NTLM relaying to AD CS - On certificates, printers and a littl | PT SWARM
NTLM relaying to AD CS - On certificates, printers and a little hippo by @_dirkjan
More Active Directory NTLM relaying wizardry from Dirk-jan, this time aggregating and unifying multiple different tools and techniques, culminating in the release of PKINITtools.
Contents:
• Background - the state of NTLM relaying
• Exploring AD CS relaying
• Abusing the obtained certificate - diving into PKINIT
• Obtaining the NT hash of the impersonated computer account
• Using S4U2Self to obtain access to the relayed machine
• Other abuse avenues of PetitPotam
• Defenses
• Credits / Thanks / Tools
Positive Technologies Offensive Team: twitter.com/ptswarm. This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting...