ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License
2.44k stars 340 forks

Hello, can I exploit it? #153

Closed chibd2000 closed 1 year ago

chibd2000 commented 1 year ago

Hello, I am just starting to learn ADCS. Can I utilize ESC1 if I encounter the following situations?

{
  "Certificate Authorities": {
    "0": {
      "CA Name": "test-CA01-CA",
      "DNS Name": "CA01.test.com.cn",
      "Certificate Subject": "CN=test-CA01-CA, DC=test, DC=com, DC=cn",
      "Certificate Serial Number": "xxxxxxxxxxxxxxxxxxxx",
      "Certificate Validity Start": "2023-07-07 17:23:27+00:00",
      "Certificate Validity End": "2043-07-07 17:33:26+00:00",
      "Web Enrollment": "Enabled",
      "User Specified SAN": "Unknown",
      "Request Disposition": "Unknown",
      "Enforce Encryption for Requests": "Unknown",
      "[!] Vulnerabilities": {
        "ESC8": "Web Enrollment is enabled and Request Disposition is set to Unknown"
      }
    },
    "1": {
      "CA Name": "test-LG-V-CA01-CA",
      "DNS Name": "lg-v-CA01.test.com.cn",
      "Certificate Subject": "CN=test-LG-V-CA01-CA, DC=test, DC=com, DC=cn",
      "Certificate Serial Number": "xxxxxxxxxxxxxxxxxxxx",
      "Certificate Validity Start": "2020-03-04 07:47:15+00:00",
      "Certificate Validity End": "2040-03-04 07:57:15+00:00",
      "Web Enrollment": "Enabled",
      "User Specified SAN": "Unknown",
      "Request Disposition": "Unknown",
      "Enforce Encryption for Requests": "Unknown",
      "[!] Vulnerabilities": {
        "ESC8": "Web Enrollment is enabled and Request Disposition is set to Unknown"
      }
    }
  },
  "Certificate Templates": {
    "0": {
      "Template Name": "vmware \u7684\u526f\u672c",
      "Display Name": "vmware \u7684\u526f\u672c",
      "Enabled": false,
      "Client Authentication": true,
      "Enrollment Agent": false,
      "Any Purpose": false,
      "Enrollee Supplies Subject": true,
      "Certificate Name Flag": [
        "EnrolleeSuppliesSubject"
      ],
      "Enrollment Flag": [
        "None"
      ],
      "Private Key Flag": [
        "16777216",
        "65536",
        "ExportableKey"
      ],
      "Extended Key Usage": [
        "Client Authentication",
        "Server Authentication"
      ],
      "Requires Manager Approval": false,
      "Requires Key Archival": false,
      "Authorized Signatures Required": 0,
      "Validity Period": "15 years",
      "Renewal Period": "1 year",
      "Minimum RSA Key Length": 2048,
      "Permissions": {
        "Enrollment Permissions": {
          "Enrollment Rights": [
            "test.COM.CN\\Domain Admins",
            "test.COM.CN\\Domain Computers",
            "test.COM.CN\\Enterprise Admins"
          ]
        },
        "Object Control Permissions": {
          "Owner": "test.COM.CN\\viewadmin",
          "Write Owner Principals": [
            "test.COM.CN\\Domain Admins",
            "test.COM.CN\\Enterprise Admins",
            "test.COM.CN\\admin-lvcm",
            "test.COM.CN\\viewadmin"
          ],
          "Write Dacl Principals": [
            "test.COM.CN\\Domain Admins",
            "test.COM.CN\\Enterprise Admins",
            "test.COM.CN\\admin-lvcm",
            "test.COM.CN\\viewadmin"
          ],
          "Write Property Principals": [
            "test.COM.CN\\Domain Admins",
            "test.COM.CN\\Enterprise Admins",
            "test.COM.CN\\admin-lvcm",
            "test.COM.CN\\viewadmin"
          ]
        }
      },
      "[!] Vulnerabilities": {
        "ESC1": "'test.COM.CN\\\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication"
      }
    },
    "1": {
      "Template Name": "vmware",
      "Display Name": "vmware",
      "Certificate Authorities": [
        "test-LG-V-CA01-CA"
      ],
      "Enabled": true,
      "Client Authentication": true,
      "Enrollment Agent": false,
      "Any Purpose": false,
      "Enrollee Supplies Subject": true,
      "Certificate Name Flag": [
        "EnrolleeSuppliesSubject"
      ],
      "Enrollment Flag": [
        "None"
      ],
      "Private Key Flag": [
        "16777216",
        "65536",
        "ExportableKey"
      ],
      "Extended Key Usage": [
        "Server Authentication",
        "Client Authentication"
      ],
      "Requires Manager Approval": false,
      "Requires Key Archival": false,
      "Authorized Signatures Required": 0,
      "Validity Period": "15 years",
      "Renewal Period": "1 year",
      "Minimum RSA Key Length": 2048,
      "Permissions": {
        "Enrollment Permissions": {
          "Enrollment Rights": [
            "test.COM.CN\\Domain Admins",
            "test.COM.CN\\Domain Computers",
            "test.COM.CN\\Enterprise Admins"
          ]
        },
        "Object Control Permissions": {
          "Owner": "test.COM.CN\\admin-lvcm",
          "Write Owner Principals": [
            "test.COM.CN\\Domain Admins",
            "test.COM.CN\\Enterprise Admins",
            "test.COM.CN\\admin-lvcm"
          ],
          "Write Dacl Principals": [
            "test.COM.CN\\Domain Admins",
            "test.COM.CN\\Enterprise Admins",
            "test.COM.CN\\admin-lvcm"
          ],
          "Write Property Principals": [
            "test.COM.CN\\Domain Admins",
            "test.COM.CN\\Enterprise Admins",
            "test.COM.CN\\admin-lvcm"
          ]
        }
      },
      "[!] Vulnerabilities": {
        "ESC1": "'test.COM.CN\\\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication"
      }
    }
  }
}

chibd2000 commented 1 year ago

I see Domain Computers in the prompt below; does that mean I need a machine account to utilize it?

[!] Vulnerabilities: {
  ESC1: 'test.COM.CN\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
}
Alh4zr3d commented 1 year ago

Correct. If you can authenticate as a domain computer, you should be able to use that domain computer account to request a certificate using this template with a SAN.

If you have credentials for a domain user but not a domain computer, you may be able to create a computer account using those domain user credentials; by default, domain users have the ability to create machine accounts in order to support logins from multiple computers. Create a machine account for a machine that doesn't exist, and use the account to enroll in this template.
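
As a defender's triage of the `find` output posted above and of the machine-account point in the reply, here is an added example (not Certipy's own code) that parses a constructed excerpt of the posted JSON and reports, per template, whether the ESC1 conditions hold, whether the template is actually enabled and published on a CA (the first template is not), and whether Domain Computers is the only broad enroller, so that a machine account would be required. The `LOW_PRIV` group set and the field names it reads are assumptions taken from the JSON as posted.

```python
import json

# Constructed excerpt of the Certipy "find" JSON posted in the issue (only the fields this check reads).
CERTIPY_FIND = json.loads(r'''{
  "Certificate Templates": {
    "0": {"Template Name": "vmware \u7684\u526f\u672c", "Enabled": false,
          "Client Authentication": true, "Enrollee Supplies Subject": true,
          "Requires Manager Approval": false, "Authorized Signatures Required": 0,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights":
            ["test.COM.CN\\Domain Admins", "test.COM.CN\\Domain Computers"]}}},
    "1": {"Template Name": "vmware", "Certificate Authorities": ["test-LG-V-CA01-CA"], "Enabled": true,
          "Client Authentication": true, "Enrollee Supplies Subject": true,
          "Requires Manager Approval": false, "Authorized Signatures Required": 0,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights":
            ["test.COM.CN\\Domain Admins", "test.COM.CN\\Domain Computers"]}}}
  }
}''')

# Groups whose membership any domain account has, or can obtain on its own (a user may create a
# computer account while ms-DS-MachineAccountQuota is above zero, as the reply above notes). Assumed set.
LOW_PRIV = {"domain users", "domain computers", "authenticated users", "everyone"}


def esc1_triage(find_output):
    """Per-template ESC1 triage of a parsed Certipy 'find' JSON dict (Certipy's own checks are richer)."""
    results = []
    for tpl in find_output.get("Certificate Templates", {}).values():
        perms = tpl.get("Permissions", {}).get("Enrollment Permissions", {})
        # Drop the "DOMAIN\" prefix and compare group names case-insensitively.
        groups = {r.split("\\", 1)[-1].lower() for r in perms.get("Enrollment Rights", [])}
        broad = sorted(groups & LOW_PRIV)
        esc1 = (tpl.get("Enrollee Supplies Subject") is True
                and tpl.get("Client Authentication") is True
                and tpl.get("Requires Manager Approval") is False
                and tpl.get("Authorized Signatures Required", 0) == 0
                and bool(broad))
        # Certipy flags the conditions even on a disabled template; only an enabled template that is
        # published on at least one CA can actually be enrolled, so fix those first.
        published = tpl.get("Enabled") is True and bool(tpl.get("Certificate Authorities"))
        results.append({
            "template": tpl["Template Name"],
            "esc1_conditions": esc1,
            "reachable": esc1 and published,
            # True when Domain Computers is the only broad enroller: a machine account is needed.
            "needs_machine_account": esc1 and broad == ["domain computers"],
            "broad_enrollers": broad,
        })
    return results
```

Remediation for a reachable hit is to clear EnrolleeSuppliesSubject or require manager approval on the template, and to remove the broad enrollment right; re-run `find` afterwards to confirm the flag is gone.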

chibd2000 commented 1 year ago

Haha, I didn't expect anyone to reply to me after a month. This was encountered during the project. I applied for the corresponding template certificate using the NTLM of the domain machine, but I still encountered the KDC_ERROR_CLIENT_NOT_TRUSTED (Reserved for PKINIT) problem. Have you encountered this before? If so, could you please provide a solution?

Ppsoft1991 commented 1 year ago

See https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html @chibd2000