Forwarded from APT
📜 Abuse AD CS via dNSHostName Spoofing
This blog covers the technical details of CVE-2022-26923, an Active Directory Domain Services elevation of privilege vulnerability via AD CS dNSHostName spoofing.
https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4
#ad #adcs #privesc #redteam
Forwarded from APT
🔄 CertSync
A new technique to dump NTDS remotely without DRSUAPI: it uses a golden certificate and UnPAC the hash. It does not require a Domain Administrator; it only requires a CA Administrator.
It works in several steps:
— Dump user list, CA information and CRL from LDAP;
— Dump CA certificate and private key;
— Forge a certificate offline for every user;
— UnPAC the hash for every user in order to get NT and LM hashes.
https://github.com/zblurx/certsync
#ad #adcs #drsuapi #ntds #cert #redteam
Forwarded from APT
📜 ADCS Attack Techniques Cheatsheet
This is a handy table outlining the various methods of attack against Active Directory Certificate Services (ADCS).
🔗 Source:
https://docs.google.com/spreadsheets/d/1E5SDC5cwXWz36rPP_TXhhAvTvqz2RGnMYXieu4ZHx64/edit?gid=0#gid=0
#ad #adcs #esc #cheatsheet