Month: January 2024

  • AD Series: Active Directory Certificate Services (ADCS) Exploits Using NTLMRelayx.py


    I recently updated the last installment in my AD series – Active Directory Certificate Services (ADCS) Misconfiguration Exploits – with a few new tricks I discovered recently on an engagement. I mentioned that I have seen web enrollment where it does not listen on port 80 (HTTP), which is the default for certipy. I ran into some weird issues with certipy when testing on port 443, and I found that NTLMRelayx.py worked better in that case. As promised, here is a short blog explaining what I did.

    This is basically the same thing as using certipy – just a different set of commands. So here we will go through an example and see how it works.

    First we set up the relay.

    impacket-ntlmrelayx -t {Target} --adcs --template {Template Name} -smb2support
    Impacket command and results.

    The first part of the command points to the target. Make sure to include the endpoint (/certsrv/certfnsh.asp) in the target, as NTLMRelay won’t know it on its own. Also make sure to tell NTLMRelay whether the host is HTTP or HTTPS.

    The --adcs flag tells NTLMRelay that we are attacking ADCS, and the --template flag specifies the certificate template to request. This is needed if you are relaying a domain controller or want to target a specific template. However, if you are only planning on relaying ordinary machine or user accounts, you can leave this part out.

    As connections come in, NTLMRelay will figure out on its own whether each one is a user or machine account and request the matching certificate. It does this based on whether the incoming username ends in a dollar sign: if it does, NTLMRelay requests a machine certificate; if not, it requests a user certificate.

    Once NTLMRelay gets a successful relay, it will return a large Base64 blob of data. This is a Base64-encoded certificate.

    Base64 certificate.

    You can take this Base64 blob and save it to a file. Then decode the Base64 and save the result as a PFX certificate file. After that the attack is the same as the certipy attack in my previous blog: just use the certificate to log in.

    Saving, decoding, and using the Base64 certificate to login.
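    The two steps above (the dollar-sign rule for picking a certificate type, and turning the pasted Base64 blob into a PFX file) as an added Python example; this is not code from the post or from impacket. The template names "User" and "Machine" are assumed here, and the sample blob is a constructed minimal DER SEQUENCE, not a real certificate.

```python
import base64
import re


def template_for(username: str) -> str:
    """Mirror the rule the post describes: a trailing '$' marks a machine account.
    'User' / 'Machine' are assumed template names, not taken from the post."""
    return "Machine" if username.strip().endswith("$") else "User"


def decode_blob(blob: str) -> bytes:
    """Strip the line breaks and spaces a pasted blob picks up, then decode strictly."""
    cleaned = re.sub(r"\s+", "", blob)
    return base64.b64decode(cleaned, validate=True)


def der_outer_length(data: bytes) -> int:
    """Total length of the outer DER SEQUENCE (tag + length + content), or -1 if
    the data does not start with a SEQUENCE tag. A PFX (PKCS#12) is one SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def looks_like_pfx(data: bytes) -> bool:
    """Sanity check before saving: exactly one SEQUENCE that spans the whole blob."""
    return der_outer_length(data) == len(data)


def save_pfx(blob: str, path: str) -> int:
    """Decode the blob, refuse anything that is not DER-shaped, write the .pfx."""
    data = decode_blob(blob)
    if not looks_like_pfx(data):
        raise ValueError("decoded data is not a single DER SEQUENCE; not a PFX")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


# Constructed sample: SEQUENCE { INTEGER 5 }, standing in for a real PKCS#12 blob.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_BLOB = base64.b64encode(SAMPLE_DER).decode()  # "MAMCAQU="
```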

    Want to learn more? Take a look at the next part of our Active Directory Series.

  • Meet the Team: Nathan Anderson, Lead Penetration Tester


    I’m Nathan Anderson, the newest lead penetration tester at Raxis. I’ve been on the team several months now, but Bonnie cut me some slack since I was booked solid. This might be a good time to remind folks that a pentest earlier in the year is often much easier to schedule no matter what company you trust with your cybersecurity testing!

    Bonnie: So I hear you’ve been working with tech from a young age?

    Nathan: True, I’ve been working with information technology systems for over nine years. It all started in high school when my dad brought home an old Dell tower server that a client decommissioned and an eight port Cisco router. Those hardware pieces became the platform of a young man’s experiments!

    Bonnie: And you didn’t stop there. You continued into an IT degree in college as well?

    Nathan: Exactly, I went from experimenting at home to college where I discovered Red Teaming and found my calling. I also ended up practicing coding and digital forensics. My forensics teacher at LCCC ended up losing a bet against a group of us regarding an off-hours project and bought us tickets to a Cleveland Browns game. Lots of fun memories there!

    Bonnie: Now that sounds like a fun group! And by the time we met you, you had a number of certs under your belt too!

    Nathan: After my experience in college I knew what I wanted to do, but I also knew that certificates hold more weight in the cybersecurity field… and I also realized that I needed some practice at pentesting. I started using HackTheBox and TryHackMe to practice while I got ready to take my OSCP.

    Bonnie: With all of that time staring at a computer, what do you do to relax?

    Nathan: Well, in my spare time I end up focusing more on tech projects, which I really truly enjoy. Recently, I have been working on a Raspberry Pi 4 and Pico Pi Micro Controllers. There’s always some new tech I want to get my hands on!

    Bonnie: That’s awesome! But please tell me you really do get to step away from the computers sometimes and just chill?

    Nathan: In my spare time, I really enjoy kayaking, hiking, and fishing! I have been kayaking all over Ohio, from Lake Erie down to the Hocking River in southern Ohio. It has been something that is always relaxing for me. I have also been hiking all across the northeastern U.S. Last year, my wife and I drove to the White Mountains in New Hampshire to get away. It was awesome!

    The Ozarks

    Bonnie: You’re joining a good crew then! When our marketing director, Jim retired, he hiked more than half of the Appalachian Trail, and Brian and Brad have been known to go on hiking adventures together. Last year while I was in Norway, Mark’s family talked me into kayaking… I was nervous, but I agree with you now! It’s so relaxing and beautiful!

    Nathan: We have made our trips within driving distance from our home; however, for us “driving distance” has meant up to 12 hours of driving. We have driven to the Ozarks in Missouri, to the Smoky Mountains in Tennessee, to the Upper Peninsula in Michigan, and to the White Mountains in New Hampshire. It has led to some great journeys! For our next trip, it isn’t going to be driving distance; I am shooting for Ireland. We will see what happens with that!

    Bonnie: Those all sound amazing!

    Nathan: One of our favorite non-outdoors things to do when traveling is finding the most interesting food we can. Recently we found the most interesting place when we were in Missouri at a place called “Top of the Rock.” One of the restaurants there served caribou stew and 90-day dry-aged steaks. I can tell you right now, I will absolutely be having both of those again.

    Nathan and his wife, Emmy, enjoying a bakery they found in New Jersey

    Bonnie: Well, we’re really excited to have you on the Raxis team.

    Nathan: I really enjoy the team here. I’m able to reach out to anyone with a question, and, if they don’t have the answer, they always direct me to the person who does. My favorite part of being a pentester is getting paid to break into things, and, at the same time, getting paid to basically have fun.