ADCS essentials in one place: how the certificate server can be used to attack the domain controller from multiple angles (Part 1)

At the Black Hat conference in 2021, Will Schroeder and Lee Christensen released "Certified Pre-Owned - Abusing Active Directory Certificate Services", a white paper on abusing Active Directory Certificate Services (ADCS). It contains a large number of attack methods against ADCS and greatly expands the attack surface of domain penetration. Although ADCS is not installed in a domain environment by default, it is widely deployed in the domains of some large enterprises.

This article is divided into three parts. It focuses on how to use ADCS to attack domain controllers in a domain environment and how to use object ACLs to maintain elevated permissions. Along the way, we dive into the basic architecture, attack surface, and post-exploitation of ADCS, all explained through practical exercises.

## 1. Technical background

1. What is PKI?

Public Key Infrastructure (PKI) is a set of infrastructure consisting of hardware, software, participants, managers and processes, with the purpose of creating, managing, distributing, using, storing and revoking digital certificates. PKI relies on the exchange of digital certificates between authenticated users and trusted resources. You can use certificates to secure data and manage identification credentials from users and computers inside and outside your organization.

2. What is a CA?

A Certificate Authority (CA for short) is an authoritative organization responsible for issuing certificates, authenticating certificates, and managing issued certificates. It needs to formulate policies and specific steps to verify and identify user identities, and sign user certificates to ensure the identity of the certificate holder and the ownership of the public key.

3. What is a certificate?

A certificate is a small file, which contains public key information, owner identity information, and a digital signature of the digital certificate certification authority on the file to ensure that the overall content of the file is correct.

With this file, the owner can identify themselves to a computer system or to other users, gaining the other party's trust and being authorized to access or use certain sensitive computer services. During certificate enrollment, the client generates a public/private key pair and sends the public key to the CA. The CA confirms the client's information, signs with its own private key, and sends a certificate containing the client's public key back to the client.

In concept, a certificate is equivalent to a driver's license, and the traffic police department is equivalent to a CA. We submit our identity information and test results to the traffic police department, and they give us a driver's license with a unique stamp so that we can drive on the road. Passengers trust our driving skills because of the license, since the department issues one only to those who pass the test. If we seriously violate the traffic rules, the license is revoked and we can no longer drive or carry passengers.

4. What is ADCS?

The AD domain is a centralized management solution widely used in enterprise office intranets. Its domain controller plays the role of the "brain" of the AD domain, which makes it very important. Many enterprises install an ADCS certificate server alongside the AD domain to manage certificates. Attackers target ADCS to obtain control of the domain, which threatens the centralized security of AD.

5. Build ADCS


To build ADCS, please refer to the article [https://learn.microsoft.com/zh-cn/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority](https://learn.microsoft.com/zh-cn/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority). Be careful not to set up the certificate server and domain controller on one host.

## 2. What is a certificate template?

A certificate template defines how users and devices request and use certificates issued by an enterprise CA based on the template. For example, you could create a template to provide file encryption or email signing functionality. CA relies on ADDS to store configuration templates. Note that certificate templates are only available when using an enterprise CA, which means that when using a stand-alone CA, each certificate request must be manually created and include the required information that needs to be included in the certificate.

The CA provides templates for users and computers, and permissions can be assigned on certificate templates to define who can manage templates, who can perform enrollment or automatic enrollment, and the default validity period and renewal period. Additional modifications can be applied by copying the predefined certificate templates.

1. Template version

The CA in Windows Server AD CS supports four versions of certificate templates with the following functional differences:

* Version 1 templates. These templates only allow modification of certificate-related permissions. When a CA is installed, a version 1 certificate template is created by default.
* Version 2 templates. Using these templates, other settings such as expiration and renewal periods can be customized. This is also the minimum version that supports automatic enrollment. A default installation of AD CS includes several preconfigured version 2 templates. You can create a version 2 template, or copy a version 1 certificate template to create a new version 2 template.
* Version 3 templates. Version 3 certificate templates support Cryptography Next Generation (CNG). CNG supports advanced encryption algorithms. You can copy the default version 1 and version 2 templates and upgrade them to version 3. When using version 3 certificate templates, CNG encryption and hashing algorithms can be used for certificate requests, issued certificates, and private key protection for key exchange and key archival schemes.
* Version 4 templates. Version 4 certificate templates support cryptographic service providers (CSPs) and key storage providers. They can also be configured to require the same key for renewals.

You can use certtmpl.msc to open the Certificate Templates console and certsrv.msc to open the Certification Authority console.

In the console, the schema version is the template version mentioned above. The intended purpose is what the certificate is used for once it has been issued, such as client authentication or server authentication. To set the specific purpose of a template, right-click the template, open its properties, and add or remove usages in the application policy.

In the certificate template properties we mainly focus on Subject Name, Publishing Requirements, Extensions and Security.

2. Subject Name

The subject name determines the SAN (subjectAltName) that we will use later to specify an identity when applying for a certificate. If it is set to be supplied in the request, a certificate can be generated for a specified identity when applying for the certificate.

3. Publishing Requirements

In the publishing requirements, the main concern is whether "CA certificate manager approval" is checked. If the user has the right to enroll but CA certificate manager approval is checked in the certificate template, the certificate is issued only after the request has been approved by the CA administrator.

4. Extensions

In the extensions, the main focus is the application policy (pKIExtendedKeyUsage), the EKU mentioned above. According to SpecterOps research, certificates with the following EKUs can be used for Kerberos authentication:

* Client Authentication
* PKINIT Client Authentication
* Smart Card Logon
* Any Purpose
* Sub-CA

PKINIT does not exist by default; we can create it manually.

The object identifiers are as follows:

| Description | Object identifier (OID) |
| --- | --- |
| Client Authentication | 1.3.6.1.5.5.7.3.2 |
| PKINIT Client Authentication | 1.3.6.1.5.2.3.4 |
| Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 |
| Any Purpose | 2.5.29.37.0 |
| Subordinate CA | (no EKUs) |

5. Security

In the security settings, we mainly check whether the Authenticated Users group has Full Control, Write or Enroll permissions. If it has these permissions, security problems follow.

## 3. How to register the certificate?

1. Certificate Registration Process

(1) The client creates a public/private key pair.

(2) The client sends a certificate signing request (CSR) to the enterprise CA server.

(3) The CA checks whether the certificate template exists, whether the template allows the settings in the CSR, and whether the user is allowed to enroll for certificates.

(4) If the above conditions are met, the CA generates a certificate and signs it with the CA private key.

2. Manually apply for a certificate

(1) The client first generates a certificate application file, which we can generate through openssl. First generate the private key

openssl genrsa -out server.key 1024

Generate the public key:

openssl rsa -in server.key -pubout -out public.key

(2) Generate the certificate application file CSR according to the private key

openssl req -new -key server.key -out server.csr


(3) The client sends the certificate request file (CSR) to the CA, and then selects a certificate template. Then the CA will judge whether the certificate template exists, whether the content requested by the CSR is allowed to be used in the template, and whether the user is allowed to register the certificate. Note that at this point I have installed the certificate web service.


(4) The CA signs the certificate with its own private key and returns it to the client.


3. Use the web page to register the certificate

I have already installed the certificate web service. Open http://ip/certsrv/ and enter the domain account password.

Click "Request a certificate", then "advanced certificate request".

Then choose "Create and submit a request to this CA".

4. Users in the domain use the GUI to request a certificate

If you are in the domain, you can start certmgr.msc to apply for a user certificate, or use certlm.msc to apply for a computer certificate.

## 4. How ADCS is represented in LDAP

The location of ADCS in the ldap container is

CN=Public Key Services,CN=Services,CN=Configuration,DC=,DC=

Among them, Certification Authorities stores the trusted root certificates, AIA is Authority Information Access, CDP is the CRL distribution point, Certificate Templates holds the certificate templates, Enrollment Services holds the enterprise CAs, and OID holds the object identifiers.

## 5. PKINIT protocol

The PKINIT protocol is an extension of the Kerberos protocol that allows a Kerberos TGT to be obtained with an X.509 certificate. The difference between PKINIT and normal Kerberos is mainly in the AS stage: one authenticates with symmetric-key encryption, the other with asymmetric-key encryption. Let us first look at the normal Kerberos AS authentication process:

(1) When a client user in the domain accesses a service in the domain and enters the user name and password, the client's Kerberos service sends an AS_REQ authentication request to the AS (authentication service) of the KDC. The request carries a timestamp encrypted with the client's NTLM hash, together with data such as Client-info, Server-info and some other information.

(2) After the client sends its identity information to the AS, the AS first asks Active Directory whether this client user exists. If so, it takes out the user's NTLM hash and uses it to decrypt the encrypted timestamp in the AS_REQ request. If the decryption succeeds, the password provided by the client is correct. If the timestamp is within five minutes, pre-authentication succeeds.

The AS then generates a temporary session key, Session-Key AS, and encrypts it with the client's NTLM hash as one part of the response packet. This Session-Key AS secures the communication between the client and the TGS. The other part is the TGT, in which Session-Key AS, a timestamp and Client-info are encrypted with the NTLM hash of a specific account in the KDC. This specific account is the krbtgt user that is generated automatically when a domain controller is created. The AS then returns both parts, together with the PAC and other information, to the client as the AS_REP. The PAC contains information such as the user's SID and the groups the user belongs to.

Next, look at the PKINIT authentication process:

(1) The client sends the KDC the certificate it obtained from the CA together with a timestamp encrypted with the client's own private key.

(2) The KDC verifies the client's identity through the CA certificate chain, obtains the public key from the client certificate, decrypts the timestamp with that public key, and checks whether the timestamp falls within the allowed time.

(3) If the identity verification passes and the timestamp conforms to the rules, the KDC returns a TGT and a session key (the session key is generated using one of the following two methods).

PKINIT is a less common asymmetric key method. Clients have a public/private key pair and use their private key to encrypt pre-authentication data, and the KDC decrypts it with the client's public key. The KDC also has a public/private key pair that allows session keys to be exchanged using one of two methods:

(1) Diffie-Hellman Key Delivery

This method allows the KDC and client to securely establish a shared session key, even if an attacker possesses either the client's or the KDC's private key. The session key will be stored in the encrypted part of the TGT, which is encrypted with the key (hash) of the krbtgt account. For Diffie-Hellman, please refer to this article:

https://www.liaoxuefeng.com/wiki/1252599548343744/1304227905273889

(2) Public Key Encryption Key Delivery

This method wraps the session key generated by the KDC with the KDC's private key and the client's public key.

For specific traffic analysis, I will introduce the difference between normal kerberos and PKINIT in a later article.

## 6. Certificate template misconfiguration attack

The "Certified Pre-Owned" white paper presented at Black Hat 2021 describes the abuse of ADCS in detail. The following sections configure and analyze the attacks that lead to domain privilege escalation under different certificate template misconfigurations.

1. ESC1

* The issuing CA grants low-privileged users permission to request certificates (default)
* CA manager approval is not enabled in the template (default)
* Authorized signatures are not required in the template (default)
* The template allows low-privileged users to enroll
* The template defines an EKU that enables authentication
* The certificate template allows requesters to specify a SAN in the CSR

When the above conditions are met, an attacker requesting a certificate can use the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT setting to declare an identity of their own choosing and so obtain a certificate for a forged identity.

Use certsrv.msc to open the Certification Authority console and create a template first: right-click Certificate Templates -> Manage -> right-click an existing certificate template -> Duplicate Template, then apply the misconfiguration to the copy.

We can use certify.exe find to view the configuration: the msPKI-Certificate-Name-Flag attribute has the value ENROLLEE_SUPPLIES_SUBJECT, meaning the subject identity can be supplied in the request.

Use this template to apply for a certificate. At this time, my account name is test1, which has local administrator authority in the domain.

Use the command:

Certify.exe request /ca:DC03Server.lohack.cm\lohack-DC03Server-CA-2 /template:ESC1 /altname:administrator

View the username of the user we are requesting a certificate for.


Then copy from -----BEGIN RSA PRIVATE KEY----- to -----END CERTIFICATE----- , save it as ESC1.pem, and then use openssl to convert it to ESC1.pfx without setting password.

① .key suffix: contains only the private key

② .crt/.cer suffix: contains only the public key

③ .csr suffix: the certificate application file; it does not contain the public key or the private key, so it is useless here

④ .pfx, .pem, .p12 suffixes: contain both public and private keys, our favorite.

Use Rubeus.exe to request the TGT we need. The ESC1.pfx here is the certificate we just applied for. Before we apply for the certificate, running dir against the domain controller fails.

Now running dir against the domain controller succeeds.

Checking the credentials at this point shows a cifs service ticket.

2. ESC2

* The issuing CA grants low-privileged users permission to request certificates
* Manager approval is not enabled in the template
* Authorized signatures are not required in the template
* The template allows low-privileged users to enroll
* The certificate template defines no EKU or the Any Purpose EKU

As with ESC1, create a template. This time, leave the application policy empty, so that the EKU is empty or Any Purpose.

Use the certify.exe find command to view the configuration of template ESC2: msPKI-Certificate-Name-Flag is ENROLLEE_SUPPLIES_SUBJECT, and pkiextendedkeyusage and mspki-certificate-application-policy are both empty.

Now use Certify to request a certificate:

Certify.exe request /ca:DC03Server.lohack.cm\lohack-DC03Server-CA-2 /template:ESC2 /altname:administrator

Generate a pfx certificate as in ESC1, then use Rubeus to request a TGT and try to list the domain controller's directory.

3. ESC3

Template 1 issues an "Enrollment Agent" certificate:

* The issuing CA grants low-privileged users permission to request certificates
* CA manager approval is not enabled in the template
* Authorized signatures are not required in the template
* The template allows low-privileged users to enroll
* The certificate template defines the Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1)

Template 2 allows an "Enrollment Agent" certificate to be used to apply for authentication certificates on behalf of other users:

* The issuing CA grants low-privileged users request permissions (default)
* CA manager approval is not enabled in the template (default)
* Authorized signatures are not required in the template (default)
* The template allows low-privileged users to enroll
* The template defines an EKU that enables authentication
* The template schema version is 1, or is greater than 2 and specifies an application policy issuance requirement that requires the Certificate Request Agent EKU
* Enrollment agent restrictions are not configured on the CA (default)

Certify.exe request /ca:DC03Server.lohack.cm\lohack-DC03Server-CA-2 /template:ESC3

Certify.exe request /ca:DC03Server.lohack.cm\lohack-DC03server-CA-2 /template:ESC32 /onbehalfof:lohack\administrator /enrollcert:ESC32

Rubeus.exe asktgt /user:administrator /certificate:ESC44.pfx /dc:10.10.21.2 /ptt

4. ESC4

Certificate templates are securable objects in AD, which means they have a security descriptor specifying which AD principals have specific permissions on the template. If the template's permissions allow unprivileged AD principals to edit it, the template is open to attack.

If the attacker has the WriteProperty permission on the template object and can modify the template's AD object attributes, a misconfiguration can be written into the template, for example enabling the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag in the mspki-certificate-name-flag attribute for domain members, which results in the same abuse scenario as ESC1.

Configure the template below

View template configuration

Then use admod to modify mspki-certificate-name-flag

Apply for a certificate

Finally, you can apply for a certificate and import a ticket
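A defender-side check for the ESC1 to ESC4 template conditions listed above, as an added example (not code from the original article or from Certify): it evaluates template attributes as they would be exported from the Certificate Templates container. The dictionary layout, the `enroll_principals` and `write_principals` fields, the `LOW_PRIV` set and the sample templates (including the hypothetical `Gated` one) are assumptions; ESC3 here covers only the enrollment agent template (template 1).

```python
# Added example: audit certificate template attributes for ESC1-ESC4 conditions.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002  # bit in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs taken from the article.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
}
ANY_PURPOSE = "2.5.29.37.0"
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"

# Assumption: the principals treated as low-privileged in this domain.
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def audit_template(t):
    """Return the ESC conditions that one template's attributes satisfy."""
    enroll = LOW_PRIV & set(t.get("enroll_principals", ()))
    write = LOW_PRIV & set(t.get("write_principals", ()))
    ekus = set(t.get("pKIExtendedKeyUsage", ()))
    supplies_subject = bool(
        t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    approval = bool(t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)
    signatures = t.get("msPKI-RA-Signature", 0) > 0

    findings = []
    # Enrollment-based conditions apply only when a low-privileged principal can
    # enroll and neither manager approval nor authorized signatures gate issuance.
    if enroll and not approval and not signatures:
        if supplies_subject and ekus & AUTH_EKUS:
            findings.append("ESC1")
        if not ekus or ANY_PURPOSE in ekus:
            findings.append("ESC2")
        if CERT_REQUEST_AGENT in ekus:
            findings.append("ESC3")
    # ESC4: a low-privileged principal can rewrite the template itself.
    if write:
        findings.append("ESC4")
    return findings


def audit_all(templates):
    """Map each template name to its list of findings."""
    return {t["cn"]: audit_template(t) for t in templates}


# Constructed sample data, not an export from a real domain.
SAMPLE_TEMPLATES = [
    {"cn": "ESC1", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["Domain Users"], "write_principals": ["Domain Admins"]},
    {"cn": "ESC2", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [],
     "enroll_principals": ["Domain Users"], "write_principals": ["Domain Admins"]},
    {"cn": "ESC3", "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.1"],
     "enroll_principals": ["Domain Users"], "write_principals": ["Domain Admins"]},
    {"cn": "ESC4", "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["Domain Admins"], "write_principals": ["Authenticated Users"]},
    {"cn": "Gated", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["Domain Users"], "write_principals": ["Domain Admins"]},
]

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_TEMPLATES).items():
        print(f"{name:6} {', '.join(found) or 'no finding'}")
```

The `Gated` template has the same name flag and EKU as `ESC1` but requires manager approval, which is why it produces no finding.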
