Abusing AD CS Certificate Template – ESC1, ESC2, ESC3

渗透技巧 2周前 admin

10 0 0

Understanding Active Directory Certificate Services (AD CS)
了解 Active Directory 证书服务（AD CS）

AD CS is a server role integral to Microsoft’s public key infrastructure (PKI) implementation. It tightly integrates with Active Directory and facilitates the issuance of X.509-formatted digitally signed electronic documents, known as certificates. In this blog, we’ll delve into the key functionalities of AD CS, explore its role in establishing a secure PKI infrastructure, discuss certificate management best practices, and examine practical use cases for leveraging AD CS within Microsoft environments.
AD CS 是 Microsoft 公钥基础结构（PKI）实现不可或缺的服务器角色。它与 Active Directory 紧密集成，便于颁发 X.509 格式的数字签名电子文档（称为证书）。在此博客中，我们将深入探讨 AD CS 的关键功能，探讨其在建立安全 PKI 基础结构中的作用，讨论证书管理最佳做法，并研究在 Microsoft 环境中利用 AD CS 的实际用例。

Functionality of Certificates
证书的功能
Certificates serve various purposes such as encryption, message signing, and authentication. Certificates provide identification of individuals through public/private key pairs that applications can use as proof of their identities.
证书有多种用途，例如加密、消息签名和身份验证。证书通过公钥/私钥对提供个人标识，应用程序可以使用这些密钥对作为其身份的证明。

Role of Certificate Authorities (CAs)
证书颁发机构（CA）的角色

Certificate Authorities (CAs) are responsible for issuing certificates. They play a crucial role in verifying the authenticity of the entities requesting the certificates.
证书颁发机构（CA）负责颁发证书。它们在验证请求证书的实体的真实性方面发挥着至关重要的作用。

Certificate Issuance Process
证书颁发流程

At a high level, the certificate issuance process involves the following steps:
概括地说，证书颁发过程涉及以下步骤：

Clients generate a public-private key pair.
客户端生成公钥-私钥对。
Certificate Signing Request (CSR) contains the public key along with other details related to the subject and template name for a certificate.
证书签名请求（CSR）包含公钥以及与证书的使用者和模板名称相关的其他详细信息。
CSRs are then submitted to an Enterprise CA server. Once attained, this server verifies both client eligibility for certificates as well as permissions of certificate templates specified within CSRs.
然后，CSR 将提交到企业 CA 服务器。获得证书后，此服务器将验证客户端是否有资格获得证书以及 CSR 中指定的证书模板的权限。
If the client meets all eligibility requirements and the template’s permissions allow, the CA will generate a certificate based on settings defined by its certificate template. Once signed with its private key, this certificate will then be distributed back to them client.
如果客户端满足所有资格要求，并且模板的权限允许，则 CA 将根据其证书模板定义的设置生成证书。使用其私钥签名后，此证书将分发回他们的客户端。

This process ensures secure and controlled certificate issuance within the network, enhancing system security and integrity.
此过程可确保网络内安全受控的证书颁发，从而增强系统的安全性和完整性。

Refer to the below diagram for better understanding:
请参阅下图以更好地理解：

Certificate Templates and AD CS Enterprise CAs
证书模板和 AD CS 企业 CA

AD CS Enterprise CAs issue certificates based on settings defined in AD objects known as certificate templates, which contain enrolment policies and predefined settings containing vital information needed to issue certificates such as:
AD CS 企业 CA 根据 AD 对象（称为证书模板）中定义的设置颁发证书，这些模板包含注册策略和预定义设置，其中包含颁发证书所需的重要信息，例如：

Validity period of the certificate
证书有效期

Intended usage of the certificate
证书的预期用途

Specification of the subject
主题的规范

Authorized entities for requesting a certificate
用于申请证书的授权实体

Various other settings 各种其他设置

EKU Object Identifiers and Certificate-Based Authentication
EKU 对象标识符和基于证书的身份验证

pKIExtendedKeyUsage on an AD certificate template object contains an array of object identifiers (OIDs). These Extended Key Usage object identifiers define which uses can be made of this certificate. Notably, certain EKU OIDs enable certificate-based authentication, including:
AD 证书模板对象上的 pKIExtendedKeyUsage 包含对象标识符（OID）数组。这些扩展密钥用法对象标识符定义可以对此证书进行哪些用途。值得注意的是，某些 EKU OID 支持基于证书的身份验证，包括：

Client Authentication OID (1.3.6.1.5.5.7.3.2)
客户端身份验证 OID （1.3.6.1.5.5.7.3.2）

PKINIT Client Authentication OID (1.3.6.1.5.2.3.4), which is not present in AD CS deployments by default and requires manual addition, but does work for client authentication
PKINIT 客户端身份验证 OID （1.3.6.1.5.2.3.4）默认情况下在 AD CS 部署中不存在，需要手动添加，但适用于客户端身份验证

Additional Settings and Issuance Requirements
其他设置和发行要求

In addition to EKU OIDs, templates encompass various other settings, which are further explored in detail in the Certified Pre-Owned whitepaper. The paper also delves into template “Issuance Requirements” that serve as preventive controls, a topic that will be briefly touched upon in this whitepaper.
除了 EKU OID 之外，模板还包含各种其他设置，这些设置在认证二手白皮书中进行了进一步详细探讨。本文还深入探讨了作为预防性控制措施的“发行要求”模板，本白皮书将简要介绍这一主题。

Exploring ADCS Misconfigurations
探索 ADCS 错误配置

The exploration of ADCS misconfigurations began with the release of SpecterOps’ influential White Paper titled “Certified Pre-Owned – Abusing Active Directory Certificate Services.” This paper delved into misconfigurations ranging from ESC1 to ESC8.
对 ADCS 错误配置的探索始于 SpecterOps 颇具影响力的白皮书的发布，该白皮书名为“认证二手 – 滥用 Active Directory 证书服务”。本文深入研究了从 ESC1 到 ESC8 的错误配置。

The Potential Risks and Attack Vectors
潜在风险和攻击媒介

Certificate Abuse: A Gateway for Attackers
证书滥用：攻击者的网关

Active Directory’s Certificate Services (AD CS) offers attackers an avenue to gain unauthorized entry and escalate privileges within an Active Directory environment. By exploiting misconfigurations or vulnerabilities within AD CS, attackers could leverage certificates to fraudulently authenticate as any user or machine within an environment, giving them extensive privileges that compromise all domains within it.
Active Directory 的证书服务（AD CS）为攻击者提供了在 Active Directory 环境中获取未经授权的进入和升级权限的途径。通过利用 AD CS 中的错误配置或漏洞，攻击者可以利用证书以欺诈方式对环境中的任何用户或计算机进行身份验证，从而为他们提供广泛的权限，从而危及其中的所有域。

Common Misconfigurations in AD CS
AD CS 中的常见错误配置

AD CS can be vulnerable to various misconfigurations that could lead to privilege escalation and compromise, including giving low-privileged users enrolment rights, disabling manager approval, not requiring authorized signatures, and overly permissive certificate template security descriptors. Furthermore, errors related to certificate templates, subject alternative names, enrolment agent templates can enable attackers to request certificates without authorization from AD CS servers.
AD CS 可能容易受到各种错误配置的影响，这些错误配置可能导致权限提升和泄露，包括授予低特权用户注册权限、禁用管理员批准、不需要授权签名以及过于宽松的证书模板安全描述符。此外，与证书模板、使用者备用名称、注册代理模板相关的错误可能使攻击者能够在未经授权的情况下从 AD CS 服务器请求证书。

Domain Escalation: A Serious Security Concern
域名升级：严重的安全问题

One of the most significant risks associated with AD CS is domain escalation. Through various misconfigurations and vulnerabilities in AD CS, attackers can escalate their privileges within the domain and gain unauthorized access to sensitive resources. This can have severe consequences for the security and integrity of an organization’s infrastructure.
与 AD CS 相关的最重大风险之一是域升级。通过 AD CS 中的各种错误配置和漏洞，攻击者可以提升其在域中的权限，并获得对敏感资源的未经授权的访问。这可能会对组织基础结构的安全性和完整性产生严重后果。

Practical: Domain Escalation using ESC1
实用：使用 ESC1 进行域升级

Understanding ESC1 Domain Escalation Scenario
了解 ESC1 域升级方案

The ESC1 (Escalation 1) scenario is the initial domain escalation scenario and is part of a collection of escalation scenarios that exploit misconfigured AD CS certificate templates.
ESC1 （升级 1）方案是初始域升级方案，是利用错误配置的 AD CS 证书模板的升级方案集合的一部分。

Misconfiguration in ESC1 ESC1 中的配置错误

The primary misconfiguration in this domain escalation scenario involves “Client Authentication” EKU and the ability to specify an alternate user in the certificate request. If a certificate template permits the inclusion of a subjectAltName (SAN) different from the user initiating the certificate request (CSR), it opens the possibility to request a certificate as any user within the domain.
此域升级方案中的主要错误配置涉及“客户端身份验证”EKU 以及在证书请求中指定备用用户的功能。如果证书模板允许包含与发起证书请求（CSR）的用户不同的 subjectAltName （SAN），则可以以域中的任何用户身份请求证书。

Exploiting ESC1 for Unauthorized Access and Privilege Escalation
利用 ESC1 进行未经授权的访问和权限提升

Suppose we compromise the domain account Sara; we can utilize it to enumerate the CA’s certificate templates to identify those that allow the inclusion of alternate names (SAN) and specified “Client Authentication” EKU. If such templates are found, we can request a certificate using the compromised Sara account’s credentials, including the desired alternate account (e.g., Administrator) in the SAN field. Upon successful issuance of the certificate, the ADCS server sends the certificate back, enabling us to use it to authenticate as the specified account in the SAN. This could potentially lead to unauthorized access and privilege escalation by authenticating as a higher-privileged user using the acquired certificate as credentials.
假设我们破坏了域帐户 Sara;我们可以利用它来枚举 CA 的证书模板，以识别那些允许包含备用名称（SAN）和指定“客户端身份验证”EKU 的模板。如果找到此类模板，我们可以使用已泄露的 Sara 帐户的凭据请求证书，包括 SAN 字段中所需的备用帐户（例如管理员）。成功颁发证书后，ADCS 服务器会发回证书，使我们能够使用它作为 SAN 中的指定帐户进行身份验证。这可能会导致未经授权的访问和权限提升，方法是使用获取的证书作为凭据以更高权限的用户进行身份验证。

ESC1 Abuse Requirements ESC1 滥用要求

The following conditions should be met to abuse ESC1:
滥用 ESC1 应满足以下条件：

The Enterprise CA’s configuration should permit low-privileged users to request certificates.
企业 CA 的配置应允许低特权用户请求证书。
Manager approval should be disabled.
应禁用经理审批。
No authorized signatures should be required.
不需要授权签名。
An overly permissive certificate template security descriptor should grant certificate enrolment rights to low-privileged users.
过于宽松的证书模板安全描述符应向低特权用户授予证书注册权限。
The certificate template defines EKU that enable authentication.
证书模板定义启用身份验证的 EKU。
The certificate template should allows requesters to specify a subjectAltName in the CSR.
证书模板应允许请求者在 CSR 中指定 subjectAltName。

ESC1 Enumeration ESC1 枚举

This section will cover how to enumerate ADCS to find vulnerable components like, misconfigured certificate templates.
本部分将介绍如何枚举 ADCS 以查找易受攻击的组件，例如配置错误的证书模板。

Using Certipy tool and its vast options we can find vulnerable templates and use the same tool to abuse it to compromise the domain. refer to the Certipy github for its command and usage.
使用 Certipy 工具及其大量选项，我们可以找到易受攻击的模板并使用相同的工具滥用它来破坏域。请参阅 Certipy github 了解其命令和用法。

Finding Vulnerable Template ESC1
查找易受攻击的模板 ESC1

The following command will show information about certificate authorities and vulnerable certificate templates.
以下命令将显示有关证书颁发机构和易受攻击的证书模板的信息。

$ Certipy find -u Sara -p ‘s@ra@123’ -dc-Ip 10.0.2.4 -stdout -enabled -vulnerable
$ Certipy find -u Sara -p ‘s@ra@123’ -dc-ip 10.0.2.4 -stdout -enabled -vulnerable

Vulnerable certificate template “ESC-1” found, which have “Client Authentication” EKU, manager approval is set to “False”, and Enrollment Rights set to “Domain Users” means any user can enroll for this certificate template using any user’s UPN.
找到易受攻击的证书模板“ESC-1”，该模板具有“客户端身份验证”EKU，经理批准设置为“False”，注册权限设置为“域用户”意味着任何用户都可以使用任何用户的 UPN 注册此证书模板。

Abusing Vulnerable Template ESC1
滥用易受攻击的模板 ESC1

To abuse ESC-1 vulnerable template, we can use Certipy tool to request for the new certificate by specifying UPN of Administrator user, by doing this, it will request for ESC-1 certificate using Administrator UPN, later we can use this certificate to authenticate as Administrator.
为了滥用 ESC-1 易受攻击的模板，我们可以使用 Certipy 工具通过指定管理员用户的 UPN 来请求新证书，通过这样做，它将使用管理员 UPN 请求 ESC-1 证书，稍后我们可以使用此证书作为管理员进行身份验证。

$ Certipy req -u Sara -p ‘s@ra@123’ -dc-Ip 10.0.2.4 -ca badcs-BADCS-CA-2 -template ESC-1 -upn [email protected]
$ Certipy req -u Sara -p ‘s@ra@123’ -dc-IP 10.0.2.4 -ca badcs-BADCS-CA-2 -template ESC-1 -upn [email protected]

Using the saved certificate administrator.pfx, we can authenticate to domain as administrator user or using certipy tool, we can retrieve the NT hash of the administrator user.
使用保存的证书 administrator.pfx，我们可以以管理员用户的身份向域进行身份验证，或者使用 certipy 工具，我们可以检索管理员用户的 NT 哈希。

The following certipy command try to authenticate using the administrator.pfx certificate and try to retrieve the NT hash of the administrator user.
以下 certipy 命令尝试使用 administrator.pfx 证书进行身份验证，并尝试检索管理员用户的 NT 哈希。

Using the retrieve NT hash of Administrator user, we can authenticate to “Domain Controller” using PassTheHash method, The following tools can be utilized for this: smbexec.py, wmiexecpy, psexec.py and Rubeus.exe
使用管理员用户的检索 NT 哈希，我们可以使用 PassTheHash 方法向“域控制器”进行身份验证，可以使用以下工具：smbexec.py、wmiexecpy、psexec.py 和 Rubeus.exe

Practical: Domain Escalation using ESC2
实用：使用 ESC2 进行域升级

Understanding ESC2 Domain Escalation Scenario
了解 ESC2 域升级方案

The ESC2 (Escalation 2) scenario is the initial domain escalation scenario and is part of a collection of escalation scenarios that exploit misconfigured AD CS certificate templates.
ESC2 （升级 2）方案是初始域升级方案，是利用错误配置的 AD CS 证书模板的升级方案集合的一部分。

Misconfiguration in ESC2 ESC2 中的配置错误

The primary misconfiguration in this domain escalation scenario involves “Any Purpose” EKU and the ability to specify an alternate user in the certificate request. If a certificate template permits the inclusion of a subjectAltName (SAN) different from the user initiating the certificate request (CSR), it opens the possibility to request a certificate as any user within the domain.
此域升级方案中的主要错误配置涉及“任何用途”EKU 以及在证书请求中指定备用用户的功能。如果证书模板允许包含与发起证书请求（CSR）的用户不同的 subjectAltName （SAN），则可以以域中的任何用户身份请求证书。

Exploiting ESC2 for Unauthorized Access and Privilege Escalation
利用 ESC2 进行未经授权的访问和权限提升

Suppose we compromise the domain account Sara; we can utilize it to enumerate the CA’s certificate templates to identify those that allow the inclusion of alternate names (SAN) and specified “Any Purpose” EKU. If such templates are found, we can request a certificate using the compromised Sara account’s credentials, including the desired alternate account (e.g., Administrator) in the SAN field. Upon successful issuance of the certificate, the ADCS server sends the certificate back, enabling us to use it to authenticate as the specified account in the SAN. This could potentially lead to unauthorized access and privilege escalation by authenticating as a higher-privileged user using the acquired certificate as credentials.
假设我们破坏了域帐户 Sara;我们可以利用它来枚举 CA 的证书模板，以识别那些允许包含备用名称（SAN）和指定的“任何用途”EKU 的模板。如果找到此类模板，我们可以使用已泄露的 Sara 帐户的凭据请求证书，包括 SAN 字段中所需的备用帐户（例如管理员）。成功颁发证书后，ADCS 服务器会发回证书，使我们能够使用它作为 SAN 中的指定帐户进行身份验证。这可能会导致未经授权的访问和权限提升，方法是使用获取的证书作为凭据以更高权限的用户进行身份验证。

ESC2 Abuse Requirements ESC2 滥用要求

The following conditions should be met to abuse ESC2:
滥用 ESC2 应满足以下条件：

The Enterprise CA’s configuration should permit low-privileged users to request certificates.
企业 CA 的配置应允许低特权用户请求证书。
Manager approval should be disabled.
应禁用经理审批。
No authorized signatures should be required.
不需要授权签名。
An overly permissive certificate template security descriptor should grant certificate enrolment rights to low-privileged users.
过于宽松的证书模板安全描述符应向低特权用户授予证书注册权限。
The certificate template defines Any Purpose EKU or no EKU.
证书模板定义“任何用途 EKU”或“无 EKU”。
The certificate template should allows requesters to specify a subjectAltName in the CSR.
证书模板应允许请求者在 CSR 中指定 subjectAltName。

ESC2 Enumeration ESC2 枚举

Using certipy tool and its vast options we can find vulnerable templates and use the same tool to abuse it to compromise the domain. refer to the Certipy github for its command and usage.
使用 certipy 工具及其广泛的选项，我们可以找到易受攻击的模板并使用相同的工具滥用它来破坏域。请参阅 Certipy github 了解其命令和用法。

Finding Vulnerable Template ESC2
查找易受攻击的模板 ESC2

The following command will show information about certificate authorities and vulnerable certificate templates.
以下命令将显示有关证书颁发机构和易受攻击的证书模板的信息。

$ certipy find -u Sara -p ‘s@ra@123’ -dc-Ip 10.0.2.4 -stdout -enabled -vulnerable
$ certipy find -u Sara -p ‘s@ra@123’ -dc-Ip 10.0.2.4 -stdout -enabled -vulnerable

Vulnerable certificate template “ESC-2” found, which have “Any Purpose” EKU, manager approval is set to “False”, and Enrollment Rights set to “Domain Users” means any user can enroll for this certificate template using any user’s UPN
找到易受攻击的证书模板“ESC-2”，该模板具有“任何用途”EKU，经理批准设置为“False”，注册权限设置为“域用户”意味着任何用户都可以使用任何用户的 UPN 注册此证书模板

Abusing Vulnerable Template ESC2
滥用易受攻击的模板 ESC2

To abuse ESC-2 vulnerable template, we can use certipy tool to request for the new certificate by specifying UPN of Administrator user, by doing this, it will request for ESC-2 certificate using Administrator UPN, later we can use this certificate to authenticate as Administrator.
为了滥用 ESC-2 易受攻击的模板，我们可以使用 certipy 工具通过指定管理员用户的 UPN 来请求新证书，通过这样做，它将使用管理员 UPN 请求 ESC-2 证书，稍后我们可以使用此证书作为管理员进行身份验证。

$ certipy req -u Sara -p ‘s@ra@123’ -dc-Ip 10.0.2.4 -ca badcs-BADCS-CA-2 -template ESC-2 -upn [email protected]
$ certipy req -u Sara -p ‘s@ra@123’ -dc-Ip 10.0.2.4 -ca badcs-BADCS-CA-2 -template ESC-2 -upn [email protected]

Using the saved certificate administrator.pfx, we can authenticate to domain as administrator user or using certipy tool, later, we can retrieve the NT hash of the administrator user.
使用保存的证书administrator.pfx，我们可以以管理员用户的身份或使用certipy工具向域进行身份验证，稍后，我们可以检索管理员用户的NT哈希。

Practical: Domain Escalation using ESC3
实用：使用 ESC3 进行域升级

Understanding ESC3 Domain Escalation Scenario
了解 ESC3 域升级方案

The ESC3 (Escalation 3) scenario is similar to ESC1 and ESC2, but it involves the exploitation of a different EKU and necessitates an extra step for the abuse to occur.
ESC3（升级 3）方案类似于 ESC1 和 ESC2，但它涉及利用不同的 EKU，并且需要额外的步骤才能发生滥用。

Misconfiguration in ESC3 ESC3 中的配置错误

The EKU Certificate Request Agent, identified by the Object Identifier (OID) 1.3.6.1.4.1.311.20.2.1, commonly known as the Enrollment Agent, enables a principal to request a certificate on behalf of another user. Imagine a scenario where a user with a smart card meets an IT administrator in person for identity verification, and the administrator needs to submit a certificate request on behalf of that user.
EKU 证书请求代理由对象标识符（OID） 1.3.6.1.4.1.311.20.2.1（通常称为注册代理）标识，使主体能够代表其他用户请求证书。假设使用智能卡的用户亲自与 IT 管理员会面进行身份验证，管理员需要代表该用户提交证书请求。

AD CS accomplishes this by utilizing a certificate template that includes the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) within its Extended Key Usages. The enrollment agent enrolls in this template and utilizes the resulting certificate to jointly sign a Certificate Signing Request (CSR) on behalf of the other user. Afterwards, the enrollment agent submits the co-signed CSR to the Certification Authority while enrolling in a template that grants permission to enroll on behalf of others. In response, the CA issues a certificate for the designated user.
AD CS 通过利用证书模板来实现此目的，该模板在其扩展密钥用法中包含证书请求代理 OID （1.3.6.1.4.1.311.20.2.1）。注册代理在此模板中注册，并利用生成的证书代表其他用户共同签署证书签名请求（CSR）。之后，注册代理将共同签名的 CSR 提交给证书颁发机构，同时注册一个模板，该模板授予代表其他人注册的权限。作为响应，CA 会为指定用户颁发证书。

To abuse this for privilege escalation, a CA required at least two templates matching conditions below.
要滥用此功能进行权限提升，CA 至少需要两个与以下条件匹配的模板。

Condition 1: 条件 1：

The following conditions should be met for the primary template to abuse ESC3:
要使主模板滥用 ESC3，应满足以下条件：

The Enterprise CA’s configuration should permit low-privileged users to request certificates.
企业 CA 的配置应允许低特权用户请求证书。
Manager approval should be disabled.
应禁用经理审批。
No authorized signatures should be required.
不需要授权签名。
An overly permissive certificate template security descriptor should grant certificate enrolment rights to low-privileged users.
过于宽松的证书模板安全描述符应向低特权用户授予证书注册权限。
The Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) allows for requesting other certificate templates on behalf on other principals.
证书请求代理 OID （1.3.6.1.4.1.311.20.2.1）允许代表其他主体请求其他证书模板。

Condition 2: 条件 2：

The following condition should be met for secondary template to abuse ESC3.
要使辅助模板滥用 ESC3 需要满足以下条件。

The Enterprise CA’s configuration should permit low-privileged users to request certificates.
企业 CA 的配置应允许低特权用户请求证书。
Manager approval should be disabled.
应禁用经理审批。
The template schema version 1 or greater than 2 mandates an Application Policy Issuance Requirement, necessitating the Certificate Request Agent EKU.
模板架构版本 1 或大于 2 要求应用程序策略颁发要求，因此需要证书请求代理 EKU。
The certificate template defines EKU that enable authentication.
证书模板定义启用身份验证的 EKU。
Enrollment agent restrictions should not be implemented on the CA.
不应在 CA 上实施注册代理限制。

ESC3 Enumeration ESC3 枚举

Finding Vulnerable Template ESC3
查找易受攻击的模板 ESC3

The following command will show information about certificate authorities and vulnerable certificate templates.
以下命令将显示有关证书颁发机构和易受攻击的证书模板的信息。

$ certipy find -u Sara -p ‘s@ra@123’ -dc-Ip 10.0.2.4 -stdout -enabled -vulnerable
$ certipy find -u Sara -p ‘s@ra@123’ -dc-Ip 10.0.2.4 -stdout -enabled -vulnerable

Vulnerable certificate template “ESC-3” found, which have “Any Purpose” EKU, manager approval is set to “False”, and Enrollment Rights set to “Domain Users” means any user can enroll for this certificate template using any user’s UPN
找到易受攻击的证书模板“ESC-3”，该模板具有“任何用途”EKU，经理批准设置为“False”，注册权限设置为“域用户”意味着任何用户都可以使用任何用户的 UPN 注册此证书模板

Abusing Vulnerable Template ESC3
滥用易受攻击的模板 ESC3

To abuse ESC-3 vulnerable template, we can use certipy tool to request for the new certificate for ESC-3 template as Sara user.
为了滥用 ESC-3 易受攻击的模板，我们可以使用 certipy 工具以 Sara 用户的身份请求 ESC-3 模板的新证书。

$ certipy req -u Sara -p ‘s@ra@123’ -dc-Ip 10.0.2.4 -ca badcs-BADCS-CA-2 -template ESC-3
$ certipy req -u Sara -p ‘s@ra@123’ -dc-IP 10.0.2.4 -ca badcs-BADCS-CA-2 -template ESC-3

Afterwards, we can request a certificate on behalf of any user from any other template by including the above exported certificate sara.pfx. It is crucial to request a certificate from a template that allows Client Authentication EKU. The built-in “User” template can be utilized for this (Condition 2).The following certipy command request a certificate on behalf of the Administrator user using the saved sara.pfx certificate.
之后，我们可以通过包含上述导出的证书 sara.pfx 来代表任何其他模板中的任何用户请求证书。从允许客户端身份验证 EKU 的模板请求证书至关重要。内置的“用户”模板可用于此目的（条件 2）。以下 certipy 命令使用保存的 sara.pfx 证书代表管理员用户请求证书。

$ certipy req -u Sara -p ‘s@ra@123’ -dc-Ip 10.0.2.4 -ca badcs-BADCS-CA-2 -templet User -on-behalf-of administrator -pfx sara.pfx
$ certipy req -u Sara -p ‘s@ra@123’ -dc-IP 10.0.2.4 -ca badcs-BADCS-CA-2 -templet 用户 -代表管理员 -pfx sara.pfx

With the saved certificate administrator.pfx, authentication as the administrator user on the domain or retrieving the NT hash using certipy tool is possible.
使用保存的证书 administrator.pfx，可以作为域上的管理员用户进行身份验证或使用 certipy 工具检索 NT 哈希。

Mitigations 缓解措施

Auditing Active Directory Certificate Services Architecture and Certificate Templates
审核 Active Directory 证书服务体系结构和证书模板

Regular auditing of AD CS architecture and certificate templates is crucial for promptly identifying and addressing vulnerabilities. Organizations must conduct thorough audits of AD CS security settings, including enrolment rights, manager approval, authorized signatures, and access control for each managed certificate template. Additionally, it’s imperative to recognize CA servers, including subordinate CAs, as Tier 0 assets that require robust protection measures.
定期审核 AD CS 体系结构和证书模板对于及时识别和解决漏洞至关重要。组织必须对 AD CS 安全设置进行全面审核，包括每个托管证书模板的注册权限、经理批准、授权签名和访问控制。此外，必须将 CA 服务器（包括从属 CA）识别为需要强大保护措施的第 0 层资产。

Treating CA Servers as Tier 0 Assets
将 CA 服务器视为第 0 层资产

Given their critical role in AD CS, organizations should treat CA servers like Domain Controllers – applying stringent access controls, regular patching and monitoring, restricting physical and logical access, etc. In doing so, organizations can increase overall AD CS security through such measures.
鉴于 CA 服务器在 AD CS 中的关键作用，组织应将 CA 服务器视为域控制器 – 应用严格的访问控制、定期修补和监视、限制物理和逻辑访问等。在此过程中，组织可以通过此类措施提高整体 AD CS 安全性。

TL;DR TL;博士

Active Directory Certificate Services (AD CS) serves a vital function in safeguarding digital certificates within an enterprise setting. However, its security implications are frequently underestimated, potentially leaving organizations vulnerable to attacks or compromise. To bolster the security of their AD CS infrastructure and mitigate risks linked to certificate abuse and domain escalation, organizations must grasp potential threats, institute robust security measures, and adhere to industry best practices.
Active Directory 证书服务（AD CS）在保护企业环境中的数字证书方面发挥着至关重要的作用。然而，其安全影响经常被低估，可能使组织容易受到攻击或损害。为了增强其 AD CS 基础结构的安全性并降低与证书滥用和域升级相关的风险，组织必须掌握潜在威胁，制定强大的安全措施，并遵守行业最佳实践。

Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems and provide recommendations to remediate them.
Redfox Security 是一个由具有全球思维和协作文化的专家安全顾问组成的多元化网络。如果您希望改善组织的安全状况，请立即联系我们，讨论您的安全测试需求。我们的安全专家团队可以帮助您识别系统中的漏洞和弱点，并提供修复建议。