Exploiting Certificates

Resources

1. Task 8 of TryHackMe Exploiting AD room

TryHackMe | Cyber Security TrainingTryHackMe

1. Certificate template concepts

Certificate template concepts in Windows ServerMicrosoftLearn

1. Manage certificate templates

Manage certificate templates in Windows ServerMicrosoftLearn

1. [MS-CRTD] Certificate Templates Structure

[MS-CRTD]: Certificate Templates StructureMicrosoftLearn

1. Certutil

certutilMicrosoftLearn

CertutilMicrosoftLearn

1. PSPKIAudit

• AD CS auditing

GitHub - GhostPack/PSPKIAudit: PowerShell toolkit for AD CS auditing based on the PSPKI toolkit.GitHub

1. Further readings on AD Certificate exploitation (as a result of misconfigurations)

AD Certificate TemplatesTryHackMe

Certified Pre-Owned - SpecterOpsSpecterOps

What is AD Certificate Services?

A Microsoft's Public Key Infrastructure (PKI) implementation. It leverages on the fact that Active Directory (AD) provides a level of trust in an organisation, which allows it be act as a Certificate Authority (a PKI that issues certificates) to prove and delegate trust.

Certificate templates

Certificate templates can greatly simplify the task of administering an Active Directory Certificate Services (AD CS) certification authority (CA) by allowing an administrator to issue certificates preconfigured for selected tasks.

Certificate templates are the sets of rules and settings that are configured on a CA to be applied against incoming certificate requests. Certificate templates also give instructions to the client on how to create and submit a valid certificate request.

Exploitation example

1. View the configured templates

C:\>certutil -Template -v > templates.txt

• This command allows us to view all the configured certificate templates. The following tool can be used too

• A combination of certain certificate parameter values (misconfiguration) may allow us to exploit the certificate to perform privilege escalation

  • refer to the linked titled: "Further readings on AD Certificate exploitation (as a result of misconfigurations)" under the resources section above for more information

1. Request for a TGT using the newly retrieved certificate (to impersonate a particular user, eg. Administrator)

Given that we are able to retrieve a certificate with configured parameters of our choice: User Principal Name (UPN), etc., we can now use the certificate to request for a TGT to impersonate a user with rubeus.exe:

• Note: we can retrieve the certificate using the Microsoft Management Console (MMC))

• The following attack works due to the permissions provided by the certificate template. Particularly in this example, the ability to specify the Subject Alternative Name (SAN), and to be able to use the certificate for client authentication

rubeus.exe asktgt /user:<user> /enctype:aes256 /certificate:<path_to_certificate> /password:<certificate_file_password> /outfile:<output_filename> /domain:<domain> /dc:<IP_of_DC>

• /user: Username to impersonate. This value has to match the UPN specified in the certificate

• /enctype: This specifies the encryption type for the ticket.

  • Setting a value for this field is important for evasion, since the default encryption algorithm is weak, which may result in an overpass-the-hash alert

• /certificate: Path to the certificate was generated previously

• /password: Password for the certificate file

• /outfile: The file to output the TGT to

• /domain: The FQDN of the domain we are attacking

• /dc: The IP of the domain controller which we are requesting the TGT from

  • It is best to select a DC that has a CA service running

Next, we can load the TGT into memory with mimikatz:

mimikatz # privilege::debug
mimikatz # kerberos::ptt <TGT_file_location>.kirbi
mimikatz # exit

1. Test the validity of our TGT against the target

Given that we have crafted a TGT for the Administrator on the DC named DC.TEST.COM, we can now attempt to view the directory listing on that machine:

C:\> dir \\DC.TEST.COM\C$

We can confirm that our TGT is working if we are able to view the directory listing.

Note

This attack variant works due to certain parameter value misconfigurations provided by the certificate template. Checkout the linked titled: "Further readings on AD Certificate exploitation (as a result of misconfigurations)" under the resources section above for more information on different attack variants.