Request a certificate with arbitrary SAN (and SID to bypass KB5014754 AKA Strong Mapping), authenticate via PKINIT, and extract the NT hash
| Feature | Description |
|---|---|
| ESC1 Exploitation | Request certificates with arbitrary Subject Alternative Name |
| KB5014754 Bypass | Automatic SID inclusion for Strong Certificate Mapping |
| PKINIT Authentication | Full RFC 4556 implementation with DH key exchange |
| UnPAC-the-hash | Extract NT hash from PAC credentials |
| U2U Fallback | User-to-User when PA-PAC-CREDENTIALS unavailable |
| Single BOF | Complete attack chain in one command |
| Rubeus Compatible | Kirbi output works with Rubeus/Mimikatz |
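The arbitrary-SAN row above is also where the defender's signal sits: on the CA, an ESC1 request shows up as an issuance whose requester-supplied SAN names an account other than the requester. As an added example that is not part of this project, the following Python check runs that comparison over constructed issuance records (the record fields and the `SAN:upn=` attribute syntax are assumptions approximating CA audit data, and the NetBIOS-to-DNS domain mapping is a single-domain simplification):

```python
import re
from dataclasses import dataclass


@dataclass
class Issuance:
    """One CA issuance record (constructed stand-in; field names are assumed)."""
    request_id: int
    requester: str    # account that submitted the request, DOMAIN\user form
    template: str
    attributes: str   # request attributes as free text, e.g. "SAN:upn=..."


# UPN values the requester asked to have placed in the SAN (case-insensitive).
SAN_UPN_RE = re.compile(r"san:upn=([^,;\s]+)", re.IGNORECASE)


def san_upns(attributes: str) -> list:
    """Return every UPN supplied through the request's SAN attribute."""
    return [u.lower() for u in SAN_UPN_RE.findall(attributes)]


def requester_upn(requester: str, dns_domain: str) -> str:
    """Map 'DOMAIN\\user' to 'user@dns_domain' (single-domain assumption)."""
    account = requester.split("\\", 1)[-1]
    return f"{account}@{dns_domain}".lower()


def find_san_mismatches(records, dns_domain):
    """Return (request_id, requester, san_upn, template) for every issuance
    whose requester-supplied SAN names an identity other than the requester."""
    findings = []
    for rec in records:
        expected = requester_upn(rec.requester, dns_domain)
        for upn in san_upns(rec.attributes):
            if upn != expected:
                findings.append((rec.request_id, rec.requester, upn, rec.template))
    return findings


# Constructed sample records: no requester-supplied SAN, a SAN matching the
# requester, and a SAN naming a different (privileged) account.
SAMPLE_RECORDS = [
    Issuance(101, "EVILCORP\\alice", "User", "CertificateTemplate:User"),
    Issuance(102, "EVILCORP\\bob", "ESC1Template",
             "CertificateTemplate:ESC1Template;SAN:upn=bob@evilcorp.net"),
    Issuance(103, "EVILCORP\\bob", "ESC1Template",
             "CertificateTemplate:ESC1Template;SAN:upn=administrator@evilcorp.net"),
]

if __name__ == "__main__":
    for finding in find_san_mismatches(SAMPLE_RECORDS, "evilcorp.net"):
        print("SAN/requester mismatch:", finding)
```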
```
git clone https://github.com/RayRRT/ESC1-unPAC.git && cd ESC1-unPAC && chmod +x build.sh && ./build.sh
```
- Havoc: Scripts → Load Script → `havoc/esc1-unpac.py`
- Cobalt Strike: Script Manager → Load → `cobaltstrike/esc1-unpac.cna`
```
esc1-unpac <CA> <Template> <UPN> [KDC]
esc1-unpac EVILCA1.evilcorp.net\evilcorp-EVILCA1-CA ESC1Template [email protected]
```
- PFX certificate (base64, password: `SpicyAD123`)
- TGT in kirbi format (Rubeus compatible)
- NT hash
This tool is intended for authorized security testing and educational purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing.