whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/misc/active_directory/AD_CS.md

3.4 KiB
Raw Blame History

Active Directory Certificate Service ADCS

  • Internal CA

  • PKI

  • File system encryption

  • Digital signatures

  • User authentication

  • Certificates will not be revoked after account password reset

Certificate Templates

  • Extended/Enhanced Key Usage
  • Parameter combination can be exploited
  • User Certificates may be requested from a member of a Domain User Group
  • Machine Certifcates may be requested from a host of a Domain Computer Group

Enumeration

certutil -v -template > ct.txt

Exploitable templates should have the following traits:

  • Allow Enroll or Allow Full Control permissions to request certificate
    • Find groups by net user <username> /domain --> Domain Users, Domain Computers
  • Client authentication EKU for Kerberos authentication --> Client Authentication
  • Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT

Certificate Creation

  • Win+R --> mmc --> File --> Add/Remove Snap-in --> Certificates (Request Certificate if administration account --> Computer Account)
  • After that in the main menu, Certificates --> right click on Personal --> All Tasks --> Request Certificates --> Next --> Next --> More information is required to enroll this certificate --> Common Name --> CN=concerto && User Principal Name is the user to impersonate --> OK --> select User Request --> Enroll
  • After that in the main menu, Personal --> Certificates --> The certificate
  • Right click certificate --> All Tasks --> Export --> Yes, export private key --> PFX --> set Password --> Save

Impersonation

  • Request TGT with the created cert

  • Grab TGT

  • On the machine via

Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain name> /dc:<IP of domain controller>
  • Select a domain admin via opening Active Directory Users and Computers
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
  • runas /user:<domain>\<username of DA> cmd.exe

CVE-2022-26923

  • Aims on abusing templates configuration, the Subject Alternative Name SAN. Set it to someone with higher permissions
  • User and Machine certificate templates
  • User Principal Name is used for SAN, this template can not be modified in a way to escalate privileges
  • Computer accounts DNS name is used for SAN
  • Users of the Authenticated Users Group can create 10 Machine Certificates
  • DNS hostname is used for authentication
  • Service Principal Names (SPN), associates a service logon with a service instance. SPNs are unique
  • Permissions of interest, all two are needed
    • Validate write to DNS hostname allows to update DNS hostname of AD object associated with the host
    • Validate write to SPN, update SPN of the AD object associated with the host

Usage

  • User account has to be compromised, use it to enrol a new host on the domain
  • Alter the DNS hostname attribute of the AD Object to one of a Domain Controller or other higher privilege
  • Remove the SPN attribute to bypass the unique SPN
  • With the default template request the machine cert
  • authenticate via Kerberos with the template as the higher privileged machine