Active Directory Certificate Services

Misconfigurations and Abuse


By Steven Harris
PS C:\Windows\System32> whoami

• Cybersecurity Analyst / Penetration Tester


• Certifications: eJPTv1, PNPT, ICCA, CARTP, CNPen, CRTE
• Hobbies: Herpetology, Guitar, CTF/Labs
• Focus on network and Active Directory security
What is ADCS
Active Directory Certificate Services (ADCS) is the Windows Server role
that lets an organization deploy its own Public Key Infrastructure (PKI).
It gives the network a trusted backbone for applications such as
Secure/Multipurpose Internet Mail Extensions (S/MIME), smart card logon,
SSL/TLS, IPsec/VPN, securing wireless networks, and certificate-based
domain authentication.
It provides encryption for confidentiality, digital signatures for
integrity, and client and machine certificates for authentication.
This presentation covers the most common misconfigurations I have
personally seen: ESC 1, ESC 4, and ESC 8. "ESC" is the numbering SpecterOps
gave these escalation paths in the Certified Pre-Owned research; each one
leads to privilege escalation within the Active Directory domain.
Credits and Tools
SpecterOps – Certified Pre-Owned / Certify tool
ZeroPointSecurity – Red Team Operator Course
Altered Security – Red Team Professional and Expert Courses
Note: Altered Security has recently released an ADCS centric course, but I’ve not been able to partake.

Ly4k – Certipy Tool


Orange Cyberdefense – Game of Active Directory (GOAD)
HackTheBox – Labs (Escape)
TheHackerRecipes – Their main ADCS page
Anatomy
Certificate Authority
• The server that issues certificates from the templates published to it
• The control center of the PKI
• Domain facing: every domain member can reach it to enroll

Certificate Templates
• Intended use
• Permissions
• Functionality
EKUs (extended key usages) are OIDs (object identifiers) stored in the template's
pKIExtendedKeyUsage attribute that define what a certificate issued from the template
may be used for (for example Client Authentication, Smart Card Logon, Server Authentication).
Certificate Authority
• Name
• Hostname
• Web Enrollment
• Flags
• Permissions
• Access Rights
• Enrollment Agent Restrictions
Certificate Templates
• Domain Object
• CA
• Name
• Enabled
• Extended Key Usage (EKU)
• Permissions
• Enrollment Permissions
• Object Control Permissions
UnPac The Hash Attack
UnPac the Hash
This technique obtains the NTLM hash of a domain account from a certificate. It
is used at the end of every attack demonstrated here, so it is worth covering
even though Certipy automates it for us.
It relies on Kerberos pre-authentication with PKINIT (a certificate-based
AS-REQ). If you are not familiar with how Kerberos works, the attack may be
difficult to follow.
When a TGT is requested with PKINIT, the KDC adds a PAC_CREDENTIAL_INFO buffer
to the PAC containing the account's NTLM hash, so that the client can still
fall back to NTLM against services that do not support Kerberos. The TGT is
encrypted with the KRBTGT account's key, so we cannot simply read the PAC, and
the hash inside it, out of the ticket.
If we then use this TGT to request a service ticket for ourselves with
user-to-user (U2U) authentication, the KDC copies the same PAC into a ticket
that is encrypted with the TGT's session key, which we hold. Decrypting that
ticket exposes the PAC; the PAC_CREDENTIAL_INFO buffer inside it is then
decrypted with the AS reply key from the PKINIT exchange, which yields the
NTLM hash of the authenticating account.
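To make the structure concrete, here is an added example (not code from the presentation or from Certipy) that walks a PAC blob according to the MS-PAC layout and pulls out the PAC_CREDENTIAL_INFO buffer that UnPAC the Hash decrypts. The PAC bytes are constructed in the block itself with placeholder ciphertext; nothing here is captured from a real ticket, and the decryption of SerializedData with the AS reply key is described but not performed.

```python
import struct

# PAC_INFO_BUFFER ulType values (MS-PAC 2.4)
PAC_LOGON_INFO = 1
PAC_CREDENTIAL_INFO = 2
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7
PAC_CLIENT_INFO = 10
PAC_UPN_DNS_INFO = 12

# Kerberos encryption types that appear in PAC_CREDENTIAL_INFO.EncryptionType
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def parse_pac(blob):
    """Walk the PACTYPE header (MS-PAC 2.3) and return {ulType: raw buffer bytes}."""
    if len(blob) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version %d" % version)
    buffers = {}
    for i in range(count):
        # PAC_INFO_BUFFER: ulType (4), cbBufferSize (4), Offset (8), little-endian
        ul_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("buffer type %d runs past the end of the PAC" % ul_type)
        buffers[ul_type] = blob[offset:offset + size]
    return buffers


def parse_credential_info(buf):
    """PAC_CREDENTIAL_INFO (MS-PAC 2.6.1): Version, EncryptionType, SerializedData.

    SerializedData is PAC_CREDENTIAL_DATA (which carries the NTLM hash) encrypted
    with the AS reply key from the PKINIT exchange (key usage 16). Reading the PAC
    out of a ticket is therefore not enough by itself; the client also needs the
    reply key it negotiated, which is exactly what it holds in UnPAC the Hash."""
    if len(buf) < 8:
        raise ValueError("PAC_CREDENTIAL_INFO too short")
    version, etype = struct.unpack_from("<II", buf, 0)
    return {
        "version": version,
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "ciphertext": buf[8:],
    }


def credential_info_from_pac(blob):
    """Return the parsed PAC_CREDENTIAL_INFO, or None if the PAC has no such buffer.

    The KDC only adds this buffer when the TGT was obtained with PKINIT; a ticket
    from a password logon carries no credential buffer and there is nothing to UnPAC."""
    buffers = parse_pac(blob)
    if PAC_CREDENTIAL_INFO not in buffers:
        return None
    return parse_credential_info(buffers[PAC_CREDENTIAL_INFO])


def build_pac(buffers):
    """Serialize {ulType: bytes} into a PACTYPE blob. Used here only to construct the
    sample below; a real PAC comes out of a decrypted ticket's authorization-data."""
    header = struct.pack("<II", len(buffers), 0)
    table, body = b"", b""
    first_offset = 8 + 16 * len(buffers)
    for ul_type, data in buffers.items():
        table += struct.pack("<IIQ", ul_type, len(data), first_offset + len(body))
        body += data + b"\x00" * (-len(data) % 8)  # each buffer starts 8-byte aligned
    return header + table + body


# Constructed sample PAC (not captured from a real ticket): the credential buffer
# carries an AES256 etype and 48 bytes of placeholder ciphertext standing in for
# the real encrypted PAC_CREDENTIAL_DATA.
SAMPLE_PAC = build_pac({
    PAC_LOGON_INFO: b"\x00" * 32,
    PAC_CREDENTIAL_INFO: struct.pack("<II", 0, 18) + bytes(range(48)),
    PAC_CLIENT_INFO: b"\x00" * 16,
    PAC_SERVER_CHECKSUM: struct.pack("<I", 16) + b"\x00" * 12,
    PAC_PRIVSVR_CHECKSUM: struct.pack("<I", 16) + b"\x00" * 12,
})

if __name__ == "__main__":
    for ul_type, data in parse_pac(SAMPLE_PAC).items():
        print("buffer type %2d: %d bytes" % (ul_type, len(data)))
    info = credential_info_from_pac(SAMPLE_PAC)
    print("credential info: etype=%s, %d bytes to decrypt with the AS reply key"
          % (info["etype_name"], len(info["ciphertext"])))
```

The point the parse makes is the one the slide relies on: the hash is not lying in the ticket in the clear. It sits in its own buffer with its own encryption type, keyed to the AS reply key, and the buffer only exists at all when the TGT came from PKINIT.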
Privilege Escalation (ESC 1)
ESC 1 - Enumeration (certipy)
This occurs when a template is over-permissioned: any domain account can
request a certificate that impersonates an arbitrary user, including a Domain
Admin, which results in complete domain compromise.
Requirements:
- The template is published on an Enterprise CA and low-privileged users (for
example Domain Users) have Enroll rights on it
- An EKU that permits authentication: Client Authentication, PKINIT Client
Authentication, Smart Card Logon, or Any Purpose
- The EnrolleeSuppliesSubject flag (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in
msPKI-Certificate-Name-Flag), which lets the requester choose the Subject
Alternative Name (SAN) of the certificate
- No CA certificate manager approval and no authorized signatures required
The certipy tool can be used to remotely request CA and template
information and flag the templates that meet these conditions.
$ certipy find -vulnerable -u user@domain.corp -p pass -target domain.corp
ESC 1- Exploitation (certipy)
To exploit this, we first request a certificate, authenticated as our current
user, specifying the target CA, the vulnerable template, and the UPN of the
account we want to impersonate as the SAN.
Then, using the PFX (certificate plus private key) that is issued, we
authenticate with PKINIT and perform an UnPAC the Hash attack to extract the
targeted account's NTLM hash.
Privilege Escalation (ESC 4)
ESC 4 - Enumeration (certipy)
Like ESC 1, this occurs when a template is over-permissioned and results in
complete domain compromise.
Requirements:
- Write permissions over the template object in Active Directory (full
control, WriteDacl, WriteOwner, or WriteProperty)
These write permissions allow us to back up the template, modify it so that
it meets the ESC 1 conditions, exploit ESC 1, and finally revert the
template to its original configuration.
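As an added example (not code from the presentation, Certify or Certipy), the following Python evaluates a template's Active Directory attributes against the ESC 1 requirements listed above and walks through the ESC 4 sequence of saving the template, flipping it into an ESC 1 state, and reverting it. The template values are constructed for illustration; the flag bits follow MS-CRTD, the EKU OIDs are the standard ones, and treating an empty EKU list like Any Purpose follows the Certify/Certipy convention.

```python
from dataclasses import dataclass, replace

# msPKI-Certificate-Name-Flag bits (MS-CRTD 2.26)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester supplies subject/SAN
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x08000000     # CA builds the SAN from the AD object
# msPKI-Enrollment-Flag bits (MS-CRTD 2.27)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # "CA certificate manager approval"

# EKU OIDs that make an issued certificate usable for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}
# Groups that every domain account (or every domain computer) belongs to
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


@dataclass(frozen=True)
class Template:
    name: str
    enabled: bool          # published on an Enterprise CA
    name_flag: int         # msPKI-Certificate-Name-Flag
    enrollment_flag: int   # msPKI-Enrollment-Flag
    ra_signatures: int     # msPKI-RA-Signature (authorized signatures required)
    ekus: frozenset        # pKIExtendedKeyUsage OIDs
    enroll: frozenset      # principals holding Enroll / AutoEnroll rights
    write: frozenset       # principals holding WriteDacl / WriteOwner / WriteProperty


def allows_authentication(t):
    # No EKU at all is treated like Any Purpose (Certify/Certipy convention)
    return not t.ekus or any(oid in AUTH_EKUS for oid in t.ekus)


def low_priv_can(principals):
    return bool(principals & LOW_PRIV)


def esc1_unmet(t):
    """Return the ESC 1 conditions the template does NOT satisfy.
    An empty list means every condition holds and the template is ESC 1 exploitable."""
    checks = {
        "template is enabled (published on a CA)": t.enabled,
        "low-privileged principals can enroll": low_priv_can(t.enroll),
        "no CA manager approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures required": t.ra_signatures == 0,
        "EKU allows authentication": allows_authentication(t),
        "enrollee supplies subject (SAN)": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
    }
    return [name for name, ok in checks.items() if not ok]


def is_esc1(t):
    return not esc1_unmet(t)


def is_esc4(t):
    """ESC 4: a low-privileged principal can write the template object itself."""
    return low_priv_can(t.write)


def esc4_weaponize(t):
    """The edit an attacker with write rights makes: turn every ESC 1 condition on.
    Returns a modified copy; the caller keeps the original to revert afterwards."""
    return replace(
        t,
        name_flag=t.name_flag | CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        enrollment_flag=t.enrollment_flag & ~CT_FLAG_PEND_ALL_REQUESTS,
        ra_signatures=0,
        ekus=t.ekus | {"1.3.6.1.5.5.7.3.2"},
        enroll=t.enroll | {"Domain Users"},
    )


# Constructed templates (not from any real domain)
HARDENED = Template(
    name="WebServer-Internal", enabled=True,
    name_flag=CT_FLAG_SUBJECT_ALT_REQUIRE_DNS,
    enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS,
    ra_signatures=0,
    ekus=frozenset({"1.3.6.1.5.5.7.3.1"}),          # Server Authentication only
    enroll=frozenset({"CORP\\Web Admins"}),
    write=frozenset({"CORP\\Domain Admins"}),
)
ESC1_TEMPLATE = replace(
    HARDENED, name="UserSAN",
    name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, enrollment_flag=0,
    ekus=frozenset({"1.3.6.1.5.5.7.3.2"}), enroll=frozenset({"Domain Users"}),
)
ESC4_TEMPLATE = replace(HARDENED, name="WebServer-Writable", write=frozenset({"Domain Users"}))

if __name__ == "__main__":
    for t in (HARDENED, ESC1_TEMPLATE, ESC4_TEMPLATE):
        print("%s: ESC1=%s ESC4=%s unmet=%s" % (t.name, is_esc1(t), is_esc4(t), esc1_unmet(t)))
    saved = ESC4_TEMPLATE                  # back up before touching the template
    weaponized = esc4_weaponize(saved)     # now meets every ESC 1 condition
    print("after ESC 4 write:", is_esc1(weaponized), "after revert:", is_esc1(saved))
```

Note that the hardened template fails ESC 1 on four independent conditions, which is the shape you want: removing any single one of them (say, someone later adds Client Authentication to the EKUs) still leaves the template safe, while the ESC 4 path shows that write access collapses all four at once.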
ESC 4 - Enumeration (certipy)
Here we can see that the user khal.drogo has full control and general write
privileges over the template.
ESC 4 - Exploitation (certipy)
To exploit this with certipy:
First we make a backup of the current template while modifying it to be
vulnerable to ESC 1 (certipy saves the old configuration so it can be restored).
Then we execute the ESC 1 attack against the modified template.
Lastly we revert the template to its original configuration from the backup,
so the modification is not left behind.
Privilege Escalation (ESC 8)
ESC 8 - Enumeration (certipy)
This occurs when a CA has web enrollment enabled and we can relay an incoming
NTLM authentication to it. The web enrollment endpoint accepts NTLM over HTTP
and does not enforce channel binding by default, so a relayed authentication
from a machine account can be turned into a certificate for that account.
Relaying a domain controller's authentication usually results in complete
domain compromise.
Requirements:
- The Certificate Authority has Web Enrollment (the CertSrv IIS application) enabled
- You can coerce, or otherwise capture, NTLM authentication from a privileged
host in the domain, such as a domain controller
The certipy tool automates the whole process except for the coercion.
Note: Domain credentials are not required for the relay itself, since the
certificate is issued to the account that initiated the authentication. The
enumeration command below does need a valid domain account.
$ certipy find -u user@domain.corp -p pass -dc-ip 1.2.3.4
ESC 8 - Exploitation (certipy / Coercer)
We can either wait for an incoming authentication to relay or actively coerce
authentication from a target machine such as a domain controller, which is the
path demonstrated here.
First, we determine whether we can coerce authentication from the domain
controller. This can be done by fuzzing its exposed RPC interfaces with the
Coercer tool or by trying a known coercion method (for example PetitPotam)
manually. Once we confirm that coercion is possible, we proceed.
Next, we start Certipy's relay listener pointed at the CA's web enrollment
endpoint. Because the victim is a domain controller, we tell Certipy to
request the DomainController template rather than the default Machine template.
Then, we trigger the coercion with our relay host as the listener and watch the
certificate being issued and written to disk.
Lastly, we use Certipy to authenticate with that certificate and perform an
UnPAC the Hash attack to obtain the NTLM hash of the domain controller's
computer account. In this demo, we use that hash for DCSync to compromise the
domain.
Remediation
There is no way to patch (most) ADCS 'vulnerabilities', since they abuse intended
functionality or misconfigurations rather than software bugs.

For ESC 1 the root cause is that every domain user can enroll in a template that
lets the requester supply the subject. If broad enrollment is a must, configure the
template so that it either cannot be used to authenticate (no Client Authentication,
Smart Card Logon or Any Purpose EKU) or remove the EnrolleeSuppliesSubject flag so
the CA builds the SAN from the requester's own AD object. A less common mitigation
is requiring CA certificate manager approval before certificates are issued, so a
request for someone else's UPN is reviewed first.
In situations like these it is best to first configure the templates and CA based on
the principle of least privilege. For ESC 4, if a user absolutely requires the
ability to modify the template, it may be best to create a dedicated administrative
account for that task instead of granting the right to an everyday user account.

For ESC 8, if it is possible to disable web enrollment, that is the first step to
mitigating the risk. Enabling Extended Protection for Authentication (EPA) on the
CertSrv web application and requiring HTTPS binds the NTLM authentication to the TLS
channel, so a relayed authentication is rejected. Lastly, restricting or disabling
NTLM on the CA (incoming) and on the domain controllers (outgoing) removes the
authentication the relay depends on.
Microsoft also has its own documentation on securing the PKI.