Common Active Directory Certificate Services Misconfigurations and Abuse

C:\Windows\System32\> whoami

I'm a Senior Penetration Tester with a keen eye on safeguarding network and Active Directory environments. My qualifications, highlighted by certifications like eJPTv1, PNPT, ICCA, CARTP, CNPen, CRTE, and CRTO speak to my expertise and passion for cybersecurity. When I'm not decoding the complexities of security systems, you'll find me indulging in herpetology, noodling on my guitar, or grinding away at certs or labs.

Currently, I'm delving deeper into malware development and red team tactics, a testament to my belief in continuous learning and adapting. As I navigate through the intricate world of cybersecurity, my journey is marked by a blend of professional growth and personal pursuits, always with a readiness to tackle the next challenge.

What is ADCS?

Active Directory Certificate Services (ADCS) is a network service that allows you to deploy your own Public Key Infrastructure (PKI).

It gives the network a secure backbone for many applications, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Smart Card Logon, SSL/TLS, IPsec/VPN, wireless network security, and domain authentication.

It supports the CIA triad by providing encryption for confidentiality, digital signatures for integrity, and authentication certificates for availability.

This presentation will cover the most common misconfigurations I’ve personally seen, which are the ESC 1, 4, and 8 attacks. ESC refers to privilege escalation within the Active Directory domain.

Credits and Tools

SpecterOps – Certified Pre-Owned / Certify tool

ZeroPointSecurity – Red Team Operator Course

Altered Security – Red Team Professional and Expert Courses

Note: Altered Security has recently released an ADCS centric course, but I’ve not been able to partake.

Ly4k – Certipy Tool

Orange Cyberdefense – Game of Active Directory (GOAD)

HackTheBox – Labs (Escape)

TheHackerRecipes – Their main ADCS page

Anatomy

Certificate Authority

• The server hosting the templates

• Control Center

• Domain Facing

Certificate Templates

• Intended Use

• Permissions

• Functionality

EKUs (extended key usages) are OIDs (object identifiers) that define the functions and usage of the certificate template.

Certificate Authority

• Name

• Hostname

• Web Enrollment

• Flags

• Permissions

• Access Rights

• Enrollment Agent Restrictions

Certificate Templates

• Domain Object

• CA

• Name

• Enabled

• Extended Key Usage (EKU)

• Permissions

• Enrollment Permissions

• Object Control Permissions

UnPac The Hash Attack

This technique is used to obtain the NTLM hash of a domain account from a certificate. It is used in each of the attacks demonstrated, and I believe it is important to cover it even though Certipy automates the process for us.

This technique revolves around Kerberos authentication using PKINIT. If you are not familiar with how Kerberos works, this attack may be difficult to understand.

When a TGT is requested with PKINIT, the NTLM hash is added in the PAC_CREDENTIAL_INFO field in case Kerberos authentication is not supported. The PAC is encrypted with the KRBTGT account’s hash, so we can’t simply extract the NTLM hash from the ticket.

If we use this TGT to request a TGS, the same structure is added but is encrypted with the session key. This session key can be extracted and used to decrypt the PAC, including the PAC_CREDENTIAL_INFO field, which allows us to extract the NTLM hash of the authenticating account.

Privilege Escalation (ESC 1)

ESC 1 - Enumeration (certipy)

This occurs when a template is over-permissioned and results in complete domain compromise.

Requirements:

- Client Authentication set to True (PKINIT EKU)

- The EnrolleeSuppliesSubject certificate name flag (the requester controls the subject alternative name)

- The ability to enroll (any valid domain account)

The certipy tool can be used to remotely request CA and template information.

certipy find -vulnerable -u user -p pass -target domain.corp
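The three ESC 1 requirements above map directly onto template attributes that Certipy reads over LDAP. The following is an added example, not code from the post or from Certipy, that checks those attributes offline: it reports which ESC 1 conditions a template meets and shows how either of the fixes named in the Remediation section (manager approval, or an EKU that cannot log on) closes the finding. The template records are constructed samples, and whether low-privileged principals hold the enrollment right is passed in as a boolean rather than parsed from the security descriptor.

```python
# Bit in msPKI-Certificate-Name-Flag: the requester supplies the subject / SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: requests wait for Certificate Manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that let the issued certificate authenticate to the domain (PKINIT)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

def esc1_conditions(template: dict, low_priv_can_enroll: bool) -> dict:
    """Map each ESC 1 condition to whether the template meets it.

    low_priv_can_enroll is an assumption supplied by the caller; a full audit
    derives it from the Certificate-Enrollment right in nTSecurityDescriptor.
    """
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    name_flags = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flags = template.get("msPKI-Enrollment-Flag", 0)
    return {
        "low_priv_enrollment": low_priv_can_enroll,
        # An empty EKU list means no restriction, so authentication still works
        "auth_eku": not ekus or bool(ekus & AUTH_EKUS),
        "enrollee_supplies_subject": bool(name_flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (enroll_flags & CT_FLAG_PEND_ALL_REQUESTS),
        "no_signatures_required": template.get("msPKI-RA-Signature", 0) == 0,
    }

def is_esc1(template: dict, low_priv_can_enroll: bool) -> bool:
    """ESC 1 needs every condition at once; removing any one of them closes it."""
    return all(esc1_conditions(template, low_priv_can_enroll).values())

# Constructed sample: a template that lets the enrollee pick the SAN and log on with it
VULN_TEMPLATE = {
    "name": "VulnUser",
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
}
# The same template after the Remediation section's less common fix: manager approval
APPROVED_TEMPLATE = dict(VULN_TEMPLATE, **{"msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS})
# The same template with only the Server Authentication EKU: it cannot be used to log on
NO_AUTH_TEMPLATE = dict(VULN_TEMPLATE, **{"pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]})
```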

ESC 1 - Exploitation (certipy)

To exploit this, we first need to request a certificate authenticated as our current user while specifying the target CA, template, and target user.

Then, using the PFX (certificate) requested, we perform an UnPac the Hash attack to extract the targeted account’s NTLM hash.

Privilege Escalation (ESC 4)

ESC 4 - Enumeration (certipy)

Like ESC 1, this occurs when a template is over-permissioned and results in complete domain compromise.

Requirements:

- Write permissions over a template

Write permissions allow us to back up the template, modify it to be vulnerable to ESC 1, exploit ESC 1, and finally revert the template to its original configuration.

ESC 4 - Enumeration (certipy)

Here we can see that the user khal.drogo has full control and general write privileges over the template.

ESC 4 - Exploitation (certipy)

To exploit this with certipy:

We first need to make a backup of the template while modifying it to be vulnerable to ESC 1.

Then we execute the ESC 1 attack.

And lastly, revert the template back to its original configuration.
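Two defensive checks follow from the ESC 4 description above: who besides the expected administrators holds write control over a template, and which security-relevant attributes changed between two snapshots of it, since the modify-then-revert sequence leaves exactly that transient difference. This is an added example, not code from the post or from Certipy; the ACEs and snapshots are constructed, "DOMAIN" is a placeholder, and the right names follow the way Certipy reports them.

```python
# Rights that let a principal rewrite a template's attributes, DACL or owner
WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty"}
# Principals expected to control templates; any other holder of a write right is a finding
EXPECTED_ADMINS = {"DOMAIN\\Domain Admins", "DOMAIN\\Enterprise Admins"}
# Attributes whose change can turn a safe template into an ESC 1 template
WATCHED_ATTRS = ("msPKI-Certificate-Name-Flag", "msPKI-Enrollment-Flag",
                 "msPKI-RA-Signature", "pKIExtendedKeyUsage")

def esc4_findings(aces: list, expected_admins=EXPECTED_ADMINS) -> list:
    """Return (principal, right) pairs that give a non-admin write control over the template."""
    return [(ace["principal"], right)
            for ace in aces if ace["principal"] not in expected_admins
            for right in sorted(WRITE_RIGHTS & set(ace["rights"]))]

def template_changes(before: dict, after: dict, attrs=WATCHED_ATTRS) -> dict:
    """Return {attribute: (old, new)} for watched attributes that differ between snapshots."""
    return {a: (before.get(a), after.get(a)) for a in attrs if before.get(a) != after.get(a)}

# Constructed ACL mirroring the khal.drogo finding shown above
SAMPLE_ACES = [
    {"principal": "DOMAIN\\Domain Admins", "rights": ["GenericAll"]},
    {"principal": "DOMAIN\\Authenticated Users", "rights": ["Read", "Enroll"]},
    {"principal": "DOMAIN\\khal.drogo", "rights": ["GenericAll", "WriteDacl", "WriteOwner"]},
]

# Constructed snapshots of one template before and during an ESC 4 modification.
# Name flag 0x82000000 = subject built from AD (directory path + UPN SAN);
# 0x1 = enrollee supplies the subject, which is the ESC 1 precondition.
SNAPSHOT_BEFORE = {
    "msPKI-Certificate-Name-Flag": 0x82000000,
    "msPKI-Enrollment-Flag": 0x00000002,   # manager approval on
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
}
SNAPSHOT_DURING = dict(SNAPSHOT_BEFORE, **{
    "msPKI-Certificate-Name-Flag": 0x00000001,
    "msPKI-Enrollment-Flag": 0,
})
```

Because the attacker reverts the template afterwards, the diff only shows up if snapshots are taken on a schedule or the change is caught from directory change auditing at the time it happens.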

Privilege Escalation (ESC 8)

ESC 8 - Enumeration (certipy)

This occurs when a CA has web enrollment enabled and you can either relay an incoming NTLMv2 authentication to the CA or coerce one. This attack usually results in complete domain compromise.

Requirements:

- The Certificate Authority has Web Enrollment enabled

- You can coerce authentication in the domain

The certipy tool can be used to automate the process except for the coercion.

Note: Domain credentials are not required for this, as the certificate obtained is based on the account that initiated the authentication.

certipy find -u user -p pass -dc-ip 1.2.3.4

ESC 8 - Exploitation (certipy / Coercer)

We can either relay an incoming authentication or coerce authentication from a target machine, such as a domain controller, which is the path I will be demonstrating.

First, we need to determine whether we have the ability to perform authentication coercion on the domain controller. This can be achieved by fuzzing it using the Coercer tool or attempting to exploit it manually. Once we confirm that authentication coercion is possible, we can proceed.

Next, we set up Certipy to listen for incoming relay connections. If we are coercing a domain controller, we can tell Certipy to use the domain controller template.

Then, we execute the authentication coercion and observe the certificate being pulled down.

Lastly, we can use Certipy to authenticate and perform an UnPac the Hash attack to obtain the NTLM hash of the domain controller's computer account. In this demo, we use it for DCSync to compromise the domain.

Remediation

There is no way to patch (most) ADCS ‘vulnerabilities’, as we’re simply abusing intended functionality or misconfigurations.

For ESC 1, the issue is that all domain users can enroll. If that is a must, then make sure the template is configured so that it either cannot be used by an attacker to authenticate, or remove the EnrolleeSuppliesSubject configuration. A less common way to mitigate this is to require Certificate Manager Approval before issuing certificates.

In situations like these, it’s best to first configure the templates and CA based on the principle of least privilege. For ESC 4, if a user absolutely requires the ability to modify the template, it may be best to create a specific domain account intended for that purpose.

For ESC 8, if it’s possible to disable web enrollment, that would be the first step in mitigating the risk. Enabling Extended Protection for Authentication (EPA) is an additional configuration that can be made. And lastly, disabling NTLM on the DC and CA could prevent the abuse.
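The ESC 8 mitigations above are all settings on the CertSrv site in IIS, so they can be audited from the applicationHost.config location block for that site. This is an added example, not code from the post or from Microsoft's guidance: it flags an enrollment endpoint that still accepts relayed NTLM (no EPA enforced, plain HTTP allowed, NTLM provider present) and shows the hardened form passing. Both configuration snippets are constructed; the element and attribute names are IIS's own.

```python
import xml.etree.ElementTree as ET

# Constructed weak configuration: Windows auth on, EPA off, HTTP allowed, NTLM offered
WEAK_CERTSRV = """<location path="Default Web Site/CertSrv">
  <system.webServer>
    <security>
      <access sslFlags="None" />
      <authentication>
        <windowsAuthentication enabled="true">
          <extendedProtection tokenChecking="None" flags="None" />
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>"""

# The same site with EPA required, TLS enforced, and the NTLM provider removed
HARDENED_CERTSRV = (WEAK_CERTSRV
                    .replace('sslFlags="None"', 'sslFlags="Ssl"')
                    .replace('tokenChecking="None"', 'tokenChecking="Require"')
                    .replace('<add value="NTLM" />', ''))

def esc8_findings(location_xml: str) -> list:
    """Return the ESC 8 weaknesses found in one <location> block for CertSrv."""
    root = ET.fromstring(location_xml)
    win_auth = next(root.iter("windowsAuthentication"), None)
    if win_auth is None or win_auth.get("enabled", "false").lower() != "true":
        return []  # no Windows authentication on the endpoint, so nothing to relay into
    findings = []
    epa = win_auth.find("extendedProtection")
    if epa is None or epa.get("tokenChecking", "None") != "Require":
        findings.append("EPA not enforced: extendedProtection tokenChecking is not Require")
    access = next(root.iter("access"), None)
    raw_flags = access.get("sslFlags", "None") if access is not None else "None"
    if "Ssl" not in {f.strip() for f in raw_flags.split(",")}:
        findings.append("plain HTTP allowed: sslFlags lacks Ssl, so EPA channel binding cannot apply")
    providers = [p.get("value") for p in win_auth.findall("providers/add")]
    if "NTLM" in providers:
        findings.append("NTLM provider enabled on the endpoint (Negotiate can still fall back to NTLM)")
    return findings
```

Removing the NTLM provider only narrows the endpoint; the post's last step, disabling NTLM on the DC and CA, is a host or domain policy that this per-site check cannot see.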

Microsoft has its own document on securing the PKI. The link to it is here.