The Hacker Recipes
GitHubTwitterExegolTools
Search…
Introduction
Active Directory
Reconnaissance
Movement
Credentials
MITM and coerced auths
NTLM
Kerberos
DACL abuse
Group policies
🛠️ Trusts
Built-ins & settings
Netlogon
Certificate Services (AD-CS)
Certificate templates
CA configuration
Access controls
Web endpoints
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ mobile apps
Android
iOS
Powered By GitBook
Certificate Services (AD-CS)

Theory

AD CS is Microsoft’s PKI implementation that provides everything from encrypting file systems, to digital signatures, to user authentication (a large focus of our research), and more. While AD CS is not installed by default for Active Directory environments, from our experience in enterprise environments it is widely deployed, and the security ramifications of misconfigured certificate service instances are enormous. (specterops.io)
In their research papers, Will Schroeder and Lee Christensen shared their research on AD CS and identified multiple theft, escalation and persistence vectors.

Practice

Terminology

  • PKI (Public Key Infrastructure) — a system to manage certificates/public key encryption
  • AD CS (Active Directory Certificate Services) — Microsoft’s PKI implementation
  • CA (Certificate Authority) — PKI server that issues certificates
  • Enterprise CA — CA integrated with AD (as opposed to a standalone CA), offers certificate templates
  • Certificate Template — a collection of settings and policies that defines the contents of a certificate issued by an enterprise CA
  • CSR (Certificate Signing Request) — a message sent to a CA to request a signed certificate
  • EKU (Extended/Enhanced Key Usage) — one or more object identifiers (OIDs) that define how a certificate can be used
(specterops.io)

Recon

While AD CS offers attackers a wide range of exploitation and persistence scenarios, this set of services is not always installed, and when it is, it is a requirement to identify its different parts in the domain.

Cert Publishers

An initial indicator is the "Cert Publishers" built-in group whose members usually are the servers where AD CS is installed (i.e. PKI/CA).
  • From UNIX-like systems: rpc net group members "Cert Publishers" -U "DOMAIN"/"User"%"Password" -S "DomainController"
  • From Windows systems: net group "Cert Publishers" /domain

pKIEnrollmentService objects

Alternatively, information like the PKI's CA and DNS names can be gathered through LDAP.
CrackMapExec
windapsearch
ntlmrelayx
CrackMapExec's adcs module (Python) can be used to find PKI enrollment services in AD.
crackmapexec ldap 'domaincontroller' -d 'domain' -u 'user' -p 'password' -M adcs
windapsearch (Python) can be used to manually to the LDAP query.
windapsearch -m custom --filter '(objectCategory=pKIEnrollmentService)' --base 'CN=Configuration,DC=domain,DC=local' --attrs dn,dnshostname --dc 'domaincontroller' -d 'domain.local' -u 'user' -p 'password'
With Impacket's ntlmrelayx (Python), thanks to SAERXCIT (PR#1214), it is possible to gather information regarding ADCS like the name and host of the CA, the certificate templates enrollment rights for those allowing client authentication and not requiring manager approval, etc. With ntlmrelayx, these information can be gathered through a relayed LDAP session.
ntlmrelayx -t "ldap://domaincontroller" --dump-adcs

Attack paths

Certipy (Python) and Certify (C#) can also identify the PKI enrollment services and potential attack paths.
UNIX-like
Windows
From UNIX-like systems, the Certipy (Python) tool can be used to operate multiple attacks and enumeration operations.
certipy 'domain.local'/'user':'password'@'domaincontroller' find
By default, Certipy uses LDAPS, which is not always supported by the domain controllers. The -scheme flag can be used to set whether to use LDAP or LDAPS.
From Windows systems, the Certify (C#) tool can be used to operate multiple attacks and enumeration operations.
Certify.exe cas

Abuse

The different domain escalation scenarios are detailed in the following parts.

Techniques dubbed ESC1 to ESC3

Technique dubbed ESC6

Techniques dubbed ESC4, ESC5 & ESC7

Technique dubbed ESC8

Resources

https://posts.specterops.io/certified-pre-owned-d95910965cd2
posts.specterops.io
Microsoft ADCS – Abusing PKI in Active Directory Environment - RiskInsight
RiskInsight
AD CS - What Can Be Misconfigured? - HTTP418 InfoSec
HTTP418 InfoSec
AD CS - The 'Certified Pre-Owned' Attacks - HTTP418 InfoSec
HTTP418 InfoSec
Certipy 2.0: BloodHound, New Escalations, Shadow Credentials, Golden Certificates, and more!
Medium
Previous
ZeroLogon
Next
Certificate templates
Last modified 5mo ago
Copy link
Outline
Theory
Practice
Terminology
Recon
Abuse
Resources