by @_dirkjan

More Active Directory NTLM relaying wizardry from Dirk-jan, this time aggregating and unifying multiple different tools and techniques, culminating in the release of PKINITtools.

Contents:
• Background - the state of NTLM relaying
• Exploring AD CS relaying
• Abusing the obtained certificate - diving into PKINIT
• Obtaining the NT hash of the impersonated computer account
• Using S4U2Self to obtain access to the relayed machine
• Other abuse avenues of PetitPotam
• Defenses
• Credits / Thanks / Tools

https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/

PT SWARM

🤷‍♂️ 2.98K
Technologies

Positive Technologies Offensive Team: twitter.com/ptswarm. This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting...

Join
▲ Vote (1)

NTLM relaying to AD CS - On certificates, printers and a littl | PT SWARM

Login