Playing and Hacking Active Directory Certificate Authority

Brief Active Directory Certificate Authority

Microsoft Active Directory Certificate Services provide a platform for generating and issuing and managing PKI Public Key Infrastructure certificates. In short AD CS provides certificates for securing HTTP traffic and also supports other authentication mechanism such as computer, user or device accounts on a network.
No point for me to describe what the certificate authority is used for as Microsoft has covered this here in details  here and here.

The objective with this brief technical article is to demonstrate common mis-configuration with the certificate generation and issuing keys to domain joined end users. The idea is to show an attacker can enumerate certificate authority using built-in windows MMC managed certificate Snap-in in windows 10 and export private keys to our attacking machine for offline PKCS12 PFX password recovery.
You probably ask why do you want to extract private key and recover the password? Well that depends on the type o certificate but generally speaking certificate used for encrypting traffic or perhaps use machine authentication to a domain controller or can be used as internal code signing certificate.
In my personal opinion I think CA Certificate Authority is significant attack vector and often overlooked by system administrators and security professionals, for years’ bad actors utilized and abused certificate authority to circumvent external/internal technical controls and security operations, often these attacks go undetected by third part and built-in signature based anti-virus products.

So let’s assume breach scenario here and an attacker managed to gain foothold on your end user windows 10 workstation and we also assume the workstation is domain joined, and there is a single tier domain joined active directory certificate authority installed on server that issues automated client machine/user certificates to the workstations once  joined the domain controller (AutoEnrollment Group Policy Configured)

LAB Setup and Break down:

Cryotoambient.com SEC-PRI-DC-1 (Primary Lab Domain Controller)

SEC-PRI-DC-02 (Secondary Domain Controller – Certificate Authority installed

Windows10 Domain Joined with active directory low privilege user ambient10

Let’s assume the attacker is on post exploitation phase and enumerating the workstation for vulnerabilities weakness to elevate higher privilege access from zero to hero domain administrator privilege. There are different methodology and techniques to elevate privilege from windows environment, unpatched vulnerabilities, powershell, vulnerable services, pass the hash,  credential theft and the list goes on.

Let’s focus on how an attacker abuse exportable certificates and reuse the certificate for other malicious use cases.

Certificate authority  we replicated an exiting template and named it User_V2.

1

Figure 1  Notice Private Key is to be exported ticked.

 

Enabled Certificate Templates we created.

2

Figure 2 Published User/Workstation authentication template.

 

Group Policy change to enable automatic enrollment.

comes just after 2 with commens

Figure 3  PKI Group Policy created to allow AutoEnrollement to end user workstations.

Joined our target windows10 to the domain controller.

comes before 2

Figure 4 DESKTOP-BOB1 Windows 10 Joined to the domain controller and waiting for the certificate to be pushed to the user workstation upon first login.

 

Issued Certificates to workstations.

3

Figure 5 User/Machine certificate issued to newly joined window10 with the user ambient10 as low privileged user.

 

Next we check newly joined Windows 10 MMC console under the Personal  Certificate we see ambient10 user been issued a certificate.

4

Figure 6 We use export wizard to export the private key in PKCS12 PFX format.

 

Certificate Export Wizard.

5

Figure 7 we select the export private key from abmient10 user personal certificate

 

ExportPrivateKey certificate saved on the ambient10 user desktop.

6

Figure 8  private key saved on to the ambient user workstation desktop

 

Next we move the file to the c:\cert folder on the target workstation 192.168.1.73 for quick certificate transfer to our attacking machine.

7

Figure 9 from our lab kali machine we use mount -t cifs to mount the remote folder to our /mnt folder on our attacking machine with the user ambient10 credential.

 

Now that we have copy of the private key in pfx format we github crackpkcs12 source code here and compile it on our kali machine.  Crackpkcs12 -b  certificatefile.pfx or pkc12 format.

8

Figure 10  Successful Brute force attack and recovered the Password “123”

 

When was the last time did you review/audit your internal Certificate Authority published certificates ? Do you know if the keys are exportable?