Forwarded from APT
🔄 CertSync
New technique in order to dump NTDS remotely, but without DRSUAPI it uses golden certificate and UnPAC the hash. It does not require to use a Domain Administrator, it only require a CA Administrator.
It works in several steps:
— Dump user list, CA informations and CRL from LDAP;
— Dump CA certificate and private key;
— Forge offline a certificate for every user;
— UnPAC the hash for every user in order to get NT and LM hashes.
https://github.com/zblurx/certsync
#ad #adcs #drsuapi #ntds #cert #redteam
New technique in order to dump NTDS remotely, but without DRSUAPI it uses golden certificate and UnPAC the hash. It does not require to use a Domain Administrator, it only require a CA Administrator.
It works in several steps:
— Dump user list, CA informations and CRL from LDAP;
— Dump CA certificate and private key;
— Forge offline a certificate for every user;
— UnPAC the hash for every user in order to get NT and LM hashes.
https://github.com/zblurx/certsync
#ad #adcs #drsuapi #ntds #cert #redteam