By Cameron Homer, Senior Threat Labs Consultant for Avertium
In the past 18 months, Avertium's penetration testers have frequently exploited a common Active Directory Certificate Services (ADCS) elevation-of-privilege vulnerability, allowing us to escalate privileges to Domain Administrator. This vulnerability typically evades detection by standard vulnerability scanners, making it a pervasive weakness: the network equivalent of an Achilles' heel.
Additionally, this vulnerability cannot be fixed by a vendor-pushed patch; prevention instead requires proper configuration of ADCS.
As offensive security experts, Avertium aims to improve customers' security posture by proactively helping them remediate internal and external network vulnerabilities before bad actors discover them. ADCS is a subject that frequently warrants a deep dive with our customers, answering the questions "What is ADCS?", "What are the problematic vulnerabilities associated with ADCS?", and "How do I prevent ADCS vulnerabilities?".
ADCS is a Windows Server role often found within an Active Directory environment. It is used to issue and manage public key infrastructure (PKI) certificates, which are used in secure communications and authentication. If misconfigured, some of the settings of ADCS are highly exploitable, leading to an escalation to administrative privileges within a domain.
There are many different escalation attacks, or ESCs, which are identified by their number, e.g., ESC8. The two ESC vulnerabilities Avertium most often finds during assessments are ESC1 and ESC8. In both instances, exploiting the vulnerability requires only a foothold in the environment, not administrator-level access. A simple user account will do, including any domain user across the various roles within the organization (accounting, HR, sales, etc.). Anybody with domain credentials can carry out this attack, which is why it succeeds so often.
The risk associated with this vulnerability is that it's a relatively easy way to escalate privileges, but it's also one that a typical vulnerability scanner wouldn't pick up. That's cause for alarm, because the potential negative outcomes—compromised customer data, compromised business data, ransomware—are dire.
ESC8 takes advantage of an enterprise certificate authority's (CA) web enrollment feature. If enabled, this feature allows a user to request a certificate from a template via the HTTP/S web interface, which also accepts NTLM authentication. This enables an attacker to perform an NTLM relay attack in which the relayed authentication is directed to the web interface. When successful, the CA issues a certificate for the relayed user, which the attacker can then use to authenticate to the domain.
We mentioned that remediating this vulnerability involves attention to configuration. Let's walk through the ESC8 vulnerability, what to look for that makes an environment vulnerable, and how to remediate the weakness.
First, an attacker must verify that ADCS exists in the target environment. The attacker will need a domain user's credentials before arriving at this point. There are a variety of methods, such as password spraying attacks or broadcast message spoofing attacks, that could be used to obtain these credentials. These attacks will not be covered in this article, but an efficient way to discover ADCS, including any potential associated vulnerabilities, is to use Certipy and target a Domain Controller (DC) with Certipy's "find" module.
Figure 1. Certipy ADCS Enumeration
Certipy returns the results of all certificate authorities and certificate templates it was able to find in the target environment.
Figure 2. Certipy Results
Certipy highlights which ESC vulnerabilities are present in an environment; however, an attacker is looking for the following results when hunting for an ESC8 vulnerability:
In the above figure, the ESSOS-CA allows Web Enrollment and the Request Disposition is set to "Issue". If an attacker controls a user belonging to the enrollment group, the attacker can enroll in any template offered by this CA that the controlled user is allowed to enroll in. This applies not only to users whose passwords the attacker has, but also to users whose authentication can be relayed to this HTTP endpoint.
An attacker can take a variety of approaches at this point to obtain a certificate. This article, however, will focus on a coercion attack targeting a domain controller, whose authentication attempt is then relayed to the HTTP endpoint. This results in a certificate being issued from a template that allows the attacker to authenticate to the domain as that specific domain controller.
While there are a variety of tools and methods to perform coercion attacks, we use PetitPotam in this example. If all goes as expected, the Domain Controller will attempt to authenticate to the attacker's machine using its machine account's password hash.
Figure 3. PetitPotam
Figure 4. Domain Controller Response
Figure 4 shows that Responder was able to capture the authentication attempt, and that the coercion attack was successful!
Note: While this step isn't required, verifying the coercion is working is always a good practice when troubleshooting this attack path.
With the coercion attempt verified, the next step is to perform the relay attack.
To perform the relay attack, Impacket's NTLMRelayx script is configured with the flags shown below, sending the authentication attempt to the HTTPS enrollment endpoint. This relay targets the "DomainController" certificate template, which exists in most ADCS environments, but I encourage anyone performing this attack path to verify its existence first to prevent headaches further down the road.
Figure 5. NTLMRelayx Setup
With the relay ready to go, PetitPotam, when executed as shown in the earlier example, triggers the authentication attempt from the Domain Controller. The authentication attempt is then relayed to the Certificate Authority's HTTP enrollment endpoint, which, if successful, provides a certificate.
Figure 6. Successful Relay
If the relay is successful, the attacker now has a PFX file for the coerced domain controller. This certificate allows the attacker to authenticate to the domain as the domain controller. The attacker can then retrieve the Domain Controller’s NTLM hash using Certipy's auth module.
Figure 7. Certipy Auth
The attacker can now use the returned NTLM hash in Pass-the-Hash (PtH) attacks to authenticate as the Domain Controller. In the example above, where an attacker is able to authenticate as a DC, the attacker now has rights to the Domain Replication service, which allows an attacker to perform a DCSync attack.
Note: I would recommend enumerating the domain first and just retrieving one DA user's credentials rather than dumping NTDS right away with this attack.
In the below example, Impacket's secretsdump script is used to perform the DCSync attack.
Figure 8. DCSync Attack
With the Administrator user’s NTLM hash in hand, the attacker now has Domain Admin (DA) privileges and can PtH to authenticate to the Domain Controller to verify these privileges.
Figure 9. Administrator Authentication
With DA privileges, the attacker can begin the post-exploitation phase, which can result in the compromise of sensitive data and systems.
To prevent the above attack, IT administrators and security engineers can take a few steps to harden and remediate an ADCS environment against ESC8 attacks:
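The relay in the walkthrough above works because the CA's web enrollment endpoint accepts NTLM and does not bind that authentication to the TLS channel. The following PowerShell audit is an added example (not Avertium's code or part of the original post) that checks a CA host's CertSrv site for the three settings that close this path and optionally applies the fixes. It assumes it runs elevated on the CA itself, that the IIS WebAdministration module is present, and that web enrollment is installed at "Default Web Site/CertSrv" (adjust `$location` otherwise); the IIS cmdlet parameter forms are the standard ones but are noted as assumptions in the comments.

```powershell
<#
Added example: audit (and with -Fix, harden) the ADCS web enrollment site
against NTLM relay. Assumes: elevated session on the CA host, WebAdministration
module available, web enrollment at 'Default Web Site/CertSrv'.
#>
param([switch]$Fix)
Import-Module WebAdministration

$root     = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/CertSrv'      # assumption: default install path
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'
$access   = 'system.webServer/security/access'
$findings = @()

# 1. Extended Protection for Authentication (channel binding) ties the NTLM
#    exchange to the TLS session, so a relayed handshake no longer validates.
$auth = Get-WebConfiguration -PSPath $root -Location $location -Filter $winAuth
$epa  = $auth.extendedProtection.tokenChecking
if ($epa -ne 'Require') { $findings += "EPA tokenChecking is '$epa'; expected 'Require'" }

# 2. Authentication providers: 'NTLM' is directly relayable and plain
#    'Negotiate' can fall back to NTLM. Only 'Negotiate:Kerberos' should remain.
$providers = (Get-WebConfiguration -PSPath $root -Location $location -Filter "$winAuth/providers/add").value
if ($providers -contains 'NTLM' -or $providers -contains 'Negotiate') {
    $findings += "Providers offer NTLM ($($providers -join ', ')); expected only 'Negotiate:Kerberos'"
}

# 3. Require TLS: EPA does nothing over plain HTTP, and HTTP is the endpoint
#    a relay targets when it is left open.
$ssl = (Get-WebConfiguration -PSPath $root -Location $location -Filter $access).sslFlags
if ("$ssl" -notmatch 'Ssl') { $findings += "sslFlags is '$ssl'; expected to include 'Ssl'" }

if ($findings.Count -eq 0) { Write-Output 'CertSrv hardening checks passed'; return }
$findings | ForEach-Object { Write-Output "FINDING: $_" }

if ($Fix) {
    # Dotted property names and the hashtable collection add are the forms the
    # IIS Configuration Editor emits; verify against your IIS version (assumption).
    Set-WebConfigurationProperty -PSPath $root -Location $location -Filter $winAuth -Name 'extendedProtection.tokenChecking' -Value 'Require'
    Set-WebConfigurationProperty -PSPath $root -Location $location -Filter $winAuth -Name 'extendedProtection.flags' -Value 'None'
    Clear-WebConfiguration -PSPath $root -Location $location -Filter "$winAuth/providers"
    Add-WebConfiguration -PSPath $root -Location $location -Filter "$winAuth/providers" -Value @{ value = 'Negotiate:Kerberos' }
    Set-WebConfigurationProperty -PSPath $root -Location $location -Filter $access -Name 'sslFlags' -Value 'Ssl'
    Write-Output 'Applied fixes; restart IIS (iisreset) for them to take effect'
}
```

Re-running Certipy's "find" module against the CA afterwards is a useful cross-check that Web Enrollment no longer shows up as relayable. Disabling web enrollment entirely where nothing uses it removes the endpoint altogether.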
Within the last year, Avertium has exploited ESC8 on multiple engagements, resulting in the ability to escalate privileges to Domain Admin and fully compromise clients' environments. While scanning has its place within any client's overall vulnerability management plan, vulnerabilities like ESC8 can be difficult to detect with certain scanning configurations. Hands-on penetration testing with an experienced security consultant can greatly improve an environment's security and help prevent vulnerabilities like ESC8 from becoming an issue.
The Threat Labs team at Avertium simulates adversary tactics to find exploitable weaknesses in applications, infrastructure, and user behaviors—providing a roadmap to fix them before real threats strike. This also serves to advance the organization’s overall strategic efforts to improve security posture.
Avertium's adversarial simulation (AdSim) identifies your vulnerabilities before an attack can exploit them. Learn more about our penetration testing services and get visibility into the health of your cybersecurity program today.
Cameron Homer is a Senior Threat Labs consultant on the Threat Labs team at Avertium. Cameron has four years of experience performing a wide range of offensive security assessments and holds multiple certifications such as the OSEP, OSCP and CRTO.