CA/Template Discovery

More in-depth information on AD CS can be found in the Certified Pre-Owned whitepaper by SpecterOps.

That bish is 143 pages long, so I'm going to be describing the important parts of the most commonly seen escalation (ESC) attacks.

Finding the Active Directory Certificate Service (AD CS) server is as simple as querying a domain controller on the target domain using Lightweight Directory Access Protocol (LDAP).

In order to query a computer via LDAP, you must have a valid set of credentials for a domain user (or access to a domain computer if using certutil.exe).

This is made even easier as several tools already exist to do this easily!

GitHub - Pennyw0rth/NetExec: The Network Execution ToolGitHub

Linux

netexec ldap -u [username] -p [password] -M adcs

The ldapsearch Command-Line Tooldocs.ldap.com

Linux

ldapsearch \
  -H ldap://dc.domain.local -D 'user@domain' -w 'password' \
  -b 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=sccm,DC=lab' \
  -s one '(objectClass=pKIEnrollmentService)' \
  cn dNSHostName

Finding Vulnerable Templates

Similar to finding the AD CS server, we can use LDAP to query the AD CS server for information about what templates are available, as well as information about the template, such as permissions required to obtain a certificate.

GitHub - ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuseGitHub

Linux (Attacker)

certipy find -u [username]@[domain] -p [password] -dc-ip [DC IP] -vulnerable

To get a list of all available certificate templates (including non-vulnerable ones), simply remove the --vulnerable flag.

These tools will output a list of templates potentially vulnerable to AD CS exploits known as ESC1 through ESC11.

PreviousAD CS Architecture NextESC1

Last updated 12 days ago

hashtagFinding Vulnerable Templates

Finding Vulnerable Templates