My dear Bagginses and Boffins, Tooks and Brandybucks, Grubbs, Chubbs, Hornblowers, Bolgers, Bracegirdles and Proudfoots - it is time for some new shit. We are going to explore the wonderful world of Active Directory Certificate Services, aka ADCS. If you want to leave an impression on your next pentest, this one's for you, as Microsoft's PKI implementation is widely used but little understood (well, at least in terms of security). The same is true if you live on the blue side, as you can proactively mitigate issues and earn some bonus points with your boss, maybe. Prepare yourself for a shitload of pictures, memes, and useful as well as meaningless information.

If you have not already done so, go and read the fundamental work this blog post relies on: Certified Pre-Owned. It is the research from the SpecterOps guys Will Schroeder and Lee Christensen in the field of ADCS abuses and their mitigations. If you are just here to pwn stuff, you can directly jump to your desired section:

The Active Directory Certificate Service(s) is one of the 5 main Active Directory services from Microsoft, included (or at least installable) since Windows Server 2008 (-> Microsoft). During my pentests, I have not seen one environment where ADCS was not installed and in use. It's Microsoft's Public Key Infrastructure implementation for AD, or, if you are as dumb as me, the service that introduces and handles certificates in your Active Directory. Certificates can be used to authenticate users and computers, prove the validity of a website (you know the little thingy in your browser's search bar that warns you when the cert is invalid) or for signing, e.g. a PowerShell script or executable.

During their research, Will and Lee stumbled upon a lot of possible ways to abuse ADCS and have the Certificate Authority do things like issue certs for other users to us, relay a Domain Controller's authentication to the cert enrollment endpoint so we could "become" a Domain Controller, and so on. They split the attacks into certain groups, which are: Theft, Persistence, Escalation and Domain Persistence. We will mainly (and maybe only) focus on the escalation ones in this blog post. Later on, Oliver Lyak extended the list of vulns (Certifried, ESC9 & ESC10) and even wrote the according tools to abuse those.

Well, there are some components/terms that we first need to be aware of:

Certificate Authority: That is the PKI server that generates and issues the certificates.
Enterprise CA: The AD-integrated CA, which offers certificate templates.
Certificate Template: That's like a blueprint for a cert, which defines what a cert is for, what info an enrollee needs to supply, who is allowed to enroll and so on.
Certificate Signing Request: That is the data one sends to the CA in order to get a cert.
Extended Key Usage: These are OIDs that define what a cert can be used for, for example signing, authentication etc.
Certificate: A digitally signed (by the CA) "document" that can be used for the stuff specified within the EKU. It ties an identity to a key pair (public/private), which allows applications to identify them.
Subject: The identity the cert is bound to.
PKINIT: A Kerberos extension that enables the usage of certs to request tickets.

A certificate is an X.509-formatted digitally signed document used for encryption, message

To give you an overview of how a cert is issued, have a look at the following pic:

A certificate typically has various fields, including some of the following:

Subject - The owner of the certificate.
Public Key - Associates the Subject with a private key stored separately.
NotBefore and NotAfter dates - Define the duration that the certificate is valid.
Serial Number - An identifier for the certificate assigned by the CA.
Issuer - Identifies who issued the certificate (commonly a CA).
SubjectAlternativeName - Defines one or more alternate names that the Subject may go by.
Basic Constraints - Identifies if the certificate is a CA or an end entity, and if there are any constraints when using the certificate.
Extended Key Usages (EKUs) - Object identifiers (OIDs) that describe how the certificate will be used. Also known as Enhanced Key Usage in Microsoft parlance. Some common EKUs are:
  Code Signing (OID 1.3.6.1.5.5.7.3.3) - The certificate is for signing executable code.
  Encrypting File System (OID 1.3.6.1.4.1.311.10.3.4) - The certificate is for encrypting file systems.
  Secure Email (OID 1.3.6.1.5.5.7.3.4) - The certificate is for encrypting email.
  Client Authentication (OID 1.3.6.1.5.5.7.3.2) - The certificate is for authentication to another server (e.g., to AD).
  Smart Card Logon (OID 1.3.6.1.4.1.311.20.2.2) - The certificate is for use in smart card authentication.
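As an added example (it is neither from this blog post nor from the Certified Pre-Owned authors' tooling), the following stdlib-only Python shows how the EKU OIDs listed above are actually encoded inside a certificate: it builds and parses the DER extKeyUsage extension (a SEQUENCE of OBJECT IDENTIFIERs) and then answers the question a defender cares about when reviewing templates, namely whether a given EKU set lets the resulting cert authenticate to AD. The sample extension bytes are constructed in the script, not taken from a real certificate. Two OIDs not named in the post, PKINIT Client Authentication (1.3.6.1.5.2.3.4) and Any Purpose (2.5.29.37.0), are added from the Certified Pre-Owned paper, as is the rule that a certificate with no EKU extension at all counts as usable for authentication; treat that list as an assumption to verify against your own CA.

```python
# Added example, not part of the original post: DER codec for the X.509
# extKeyUsage extension (RFC 5280, 4.2.1.12) plus an AD-authentication check.

# OID -> name. The first five are the EKUs listed in the post; the last two are
# added here from the Certified Pre-Owned paper (assumption: verify on your CA).
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
# EKUs that let a certificate authenticate to AD (Schannel or PKINIT).
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2",
             "1.3.6.1.5.2.3.4", "2.5.29.37.0"}
TAG_OID, TAG_SEQUENCE = 0x06, 0x30


def encode_base128(n):
    """One OID arc as base-128 bytes, high bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_length(n):
    """DER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Dotted OID string -> complete DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = encode_base128(arcs[0] * 40 + arcs[1])  # first two arcs are packed
    for arc in arcs[2:]:
        body += encode_base128(arc)
    return bytes([TAG_OID]) + encode_length(len(body)) + body


def encode_eku_extension(oids):
    """extnValue of extKeyUsage: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([TAG_SEQUENCE]) + encode_length(len(body)) + body


def read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """OBJECT IDENTIFIER value bytes -> dotted string."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    first = arcs[0]  # undo the 40*a+b packing; the first arc is 0, 1 or 2
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_eku_extension(ext_value):
    """Return the list of dotted OIDs inside an extKeyUsage extnValue."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = read_tlv(body, pos)
        if tag != TAG_OID:
            raise ValueError("expected OBJECT IDENTIFIER inside extKeyUsage")
        oids.append(decode_oid(oid_body))
    return oids


def allows_domain_auth(eku_oids):
    """True if the EKU set permits AD authentication. None means the extension
    is absent, which (per Certified Pre-Owned) is treated as valid for anything."""
    return eku_oids is None or any(o in AUTH_EKUS for o in eku_oids)


if __name__ == "__main__":
    # Constructed sample: a cert that may sign code AND log on to the domain.
    sample = encode_eku_extension(["1.3.6.1.5.5.7.3.3", "1.3.6.1.4.1.311.20.2.2"])
    print(sample.hex())
    found = parse_eku_extension(sample)
    print([EKU_NAMES.get(o, o) for o in found], "auth-capable:", allows_domain_auth(found))
```

The same parser works on the raw extnValue bytes of a real certificate once you have pulled the extKeyUsage extension out of it (OID 2.5.29.37); the point of the check is that a template whose certificates carry Client Authentication, Smart Card Logon, PKINIT Client Authentication or Any Purpose, or carry no EKU at all, produces certs that can be presented to the domain, which is exactly what makes template misconfigurations interesting.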