AD Certificates

See HERE.

A CA (Certification Authority) is part of the Active Directory Certificate Services (AD CS).

A CA is installed when the organization wants to use:

  • Authentication via certificates (Kerberos authentication with certificate (PKINIT) instead of using passwords/hashes)

  • Smart cards, VPN certificates, corporate Wi-Fi

  • Single Sign-On with certificates

  • Or when certificates are needed for machines/users/services

Identification

Use Certipy for enumeration and identifying vulnerable templates.

certipy find -vulnerable -u <USER>@<DOMAIN> -p <PASSWORD> -dc-ip <DC> -stdout

Attacks

Golden Certificate

If you compromise the CA (obtain its .pfx), you can:

  • Sign a certificate for Administrator

  • Use it to obtain a TGT via PKINIT

  • Access the domain as that account

If you have read access to the disk, from the Windows victim:

Obtain its .pfx

Use Certipy from Linux to craft the Golden Certificate.

Always run sudo ntpdate <DC_IP> first: Kerberos (and therefore PKINIT) rejects requests when the clock skew with the DC is too large.
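As an added defender-side example (not part of the original page or of Certipy): a Golden Certificate is signed offline with the stolen CA key and never passes through the CA, so the CA's issued-certificate database has no record of it. PKINIT logons on a DC are logged as event 4768 with certificate fields (issuer name, serial number, thumbprint); any such logon whose serial the CA never issued stands out. The events, serial list and CA name below are constructed sample data.

```python
"""Flag PKINIT logons (DC event 4768 with certificate fields) whose
certificate serial was never issued by the CA. A golden certificate is
forged with the stolen CA key, so the CA database has no entry for it.

All event records and the issued-serial list below are constructed
sample data, not real logs."""


def normalize_serial(serial: str) -> str:
    """Uppercase hex with separators stripped, so serials exported from
    the CA (space-separated) and from the 4768 event compare equal."""
    return "".join(ch for ch in serial.upper() if ch in "0123456789ABCDEF")


def find_forged_pkinit(events, issued_serials, ca_issuer):
    """Return 4768 events where the client certificate claims to come from
    ca_issuer but its serial is absent from the CA's issued list."""
    issued = {normalize_serial(s) for s in issued_serials}
    suspicious = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        serial = ev.get("CertSerialNumber", "")
        if not serial:                      # no certificate: password-based AS-REQ
            continue
        if ev.get("CertIssuerName") != ca_issuer:
            continue                        # other issuer: not this CA's concern
        if normalize_serial(serial) not in issued:
            suspicious.append(ev)
    return suspicious


# Constructed sample: serials of certificates the CA actually issued.
ISSUED_SERIALS = ["61 00 00 00 02 a1 b2 c3", "61 00 00 00 03 d4 e5 f6"]
CA_ISSUER = "CN=corp-CA, DC=corp, DC=local"   # assumed CA name

# Constructed sample 4768 events as seen on a domain controller.
EVENTS = [
    {"EventID": 4768, "TargetUserName": "jdoe", "CertIssuerName": CA_ISSUER,
     "CertSerialNumber": "6100000002A1B2C3", "IpAddress": "10.0.0.15"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "CertIssuerName": "",
     "CertSerialNumber": "", "IpAddress": "10.0.0.20"},
    {"EventID": 4768, "TargetUserName": "Administrator", "CertIssuerName": CA_ISSUER,
     "CertSerialNumber": "7F00DEADBEEF0001", "IpAddress": "10.0.0.99"},
]

if __name__ == "__main__":
    for ev in find_forged_pkinit(EVENTS, ISSUED_SERIALS, CA_ISSUER):
        print(f"unissued serial {ev['CertSerialNumber']} used by "
              f"{ev['TargetUserName']} from {ev['IpAddress']}")
```

In a real deployment the issued list comes from the CA database (for example an export of the issued-certificates view) and the events from the DC security log; the comparison logic stays the same.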

Account Persistence.

Domain Escalation (see also here).

Domain Persistence

Certificate Theft
