Breaking Active Directory Certificate Services - Vietnamese Blog

Written by uziii2208, Lead Security Researcher

Introduction

Active Directory Certificate Services (ADCS) plays a crucial role in enterprise PKI infrastructure. However, misconfigurations in ADCS can lead to serious security vulnerabilities. This blog post explores common attack vectors and defense strategies.

Security Advisory: The techniques described in this post are for educational purposes only. Always ensure you have proper authorization before testing in any environment.

Understanding AD CS

AD CS is Microsoft's Public Key Infrastructure (PKI) implementation that provides:

  • Digital certificate management
  • Certificate enrollment services
  • Key archival and recovery

Common Misconfigurations

Common Vulnerable Settings

  • EDITF_ATTRIBUTESUBJECTALTNAME2
  • CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
  • No Manager Approval

Attack Vectors

ESC1: User Certificate Abuse

ESC1 is the simplest ADCS attack, and honestly, it's my favorite because it's so reliable. It exploits certificate templates that allow attackers to specify arbitrary Subject Alternative Names (SAN).

The misconfiguration is a template that lets requesters supply their own subject alternative names (the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT setting listed above) without manager approval, so a certificate can be requested for another account.

ESC2: Machine Certificate Abuse

ESC2 targets templates with "Any Purpose" in Extended Key Usage, meaning the certificate can be used for any purpose. This becomes particularly dangerous when combined with other vulnerabilities.

ESC3: Enrollment Agent Template Abuse

ESC3 exploits certificate templates that grant Certificate Request Agent privileges. It allows requesting certificates on behalf of other users.

ESC4: Certificate Template Permissions

ESC4 arises from write permissions on certificate template objects: a secure template is modified to make it vulnerable, exploited, and then restored to remove the traces.

ESC5: Vulnerable PKI Object Access

ESC5 exploits weak permissions on PKI objects themselves, including CA servers and certificate template containers.

ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 Flag

ESC6 exploits the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on CAs, allowing specification of SANs in any certificate request.

ESC7: Certificate Authority Access

ESC7 involves direct access to the CA. If you have ManageCA or ManageCertificates rights, you essentially own the entire certificate infrastructure.

ESC8: NTLM Relay to HTTP Endpoints

ESC8 combines ADCS with NTLM relay attacks, targeting HTTP-based certificate enrollment endpoints.

ESC9: No Security Extension

ESC9 exploits certificate templates that don't require the szOID_NTDS_CA_SECURITY_EXT security extension in issued certificates.

ESC10: Certificate Mapping Vulnerabilities

ESC10 exploits weak certificate-to-account mapping configurations.

ESC11: ICERTREQUEST Interface

ESC11 targets CAs configured with the IF_ENFORCEENCRYPTICERTREQUEST flag, which can be bypassed under certain conditions.

ESC12: CA Server Configuration

ESC12 involves vulnerabilities in the CA server configuration itself, including YubiHSM vulnerabilities.

ESC13: OID Group Policy Links

ESC13 exploits certificate templates with issuance policies linked to Active Directory groups.

ESC14: Shadow Credentials

ESC14 represents advanced certificate mapping techniques beyond basic altSecurityIdentities exploitation.

ESC15: Version 1 Template Application Policies

ESC15, also known as "EKUwu", exploits a vulnerability in version 1 certificate templates where attackers can specify arbitrary Application Policies in certificate requests.

ESC16: ADCS Web Enrollment Relay

ESC16 relays NTLM authentication to ADCS web enrollment interfaces, allowing certificate theft.

Defense Strategies

  • Audit certificate templates regularly
  • Implement strict access controls
  • Monitor certificate requests
  • Enable certificate request logging
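
As an added audit example (not code from the original post), the Python helper below evaluates the template and CA settings discussed above and reports the ESC1, ESC2, ESC3, ESC9 and ESC6 conditions. It runs on constructed dicts that mirror the templates' LDAP attributes; the `low_priv_enroll` field is an assumed, pre-computed result of an ACL check rather than something the script queries.

```python
# Added audit helper (not the original post's code). Flag values are the
# documented AD CS constants; template records are constructed dicts that
# mirror the template's LDAP attributes.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag (manager approval)
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000      # msPKI-Enrollment-Flag (ESC9)
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000     # CA EditFlags (ESC6)

CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
ANY_PURPOSE_EKU = "2.5.29.37.0"
CERT_REQUEST_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"

def assess_template(t):
    """Return the ESC conditions a template record exhibits.
    `low_priv_enroll` is an assumed, pre-computed ACL result: does a
    low-privileged principal hold Enroll rights on this template?"""
    findings = set()
    approval = bool(t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    signatures = t.get("msPKI-RA-Signature", 0) > 0
    # Neither manager approval nor authorized signatures guard enrollment
    unguarded = t["low_priv_enroll"] and not approval and not signatures
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    supplies_subject = bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)

    if unguarded and supplies_subject and ekus & CLIENT_AUTH_EKUS:
        findings.add("ESC1")  # requester picks the SAN on an auth-capable cert
    if unguarded and (ANY_PURPOSE_EKU in ekus or not ekus):
        findings.add("ESC2")  # Any Purpose or no EKU restriction at all
    if unguarded and CERT_REQUEST_AGENT_EKU in ekus:
        findings.add("ESC3")  # enrollment agent certificate obtainable
    if t["msPKI-Enrollment-Flag"] & CT_FLAG_NO_SECURITY_EXTENSION:
        findings.add("ESC9")  # szOID_NTDS_CA_SECURITY_EXT omitted from issued certs
    return findings

def assess_ca(edit_flags):
    """ESC6: the CA honours a SAN attribute on any request when this bit is set."""
    return {"ESC6"} if edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2 else set()

# Constructed sample template (not a real template) and its hardened variant
SAMPLE_VULN = {"msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0,
               "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
               "low_priv_enroll": True}
SAMPLE_FIXED = dict(SAMPLE_VULN, **{"msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS})
```

Requiring manager approval (CT_FLAG_PEND_ALL_REQUESTS) on the sample template is enough to clear the ESC1 finding, which is why the defense list above pairs template auditing with access controls.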

Conclusion

Securing AD CS requires continuous monitoring and proper configuration management. Regular security assessments and staying updated with the latest security recommendations are essential.