AD CS – What Can Be Misconfigured?

Introduction

The aim of this post is to go into more detail on the attacks described within the excellent ‘Certified Pre-Owned’ blog post & whitepaper produced by SpecterOps. This post will show how to configure a test environment which is vulnerable to the attacks they describe. If you are unfamiliar with AD CS, I have a separate post which covers the basics.

In summary, the attacks which are possible within a default installation of AD CS are terrifying. The now ubiquitous ‘ESC8‘ attack can lead to DC compromise from a low-priv user, and the other attacks are impressive in their own right. To learn more about how to perform the attacks, I have another post covering that.

What Can Be Vulnerable In AD CS?

This section will cover some of the misconfigurations covered within the whitepaper, showing how we can create a vulnerable AD CS environment. The ‘VULN’ numbers used below are something I used whilst researching into these attacks and made the configuration a little easier for myself.

In summary, the vulnerabilities can be shown in the table below:

	ESC1 (p.56)	ESC2 (p.63)	ESC3.1 (p.64)	ESC3.2 (p.64)	ESC4 (p.68)	ESC5 (p.70)	ESC6 (p.71)	ESC7 (p.74)
`VULN1` – Enterprise CA ACE	✔️	✔️	✔️	✔️	–	–	–	✔️(*)
`VULN2` – Template ACE	✔️	✔️	✔️	✔️	✔️(1)	–	–	–
`VULN3` – Manager Approval Disabled	✔️	✔️	✔️	✔️	–	–	–	–
`VULN4` – No signature required	✔️	✔️	✔️	–	–	–	–	–
`VULN5` – Vulnerable EKU OID	✔️	✔️(2)	✔️(3)	✔️	–	–	–	–
`VULN6` – SAN in CSR	✔️	–	–	–	–	–	–	–
`VULN7` – EDITF_* attribute	–	–	–	–	–	–	✔️(*)	–

1 – Requires write permissions, 2 – Requires either ‘Any Purpose’ or no OID, 3 – Requires ‘Certificate Request Agent’ OID, * – Not relevant if ESC6 or ESC7 is possible

For example, to perform ESC6, we need VULN7 to be present in the estate. Likewise, if VULN4 is present on a given certificate, then ESC1, 2 or 3 could be possible should the other conditions be met.

One key point for this table, is that if ESC6 or ESC7 is possible, then ESC1-4 can be performed against any principal!

VULN1 – “The Enterprise CA Grants Low-Priv Users Enrollment Rights”

The Enterprise CA must be configured to allow our target user to request a certificate. This setting can be found via certsrv by right clicking on the CA object, then Properties then Security. A vulnerable server will have an ACE containing the target user (Such as Domain Users) allowing that user to request certificates. (Figure 8, Page 23)

By default, the Authenticated Users group is able to request certificates

This setting is enabled by default, as we can see above. This allows any authenticated user to request certificates from the AD CS server. In order to obtain a certificate, we will also need a certificate template to be (mis)configured to allow us to enrol on it. This is covered in VULN2 below.

These ACEs are also involved in VULN7, where we have the ‘Manage CA‘ or ‘Issue and Manage Certificates‘ ACE enabled for our user.

VULN2 – “An Overly Permissive Certificate Template Security Descriptor Grants Certificate Enrollment Rights To Low-Privileged Users.”

Despite the mouthful of a title, this is another ACE misconfiguration, which allows our standard user account to enroll on a certificate template. As we can see below, the default User template allows the Domain Users group to enroll on it.

There are several permissions which can be abused here, for example the Enroll and AutoEnroll permissions are specific to certificate template objects.

We also have the more ‘traditional’ permissions such as Full Control and Write, which should be familiar from BloodHound. Either of these permissions would allow us as an attacker to edit the template, granting our user the Enroll or AutoEnroll permissions to enroll on it.

VULN3 – “Manager Approval Is Disabled”

Following the same steps as VULN2, we can view details on the certificate templates. On the ‘Issuance Requirements‘ tab, we can see the authorisations required before a certificate is issued. If CA Certificate manager approval is not required, then we can request a cert and it will be automatically created for us.(Assuming we meet the other criteria such as those in VULN1 and VULN2.)

This is understandably quite risky, as there is no peer reviewing of these certificates, so an Administrator would not be aware of their issuance.

A template which does not require CA Certificate Manager approval

VULN4 – No Authorized Signatures Are Required

In a very similar method to VULN3, we can check if any authorized signatures are required. This is another pre-requisite which can make the process of issuing certificates better protected.

VULN5 – “The Certificate Template Defines EKUs That Enable Authentication.”

Using the method detailed in VULN3, we then go to the ‘Extensions‘ tab to view the EKUs which are set on the template.

The EKU OIDs which have been found to allow client authentication are on Page 19 of the whitepaper:

EKU Usage	OID Value
Client Authentication	1.3.6.1.5.5.7.3.2
PKINIT Client Authentication	1.3.6.1.5.2.3.4
Smart Card Logon	1.3.6.1.4.1.311.20.2.2
Any Purpose	2.5.29.37.0
“SubCA”	No EKUs

We can view this by selecting the ‘Application Policies‘ extension. By clicking on ‘Edit’ and then ‘Edit’ we can view the EKU value. As we can see below, the ‘Client Authentication‘ OID is included in the template below.

Example plaintext EKU OIDs for an example template

We can also view this using PowerView with the following query:

Get-DomainObject -SearchBase "CN=<TEMPLATE_NAME>,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=forest,DC=com" | Select-Object -ExpandProperty PKIExtendedKeyUsage

Getting the OIDs for a template with PowerView

VULN6 – The Certificate Template Allows Requesters To Specify A SubjectAltName (SAN) in the CSR

As a reminder here, a CSR is the request we send to an AD CS server to obtain a certificate. A SAN is an option we can set to obtain a certificate to authenticate as another user.

This misconfiguration allows for an attacker to request a certificate for any(!) target user for a given, vulnerable certificate template. Typically certificates can only be requested for the requestor, so this misconfiguration is very powerful.

With this setting enabled, we can request a certificate as any valid user on the domain. There is more detail on this on page 58.

This value is set via the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag, which is a bitmask. We can find its value on the MSPKI-Certificate-Name-Flag value on the template. This can be requested with the following PowerView query:

Get-DomainObject -SearchBase "CN=<TEMPLATE_NAME>,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=forest,DC=com"

Or we can view it in the GUI if we have access to the AD CS server by going on the Properties of the certificate template, then onto the Subject Name tab.

VULN7 – EDITF_ATTRIBUTESUBJECTALTNAME2

According to Microsoft:

If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786426(v=ws.11)#controlling-user-added-subject-alternative-names

This is a slightly different request as the SAN must be passed as an attribute, instead of a certificate extension, as with VULN6. This is still a very easy attack, even with this small change. Page 70 of the whitepaper contains more information on this.

Conclusion

Now we have looked at the misconfigurations, this post will show more detail on how we can attack a vulnerable environment.

AD CS – The Basics

Introduction

This post will cover the basics of Active Directory Certificate Services (AD CS) and how we can use certificates for offensive security. I have two other posts on this subject. The first of which covers some of the dangerous misconfigurations. And secondly, how we can actually perform the attacks.

For those unfamiliar, AD CS is the server role used to issue and manage digital certificates within a server estate. This is a role which can have massive security implications if it is incorrectly configured. Certificates can be used for a large number of uses, from HTTPS through to authenticating to a domain.

All of the page references in this post refer to the white-paper produced by SpecterOps.

Installation

We will assume we already have Server 2019 installed and running as a domain controller. Dinika-15 on Medium has made a great guide to follow for the installation of AD CS.

For our purposes, we will add the ‘Active Directory Certification Services‘ role to the server. Optionally, will can install ‘CA Web Enrollment‘ to have some fun with NTLM relays as part of the ‘ESC8’ attack. This is shown below:

If we do want to perform the ESC8 attack, ensure that you install AD CS on a server that isnt operating as a domain controller, due to their enhanced SMB signing protection. I didnt realise this for a few days and so most of my screenshots will reference my DC (DC01)!

Click through the wizard until we get to the confirmation screen. By default, I allow it to restart as needed! It didn’t seem to need it, but I have seen other server roles require several restarts.

Now we have it installed!

I would then recommend a restart to ensure the server is more predicable.

Then run certutil.exe on the CS server to show AD CS details & confirm we have it installed.

Core Concepts

Certficates

Certificates in AD can be used for many different functions, but this research focuses on those certificates which allow for domain authentication. In effect, a certificate which allows for authentication has a lot of similarities with an SSH private key – as you can authenticate without knowing the current password and the credentials are stored in a single file.

Certificate Template

A certificate template is effectively a blueprint for a certificate. Each certificate request must use a template, and so the settings of a template will dictate the resulting certificate. For example, a vulnerable template might allow any AD user to authenticate to AD with it. (Page 16)

Certificate Signing Request (CSR)

A CSR is the request made by a client to the AD CS server, in order to obtain a certificate. For example, Joe Bloggs will submit a CSR to the AD CS server in order to obtain a certificate.(Page 15)

Extended Key Usages (EKU) Object Identifiers (OIDs)

Despite the incredibly complex name (EKU OIDs), these are a reasonably straight-forward concept at a high level. These values dictate what a certificate template can be used for. These uses can be things such as authenticating to the domain to signing code.

As described on page 18, the 1.3.6.1.5.5.7.3.2 OID can be used for Client Authentication. This means if we can obtain a certificate which includes that OID, we can use the certificate to authenticate to the domain. We will cover these more later on!

Subject Alternative Names (SANs)

On a certificate template, there is an option to allow the requester to specify which principal the certificate can be used as. For example, if the SAN option is set on a template, and the template allows for client authentication then you could leverage the certificate to log in as any user. This is as bad as it sounds, and is covered in more detail within ESC1 (Page 54).

Interacting with AD CS

There are a number of tools which can be used to interact with AD CS, the table below lists a number of them:

Tool Name	Description	Usage
MMC	MMC can be used to request, import and export certificates from a device.	Run -> `mmc`
ADSI Edit	This can show us the raw AD information on the certification services. This is handy for debugging issues and the various ACEs and ACLs we will encounter!	On a DC, search for `ADSI Edit`
Certification Authority	This tool will show details on the Certificate Templates, issued certificates and failed requests.	On the CS server, Run -> `certsrv`
Certificate Templates Console	Shows more detail on Certificate Templates.	Right click on Certificate Templates within `certsrv`
Certify	Automates a large part of this work, used for interacting with AD CS via CLI.	Download from GitHub
ForgeCert	If you manage to steal a CA certificate, this will allow ‘Golden Certificate’ attacks. Covered under DPERSIST1.	Download from GitHub

For ADSI Edit, we must use the ‘Configuration’ naming context. To do this, open ADSI edit and right click on the ‘ADSI Edit’ entry at the top of the navigation tree.

Then click on Connect To and select the ‘Configuration’ option in the dropdown.

Click on ok and we can view information on AD CS at CN=Services -> CN=Public Key Services. We should now be able to see the container for Certificate Templates and other configuration items.

Dealing With Certificates

Requesting a Certificate

For this guide, we will use MMC to request our certificates. At the time of writing, Certify and ForgeCert were yet to be released. Therefore, we will focus on using built-in Windows tooling to achieve these attacks, which has the added advantage of living off the land! certreq can be used to perform these attacks via the CLI if desired.

On your domain-joined low-privilege machine, open up mmc by searching for it in the search bar.

Click on File -> Add/Remove Snap-in, then select the ‘Certificates’ option and click ok. We will now have loaded in the Certificates snap-in, which we can use to request certificates. To request a certificate, right click on the Personal entry, then All Tasks and then Request New Certificate.

Click through the wizard and then we will select the default User template.

Then click on Enroll and we will get a certificate in our ‘personal’ folder.

This is effectively the ‘PERSIST1‘ attack within the whitepaper (Page 49).

Exporting a Certificate

We will often want to export a certificate in order to maintain persistance over an account or machine. For example, if we abuse ESC1 or ESC2, we can login as a user or machine without having valid credentials for the account – so long as we have a valid certificate.

To export a certificate, go to the Personal folder within mmc and right click on the certificate to export. Select Export, at the wizard we will export the private key as well.

And we must include the private key in order to use it on other systems!

Because we are exporting the private key, we must password protect the exported certificate file. Oddly there are no password restrictions here, so we will use a password of ‘a‘.

Importing a Certificate

Importing a certificate is very straight-forward. Right click on the ‘Personal’ folder within MMC, we will then select ‘Import’.

Click through the wizard, on the file selector make sure you select ‘All Files’ as it will default to .cer and *.crt files. You will need to put in your password from when you exported it.

Conclusion

Hopefully this very brief introduction was of use! To put this knowledge into action, I have posts on both how to configure a vulnerable AD CS environment and how to perform the various AD CS attacks here. Below are some errors which I encountered, which didnt have very simple explanations on Google!

Common Errors

CRL Server is not reachable (CRYPT_E_REVOCATION_OFFLINE)

To get around this error, we can disable CRL checking by running the following on the DC:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

This will commonly show the “The revocation function was unable to check revocation because the revocation server was offline” or CRYPT_E_REVOCATION_OFFLINE error

KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP

This error typically appears when you haven’t imported the Domain Controller Authentication certificate onto the Domain Controller. This process is covered in more detail by Citrix here.

In short, go onto your DC and open MMC. In MMC add the Certificates add-on for the computer account and request the Domain Controller Authentication certificate.

KRB-ERROR (62) : KDC_ERR_CLIENT_NOT_TRUSTED

Thanks to a tweet from GentilKiwi, we can fix this by running the following on a Domain Controller.

certutil -pulse

I found I had to reinstall the Domain Controller Authentication certificate again, as shown in KRB-ERROR(16) above, but this will depend on your environment!

The requested certificate template is not supported by this CA

This error occurs when you attempt to request a certificate template which has not been enabled. A template can be enabled within certsrv by selecting ‘Certificate Template to Issue’. Select the certificate you want to issue and click OK.

Other KRB-ERROR codes

If you encounter other error codes, eventid.net is a great resource to explain what they mean. Often the codes are fairly self-explanatory!