While testing a network's AD CS environment, I had traffic I was able to relay, but default templates were disabled. I performed some testing on what other endpoints you could relay to, and discovered that several ADCS web enrollment endpoints contain a list of templates the authenticated user can enroll in. One of these endpoints, /certsrv/certrqxt.asp, conveniently has them listed in a dropdown box between
If we relay credentials to this endpoint with ntlmrelayx while capturing network traffic, then analyze that traffic in wireshark and follow the TCP stream, we can see that the templates are returned in the response HTML source:
In the case of this test, I did not have valid credentials and hadn't determined a way to acquire them, so this was used to obtain initial domain access by relaying for a certificate that I deduced was likely able to be used for authentication. I think this technique may be helpful in situations where:
Another way to obtain credentials cannot be found
You can't relay to LDAP due to LDAP signing or other protections (If you can relay to LDAP, just dump ADCS)
You have a consistent method of obtaining credentials to relay
As I can see this being a useful technique in the future, I modified certipy to add a -enum-templates option that will relay to the /certsrv/certrqxt.asp endpoint, obtain the response, parse out the valid templates using BeautifulSoup, and then print them to the terminal:
I would like to expand this in the future, including storing the template names in a file for later reference, and possibly look into either prompting for an additional relay to obtain a certificate, or just yoloing obtaining a certificate for each template (perhaps an option?), but wanted to submit this first before working on it more!
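As an added illustration of the parsing step described above (this is example code written for this page, not the PR's own implementation or certipy's code), the following extracts the enrollable template names from a certrqxt.asp-style response. It uses Python's standard-library html.parser instead of BeautifulSoup so it runs with no extra packages; the name of the dropdown element (lbCertTemplateID) and the shape of the option values are assumptions about the page layout, and the embedded HTML is a constructed sample, not a captured response. An AD CS administrator can run it over a saved copy of the enrollment page to confirm exactly which templates the web-enrollment interface exposes to a given account.

```python
"""Extract the template dropdown from an AD CS web-enrollment page (certrqxt.asp-style HTML)."""
from html.parser import HTMLParser


class TemplateDropdownParser(HTMLParser):
    """Collect <option> entries from the template <select> on the page.

    The select name 'lbCertTemplateID' is an assumption about the real page;
    to be tolerant of layout differences, any <select> whose name contains
    'template' (case-insensitive) is treated as the template list.
    """

    def __init__(self):
        super().__init__()
        self.in_target_select = False
        self.in_option = False
        self.current_value = ""
        self.current_text = []
        self.templates = []  # list of (display_name, option_value)

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "select" and "template" in attrs.get("name", "").lower():
            self.in_target_select = True
        elif tag == "option" and self.in_target_select:
            self.in_option = True
            self.current_value = attrs.get("value", "")
            self.current_text = []

    def handle_endtag(self, tag):
        if tag == "option" and self.in_option:
            name = "".join(self.current_text).strip()
            if name:
                self.templates.append((name, self.current_value))
            self.in_option = False
        elif tag == "select" and self.in_target_select:
            self.in_target_select = False

    def handle_data(self, data):
        if self.in_option:
            self.current_text.append(data)


def enrollable_templates(html):
    """Return [(display_name, option_value), ...] for the template dropdown."""
    parser = TemplateDropdownParser()
    parser.feed(html)
    parser.close()
    return parser.templates


def template_names(html):
    """Return just the display names, in page order."""
    return [name for name, _ in enrollable_templates(html)]


# Constructed sample response. A second, unrelated <select> (the CSP list)
# is included to show that only the template dropdown is read.
SAMPLE_HTML = """
<html><body>
<form name="UIForm">
  <select name="lbCSP" id="lbCSP">
    <option value="Microsoft Enhanced Cryptographic Provider v1.0">Microsoft Enhanced Cryptographic Provider v1.0</option>
  </select>
  <select name="lbCertTemplateID" id="lbCertTemplateID">
    <Option Value="O;User;1">User</Option>
    <Option Value="O;WebServer;1">WebServer</Option>
    <Option Value="O;ExampleClientAuth;2">ExampleClientAuth</Option>
  </select>
</form>
</body></html>
"""


if __name__ == "__main__":
    for name, value in enrollable_templates(SAMPLE_HTML):
        print(f"{name}\t(option value: {value})")
```

Because the parser keys on the select element rather than on any fixed option count, it reports whatever the page happens to list for the relayed or authenticated account; an empty result means either that no templates are published to that account or that the dropdown name differs from the assumed one.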