Exploitation - Active Directory Certificate Services
Overview
Active Directory: Public Key Services containers
A number of Active Directory objects, stored in the Configuration
naming context, are related to Active Directory Certificate Services
(and potentially third-party Certification Authority
). As any objects stored in the Configuration
naming context, the objects are replicated on all the Domain Controllers forest-wide.
NTAuthCertificates
CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,<DOMAIN>
The NTAuthCertificates
store, also known as the Enterprise NTAuth store
store, hold the certificate of the trusted Certificate Authorities
(in the cACertificate
attribute).
Enrollment Services
CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,<DOMAIN>
Certificate Authority
CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,<DOMAIN>
Certificate Templates
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,<DOMAIN>
Container holding the certificate templates
defined in the domain, whether they are enabled in a Certificate Authority
or not.
CDP
CN=<CA_NAME>,CN=<ADCS_SERVER>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,<DOMAIN>
Container storing the Certificate Revocation Lists (CRL)
, with one separate container per CA
and each CA
thus having its own CRL
.
Certificate template
Certificate templates
are domain objects of type pKICertificateTemplate
, stored under the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<TLD>
container, that govern the certificates that can be requested to and delivered by the Active Directory Certificate Services (AD CS)
.
A certificate template
notably defines a number of parameters for the certificates issued through the template:
The way the
Subject Name
andSubject Alternative Name (Subject Alternative Name)
of the certificates will be constructed. The subject information can be either build:automatically based on
Active Directory
information of the principal making the request (User Principal Name (UPN)
,Service Principal Name (SPN)
,DNS
name, etc.).using user-supplied data provided in the certificate request. In such case, the
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
(0x1
) in themsPKI-Certificate-Name-Flag
attribute is set (and the attribute thus has an odd value).
The issued certificates validity period.
The cryptographic parameters of the certificates (the
Cryptographic Services Provider (CSP)
and the minimum key size used for instance).The
X509v3
extensions added to the certificates, including theExtended / Enhanced Key Usage (EKU)
extension (introduced in more details below). The extensions define the purpose of the certificates.Eventual issuance requirements:
Approval of a certificate manager to validate (or deny) the certificate request. This setting will set the
CT_FLAG_PEND_ALL_REQUESTS
(0x02)
flag in the certificate templatemsPKI-Enrollment-Flag
attribute. Certificate requests will be keep in a pending state, awaiting for action of the certificate manager.
Additionally, certificate templates
are securable objects
, and the access control rights defined in a certificate template
's Access Control List (ACL)
govern the operations that can be conducted on the template itself and the principals that can enroll to the template. Refer to the [Active Directory] ACL exploiting - Active Directory Certificate Services
note for more information on the certificate templates
ACL
.
Extended / Enhanced Key Usage extension
The Extended / Enhanced Key Usage (EKU)
extension is a certificate extension (i.e an additional attribute) that defines the purposes of the certificate, effectively restricting what the certificate can be used for in an Active Directory environment. This extension is implemented by the pKIExtendedKeyUsage
attribute on Active Directory certificate template object.
The EKU
extension is composed of 0 or more Object Identifier (OID)
, each OID
corresponding to a specific purpose. The following notable OIDs
are supported in Active Directory:
2.5.29.37.0
anyExtendedKeyUsage
Certificate that can be used for any usage.
Yes.
1.3.6.1.5.5.7.3.2
clientAuth
Certificate used for client authentication (be it SSL
/ TLS
authentication for web client or to remote servers in Active Directory).
Yes.
1.3.6.1.5.5.7.3.3
codeSigning
Code signing certificate used to digitally sign executables (such as PE
binaries or PowerShell scripts).
No.
1.3.6.1.5.5.7.3.4
emailProtection
Certificate used to encrypt or digitally sign emails through the S/MIME
standard.
No.
1.3.6.1.5.5.7.3.5
1.3.6.1.5.5.7.3.6
1.3.6.1.5.5.7.3.7
ipsecEndSystem
ipsecTunnel
ipsecUser
Certificates used in an Internet Protocol SECurity (IPSEC) infrastructure.
No.
1.3.6.1.5.2.3.4
keyPurposeClientAuth
Certificate used in Active Directory for PKINIT client authentication (not present by default and requires to be manually added in the certificate template).
Yes.
1.3.6.1.4.1.311.10.3.4
msEFS
Certificate used to encrypt / decrypt Encrypting File System (EFS)
NTFS
filesystems on Windows.
No.
1.3.6.1.5.5.7.3.1
serverAuth
Certificate used for server authentication (for instance using the SSL
/ TLS
protocol).
No.
1.3.6.1.4.1.311.20.2.2
Smartcard logon
Certificate used for smart card logon.
Yes.
If no OID
is specified in the EKU
extension, the certificate will by default be valid for all usages in Windows, including client authentication. Applications may however rely on the Constrained
EKU
validation mode, as implemented by Microsoft, which determine the valid usage of the certificate using only the explicitly specified purposes (in all the certificate of the chain).
Arbitrary / user-controlled Subject Alternative Name
As specified in the certificate processing logic in the Microsoft documentation, if an User Principal Name (UPN)
is specified in a certificate's subjectAltName
field, the UPN
is used to map the certificate to an user account in Active Directory and conduct the PKINIT
authentication as that user. Having control on the Subject Alternative Name
for which the certificate will be emitted can thus be leveraged for privilege escalation, notably if the certificate template
supports client authentication (and can be requested under the current privileges). For example, in such circumstances, an unprivileged user could request a certificate specifying a more privileged principal, such as the domain Administrator
account or a member of the Domain Admins
group, and later use the certificate to authenticate under the impersonated principal.
The Subject Alternative Name
for which the certificate will be emitted is user-controlled if either:
The specific
certificate template
is configured to use user-supplied data provided in the certificate request to define thesubjectAltName
(i.e, as noted above, the templatemsPKI-Certificate-Name-Flag
attribute'sCT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
(0x1
) flag is set).A
Certificate Authority
server has, in itsHKEY_LOCAL_MACHINE
registry hive, theEDITF_ATTRIBUTESUBJECTALTNAME2
(0x00040000
) flag set. As stated in the Microsoft documentation, if this flag is set, user-supplied alternative names are allowed for anycertificate template
published by the givenCertificate Authority
server.
Enrollment rights
To enroll for a certificate template
, the following conditions must be meet:
The
certificate template
must be published by at least oneCertificate Authority
. Thecertificate templates
published by a givenCA
are defined in thecertificateTemplates
attribute of theCA
'sEnrollment Service
(pKIEnrollmentService
) object.The given principal must be able to enroll to a
CA
publishing thecertificate template
(Certificate-Enrollment
orCertificate-AutoEnrollment
extended rights).The given principal must have enrollment rights for the
certificate template
. The enrollment rights are defined on thecertificate template
object'sACL
(notably theCertificate-Enrollment
orCertificate-AutoEnrollment
rights).
Certificate Authorities enumeration
The certutil
built-in utility and Certify
can be used to enumerate the Certification Authorities
configured.
The certutil
utility and Certify
as well as direct remote registry queries can be attempted to determine if the EDITF_ATTRIBUTESUBJECTALTNAME2
flag is set for a given CA
. The request can usually be done under an authenticated but unprivileged context.
The following PowerShell script uses the ActiveDirectory
module to enumerate each CA
's published certificate templates
and enrollment rights. An attempt is made to determine if the EDITF_ATTRIBUTESUBJECTALTNAME2
flag is set for each CA
by remotely querying their HKLM
registry hive.
Certificate templates enumeration
Multiple tools and utilities, including certutil
, Certify
, Invoke-Leghorn
, and Certipy
can be used to enumerate the certificate templates
. PingCastle
's healthcheck
module also includes a review of the certificate templates
.
For the enumeration (and exploitation) of the access rights defined on certificate templates
, refer to the [ActiveDirectory] ACL exploiting - Active Directory Certificate Services
note.
The following PowerShell code enumerates all the certificate templates
and returns a number of information for each template:
Certificate Authorities
publishing thecertificate template
, if any.Purposes, highlighting client authentication.
Principals having direct enrollment rights (
GenericAll
,Certificate-Enrollment
, orCertificate-AutoEnrollment
).Whether the
Subject Alternative Name
is user-supplied and the certificate request requires an approval.
The published certificate templates
supporting client authentication, allowing anyone to enroll without approval, and construct the subjectAltName
from user-supplied data are highlighted as vulnerable.
Dangerous rights on certificate template or on the Certificate Authority itself
Refer to the [ActiveDirectory] ACL exploiting
note (section Active Directory Certificate Services
) for more information, techniques, and tools to enumerate and exploit dangerous rights on CA
objects or certificate templates
.
Certificates request
Certificates for published certificate templates
can be requested with Windows built-in utilities or specific tools. The certificates obtained (that support client authentication) can be used to request Ticket Granting Ticket (TGT)
through PKINIT
authentication. As with any TGT
obtained through a PKINIT
preauthentication, the NTLM
/ NTHash
hash of the user can be retrieved through a subsequent Kerberos User-to-User (U2U)
special service tickets (ST)
(see the section below). For more information on how to use and manipulate the TGT
retrieved, refer to the [ActiveDirectory] Kerberos - tickets usage
note.
Certificates format
Certificates in the PEM
format with public and private keys (such as certificates obtained using Certify
) must be converted in the PFX
format, supported by Windows, to be further usable by some utilities (such as Rubeus
to request TGT
).
openssl
can be used to convert a PEM
file (with both public and private keys) to a PFX
certificate file:
Standard certificates requests
Certificates can be requested manually using the graphical built-in certmgr.msc
(for user certificates) and certlm.msc
(for machine certificates) snap-ins:
Certify
(on Windows) and Certipy
can be used to request a certificate:
[Privilege escalation] Certificate request with arbitrary subjectAltName (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT or EDITF_ATTRIBUTESUBJECTALTNAME2)
For certificate templates
allowing an user-supplied subjectAltName
(msPKI-Certificate-Name-Flag
attribute's CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
flag set), an arbitrary username or an User Principal Name (UPN)
can be specified to impersonate any security principal.
The subjectAltName
can be specified for certificate requests made with the certmgr.msc
and certlm.msc
utilities. If a certificate template
requires an user-supplied subjectAltName
, a warning will be displayed (More information is required to enroll for this certificate. Click here to configure settings
) and an subjectAltName
will be specifiable:
For CA
allowing user-supplied alternative names for their published certificate templates
(EDITF_ATTRIBUTESUBJECTALTNAME2
flag set), the built-in certreq
utility and the following policy file can be used to request a certificate for an arbitrary user. The certificate is tagged as exportable in the policy, and can thus be simply exported as a PFX
file containing the private key. Refer to the [Windows] Post exploitation
note (section Certificates retrieval
) for more information on how to export certificates.
Then the certreq
utility can be used to request a certificate based on the policy and install locally the retrieved certificate:
Alternatively, both Certify
and Certipy
support specifying an arbitrary subjectAltName
for either vulnerable certificate template
(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
) or vulnerable CA
(EDITF_ATTRIBUTESUBJECTALTNAME2
).
[Privilege escalation] Certificate request through NTLM relaying
Certificate template with Certificate Request Agent EKU but not Enrollment agent restrictions CA-side
Certificates usage
Client authentication certificate usage and NTHash / NTLM hash retrieval
Ticket Granting Ticket (TGT)
obtained through a PKINIT
preauthentication can be leveraged to retrieve the principal's NTLM
/ NTHash
hash through a special User-to-User (U2U)
service tickets
.
PKINIT
is a Kerberos
preauthentication mechanism which uses digital certificates to mutually authenticate the Key Distribution Center (KDC)
and clients for TGT
requests (in AS-REQ
and AS-REP
messages). PKINIT
requires a valid X.509
certificate for the KDC
(Domain Controllers in Active Directory) and one for each client principal that will authenticate using PKINIT
. In environments with a PKI
trusted by both parties, such as Active Directory Certificate Services (ADCS)
, digital certificates generated and signed by the trusted Certificate Authority (CA)
will be used for the PKINIT
authentication.
To support subsequent NTLM
SSO
authentications for users that authenticated using PKINIT
, Kerberos User-to-User (U2U)
special service tickets (ST)
allow a client to retrieve their NTLM
hash. U2U
tickets indeed contain, in their Privilege Attribute Certificate (PAC)
, the NTLM
hash of the principal that requested the U2U ST
. The NTLM
hash is stored encrypted using the client's TGT
session key in the PAC
's PAC_CREDENTIAL_INFO
(NTLM_SUPPLEMENTAL_CREDENTIAL
structure) additional field. Using a valid TGT
, clients can thus request a U2U ST
from themselves to themselves in order to obtain their NTLM
hash.
Rubeus
and certipy
can be used to conduct a Kerberos
PKINIT
preauthentication to retrieve a Ticket-Granting Ticket (TGT)
using the obtained certificate. Rubeus
retrieves a TGT
in the KRB_CRED
format (and can inject it in the current session) while Certipy
will export the ticket in the credential cache (ccache)
format.
Both tools can make a subsequent U2U
ST
request using the retrieved TGT
in order to obtain the NTLM
hash / NTHash
of the principal the certificate was issued to.
For certificates obtained with an arbitrary subjectAltName
, the username of the user specified in the certificate's subjectAltName
field should be specified (and not the username of the subject).
Client authentication certificate usage over LDAPS through Schannel
If the KDC
does not support PKINIT
authentication, as may be the case if its certificate does not have the Smart Card Logon
enhanced key usage extension, a KDC_ERR_PADATA_TYPE_NOSUPP
error will arise. In such circumstances, PassTheCert
can be used to authenticate to LDAPS
over TLS
Schannel
.
PassTheCert
implements a few privilege escalation / persistence techniques to further access the domain with out relying on the certificate:
Grating
DS-Replication-Get-Changes
andDS-Replication-Get-Changes-All
rights to the specified user to conductDCSync
replication.Adds an SPN to the
msDS-AllowedToActOnBehalfOfOtherIdentity
attribute of the specified target (to take over the targeted computer through aRBCD
attack).Reset the password of the specified account.
Add an account to the specified group.
Code signing certificate
Code Signing
certificates (OID 1.3.6.1.5.5.7.3.3
) can be used to sign PE
binaries or PowerShell scripts.
Digitally signed executables can be exempted from User Account Control (UAC)
or Windows SmartScreen
prompt. Additionally, on systems with AppLocker
enabled, Windows Installer
files digitally signed by a trusted publisher can be installed by non-privileged users, resulting in a potential local privilege escalation.
References
https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/
https://posts.specterops.io/certified-pre-owned-d95910965cd2
https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
https://www.sysadmins.lv/blog-en/understanding-active-directory-certificate-services-containers-in-active-directory.aspx
https://ldapwiki.com/wiki/ExtendedKeyUsage
https://www.sysadmins.lv/blog-en/constraining-extended-key-usages-in-microsoft-windows.aspx
https://www.keyfactor.com/blog/hidden-dangers-certificate-subject-alternative-names-sans/
Last updated