Introduction to Active Directory Certificate Services (AD CS)
Many organisations use Windows Server as the basis of their system infrastructure. Not only that, but many organisations also use public key infrastructure (PKI) for their cyber security needs because they enable electronic workflows for example; certificate-based authentication, digital signatures and securing web servers. What you may not realise, however, is that the two can be connected. This is where Active Directory Certificate Services (AD CS) come into play. Why? It’s proven that certificates are more secure and user-friendly than passwords.
It’s perhaps pertinent to understand certificates before we take a deep dive into understanding AD CS. Digital certificates are in effect, very similar to traditional certificates, in that they both contain the issuing authority’s name. In the case of a digital certificate, however, it will also contain the electronic signature of the issuing authority. Similarly, a digital certificate will also hold the recipient’s, contains further information validity period, beyond which it cannot be utilised. And finally, in order to encrypt sensitive data, the public key address. Given the importance of certificates within your environment, an attacker will be on the lookout for AD CS misconfiguration. In this blog, we’ll share some more information on AD CS, its common weaknesses and how it can become vulnerable to attack through misconfiguration. We have successfully used the techniques in this blog during client testing, so this blog is very much a real-world view.
What are Active Directory Certificate Services?
Active Directory Certificate Services or AD CS for short allows companies to provide an on-site Public / Infrastructure (PKI) so it can generate, check and revoke public key certificates. In turn, these certificates have various uses including encryption of network traffic, files and emails.
This infrastructure is normally hosted on a separate Windows Server hosting the ‘Certificate Authority’ (of which there can be more than one) and is responsible for managing the on-site certificates. Overall, the infrastructure is made up of 6 components:
- Certification Authorities – these manage certificate validation and issue certs.
- CA Web enrolment – this connects users to a Certificate Authority via a Web Browser
- Certificate Enrolment Policy Web Service – this allows computers and users to query their enrolment rights
- Certificate Enrolment Web Service – this allows computers and users to enrol certificates
- Network Device Enrolment Service – this lets network devices without domain accounts retrieve certificates
- Online Responder – this responds to requests about a certificate’s status
Active Directory Certificate Services Vulnerability
Back in 2021, Will Schroeder (@harmj0y) from SpecterOps released a research white paper entitled “Certified Pre-Owned: Abusing Active Directory Certificate Services” which caused quite a stir in the offensive and defensive security world. It became obvious that a whole new avenue of attacks had opened up for would-be attackers due to consistent misconfiguration in AD CS by many companies.
They classified each attack vector with the prefix ESC of which there are 8 in the original white paper. The 8 attack vectors can lead to lots of avenues of attack which they highlighted in this quote from their whitepaper:
“AD CS is widely deployed, and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence.”
For this blog post, I will focus on ESC8 which we at Evalian had some recent success in exploiting which led to a complete Domain takeover.
ESC8 can be abused because some enrolment HTTP endpoints do not have HTTPS enabled and in general AD CS rarely has NTLM relay protections enabled by default. What this means is the Certificate Authority’s enrolment page pictured below can be passed data from another server within the network and it will not check that the data is coming straight from that specific server or if the data has instead been passed (relayed) by an attacker.
Certificate Enrolment page
This opens up an avenue of attack for a threat actor (in this case an Evalian pen tester) to exploit. A full abuse sequence of ESC8 is pictured below. Keep in mind the Certificate Authority on the right contains the webpage pictured above that we want to relay the ‘Target’ authentication to, but it won’t verify it is actually the Target doing so.
ESC8 Abuse Sequence
The sequence of attack is as follows:
- The Attacker (Evalian using Kali Linux in our case) uses a bug known as ‘PetitPotam’ which makes an RPC call to our Target, which in our case was the Domain Controller, which tricks the Target to authenticate back to our Attacker machine.
- Our Attacker machine then receives the Target authentication and instead of storing it immediately passes it on to the vulnerable website at the Certificate Authority.
- The Certificate Authority then thinks that we are the Target and responds to us as if we are the Target.
- The response, in this case, is that the CA sends a valid Certificate intended for the Target, but instead to us.
- We then take the Target certificate and convert it to a TGT, which is essentially like a machine’s credentials. Now that we have the Target’s TGT, we have now become for all intents and purposes (or at least authentication-based ones!) the Target machine. Given the Target is a Domain Controller, which is the most powerful machine on the network, we can run from our Kali machine the DC Sync process which Domain Controllers run to keep in sync with other Domain Controllers. This sync process provides us with every username/password hash in the whole domain so we can log in as the Administrator.
At this point, we can add our Evalian user to the ‘Domain Admins’ as an ‘Indication of Compromise’ (IOC).
As we see daily, the next step for groups who use Ransomware would be to encrypt all of the data on the domain so we can see how dangerous this type of attack can become.
Remediation for the above vulnerabilities. We recommend the following steps:
- Organisations should disable these HTTP-based enrolment server roles if they are not in use.
- Disable NTLM authentication using GPOs or configure the associated IIS applications to only accept Kerberos authentication.
- If organisations cannot remove the endpoints or outright disable NTLM authentication, they should only allow HTTPS traffic and configure the IIS applications to use Extended Protection for Authentication.
Further remediation detail: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
If we were providing a penetration test for your organisation, we’d set out our findings and these remediation recommendations in a detailed penetration testing report (you can view what to expect from a pen test report in our recent blog). We’d then arrange a wash-up call with you to walk through our findings and recommendations and answer any questions.
Active Directory is used by tens of thousands of companies including 90 per cent of the Fortune 1000 companies. The majority of these will likely use Active Directory Certificate Services meaning that attackers could have rich pickings if AD CS has not been securely configured.
As we have covered in previous posts such as When to carry out a penetration test, any changes to the environment, software or systems should prompt a pen test to ensure all vulnerabilities are remediated. Companies should carry out a full and thorough assessment of their Active Directory Certificate Services configuration to ensure that no weaknesses have crept in during the years of IT change that every company experiences.
If your organisation needs help with web application pen resting, or an Infrastructure penetration test we’re here to help. We can assess your environment with our full penetration testing services. In the meantime, you can download a copy of our Guide to Penetration Testing which has plenty of information to help you understand the service and its benefits.
We can also advise you on any follow-up actions or remediations from our findings. Contact us for a friendly chat.