Attack Overview
- Find vulnerable certificate templates.
- Use a vulnerable template to generate a certificate for a target user.
- Authenticate using the certificate.
Enumerate vulnerable templates using Certify:
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /vulnerable

Requirements for a certificate template to be usable in this attack:
- msPKI-Certificate-Name-Flag contains ENROLLEE_SUPPLIES_SUBJECT, which allows the requester to specify a Subject Alternative Name (i.e. obtain a certificate for any user) when creating the certificate.
- pkiextendedkeyusage contains Client Authentication, which means certificates generated from this template can be used for authentication.
- Enrollment Rights contains a principal that the attacker controls.
- Alternatively, a certificate template can be modified to fit the above requirements if the attacker has WriteOwner, WriteDacl, or WriteProperty permission on the template.
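The same three requirements, plus the template-modification alternative, written as an audit check over template attributes already exported from AD. This is an added example for these notes, not code from the page or from Certify; the dict layout, the LOW_PRIV group list and the extra authentication EKUs beyond Client Authentication are assumptions, and the sample templates are constructed.

```python
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag

# EKU OIDs that let a certificate authenticate a user. Client Authentication is the one
# named in the notes; the others also satisfy PKINIT and generalize the same check.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Assumption: principals treated as attacker-reachable for the audit, i.e. groups every
# domain account or machine belongs to. Adjust for the domain under review.
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}
TEMPLATE_WRITE_RIGHTS = {"WriteOwner", "WriteDacl", "WriteProperty"}


def audit_template(t: dict) -> list:
    """Return finding codes for one template; an empty list means it passes this check."""
    findings = []
    supplies_subject = bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    ekus = set(t["pkiextendedkeyusage"])
    auth_capable = not ekus or bool(ekus & AUTH_EKUS)  # no EKU at all means no restriction
    low_priv_enroll = LOW_PRIV & set(t["enrollment_rights"])
    if supplies_subject and auth_capable and low_priv_enroll:
        findings.append("san-enrollment-by-" + "|".join(sorted(low_priv_enroll)))
    # Alternative path from the notes: a low-privileged principal can edit the template.
    editors = {p for p, rights in t["object_rights"].items()
               if p in LOW_PRIV and set(rights) & TEMPLATE_WRITE_RIGHTS}
    if editors:
        findings.append("template-writable-by-" + "|".join(sorted(editors)))
    return findings


def audit_all(templates: dict) -> dict:
    """Map template name -> findings, keeping only templates with at least one finding."""
    return {n: f for n, f in ((n, audit_template(t)) for n, t in templates.items()) if f}


# Constructed sample templates: a misconfigured one and a corrected copy of it.
SAMPLE_TEMPLATES = {
    "VulnUser": {
        "msPKI-Certificate-Name-Flag": 0x1,
        "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],  # client auth, email
        "enrollment_rights": ["Domain Users", "Domain Admins"],
        "object_rights": {"Domain Admins": ["WriteDacl", "WriteOwner"]},
    },
    "SafeUser": {
        "msPKI-Certificate-Name-Flag": 0x02000000,  # SUBJECT_ALT_REQUIRE_UPN: CA builds the SAN
        "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.2"],
        "enrollment_rights": ["Domain Users"],
        "object_rights": {"Domain Users": ["ReadProperty"]},
    },
}
```

Clearing the ENROLLEE_SUPPLIES_SUBJECT bit (so the CA builds the SAN from the requester's UPN) or restricting Enrollment Rights is enough to make a template pass; the SafeUser entry shows the first fix.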
To generate a certificate, run Certify.exe request with the FQDN of the CA that serves the template, the name of the template, and the user this certificate should authenticate as. All of this information is available in the find output.
execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:[cert-ca-fqdn] /template:[template-name] /altname:[target-user]

Save the generated private key and certificate into a cert.pem file. The Certify command above will also output an openssl command to convert cert.pem to a cert.pfx usable for authentication (do this on a Linux host). Base64-encode the pfx file contents for Rubeus.
To obtain a TGT with the certificate base64:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:[cert-base64] /password:pass123