Understanding ADCS 101

Celia Catalán


In this post we cover the basics of ADCS and walk through the ESC1 exploitation technique.

Introduction to ADCS

Active Directory Certificate Services (ADCS) is a Windows Server role that provides customizable services for issuing and managing public key infrastructure (PKI) certificates. It lets organizations secure network communication, authenticate users and devices, and protect data integrity with cryptographic services. ADCS issues several kinds of certificates, among them SSL/TLS certificates, code signing certificates and smart card logon certificates.

ADCS is attractive to organizations because an administrator can publish certificate templates from which domain users and computers request enrollment and obtain certificates. Since a certificate issued for authentication is accepted by the domain as proof of identity, holding one is equivalent to holding the credentials of the account it names, with whatever access and privileges that account has.

A poor configuration of the ADCS role or of its components, certificate templates in particular, therefore leads to vulnerabilities that allow privilege escalation in the domain.

Vulnerability enumeration

To review ADCS during an audit, tools such as Certify.exe (a C# tool run from a Windows host) or Certipy (a Python tool run from Linux) are typically used.

Both tools enumerate certification authorities and templates and can request certificates from them, which makes it easy to spot templates whose configuration is incorrect and allows some form of abuse.

Enumeration of the certification authority (CA) in an Active Directory environment with certify.exe.

Depending on what the audited environment looks like, the enumeration will reveal different abuse techniques. These misconfiguration scenarios are catalogued as escalation techniques (ESC); at the time of writing there are 13 of them (ESC1 to ESC13), each of which can lead to privilege escalation in the domain.

ESC1 exploitation

ESC1 is the most common ADCS misconfiguration: a certificate template that low-privileged domain users are allowed to enroll in, that lets the requester supply the subject name (the "Supply in the request" option, which sets the ENROLLEE_SUPPLIES_SUBJECT flag on the template) and whose certificates are valid for authentication. Any domain user can then request a certificate carrying a Subject Alternative Name of another account, the domain administrator included, and authenticate as that account.
Certify.exe lists the templates in which the requester supplies the subject with the following command. Note that this flag on its own is not proof of ESC1: the default WebServer template sets it too, but its Server Authentication EKU cannot be used to log on, so the results still have to be checked for enrollment rights, an authentication EKU and the absence of manager approval (the /vulnerable option applies that full set of checks):


Terminal

Certify.exe find /enrolleeSuppliesSubject

Enumeration of a template vulnerable to ESC1.
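As an added illustration that is not part of the original post (and not Certify's or Certipy's own source code), the following Python evaluates a set of templates against every ESC1 condition, which is what Certify's /vulnerable option and Certipy's -vulnerable option do against LDAP. The templates are constructed inline as dictionaries: the template names, the CA name corp-DC01-CA and the enrollment-rights lists are made up for the example, while the attribute names are the real pKICertificateTemplate schema attributes and the flag and OID values are the documented ones.

```python
"""ESC1 template checker run over constructed sample templates.

Each template is a dict mirroring the LDAP attributes of a
pKICertificateTemplate object; the enrollment rights are given as a list of
principal names, as a tool would obtain by parsing nTSecurityDescriptor.
"""

# msPKI-Certificate-Name-Flag bit: the requester may supply the subject / SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: issuance is held for CA manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make a certificate usable to log on to AD (PKINIT / Schannel)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Principals every domain account belongs to (Domain Computers is reachable
# through a machine account created under MachineAccountQuota). Enrollment
# rights granted to one of them put the template within reach of any user.
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def allows_authentication(ekus):
    """An empty EKU list means 'any purpose', which includes authentication."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def check_esc1(template, low_priv=LOW_PRIV_PRINCIPALS):
    """Return the ESC1 conditions the template fails; an empty list means vulnerable."""
    reasons = []
    if not template["published_at"]:
        reasons.append("not published on any CA")
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("requester cannot supply the subject (ENROLLEE_SUPPLIES_SUBJECT not set)")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("requires CA manager approval (PEND_ALL_REQUESTS)")
    if template["msPKI-RA-Signature"] > 0:
        reasons.append(f"requires {template['msPKI-RA-Signature']} authorized signature(s)")
    if not allows_authentication(template["pKIExtendedKeyUsage"]):
        reasons.append("no authentication EKU")
    if not set(template["enrollment_rights"]) & set(low_priv):
        reasons.append("no enrollment rights for low-privileged principals")
    return reasons


def find_esc1(templates):
    """Names of the templates that meet every ESC1 condition."""
    return [t["name"] for t in templates if not check_esc1(t)]


# Constructed sample data (hypothetical CA "corp-DC01-CA" and template names).
SAMPLE_TEMPLATES = [
    {   # copy of the built-in User template with "Supply in the request" ticked
        "name": "VulnUserTemplate",
        "published_at": ["corp-DC01-CA"],
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x29,  # INCLUDE_SYMMETRIC_ALGORITHMS | PUBLISH_TO_DS | AUTO_ENROLLMENT
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
        "enrollment_rights": ["Domain Users"],
    },
    {   # same template, but issuance is held for manager approval
        "name": "ApprovedUserTemplate",
        "published_at": ["corp-DC01-CA"],
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x29 | CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enrollment_rights": ["Domain Users"],
    },
    {   # the default WebServer template: listed by `find /enrolleeSuppliesSubject`,
        # but Server Authentication alone cannot be used to log on
        "name": "WebServer",
        "published_at": ["corp-DC01-CA"],
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enrollment_rights": ["Domain Admins", "Enterprise Admins"],
    },
    {   # any-purpose certificate, but only Domain Admins may enroll
        "name": "AdminOnlySubCA",
        "published_at": ["corp-DC01-CA"],
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [],
        "enrollment_rights": ["Domain Admins"],
    },
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        failed = check_esc1(t)
        print(f"{t['name']:<22} " + ("ESC1" if not failed else "not ESC1: " + "; ".join(failed)))
```

Only VulnUserTemplate passes every check; the other three are listed by a bare `find /enrolleeSuppliesSubject` yet fail on manager approval, EKU or enrollment rights, which is why the flag alone should never be reported as a finding. On a real engagement the same checks also have to be applied to the CA itself (the low-privileged group needs Enroll on the pKIEnrollmentService object as well).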

Once a template has been found that grants enrollment to a low-privileged group (Domain Users or Authenticated Users, for instance), lets the requester supply the subject name, carries an EKU valid for authentication (Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose, or no EKU at all) and requires neither CA manager approval nor authorized signatures, a certificate for an arbitrary account can be requested as follows:

Terminal

Certify.exe request /ca:<CA host>\<CA name> /template:<vulnerable template> /altname:<account to impersonate>

Certificate request on behalf of the "administrator" account.

After running the command above, Certify prints a certificate, together with its private key, issued for the chosen account, in this case "administrator". Certify outputs the pair in PEM format, so it has to be converted with openssl (its pkcs12 export mode) into a .pfx file, which is the format Rubeus accepts. Rubeus's asktgt action then uses the certificate to authenticate via Kerberos PKINIT and obtains a TGT for the account named in the certificate.

Domain administrator ticket obtained.

As shown, a domain administrator ticket has been obtained with the issued certificate. Be aware that the May 2022 Windows hardening (KB5014754) adds the requester's SID to issued certificates and, once domain controllers are in Full Enforcement mode, rejects certificates whose embedded SID does not match the account being authenticated, so the enforcement state should be checked before relying on this technique.
In future installments we will continue with the remaining ESCs and their exploitation methods.


Ignacio Sánchez, collaborator with Zerolynx Group .