GitHubPsMapExec

ESC11

Description

ADCS exposes an RPC endpoint for certificate enrollment. The endpoint MS-ICPR is an RPC interface. The RPC protocol allows each interface to define its NTLM signature management policy. In this case, the flag IF_ENFORCEENCRYPTICERTREQUEST determines if a signature check is performed. As the RPC protocol supports NTLM authentication, when there are no signature checks performed the endpoint is vulnerable (similar in concept to SMB NTLM relaying when SMB signing is disabled).

Default ADCS settings enforce the signature check. However, in some cases this may be disabled in ADCS in ensure compatability with legacy clients such as Windows Server 2012 and 2008. When this check is enabled, it becomes possible to perform a NTLM relay attack over the RPC endpoint.

Requirements for attack path

  • IF_ENFORCEENCRYPTICERTREQUEST flag is not enabled on the CA

Linux

Enumeration

certipy find -u 'Moe@Security.local' -p 'Password123' -dc-ip 10.10.10.100 -stdout -vulnerable

Performing the attack

There are two ways to perform this attack. Either using certipy or using a fork of Impacket which supports the appropriate RPC calls.

Run certipy, targeting the Certificate Authority and using the required template.

Ensure to select the correct template based on the machine account you are attempting to relay authentication to the web enrollement server for:

  • DomainControllers --> -template DomainController

  • Machine Accounts --> -template Machine

Then force coertion with coercer, selecting the intended target (Domain Controller in the example below)

Alternitavely we can use a fork of impacket which supports the required RPC calls.

After setup execute ntlmrelayx.py, targeting the Certificate Authority and selecting the appropriate certificate template.

Then force coertion with coercer, selecting the intended target (Domain Controller in the example below)

This Impacket fork does not appear to auto save the pfx file. We need to copy the Base64 encoded certificate data and either decode into a .pfx file or we can use the Base64 encoded data with Rubeus on Windows to generate a RC4 hash or Kerberos TGT.

Ensure when copying the data to only copy between the first ' and last '. As shown in the example above, the output is slightly malformed.

Convert the Base64 encoded data to a pfx file

Regardless of using certipy or ntlmrelayx, we should now have a .pfx file for the system we performed coercion against. We can then use certipy to request credentials.

Post Exploitation

Various post-exploitation steps can be undertaken after obtaining a machine account hash. The below example will focus on post-exploitation with a Domain Controller hash.

DCSync

A simple approach would be to perform a DCsync with impacket-secretsdump using the domain controller hash obtained from the certificate.

Silver Ticket

As an alternative option we can generate a silver ticket for a particular service such as CIFS and then gain direct command execution over the target, in this case the Domain Controller.

Firstly, identify the domain SID.

Next, we use ticketer to forge a silver ticket for a given service. In this case CIFS over Domain Controller.

Then export the TGS.

Finally, authenticate and issue commands.

Windows

This section is yet to be completed.

Mitigation

To resolve this issue the Certificate Authority needs to have enforced encryption on MS-ICPR requests. The following command should be issued on the ADCS server.

Then restart the services to allow changes to take place.

Last updated