ADCSPwn

ADCSPwn is a tool for escalating privileges within an Active Directory network. It coerces authentication from machine accounts using the PetitPotam technique (EfsRpcOpenFileRaw) and relays that authentication to the certificate service (AD CS), obtaining a certificate for the relayed machine account. This tool is used to exploit weaknesses in Active Directory environments and gain unauthorized access to critical resources.

Installation

  1. Download the ADCSPwn executable from the official source.
  2. Place the executable on the target machine or a machine within the network.

Usage

Run ADCSPwn on your target network.

Required Arguments:

  • adcs: The address of the AD CS server to which authentication will be relayed.

Optional Arguments:

  • secure: Use HTTPS with the certificate service.
  • port: The port ADCSPwn will listen on.
  • remote: Remote machine to trigger authentication from.
  • username: Username for non-domain context.
  • password: Password for non-domain context.
  • dc: Domain controller to query for Certificate Templates (LDAP).
  • unc: Set a custom UNC callback path for EfsRpcOpenFileRaw (PetitPotam).
  • output: Output path to store the base64-encoded generated crt.
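The relay described above ends with a machine account (a name ending in `$`) authenticating to the certificate service's web enrollment endpoint, which the AD CS server's own IIS logs record. As an added defender-side example (not part of ADCSPwn or its documentation), the script below parses constructed IIS W3C log lines and flags successful machine-account requests to the enrollment path; plain HTTP is rated higher because the `secure` option exists precisely because HTTPS is not required by default. The field order and the `/certsrv/` enrollment path are assumptions.

```python
"""Flag machine-account requests to the AD CS web-enrollment endpoint.

Added defender-side example, not part of ADCSPwn. The log lines are
constructed; the field order below is the default IIS W3C layout and
the /certsrv path is assumed to be the enrollment application.
"""
# Field order used when a log has no #Fields: directive (assumed default).
DEFAULT_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem",
                  "cs-uri-query", "s-port", "cs-username", "c-ip",
                  "cs(User-Agent)", "cs(Referer)", "sc-status",
                  "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed sample: an anonymous 401 challenge, a machine account (DC01$)
# completing an enrollment POST over plain HTTP, and a normal user over HTTPS.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-01 10:00:01 10.0.0.5 GET /certsrv/ - 80 - 10.0.0.7 Mozilla/5.0 - 401 2 5 3
2021-08-01 10:00:02 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\\DC01$ 10.0.0.7 Mozilla/5.0 - 200 0 0 120
2021-08-01 10:01:15 10.0.0.5 GET /certsrv/certrqus.asp - 443 CORP\\alice 10.0.0.9 Mozilla/5.0 - 200 0 0 40
"""

def parse_w3c(text):
    """Yield one dict per data line, honouring any #Fields: directive."""
    fields = list(DEFAULT_FIELDS)
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))

def find_machine_enrollments(text, enroll_path="/certsrv/"):
    """Return (time, account, client_ip, port, severity) for each successful
    enrollment-path request made by a machine account (name ending in $).
    HTTPS is only 'medium': TLS alone does not stop a relay unless Extended
    Protection for Authentication is enforced on the enrollment site."""
    findings = []
    for rec in parse_w3c(text):
        user = rec.get("cs-username", "-")
        path = rec.get("cs-uri-stem", "").lower()
        if not user.endswith("$") or not path.startswith(enroll_path):
            continue
        if rec.get("sc-status") != "200":
            continue  # failed or unauthenticated attempts are not enrollments
        severity = "high" if rec.get("s-port") != "443" else "medium"
        findings.append((rec["time"], user, rec["c-ip"], rec["s-port"], severity))
    return findings
```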

Example Usage
