Red Teaming: Taking advantage of Certify to attack AD networks
A vulnerability tracked as CVE-2022–26923 has been abused by criminals to exploit Active Directory (AD) networks and escalate privileges internally. With this flaw in place, obtaining Domain Admin privileges over the AD network is possible, making this one of the most dangerous scenarios to be explored in the wild.
As published by Oliver Lyak on his blog, Certipy is a tool that contains many features, techniques and improvements. This tool can be used to get relevant information about the Windows Public Key Infrastructure, namely Active Directory Certificate Services (AD CS) misconfigurations.
Earn two pentesting certifications at once!
Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.
At this moment, 10 exploitable scenarios were described as ESC-1 to ESC 10, and they can be abused to obtain privilege escalation over Active Directory networks with AD CS enabled.
The 10 possible scenarios can be described as follows:
- ESC-1: Misconfigured Certificate Templates
- ESC-2: Misconfigured Certificate Templates (2nd scenario)
- ESC-3: Misconfigured Enrollment Agent Templates
- ESC-4: Vulnerable Certificate Template Access Control
- ESC-5: Vulnerable PKI Object Access Control
- ESC-6: EDITF_ATTRIBUTESUBJECTALTNAME2
- ESC-7: Vulnerable Certificate Authority Access Control
- ESC-8: NTLM Relay to AD CS HTTP Endpoints
- ESC-9: No Security Extension
- ESC-10: Weak Certificate Mappings
How to use ESC-1 to gain domain admin privileges
While it is not possible in this article to present all potential scenarios, we will focus on the simplest one denominated as ESC-1: Misconfigured Certificate Templates.
1. Collect all the relevant information
The first step for carrying out this exploration is using the Certipy tool to get information about the configured CAs and enabled templates and import the information into the BloodHound tool. The option –bloodhound must be used to generate the proper format.
Figure 1: Details about the AD CS obtained and compiled into a zip format to be imported into the BloodHound tool.
In the next step, we can observe all the possible paths. The BloodHound custom queries need to be installed, as shown here. Once the queries are installed, it is possible to observe some paths, namely:
- Find all the enabled Certificate Templates
- Find the Certificate Authorities; and
- Find the escalation paths, in this case, ESC-1.
Figure 2: Image obtained from the BloodHound tool with the ESC-1 scenario highlighted.
2. Check if the target certificate allows “Client Authentication” and enroll arbitrary SAN
As described by the Certipy author, “the most common misconfiguration we’ve seen during our engagements is ESC1. ESC1 is when a certificate template permits Client Authentication and allows the enrollee to supply an arbitrary Subject Alternative Name (SAN)”.
Figure 3: Shortest paths to misconfigured certificate templates from owned principals — JOHN account.
This path checks if the target certificate allows “Client Authentication” and if any SAN can be specified. A potential attack via ESC-1 can be executed, as demonstrated below.
To explore this scenario via the Certipy tool, the -alt parameter (SAN) must be added.
Figure 4: SAN name specified during the ESC-1 escalation scenario.
As expected, a certificate and private key are requested and obtained in the pfx format. After that, a TGT ticket can be retrieved by using the following command. The NT hash for the target users is then received.
Figure 5: Obtained a TGT ticket for the target users, and NT hash is received.
From this point, the NT hash can be used in different scenarios on the Active Directory networks. For instance, Pass-the-Hash (PTH) attacks are possible, and accessing all the available machines on the networks can be achieved.
More details and information about other escalation scenarios can be obtained from:
With these scenarios, criminals typically dump all the domain users from the Domain Controller (ntds.dit), exfiltrate secrets and critical information from the internal networks, and finally create special GPOs to deploy and allow the execution of ransomware to end the infection chain.
Red teaming and Certify
AD CS misconfigured certificates are on the TOP of explorations in 2022, with criminals abusing these scenarios to escalate privileges on internal networks after an initial foothold. Although the mitigation of this flaw is not trivial, a set of measures must be taken into account to make this exploration hard.
In short:
- HTTP-based endpoints must be disabled if not needed or not in use.
- NTLM authentication must be disabled via GPO or by configuring associated IIS applications to only accept requests via Kerberos.
Eventually, imagine that it was not possible to perform the above two steps. In that case, only HTTPS should be allowed in the enrollment process, and the usage of EPA (Extended Protection for Authentication) must be configured.
What should you learn next?
In addition:
- Removing the "ENROLLEE_SUPPLIES_SUBJECT" flag will prevent certificates from being requested by any domain account. If the flag cannot be removed, the certificate approval management must be activated (CA Certificate Manager Approval) before the certificate is issued, and not allow "AutoEnrollment" by default. This measure should be applied whenever possible.
- Restrict enrollment rights only to users and groups that require these settings
- Monitor certificate Enrollments (event ID 4886): Ensure certificate requests do not request certificates with critical SANs (or any SAN).
Finally, ensure the configuration and hardening of the AD CS service according to Microsoft guidelines:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923
Sources:
- Certipy - ESC1 to ESC8, research.ifcr.dk
- Certipy - ESC9 to ESC10, research.ifcr.dk
- CVE-2022-26923 mitigation, Microsoft
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- Red Teaming: Taking advantage of Certify to attack AD networks
- Intelligence-led pentesting and the evolution of Red Team operations
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
- Exploiting NFS share [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness
Penetration testing