Certificate Services (AD-CS)
Theory
AD CS is Microsoft’s PKI implementation that provides everything from encrypting file systems, to digital signatures, to user authentication (a large focus of our research), and more. While AD CS is not installed by default for Active Directory environments, from our experience in enterprise environments it is widely deployed, and the security ramifications of misconfigured certificate service instances are enormous. (specterops.io)
In their research, Will Schroeder and Lee Christensen studied AD CS in depth and identified multiple theft, escalation and persistence vectors:
- Credential theft (dubbed THEFT1 to THEFT5)
- Account persistence (dubbed PERSIST1 to PERSIST3)
- Domain escalation (dubbed ESC1 to ESC14)
  - based on misconfigured certificate templates
  - based on dangerous CA configuration
  - related to access control vulnerabilities
  - based on an NTLM relay vulnerability related to the web and RPC endpoints of AD CS
- Domain persistence (dubbed DPERSIST1 to DPERSIST3)
  - by forging certificates with a stolen CA certificate
  - by trusting rogue CA certificates
  - by maliciously creating vulnerable access controls
Practice
Escalation techniques
- ESC1 "template-allows-san"
- ESC2 "any-purpose-eku"
- ESC3 "certificate-agent-eku"
- ESC4 "certificate-templates"
- ESC5 "other-objects"
- ESC6 "editf_attributesubjectaltname2"
- ESC7 "certificate-authority"
- ESC8 "web-endpoint"
- ESC9 "no-security-extension"
- ESC10 "weak-certificate-mapping"
- ESC11 "rpc-endpoint"
- ESC12 "shell-access-to-adcs-ca-with-yubihsm"
- ESC13 "issuance-policy-with-privileged-group-linked"
- ESC14 "weak-explicit-mapping"
- ESC15 "arbitrary-application-policy"
- Certifried
Terminology
- PKI (Public Key Infrastructure) — a system to manage certificates/public key encryption
- AD CS (Active Directory Certificate Services) — Microsoft’s PKI implementation
- CA (Certificate Authority) — PKI server that issues certificates
- Enterprise CA — CA integrated with AD (as opposed to a standalone CA), offers certificate templates
- Certificate Template — a collection of settings and policies that defines the contents of a certificate issued by an enterprise CA
- CSR (Certificate Signing Request) — a message sent to a CA to request a signed certificate
- EKU (Extended/Enhanced Key Usage) — one or more object identifiers (OIDs) that define how a certificate can be used
- Application Policy — this does the same thing as EKUs, but with a few more options. Specific to Windows environments
Recon
While AD CS offers attackers a wide range of exploitation and persistence scenarios, this set of services is not always installed, and when it is, its different components (CA servers, enrollment services, templates) must first be identified in the domain.
Cert Publishers
An initial indicator is the "Cert Publishers" built-in group, whose members are usually the servers where AD CS is installed (i.e. the PKI/CA servers).
- From UNIX-like systems:
rpc net group members "Cert Publishers" -U "DOMAIN"/"User"%"Password" -S "DomainController"
- From Windows systems:
net group "Cert Publishers" /domain
pKIEnrollmentService objects
Alternatively, information such as the CA names and the DNS names of the PKI servers can be gathered through LDAP, from the pKIEnrollmentService objects stored in the Configuration naming context.
Attack paths
Certipy (Python) and Certify (C#) can also identify the PKI enrollment services and potential attack paths.
From UNIX-like systems, the Certipy (Python) tool can be used to operate multiple attacks and enumeration operations.
# enumerate and save text, json and bloodhound (original) outputs
certipy find -u 'user@domain.local' -p 'password' -dc-ip 'DC_IP' -old-bloodhound
# quickly spot vulnerable elements
certipy find -u 'user@domain.local' -p 'password' -dc-ip 'DC_IP' -vulnerable -stdout
Certipy also supports BloodHound. With the -old-bloodhound option, the data will be exported for the original version of BloodHound. With the -bloodhound option, the data will be exported for the modified version of BloodHound, forked by Certipy's author (default output when no flag is set).
The tool also supports multiple output types (text, json, stdout).
By default, Certipy uses LDAPS, which is not always supported by the domain controllers. The -scheme flag can be used to set whether to use LDAP or LDAPS.
Abuse
The different domain escalation scenarios are detailed in the following parts.
- ESC1 to ESC3, ESC9, ESC10, ESC13, ESC14 and ESC15: Certificate Templates
- ESC6 and ESC12: Certificate Authority
- ESC4, ESC5 and ESC7: Access Controls
- ESC8 and ESC11: Unsigned Endpoints
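The template-side conditions behind ESC1, ESC2 and ESC3 can be audited directly from the LDAP attributes of certificate template objects, which is what tools like Certipy do when they "spot vulnerable elements". The script below is an added example written for this page (it is not code from the page, from Certipy or from Certify). It evaluates the real template attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage) and the well-known EKU OIDs; the list of low-privileged principals and the sample templates are constructed for the demo, and the `Template` class, `assess_template` and `audit` names are the example's own. It only covers the template conditions, not the CA-side settings (ESC6, ESC7...) or the second template needed to complete ESC3.

```python
"""Audit AD CS certificate templates for the ESC1/ESC2/ESC3 template conditions.

Added example for this page. Input is the raw attribute values of the template
objects found under CN=Certificate Templates,CN=Public Key Services,
CN=Services,CN=Configuration,... The sample data at the bottom is constructed.
"""
from dataclasses import dataclass

# msPKI-Certificate-Name-Flag bit: the requester supplies the subject / SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request is pended for manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# pKIExtendedKeyUsage OIDs that allow a certificate to authenticate to AD.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
}
ANY_PURPOSE_EKU = "2.5.29.37.0"
CERT_REQUEST_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"

# Principals that should not hold Enroll rights on an authentication-capable
# template with weak issuance requirements. Constructed list (assumption).
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users",
                       "Domain Computers", "Everyone"}


@dataclass
class Template:
    name: str
    enabled: bool          # published on at least one enterprise CA
    name_flag: int         # msPKI-Certificate-Name-Flag
    enrollment_flag: int   # msPKI-Enrollment-Flag
    ra_signatures: int     # msPKI-RA-Signature (authorized signatures required)
    ekus: list             # pKIExtendedKeyUsage (empty list = no EKU restriction)
    enroll_rights: set     # principals granted Enroll / AutoEnroll


def allows_authentication(ekus):
    """True when the EKU set permits client authentication (no EKU, Any Purpose, or a client-auth EKU)."""
    return not ekus or ANY_PURPOSE_EKU in ekus or bool(CLIENT_AUTH_EKUS & set(ekus))


def weak_issuance_requirements(t):
    """No manager approval and no authorized signature required."""
    return not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS) and t.ra_signatures == 0


def low_priv_can_enroll(t):
    return bool(t.enroll_rights & LOW_PRIV_PRINCIPALS)


def assess_template(t):
    """Return the ESC identifiers whose template-side conditions `t` satisfies."""
    findings = []
    # Every template-based escalation needs an enabled template that a
    # low-privileged principal can enroll in without approval or co-signature.
    if not (t.enabled and weak_issuance_requirements(t) and low_priv_can_enroll(t)):
        return findings
    if (t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) and allows_authentication(t.ekus):
        findings.append("ESC1")   # requester-controlled SAN on an auth-capable template
    if not t.ekus or ANY_PURPOSE_EKU in t.ekus:
        findings.append("ESC2")   # certificate usable for any purpose
    if CERT_REQUEST_AGENT_EKU in t.ekus:
        findings.append("ESC3")   # enrollment agent certificate obtainable
    return findings


def audit(templates):
    """Map template name -> findings, keeping only templates with at least one."""
    return {t.name: f for t in templates if (f := assess_template(t))}


# Constructed sample templates (not real domain data).
SAMPLE_TEMPLATES = [
    Template("User", True, 0x0, 0x20, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
    Template("VulnWebServer", True, 0x1, 0x0, 0,
             ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
    Template("SubCAClone", True, 0x1, 0x0, 0, [], {"Domain Users"}),
    Template("EnrollmentAgent", True, 0x0, 0x0, 0,
             [CERT_REQUEST_AGENT_EKU], {"Domain Computers"}),
    Template("ApprovalRequired", True, 0x1, CT_FLAG_PEND_ALL_REQUESTS, 0,
             ["1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
    Template("Unpublished", False, 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], {"Everyone"}),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(findings)}")
```

Running it prints the three risky templates and the ESC conditions each meets; "User", "ApprovalRequired" and "Unpublished" are filtered out because the shared preconditions (enabled, no approval or co-signature, low-privileged enrollment) are not all met. Requiring manager approval or an authorized signature is therefore one template-level fix that clears all three findings at once.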
Resources
https://posts.specterops.io/certified-pre-owned-d95910965cd2
https://http418infosec.com/ad-cs-what-can-be-misconfigured
https://http418infosec.com/ad-cs-the-certified-pre-owned-attacks
https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc