AD CS
Active Directory Certificate Services
This section covers the TryHackMe room on CVE-2022-26923 (Certifried) and the excellent article by Will Schroeder on Active Directory Certificate Services misconfigurations. Information is also taken from the official SpecterOps white paper (Certified Pre-Owned).
Introduction
AD CS stands for Active Directory Certificate Services. Severe misconfigurations in AD CS can allow an attacker to elevate their privileges within an Active Directory environment and take full control of the domain. Abusing AD CS can be achieved in multiple ways: the SpecterOps white paper identifies at least eight escalation paths (ESC1 through ESC8).
AD CS
Active Directory Certificate Services is Microsoft's PKI implementation for Active Directory. Among other things, it issues and revokes certificates, publishes revocation lists, and provides the certificates that users, computers and services in the domain use for digital signatures, encryption and authentication. In many environments (and in most lab setups) the CA role is installed directly on a Domain Controller (DC), although it can run on any domain-joined Windows Server; the AD CS role and its role services are only available on Windows Server editions.
Some vocabulary specific to AD CS:
| Term | Full name | Description |
|---|---|---|
| PKI | Public Key Infrastructure | The set of CAs, policies and tools that issues, distributes, verifies and revokes certificates and the key pairs bound to them. |
| Enterprise CA | Enterprise Certificate Authority | An AD-integrated CA that issues and revokes certificates for domain clients (users, computers and services), using certificate templates stored in AD. |
| CSR | Certificate Signing Request | The request a client sends to the CA to obtain a signed certificate; it carries the client's public key and the requested subject information. |
| Certificate Templates | - | A set of policies and settings applied to the certificates issued from it: renewal and validity periods, key usage and EKUs, how the subject is built, enrollment permissions, etc. A template must be published on a CA before clients can enroll in it. Applies only to Enterprise CAs. |
| EKU | Extended/Enhanced Key Usage | A certificate extension listing OIDs (Object Identifiers) that determine what the certificate may be used for, e.g. Client Authentication (1.3.6.1.5.5.7.3.2) or Smart Card Logon (1.3.6.1.4.1.311.20.2.2). |
The diagram below, taken from the SpecterOps white paper, illustrates the steps for a certificate to be issued to a client by the Enterprise CA.
To obtain a certificate, the client first generates a key pair locally (the private key never leaves the client) and sends a Certificate Signing Request containing its public key, the requested template and subject information to the Enterprise CA. The CA checks that the requester holds the Enroll right on the template, builds the certificate according to the template settings (subject, SAN, EKUs, validity period) and signs it with the CA's own private key. The issued certificate therefore carries the client's public key and the CA's signature: anyone trusting the CA can verify it, and the client proves possession of the matching private key when it authenticates.
Domain Escalation
AD CS supports client authentication: a certificate whose EKUs permit it can be used to authenticate to the domain (Kerberos via PKINIT, or Schannel over LDAPS). Attackers abuse this by obtaining a certificate that identifies a privileged user or machine, for instance by controlling the name placed in it, and then authenticating as that principal to request a TGT. Unlike a password, a certificate also survives password changes, so a stolen or maliciously issued certificate stays usable until it expires or is revoked.
Certificate Templates
An Enterprise CA (as opposed to a Standalone CA) is integrated with Active Directory and issues certificates to domain clients based on pre-configured certificate templates. Some templates allow the issued certificate to be used for Client Authentication, which is what makes them relevant for domain escalation.
User and Machine Certificate Templates
By default, every domain user (Domain Users) can enroll for a certificate based on the User template and every domain computer (Domain Computers) can enroll for a certificate based on the Machine template. Both templates include the Client Authentication EKU by default, so the certificates they issue can be used to log on to the domain.

When a user requests a certificate based on the User template, the CA builds the Subject Alternative Name from the requesting account's User Principal Name (UPN), and the DC later maps the certificate back to that account through the UPN. For certificates issued from the Machine template, the subject is built from the machine account's dNSHostName attribute, which is embedded in the issued certificate and used for the mapping. In both cases the requester does not choose the name: the CA derives it from the account object in AD. This dNSHostName mapping is the one abused by Certifried (CVE-2022-26923), where a machine account's dNSHostName is changed to another computer's name before enrolling.
Certificate templates enumeration
An attacker can enumerate the Enterprise CAs and their published certificate templates with Certify (Certify.exe find lists CAs and templates, and Certify.exe find /vulnerable keeps only templates matching known misconfigurations).
The same enumeration can be done with the built-in certutil.exe utility (certutil -template lists the templates, certutil -v -template shows their full settings, and certutil -dump shows the CA configuration).
From a non-Windows host, certi, a Python/Impacket port of Certify, provides equivalent enumeration over LDAP.
Subject Alternative Name (SAN)
Certificates can carry an extension named Subject Alternative Name (SAN), which binds one or more additional identities to a single certificate. A common legitimate use is a TLS certificate valid for several host names. In AD, the SAN is also where the UPN (or DNS name) that a DC maps to an account is placed.
The SAN is what an attacker most wants to control. By default the CA builds it from the requesting account in AD, but if a template lets the requester supply the subject (the ENROLLEE_SUPPLIES_SUBJECT flag in msPKI-Certificate-Name-Flag), or the CA itself is configured with EDITF_ATTRIBUTESUBJECTALTNAME2, a low-privileged user can request a certificate with a high-privilege user's UPN in the SAN. If that certificate also allows Client Authentication, the attacker can authenticate as a Domain Admin or any other principal named in the SAN. This is the core of the ESC1 (template) and ESC6 (CA flag) paths in the white paper. One caveat: Microsoft's May 2022 update (KB5014754) added a SID-based strong certificate mapping that, once DCs are in enforcement mode, rejects certificates whose identity is not bound to the requesting account's SID, so check the enforcement state before assuming a SAN-controlled certificate will be accepted.
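As an added example (not code from the page, from Certify or from SpecterOps), the following Python applies the conditions described in the Certificate Templates and SAN sections above to a handful of templates. It is an offline checker: the attribute names in the comments are the real LDAP attributes of template objects under CN=Certificate Templates,CN=Public Key Services,CN=Services in the configuration partition, the flag values are from MS-CRTD, and the template records themselves are constructed sample data. It also goes slightly beyond the text by flagging Any Purpose / no-EKU templates (ESC2 in the white paper) next to the SAN-controlled case (ESC1).

```python
from dataclasses import dataclass

# Bit in msPKI-Certificate-Name-Flag: the requester supplies the subject and the SAN
# in the CSR instead of the CA building them from the requesting AD object.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: every request is held for certificate manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that make a certificate acceptable for domain authentication (PKINIT/Schannel).
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
ANY_PURPOSE = "2.5.29.37.0"
AUTH_EKUS = frozenset({CLIENT_AUTH, PKINIT_CLIENT_AUTH, SMART_CARD_LOGON, ANY_PURPOSE})
# Other EKUs, used only to build realistic sample templates.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
SECURE_EMAIL = "1.3.6.1.5.5.7.3.4"
EFS = "1.3.6.1.4.1.311.10.3.4"

# If one of these principals holds the Enroll right, every domain account effectively does.
LOW_PRIV_PRINCIPALS = frozenset({"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"})


@dataclass(frozen=True)
class Template:
    """The subset of a certificate template's attributes that the checks need."""
    name: str
    name_flag: int                # msPKI-Certificate-Name-Flag
    enrollment_flag: int          # msPKI-Enrollment-Flag
    ekus: frozenset               # pKIExtendedKeyUsage; empty means the template sets no EKU
    ra_signatures: int            # msPKI-RA-Signature: authorized signatures required
    enroll_principals: frozenset  # principals granted Enroll in the template's security descriptor
    published: bool               # listed in the CA's certificateTemplates attribute


def enrollable_by_low_priv(t: Template) -> bool:
    """True when a low-privileged account can get a certificate issued from this
    template with nobody else in the loop (no manager approval, no agent signature)."""
    return (t.published
            and bool(t.enroll_principals & LOW_PRIV_PRINCIPALS)
            and not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)
            and t.ra_signatures == 0)


def check_template(t: Template) -> list:
    """Return the escalation conditions the template meets (empty list when none)."""
    findings = []
    if not enrollable_by_low_priv(t):
        return findings
    # ESC1: the requester picks the SAN (e.g. a Domain Admin's UPN) and the resulting
    # certificate is accepted for client authentication.
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and t.ekus & AUTH_EKUS:
        findings.append("ESC1: requester supplies the SAN and the certificate allows client authentication")
    # ESC2: Any Purpose (or no EKU at all) certificates are not restricted to one use.
    if not t.ekus or ANY_PURPOSE in t.ekus:
        findings.append("ESC2: Any Purpose / no-EKU certificate")
    return findings


def audit(templates) -> dict:
    """Map template name -> findings for every template that has at least one."""
    report = {}
    for t in templates:
        findings = check_template(t)
        if findings:
            report[t.name] = findings
    return report


# Constructed sample templates (not dumped from a real CA). Only the flag bits the
# checks look at are modelled; the real default User/Machine templates carry other
# name-flag bits, but not ENROLLEE_SUPPLIES_SUBJECT, which is the point.
SAMPLE_TEMPLATES = [
    Template("User", 0, 0, frozenset({CLIENT_AUTH, SECURE_EMAIL, EFS}), 0,
             frozenset({"Domain Users"}), True),
    Template("Machine", 0, 0, frozenset({CLIENT_AUTH, SERVER_AUTH}), 0,
             frozenset({"Domain Computers"}), True),
    Template("CustomWebServer", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0,
             frozenset({CLIENT_AUTH, SERVER_AUTH}), 0, frozenset({"Domain Users"}), True),
    Template("CustomWebServerApproved", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, CT_FLAG_PEND_ALL_REQUESTS,
             frozenset({CLIENT_AUTH, SERVER_AUTH}), 0, frozenset({"Domain Users"}), True),
    Template("AnyPurposeCert", 0, 0, frozenset({ANY_PURPOSE}), 0,
             frozenset({"Authenticated Users"}), True),
    Template("AdminsOnly", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, frozenset({CLIENT_AUTH}), 0,
             frozenset({"Domain Admins"}), True),
    Template("UnpublishedRisky", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, frozenset({CLIENT_AUTH}), 0,
             frozenset({"Domain Users"}), False),
]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

In a real assessment the Template records would be filled from an LDAP dump (Certify, certi or ldapsearch) and, importantly, from the template's security descriptor: the Enroll right is an ACE, not an attribute, and it decides whether a low-privileged account can use the template at all. Note how the default User template is not flagged even though it allows client authentication, because the CA, not the requester, builds its SAN.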
PKINIT
PKINIT (Public Key Cryptography for Initial Authentication in Kerberos, RFC 4556) lets a principal authenticate to the KDC (Key Distribution Center) with a certificate and its private key instead of a password: the AS-REQ carries the certificate and a signature, and the KDC, after validating the chain against a CA trusted in NTAuthCertificates and mapping the certificate to an account (UPN or DNS name in the SAN), returns a TGT. For this to work the certificate must be usable for authentication, that is, it must carry the Client Authentication, PKINIT Client Authentication, Smart Card Logon or Any Purpose EKU (or no EKU at all). Tools such as Rubeus or Certipy use the TGT directly, and can also recover the account's NTLM hash from the PAC through a user-to-user (U2U) request, giving the attacker a password-equivalent credential.
Identify the PKI Enrollment Service on the Domain
It is possible to list all PKI Enrollment Services (the Enterprise CAs that clients can enroll against, stored under CN=Enrollment Services,CN=Public Key Services,CN=Services in the configuration partition) with the adcs module of CrackMapExec's ldap protocol, for example crackmapexec ldap <dc> -u <user> -p <password> -M adcs.
Abuse paths
The abuse path detailed so far in these notes is ESC8: NTLM relay to the AD CS web enrollment endpoints (the /certsrv HTTP interface), where PetitPotam is used to coerce a Domain Controller into authenticating to the attacker's relay so that a certificate for the DC machine account is issued. See the PetitPotam page for the walkthrough. The SAN-controlled template case described above corresponds to ESC1, and the Machine-template dNSHostName case to Certifried (CVE-2022-26923).
Resources
Chandel, Raj. February 25th 2022. Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints. Hacking Articles.
Lyak, Oliver. May 10th 2022. Certifried: Active Directory Domain Privilege Escalation (CVE-2022-26923). Medium.
Mollema, Dirk-Jan. July 2021. NTLM relaying to AD CS - On certificates, printers and a little hippo. dirkjanm.io.