unPACman

By the power of Certify and Rubeus, I have the power of unPACman! unPACman is a C# tool for AD CS environments that tries to unPAC your own account when you land a shell but have no credentials. It will try to find and use any certificate template available to you.

Because I’m too lazy to juggle certs between tools

What is this thing?

You have a shell on a Windows box, no password, no hash, no creds — just a user token and network access to AD/CA. unPACman automates the annoying bit: finds an enrollable cert, requests it, PKINITs for a TGT, parses the PAC, and abracadabra an NTLM hashbrown! One command. Less babysitting.

Made with love, questionable code quality, and even worse decisions, but it works. Most of the time.

Super quick demo

# one command. yes, really.
unPACman.exe

Output:

              ____   _    ____
  _   _ _ __ |  _ \ / \  / ___|_ __ ___   __ _ _ __
 | | | | '_ \| |_) / _ \| |   | '_ ` _ \ / _` | '_ \
 | |_| | | | |  __/ ___ \ |___| | | | | | (_| | | | |
  \__,_|_| |_|_| /_/   \_\____|_| |_| |_|\__,_|_| |_|
  Version: 0.1.0

          I have no idea what I'm doing.
[>] Finding potential certificate templates
[>] Searching 'CN=Configuration,DC=TEST,DC=LOCAL'
[>] CA information for 'TEST-CERT-CA'
[*] unPACman is gooooo!
...
[*] NTLM hash               : ABCDEFGHIJKLMNOPQRSTUVWXYZ012345
[+] Successfully processed template 'User' on CA 'CERT.TEST.LOCAL\TEST-CERT-CA'

Why did I make this?

Because I am very lazy.

Manual flow with Certify + Rubeus works, but it’s tedious:

  • enumerate templates
  • pick one
  • request cert
  • export PFX
  • run Rubeus with PFX
  • copy/paste results

unPACman replaces that work with a single binary.

How does it work?

  1. CertFinder — Digs through AD and the CA to figure out which certificate templates you’re actually allowed to use. No guesswork, no dead ends.
  2. CertRequest — Uses your current user context to grab a cert. Deals with all the Windows nonsense like non-exportable keys so you don’t have to.
  3. PKINIT — Takes that shiny new cert, signs the right Kerberos request, and convinces the KDC to hand you a ticket.
  4. unPAC — Cracks open the ticket, rummages through the PAC, and pulls out your NTLM hash like a prize from a cereal box.

Requirements

  • Windows (domain-joined or reachable AD + CA)
  • .NET Framework 4.8.1
  • Enrollment rights on at least one certificate template
  • Network access to a CA and KDC

Build

git clone https://github.com/investigato/unPACman.git
cd unPACman
msbuild unPACman.sln /p:Configuration=Release

Roadmap / TODOs

  • Command-line options for runtime adjustments.
  • A ton of cleanup to remove unused code and simplify the project.
  • Replace the custom BigInteger with System.Numerics.BigInteger

Disclaimer

AUTHORIZED TESTING ONLY. Use only on systems you own or have written permission to test. I’m not responsible for your poor decisions.

Frequently not-Asked Questions

  • Q: Does this require admin privileges?
  • A: Nope, just enrollment permissions for a template. Works from a regular shell if the cert template permits it.
  • Q: Will the CA or the Blue Team detect this?
  • A: Probably. Enrollments and PKINIT requests are logged. Use with caution and proper rules of engagement. There's a Splunk detection rule for this pattern, titled "Using Rubeus And Certify To Unpac The Hash".
  • Q: What if I don't have enrollment permissions?
  • A: The tool will tell you and exit gracefully. You need enrollment rights on at least one template.
  • Q: Can I use this in production?
  • A: Please don't. This is a security research tool, not production software. Also, see the disclaimer above.
  • Q: Why is there so much custom crypto code?
  • A: Legacy from the original tools. I'm considering replacing it with built-in .NET crypto. See the roadmap.

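The four steps under "How does it work?" and the "Will the Blue Team detect this?" answer above describe the same two observable events from the defender's side: the CA issues a certificate to the user (CA event 4887, preceded by 4886), and shortly afterwards the KDC logs a TGT request for that same user with a PKINIT pre-authentication type (event 4768, Pre-Authentication Type 16 or 17, with certificate issuer information present) instead of the usual password type 2. The correlation below is an added example written for this page; it is not part of unPACman, not the Splunk rule mentioned above, and the log lines are constructed. It assumes a flattened, pipe-delimited export with simplified field names (Requester, CertificateTemplate, TargetUserName, PreAuthType, CertIssuerName, IpAddress); a real SIEM would map the native Windows field names onto these.

```python
"""Correlate AD CS certificate issuance with a PKINIT TGT request for the
same account (the "UnPAC the hash" pattern). Added example, not project code."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Pre-authentication types written into event 4768 when PKINIT is used:
# PA-PK-AS-REQ = 16, PA-PK-AS-REP = 17. Password pre-auth is type 2.
PKINIT_PREAUTH_TYPES = {"16", "17"}

# Constructed sample telemetry. Format (an assumption for this example):
# <ISO time>|<host>|<event id>|Key=Value|Key=Value...
SAMPLE_LOG = """
2024-05-01T10:00:01Z|CA01|4886|Requester=TEST\\jdoe|CertificateTemplate=User
2024-05-01T10:00:02Z|CA01|4887|Requester=TEST\\jdoe|CertificateTemplate=User|RequestId=1042
2024-05-01T10:00:09Z|DC01|4768|TargetUserName=jdoe|PreAuthType=16|CertIssuerName=TEST-CERT-CA|IpAddress=10.0.0.25
2024-05-01T10:01:00Z|DC01|4768|TargetUserName=asmith|PreAuthType=2|IpAddress=10.0.0.31
2024-05-01T10:05:00Z|CA01|4887|Requester=TEST\\svc_backup|CertificateTemplate=Machine|RequestId=1043
2024-05-01T10:06:00Z|DC01|4768|TargetUserName=svc_backup|PreAuthType=2|IpAddress=10.0.0.40
2024-05-01T11:30:00Z|DC01|4768|TargetUserName=jdoe|PreAuthType=16|CertIssuerName=TEST-CERT-CA|IpAddress=10.0.0.25
"""


@dataclass
class Event:
    time: datetime
    host: str
    event_id: str
    fields: dict


def parse_event(line: str) -> Event:
    """Parse one pipe-delimited event line into an Event."""
    parts = line.strip().split("|")
    if len(parts) < 3:
        raise ValueError(f"malformed event line: {line!r}")
    ts, host, event_id, *kv = parts
    fields = {}
    for item in kv:
        key, _, value = item.partition("=")
        fields[key.strip()] = value.strip()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, event_id, fields)


def normalize_account(name: str) -> str:
    """'TEST\\jdoe', 'jdoe@test.local' and 'JDOE' all become 'jdoe', so the
    CA's Requester field and the KDC's TargetUserName field can be joined."""
    return name.split("\\")[-1].split("@")[0].lower()


def find_unpac_candidates(lines, window=timedelta(minutes=10)):
    """Return one alert per PKINIT TGT request (4768, type 16/17) that follows
    a certificate issued (4887) to the same account within `window`."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.time)
    issued = {}   # normalized account -> list of 4887 events, in time order
    alerts = []
    for ev in events:
        if ev.event_id == "4887":
            acct = normalize_account(ev.fields.get("Requester", ""))
            issued.setdefault(acct, []).append(ev)
        elif ev.event_id == "4768" and ev.fields.get("PreAuthType") in PKINIT_PREAUTH_TYPES:
            acct = normalize_account(ev.fields.get("TargetUserName", ""))
            # Only issuances inside the look-back window count; a smart-card
            # user who PKINITs hours after enrolling should not fire this rule.
            recent = [e for e in issued.get(acct, []) if ev.time - e.time <= window]
            if recent:
                cert = recent[-1]
                alerts.append({
                    "account": acct,
                    "template": cert.fields.get("CertificateTemplate", "?"),
                    "ca_host": cert.host,
                    "issued_at": cert.time.isoformat(),
                    "tgt_at": ev.time.isoformat(),
                    "issuer": ev.fields.get("CertIssuerName", "?"),
                    "client": ev.fields.get("IpAddress", "?"),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_unpac_candidates(SAMPLE_LOG.splitlines()):
        print(f"[!] cert-then-PKINIT for {alert['account']}: template {alert['template']} "
              f"issued by {alert['ca_host']} at {alert['issued_at']}, TGT at {alert['tgt_at']} "
              f"from {alert['client']}")
```

Run against the constructed sample, only the first jdoe sequence fires: asmith never uses PKINIT, svc_backup gets a certificate but then authenticates with a password, and jdoe's second PKINIT at 11:30 falls outside the ten-minute window. This only works if the telemetry exists: Audit Certification Services must be enabled on the CA for 4886/4887, and Audit Kerberos Authentication Service must be enabled on the domain controllers for 4768. Tuning the window and allow-listing templates that legitimately issue smart-card logon certificates keeps the rule from paging on real smart-card enrollments.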