Active Directory - Certificate ESC11
ESC11 - Relaying NTLM to ICPR
The CA does not enforce encryption for ICPR requests (MS-ICPR, the RPC certificate-request interface), and its Request Disposition is set to Issue, so an NTLM authentication relayed to the RPC endpoint can be used to request certificates.
Requirements:
- sploutchy/Certipy - Certipy fork
- sploutchy/impacket - Impacket fork
Exploitation:
- Look for `Enforce Encryption for Requests: Disabled` in the output of:
  certipy find -u user@dc1.lab.local -p 'REDACTED' -dc-ip 10.10.10.10 -stdout
- Set up a relay using Impacket's ntlmrelayx and trigger a connection to it.
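The defender-side counterpart of the `certipy find` check above is to read the CA's interface flags directly on the CA host. The following PowerShell is an added example, not part of the original page or of Certipy/Impacket; it assumes the standard CertSvc registry layout (one subkey per CA under `Configuration`) and that `IF_ENFORCEENCRYPTICERTREQUEST` is bit 0x200 of `InterfaceFlags`, which is how `certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST` records the setting.

```powershell
# Added example (not from the original page): report whether each CA on this
# host enforces encryption for ICPR requests. The bit value 0x200 is the
# documented IF_ENFORCEENCRYPTICERTREQUEST flag; the registry path is the
# standard CertSvc configuration location. Run on the CA as an administrator.
$EnforceEncryptIcprRequest = 0x200
$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-IcprEncryptionStatus {
    if (-not (Test-Path $ConfigRoot)) {
        Write-Warning "No CertSvc configuration found; is this a CA host?"
        return
    }
    Get-ChildItem -Path $ConfigRoot | ForEach-Object {
        $caName = $_.PSChildName
        $props  = Get-ItemProperty -Path $_.PSPath -Name InterfaceFlags -ErrorAction SilentlyContinue
        if ($null -eq $props) {
            Write-Warning "${caName}: InterfaceFlags value not present"
            return
        }
        $flags = [int]$props.InterfaceFlags
        [PSCustomObject]@{
            CA                 = $caName
            InterfaceFlags     = ('0x{0:X}' -f $flags)
            # ESC11 condition: the flag is clear, so unencrypted ICPR requests are accepted
            EncryptionEnforced = (($flags -band $EnforceEncryptIcprRequest) -ne 0)
        }
    }
}

Get-IcprEncryptionStatus | Format-Table -AutoSize
```

A row with `EncryptionEnforced = False` is the same condition Certipy reports as `Enforce Encryption for Requests: Disabled`. The fix is to set the flag with `certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST` and restart the CertSvc service; re-run the script afterwards to confirm the bit is set, and keep the relay-side mitigations (disabling NTLM where possible, SMB and LDAP signing) in place, since the flag only closes the ICPR target.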