20. In internal network domain penetration, when using NTLM relay in combination with the ADCS vulnerability, what are the utilisation conditions? On which machine should the Responder host be deployed, and why? Why can the ADCS vulnerability be used to gain domain administrator privileges, and what is the principle?
Utilising NTLM Relay with the ADCS vulnerability requires user credentials and the Responder host to be present in the target network.
- The attacker first uses the Responder tool to sniff NTLM authentication requests on the local network.
- When a victim attempts to access a network resource, Responder captures the victim’s NTLM authentication request.
- The attacker redirects the victim’s NTLM authentication request via the NTLM Relay vulnerability to the target machine where the ADCS vulnerability exists.
- The target machine processes the redirected NTLM authentication request, and during this process, the ADCS vulnerability is triggered.
- The attacker exploits the ADCS vulnerability to execute malicious code on the target machine, thereby gaining domain administrator privileges.
- The ADCS vulnerability can allow an attacker to gain domain administrator privileges because of misconfigurations in the ADCS service. Under normal conditions, only authorised users should be able to request certificates for other users or computers. However, if the ADCS service is improperly configured—for instance, if it allows any authenticated user to request a new certificate based on a specific template—an attacker can exploit this to request a certificate for themselves or another machine that should only be available to high‑privilege users (such as administrators).