
LDAP attack: dump ADCS enrollment services and certificate templates info #1214

Merged
merged 3 commits into from
Feb 8, 2022

Conversation

SAERXCIT
Contributor

@SAERXCIT SAERXCIT commented Nov 21, 2021

Hi!

This PR adds a new LDAP attack dumping information about the domain's ADCS enrollment services (host, offered templates, principals allowed to enroll) and certificate templates (principals allowed to enroll).

The use case for this is being able to, without having a domain account, obtain available ADCS hosts and templates in order to perform further relay attacks targeting ADCS.

Example output:

```
[*] Authenticating against ldap://dc2.domain.local as DOMAIN\user1 SUCCEED
[*] Assuming relayed user has privileges to escalate a user via ACL attack
[*] Attempting to dump ADCS enrollment services info
[*] Found ADCS enrollment service `DOMAIN-DC1-CA` on host `DC1.DOMAIN.LOCAL`, offering templates: `UserVulnSAN`, `DirectoryEmailReplication`, `DomainControllerAuthentication`, `KerberosAuthentication`, `EFSRecovery`, `EFS`, `DomainController`, `WebServer`, `Machine`, `User`, `SubCA`, `Administrator`
[*] Principals who can enroll on enrollment service `DOMAIN-DC1-CA`: `DOMAIN.LOCAL\Authenticated Users`
[*] Attempting to dump ADCS certificate templates enrollment rights, for templates allowing for client authentication and not requiring manager approval
[*] Principals who can enroll using template `User`: `DOMAIN.LOCAL\Domain Admins`, `DOMAIN.LOCAL\Enterprise Admins`, `DOMAIN.LOCAL\Domain Users`
[*] Principals who can enroll using template `SubCA`: `DOMAIN.LOCAL\Domain Admins`, `DOMAIN.LOCAL\Enterprise Admins`
[*] Principals who can enroll using template `Machine`: `DOMAIN.LOCAL\Domain Admins`, `DOMAIN.LOCAL\Enterprise Admins`, `DOMAIN.LOCAL\Domain Computers`
[*] Principals who can enroll using template `Administrator`: `DOMAIN.LOCAL\Domain Admins`, `DOMAIN.LOCAL\Enterprise Admins`
[*] Principals who can enroll using template `DomainController`: `DOMAIN.LOCAL\Domain Admins`, `DOMAIN.LOCAL\Domain Controllers`, `DOMAIN.LOCAL\Enterprise Domain Controllers`, `DOMAIN.LOCAL\Enterprise Read-Only Domain Controllers`, `DOMAIN.LOCAL\Enterprise Admins`
[*] Principals who can enroll using template `KerberosAuthentication`: `DOMAIN.LOCAL\Domain Admins`, `DOMAIN.LOCAL\Domain Controllers`, `DOMAIN.LOCAL\Enterprise Domain Controllers`, `DOMAIN.LOCAL\Enterprise Read-Only Domain Controllers`, `DOMAIN.LOCAL\Enterprise Admins`
[*] Principals who can enroll using template `DomainControllerAuthentication`: `DOMAIN.LOCAL\Domain Admins`, `DOMAIN.LOCAL\Domain Controllers`, `DOMAIN.LOCAL\Enterprise Domain Controllers`, `DOMAIN.LOCAL\Enterprise Read-Only Domain Controllers`, `DOMAIN.LOCAL\Enterprise Admins`
[*] Done dumping ADCS info
```

In this example, we now know we can perform ADCS relay attacks by targeting dc1.domain.local and using template User for users and Machine for computers 🙂 (plug: since this is the default config, the correct template can be selected automatically using PR #1188 😉 ).

Thanks to @ly4k for Certipy, from which some of this code is taken.

Cheers!
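As an added example (not code from this PR or from impacket), the following is an offline audit over the same two object classes the attack reads, pKIEnrollmentService and pKICertificateTemplate, applying the filter the output above describes (a client-authentication EKU and no manager approval) and reporting which published templates are enrollable by broad groups such as Authenticated Users or Domain Users. The CA, template names, flag values and group names are constructed sample data; the EKU OIDs and the MS-CRTD flag bits are the standard ones. Enrollment rights are given pre-resolved as group names, whereas a live query derives them from the Certificate-Enrollment ACEs in each object's nTSecurityDescriptor.

```python
"""Offline audit of ADCS enrollment services and certificate templates.

Added example, not code from the PR or from impacket. The sample objects below
are constructed and stand in for what the LDAP attack reads under
CN=Public Key Services,CN=Services,CN=Configuration,<forest DN>. Enrollment
rights are given pre-resolved as group names; in a live query they come from
the Certificate-Enrollment ACEs in each object's nTSecurityDescriptor.
"""
from dataclasses import dataclass
from typing import Dict, List

# msPKI-Enrollment-Flag bit: requests are held for CA manager approval (MS-CRTD)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# msPKI-Certificate-Name-Flag bit: the requester supplies the subject / SAN (MS-CRTD)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

# pKIExtendedKeyUsage OIDs that let the issued certificate authenticate to AD
CLIENT_AUTH_EKUS = frozenset({
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
})

# Groups whose enrollment right reaches every user or computer; an assumption of
# this example, extend with environment-specific groups when auditing a real forest.
BROAD_PRINCIPALS = frozenset({"Authenticated Users", "Domain Users",
                              "Domain Computers", "Everyone"})


@dataclass
class EnrollmentService:          # one pKIEnrollmentService object
    name: str                     # cn
    host: str                     # dNSHostName
    templates: List[str]          # certificateTemplates (published template names)
    enroll_principals: List[str]  # who holds Certificate-Enrollment on the CA


@dataclass
class Template:                   # one pKICertificateTemplate object
    name: str                     # cn
    ekus: List[str]               # pKIExtendedKeyUsage
    enrollment_flag: int          # msPKI-Enrollment-Flag
    name_flag: int                # msPKI-Certificate-Name-Flag
    ra_signatures: int            # msPKI-RA-Signature
    enroll_principals: List[str]  # who holds Certificate-Enrollment on the template


def allows_client_auth(t: Template) -> bool:
    # An empty EKU list means no usage restriction (the SubCA template), so it counts.
    return not t.ekus or bool(CLIENT_AUTH_EKUS & set(t.ekus))


def requires_manager_approval(t: Template) -> bool:
    return bool(t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)


def enrollee_supplies_subject(t: Template) -> bool:
    return bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)


def audit(cas: List[EnrollmentService], templates: List[Template]) -> Dict[str, List[dict]]:
    """Per CA, list the published templates that allow client authentication without
    manager approval (the filter the PR output applies) and who may enroll on them.
    Templates no CA publishes are skipped: nothing can issue them."""
    by_name = {t.name: t for t in templates}
    report: Dict[str, List[dict]] = {}
    for ca in cas:
        # Enrollment also needs the right on the CA itself; only report broad template
        # rights when the CA side is open to a broad group as well.
        ca_open = bool(BROAD_PRINCIPALS & set(ca.enroll_principals))
        findings = []
        for name in ca.templates:
            t = by_name.get(name)
            if t is None or not allows_client_auth(t) or requires_manager_approval(t):
                continue
            findings.append({
                "template": t.name,
                "principals": list(t.enroll_principals),
                "broad_enrollment": sorted(BROAD_PRINCIPALS & set(t.enroll_principals)) if ca_open else [],
                "ra_signatures": t.ra_signatures,
                "enrollee_supplies_subject": enrollee_supplies_subject(t),
            })
        report[ca.name] = findings
    return report


def format_report(cas: List[EnrollmentService], report: Dict[str, List[dict]]) -> List[str]:
    lines = []
    for ca in cas:
        lines.append(f"[*] CA `{ca.name}` on `{ca.host}`, enrollable by: " + ", ".join(ca.enroll_principals))
        for f in report[ca.name]:
            tag = " [broad enrollment: %s]" % ", ".join(f["broad_enrollment"]) if f["broad_enrollment"] else ""
            lines.append(f"    template `{f['template']}`: " + ", ".join(f["principals"]) + tag)
    return lines


# Constructed sample forest: one CA publishing a few default templates plus two extras.
CAS = [EnrollmentService("DOMAIN-DC1-CA", "DC1.DOMAIN.LOCAL",
                         ["User", "Machine", "SubCA", "Administrator", "WebServer", "ManagedUser"],
                         ["Authenticated Users"])]
TEMPLATES = [
    Template("User", ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
             0x29, 0xA6000000, 0, ["Domain Admins", "Enterprise Admins", "Domain Users"]),
    Template("Machine", ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"],
             0x20, 0x18000000, 0, ["Domain Admins", "Enterprise Admins", "Domain Computers"]),
    Template("SubCA", [], 0x0, 0x1, 0, ["Domain Admins", "Enterprise Admins"]),
    Template("Administrator", ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
             0x29, 0xA6000000, 0, ["Domain Admins", "Enterprise Admins"]),
    Template("WebServer", ["1.3.6.1.5.5.7.3.1"], 0x0, 0x1, 0, ["Domain Admins", "Enterprise Admins"]),
    # client-auth template held for manager approval: filtered out, as the PR does
    Template("ManagedUser", ["1.3.6.1.5.5.7.3.2"], 0x2, 0xA6000000, 0, ["Domain Users"]),
    # client-auth template no CA publishes: skipped
    Template("Unpublished", ["1.3.6.1.5.5.7.3.2"], 0x0, 0xA6000000, 0, ["Domain Users"]),
]

if __name__ == "__main__":
    print("\n".join(format_report(CAS, audit(CAS, TEMPLATES))))
```

Run stand-alone it prints the CA line followed by `User`, `Machine`, `SubCA` and `Administrator`; `WebServer` drops out for lacking a client-auth EKU, `ManagedUser` for manager approval, and `Unpublished` because no CA offers it. For a defender the `broad_enrollment` field is the one to act on: a published client-auth template enrollable by Domain Users or Domain Computers on a CA that admits Authenticated Users is exactly what the dump above surfaces.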

@jagotu
Contributor

jagotu commented Dec 9, 2021

Used this in an engagement and can confirm it works and is actually really helpful :) Looking forward to when this gets merged.

@fsacer

fsacer commented Jan 15, 2022

Looking forward to that, definitely useful to get ADCS info ASAP.

@0xdeaddood 0xdeaddood added the in review This issue or pull request is being analyzed label Feb 3, 2022
@0xdeaddood
Collaborator

Hi @SAERXCIT!

Great addition, thanks for the PR! Merging...

@0xdeaddood 0xdeaddood merged commit 0916329 into fortra:master Feb 8, 2022
@0xdeaddood 0xdeaddood removed the in review This issue or pull request is being analyzed label Feb 8, 2022
@SAERXCIT SAERXCIT deleted the ldaprelay-getadcsenrollmentsvc branch February 8, 2022 15:37