
Pass the Certificate

Theory

The Kerberos authentication protocol works with tickets in order to grant access. A Service Ticket (ST) can be obtained by presenting a Ticket Granting Ticket (TGT). That TGT can only be obtained by first passing a step called "pre-authentication" (unless that requirement is explicitly removed for some accounts, which makes them vulnerable to AS-REP roasting). Pre-authentication can be validated symmetrically (with a DES, RC4, AES128 or AES256 key) or asymmetrically (with certificates). The asymmetric way of pre-authenticating is called PKINIT.

Pass the Certificate is the fancy name given to the pre-authentication operation that relies on a certificate (i.e. a key pair) to obtain a TGT. This operation is often conducted alongside shadow credentials, AD CS escalation and UnPAC-the-hash attacks.


Keep in mind that a certificate in itself cannot be used for authentication without knowledge of the matching private key. A certificate is signed for a specific public key, which was generated along with a private key; that private key must be used when relying on the certificate for authentication.

The "certificate + private key" pair is usually handled in one of the following forms:

  • PEM certificate + PEM private key

  • PFX certificate export (which contains the private key) + PFX password (which protects the PFX certificate export)
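From the defender's side, a PKINIT pre-authentication described above leaves a distinct trace on the domain controller: the Security event 4768 (TGT requested) carries a populated Certificate Information section, which stays empty for password-based pre-authentication. The following is an added example, not part of the original page: it parses constructed 4768 event bodies and flags certificate-based TGT requests whose issuer is not one of the expected enterprise CAs (the issuer allow-list and account names are constructed).

```python
"""Flag TGT requests that used certificate (PKINIT) pre-authentication.

Added example, not part of the original page; event bodies are constructed.
The Certificate Information fields are those of Windows Security event 4768
and stay empty when the client pre-authenticated with a password-derived key.
"""
import re
from typing import Dict, List

# "Field Name:<tabs>value" as in exported event text (section headers match too).
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*)$")

# Constructed: one PKINIT logon from the enterprise CA, one password logon,
# one PKINIT logon whose certificate was issued by a CA outside the allow-list.
EVENTS = [
    "Account Information:\n\tAccount Name:\t\tWS01$\n"
    "Certificate Information:\n\tCertificate Issuer Name:\tcorp-DC01-CA\n"
    "\tCertificate Serial Number:\t1A0000000F\n"
    "\tCertificate Thumbprint:\t\t0123456789ABCDEF0123456789ABCDEF01234567\n",
    "Account Information:\n\tAccount Name:\t\tjdoe\n"
    "Certificate Information:\n\tCertificate Issuer Name:\t\n"
    "\tCertificate Serial Number:\t\n\tCertificate Thumbprint:\t\n",
    "Account Information:\n\tAccount Name:\t\tsvc-backup\n"
    "Certificate Information:\n\tCertificate Issuer Name:\tunknown-CA\n"
    "\tCertificate Serial Number:\t02\n"
    "\tCertificate Thumbprint:\t\tFEDCBA9876543210FEDCBA9876543210FEDCBA98\n",
]
TRUSTED_ISSUERS = {"corp-DC01-CA"}  # constructed allow-list of enterprise CAs

def parse_4768(text: str) -> Dict[str, str]:
    """Turn one exported 4768 event body into a field -> value dictionary."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def pkinit_alerts(events: List[str], trusted: set) -> List[dict]:
    """One alert per certificate-based TGT request; flags issuers off the list."""
    alerts = []
    for ev in events:
        f = parse_4768(ev)
        if not f.get("Certificate Thumbprint"):
            continue  # empty thumbprint: symmetric (password/key) pre-auth
        issuer = f.get("Certificate Issuer Name", "")
        alerts.append({"account": f.get("Account Name", "?"), "issuer": issuer,
                       "trusted_issuer": issuer in trusted})
    return alerts
```

A certificate-based TGT for a machine account or an untrusted issuer is the kind of event to correlate with recent changes to msDS-KeyCredentialLink or unusual AD CS enrollments.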


Practical

Evil-Winrm

evil-winrm -i <domain ip> -c <certificate> -k <private key> -S

