AD CS supports several HTTP-based enrollment methods via additional server roles that administrators can optionally install (the certificate enrollment web interface, Certificate Enrollment Service (CES), and Network Device Enrollment Service (NDES)). [...] These HTTP-based certificate enrollment interfaces are all vulnerable to NTLM relay attacks. Using NTLM relay, an attacker can impersonate a victim user whose inbound NTLM authentication the attacker receives. While impersonating the victim user, the attacker can access these web interfaces and request a client authentication certificate based on the "User" or "Machine" certificate templates.
This attack, like all NTLM relay attacks, requires a victim account to authenticate to an attacker-controlled machine. An attacker can coerce authentication by many means (see the MITM and coerced authentication techniques). Once the incoming authentication is received by the attacker, it can be relayed to an AD CS web endpoint.
Once the relayed session is obtained, the attacker poses as the relayed account and can request a client authentication certificate. The certificate template used needs to be configured for authentication (i.e. EKUs like Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose (OID 2.5.29.37.0), or no EKU (SubCA)). Such a template that also allows low-privileged users to enroll can be abused to authenticate as any other user, machine or admin.
The default User and Machine/Computer templates match those criteria and are very often enabled.
This allows for lateral movement, account persistence, and in some cases privilege escalation if the relayed account had powerful privileges (e.g., domain controllers, Exchange servers, domain admins, etc.).
1 - Setting up the relay servers
ntlmrelayx -t "http://CA/certsrv/certfnsh.asp" --adcs --template "Template name"
The certificate template flag (i.e. --template) can either be left blank (defaults to Machine at the time of writing, October 20th, 2021) or chosen among the certificate templates that fill the requirements above.
# find ESC8-vulnerable CAs
certipy find -u "$USER@$DOMAIN" -p "$PASSWORD" -dc-ip "$DC_IP" -stdout | grep -B20 ESC8
# find and look through enabled templates for ones that could be used for authentication
certipy find -u "$USER@$DOMAIN" -p "$PASSWORD" -dc-ip "$DC_IP" -stdout -enabled
By default, Certipy uses LDAPS, which is not always supported by the domain controllers. The -scheme flag can be used to set whether to use LDAP or LDAPS.
2 - Authentication coercion
3 - Loot
Once incoming NTLM authentications are relayed and the authenticated sessions abused, base64-encoded PFX certificates are obtained; these can be used with Pass-the-Certificate to obtain a TGT and authenticate.
If web endpoints are enabled, switch to UNIX because at the time of writing (October 20th, 2021), I don't know how to easily conduct the ESC8 abuse from Windows.
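On the defender's side, a relayed enrollment leaves a recognisable footprint in the IIS logs of the CA's certsrv site: the POST to certfnsh.asp is authenticated as the victim (frequently a machine account) but comes from the relay host's address, not the victim's. The following Python script is an added example, not code from the original page or from the tools above; the IIS W3C log lines and the account-to-address inventory (EXPECTED_SOURCE_IP) are constructed for the example.

```python
"""Spot relayed AD CS web-enrollment requests in IIS W3C logs (defender-side heuristic)."""

# Constructed sample IIS log for the CA's certsrv site (W3C format); not real data.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-10-20 10:01:02 10.0.0.5 GET /certsrv/certrqus.asp - 80 CORP\\alice 10.0.0.21 Mozilla/5.0 200
2021-10-20 10:01:05 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\\alice 10.0.0.21 Mozilla/5.0 200
2021-10-20 10:02:10 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\\DC01$ 10.0.0.99 Python-urllib/3.9 200
2021-10-20 10:03:44 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\\bob 10.0.0.99 Python-urllib/3.9 200
2021-10-20 10:04:00 10.0.0.5 GET /certsrv/ - 80 - 10.0.0.40 Mozilla/5.0 401
"""

# Hypothetical inventory: the address each account is normally seen from (assumption, not page data).
EXPECTED_SOURCE_IP = {"CORP\\alice": "10.0.0.21", "CORP\\bob": "10.0.0.31"}

ENROLL_PAGE = "/certsrv/certfnsh.asp"  # page the relayed session submits the CSR to


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_suspicious_enrollments(log_text, expected_ip):
    """Return (account, client_ip, reason) for enrollment POSTs that look relayed.

    Two signals: a machine account submitting a CSR through the interactive web
    interface (machines never do this by hand), or a user account enrolling from
    an address it is not normally seen from (the relay host, not the victim).
    """
    hits = []
    for rec in parse_iis_log(log_text):
        if rec.get("cs-method") != "POST" or rec.get("cs-uri-stem", "").lower() != ENROLL_PAGE:
            continue
        user, ip = rec.get("cs-username", "-"), rec.get("c-ip")
        if user == "-":
            continue  # unauthenticated request, nothing was relayed
        if user.endswith("$"):
            hits.append((user, ip, "machine account enrolling through the web interface"))
        elif user in expected_ip and expected_ip[user] != ip:
            hits.append((user, ip, f"request from {ip}, account normally seen from {expected_ip[user]}"))
    return hits


if __name__ == "__main__":
    for account, ip, reason in find_suspicious_enrollments(SAMPLE_LOG, EXPECTED_SOURCE_IP):
        print(f"{account} from {ip}: {reason}")
```

Requiring HTTPS with Extended Protection for Authentication on the certsrv site, or disabling NTLM there, removes the relay path itself; the log check above is for spotting abuse where that hardening is not yet in place.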