ADCSPwn is a tool crafted for escalating privileges within an Active Directory network. It does this by coercing authentication from machine accounts using a technique known as PetitPotam and then relaying that authentication to the certificate service. This tool is used to potentially exploit vulnerabilities in Active Directory environments and gain unauthorized access to critical resources.
Installation
- Download the ADCSPwn executable from the official source.
- Place the executable on the target machine or a machine within the network.
Usage
Run ADCSPwn on your target network.
Required Arguments:
- adcs: This is the address of the AD CS server to which authentication will be relayed.
Optional Arguments:
- secure: Use HTTPS with the certificate service.
- port: The port ADCSPwn will listen on.
- remote: Remote machine to trigger authentication from.
- username: Username for non-domain context.
- password: Password for non-domain context.
- dc: Domain controller to query for Certificate Templates (LDAP).
- unc: Set a custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam).
- output: Output path to store base64-generated crt.
