Closed 7MinSec closed 2 years ago
Not sure if it matters, but one thing I noticed is if I do nmap -p389,636 FQDN.OF.A.DOMAINCONTROLLER it reports as "down" but if I add the no-ping flag of -Pn the nmap finishes with the results I expect.
Hi!
By default, PassTheCert tries the LDAPS port. Is it reported as open in your nmap scan? Either way, you can try using --start-tls, which will connect to the LDAP port. Let me know your results.
Thank you again @the-useless-one for the super fast help. The LDAPS did report as open.
This is a huge environment and I tried all the other DCs just for grins, and the last one worked! So I didn't end up trying start-tls but I'll make note of it.
I'll check my new (hopefully) super powers and report back on the certipy thread as to how things go...
Hi @DeserranoJorden,
This is weird. Would you be able to provide a Wireshark capture? One for LDAPS and one for LDAP with StartTLS would be great.
Cheers,
Y
Hello!
Per this thread I'm excited to give PassTheCert a try but am having an issue. When I run this...
PassTheCert.exe --server FQDN.OF.A.DOMAINCONTROLLER --cert-path domainadmin.pfx --elevate --target "DC=victim,DC=domain" --sid XXX
I get this:
Any thoughts? The FQDN.OF.A.DOMAINCONTROLLER is resolvable and online (and a DC :-)