Pentest & Red Team (part 2)

1. Ligolo-ng: revolutionary tunneling tool using TUN interfaces. Forwards traffic into internal networks without slow SOCKS proxies, turning remote networks into local interfaces you can probe with standard tools like nmap.
2. Certipy: ultimate tool for auditing and exploiting Active Directory Certificate Services (AD CS). Discovers vulnerable certificate templates (ESC1–ESC11) and enables domain account compromise or privilege escalation via certificate-based authentication.
3. Coercer: script for automatically coercing Windows machines to authenticate to a controlled server. Leverages dozens of undocumented RPC calls (MS-RPRN, MS-EFSR) to make servers "leak" NTLMv2 hashes; no direct exploitation needed. Ideal for relay attacks.
4. NetExec: modern successor to the legendary CrackMapExec. Mass-assess Windows network security, execute commands, dump credentials, and audit privileges across SMB, WMI, MSSQL, and WinRM at incredible speed.
5. Sliver: cross-platform C2 framework written in Go. Generates beacons that evade modern AV, supports covert comms via DNS/HTTP/mTLS, and provides a full-featured console for managing compromised nodes.
6. Inveigh: .NET tool for MITM attacks inside Windows networks. Unlike classic Responder, it's written in C#, enabling direct in-memory execution via PowerShell or C2 beacons, silently capturing hashes via LLMNR/mDNS.
7. DonPapi: automated secret collector from DPAPI (Data Protection API) dumps. Mass-decrypts saved passwords in Chrome/Edge, Outlook, and Windows credentials using keys harvested during domain audits.
8. GoFetch: automated attack-path finder for Active Directory, integrated with BloodHound graphs. Doesn't just visualize connections; it actively identifies and extracts data for lateral movement, prioritizing the shortest, most efficient routes.
#Pentest #RedTeam #AD #Exploitation #Cybersecurity #InfoSec #EthicalHacking #ActiveDirectory #C2Framework #ThreatSimulation #SecurityResearch #PenTesting #MrRobot #CyberSec #OffensiveSecurity
A Detailed Guide on Certipy 🔥
Telegram: t.me/hackinarticles
✴ Twitter: x.com/hackinarticles

Certipy is a powerful tool for exploiting Active Directory Certificate Services (AD CS) misconfigurations, enabling attackers to escalate privileges, impersonate users, and achieve domain persistence using certificate-based attacks.

📚 Topics covered
📖 Overview of Certipy
🧠 Understanding AD CS concepts
⚙️ Prerequisites & lab setup
🔍 Finding vulnerable certificate templates
👤 Examining account privileges
🛠 Manipulating user accounts
📜 Requesting certificates (ESC1 abuse)
🔐 Authenticating via certificate (PKINIT)
🧬 Shadow Credentials attack
📂 Template enumeration & modification
🏢 Certificate Authority (CA) management
💉 Certificate forging (Golden Certificate)
🔄 NTLM relay to AD CS (ESC8/ESC11)
🎟 SubCA abuse & privilege escalation
🚀 Domain compromise using certificates
🛡 Detection & mitigation techniques

📖 Article: hackingarticles.in/a-detaile…
#CyberSecurity #ActiveDirectory #RedTeam #Pentesting #EthicalHacking #ADCS #Certipy #InfoSec
Sometimes obsolescence is a "security control"... This is a funny situation. I was on an internal pentest and the client had ESC6, ESC8, and ESC11. However, when I attempted the ESC8 relaying attack, it failed: certificate expired. The root CA certificate had expired. 🙃 Obviously I say "security control" jokingly, because there's absolutely 0 reason to rely on expired certificates for your security.
1, 2, 7, 3... Speaking of, ESC11 ranking coming soon, I guess.
Step 0: enable RPC encryption. It secures cert requests but also creates an opportunity for ESC11 abuse to exploit the same channel.
ESC11: attack the CA via RPC (2025). certipy-ad; Coercer: coerce a 2019 DC to send NTLM creds back to the relay listener; authenticate as the DC with the captured cert && ldap-shell; extract the admin NT hash with netexec smb; gain a full SYSTEM shell on the DC with impacket psexec. Blog: hackingarticles.in/adcs-esc1…
Locksmith (2023, 2025): scan and fix ADCS issues. Use the -Scans parameter to choose which vulnerabilities to scan for: All, Auditing, ESC1, ESC2, ESC3, ESC4, ESC5, ESC6, ESC7, ESC8, ESC9, ESC11, ESC13, ESC15, EKEUwu, ESC16. github.com/dmore/Locksmith-r…
ESC11: ADCS priv esc via an NTLM relay attack vector. Default HTTP-based certificate RPC enrolment methods are vulnerable (MS-ICPR); impacket ntlmrelayx; recon vulnerable templates with Certipy.
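A check for the CA-side condition behind the three ESC11 posts above (the RPC-encryption setting, the coerce-and-relay chain, and the MS-ICPR note), as an added Python example that is not code from any of those posts nor from Certipy, Coercer or Locksmith. ESC11 exists when the CA's MS-ICPR (RPC) enrollment interface does not require encrypted requests, i.e. the IF_ENFORCEENCRYPTICERTREQUEST bit (0x200) is clear in the CA's InterfaceFlags registry value; that is the setting Certipy's `find` reports as "Enforce Encryption for Requests" and the one the relay needs. The block decodes the DWORD that `certutil -getreg CA\InterfaceFlags` prints on the CA, flags ESC11, and states the certutil fix. The CA name CORP-CA and the two certutil transcripts are constructed samples, laid out like certutil's output but not captured from a real host; the IF_* bit values are transcribed from the Windows SDK certsrv.h definitions.

```python
"""ESC11 check: decode a CA's InterfaceFlags DWORD and report whether the
RPC (MS-ICPR) enrollment interface accepts unencrypted, relayable requests.

Added example; not code from the posts above or from Certipy/Locksmith.
The value lives at
HKLM\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\<CA>\\InterfaceFlags
and is printed by `certutil -getreg CA\\InterfaceFlags` on the CA host.
"""
import re

# IF_* bits as defined in the Windows SDK (certsrv.h); only 0x200 matters for ESC11.
IF_FLAGS = {
    0x00000001: "IF_LOCKICERTREQUEST",
    0x00000002: "IF_NOREMOTEICERTREQUEST",
    0x00000004: "IF_NOLOCALICERTREQUEST",
    0x00000008: "IF_NORPCICERTREQUEST",
    0x00000010: "IF_NOREMOTEICERTADMIN",
    0x00000020: "IF_NOLOCALICERTADMIN",
    0x00000040: "IF_NOREMOTEICERTADMINBACKUP",
    0x00000080: "IF_NOLOCALICERTADMINBACKUP",
    0x00000100: "IF_NOSNAPSHOTBACKUP",
    0x00000200: "IF_ENFORCEENCRYPTICERTREQUEST",
    0x00000400: "IF_ENFORCEENCRYPTICERTADMIN",
    0x00000800: "IF_ENABLEEXITKEYRETRIEVAL",
    0x00001000: "IF_ENABLEADMINASAUDITOR",
}
IF_ENFORCEENCRYPTICERTREQUEST = 0x200

# Remediation, run on the CA as an enterprise/CA admin, then restart the service.
ESC11_FIX = (
    "certutil -setreg CA\\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST "
    "&& net stop certsvc && net start certsvc"
)

# Constructed samples in certutil -getreg layout. CORP-CA is a made-up CA name.
SAMPLE_HARDENED = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\CORP-CA\\InterfaceFlags:

  InterfaceFlags REG_DWORD = 641 (1601)
    IF_LOCKICERTREQUEST -- 1
    IF_NOREMOTEICERTADMINBACKUP -- 40 (64)
    IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)
    IF_ENFORCEENCRYPTICERTADMIN -- 400 (1024)
CertUtil: -getreg command completed successfully.
"""
SAMPLE_EXPOSED = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\CORP-CA\\InterfaceFlags:

  InterfaceFlags REG_DWORD = 441 (1089)
    IF_LOCKICERTREQUEST -- 1
    IF_NOREMOTEICERTADMINBACKUP -- 40 (64)
    IF_ENFORCEENCRYPTICERTADMIN -- 400 (1024)
CertUtil: -getreg command completed successfully.
"""

_GETREG_RE = re.compile(r"InterfaceFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)")


def parse_certutil_getreg(output: str) -> int:
    """Extract the raw InterfaceFlags value from certutil -getreg output.

    certutil prints the DWORD in hex followed by decimal in parentheses,
    e.g. "= 641 (1601)"; the hex group is what we parse.
    """
    match = _GETREG_RE.search(output)
    if not match:
        raise ValueError("InterfaceFlags not found in certutil output")
    return int(match.group(1), 16)


def decode_interface_flags(value: int) -> list[str]:
    """Return the IF_* names set in the DWORD, lowest bit first; unknown bits are kept."""
    names = [name for bit, name in sorted(IF_FLAGS.items()) if value & bit]
    unknown = value & ~sum(IF_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names


def assess_esc11(value: int) -> dict:
    """ESC11 holds when requests over the RPC interface are not forced to be encrypted."""
    vulnerable = not (value & IF_ENFORCEENCRYPTICERTREQUEST)
    return {
        "vulnerable": vulnerable,
        "flags": decode_interface_flags(value),
        "fix": ESC11_FIX if vulnerable else None,
    }


if __name__ == "__main__":
    for label, transcript in (("hardened", SAMPLE_HARDENED), ("exposed", SAMPLE_EXPOSED)):
        raw = parse_certutil_getreg(transcript)
        result = assess_esc11(raw)
        print(f"{label}: InterfaceFlags=0x{raw:x} ESC11={'YES' if result['vulnerable'] else 'no'}")
        print("  flags:", ", ".join(result["flags"]))
        if result["fix"]:
            print("  fix:  ", result["fix"])
```

The bit is the only thing that distinguishes the two samples; with it set, ntlmrelayx/certipy relaying to `rpc://<ca>` is refused, which does nothing for ESC8 (web enrollment over HTTP) and says nothing about template misconfigurations, so run it alongside, not instead of, a Certipy or Locksmith template scan.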
11 Aug 2025
I just completed ADCS Attacks - 28 hands-on exercises - Exploiting misconfigured templates (ESC1 - ESC11) - Certificate mapping & PKINIT abuse - CVE-2022-26923 (Certifried) - Done entirely through Linux & Windows academy.hackthebox.com/achie… #hackthebox #cybersecurity
Castleberry early childhood teachers learning @Esc11 Days of Play! #CISDEarlyliteracy #Choosecastleberry
ESC11 targets AD CS by exploiting RPC enforcement and NTLM relay flaws to escalate privileges & relay authentication to obtain domain certificates. Awareness of this attack surface is crucial. 🚨 #ActiveDirectory #NTLMRelay #CyberUK ift.tt/Zu3v7fe
Replying to @stewart_sec
Have you done an ESC11?
16 Apr 2025
Certipy is a tool designed to enumerate and abuse Active Directory Certificate Services (AD CS). With support for techniques such as **Shadow Credentials**, **Golden Certificates** and specific escalations such as **ESC1 to ESC11**, it allows advanced actions such as certificate extraction, credential forging and abuse of vulnerable templates. If you work with security in AD-based networks, this tool offers a powerful approach to assessing critical configurations. #ADCS #CyberSecurity
Replying to @AsishGnip717
esc11
10 Dec 2024
Replying to @ret2src @VipahNL
Locksmith can identify ESC11 :)
10 Dec 2024
Replying to @VipahNL @techspence
Absolutely! Exploited ESC11 in a pretty locked down environment a few weeks ago. But if I remember correctly, PingCastle will at least identify some of the more common AD CS misconfigurations.
5 Dec 2024
Ah, only 4 hours left until the ESC November TOP 20? The thumbnail is Marco, but who's going to take first place!?