+ An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target referring
+ to a certificate in the attacker's possession, and then use this certificate to authenticate as the
+ target.
+
The certificate must meet the following requirements:
@@ -63,6 +68,34 @@ export const AdcsEsc14ScenarioALinux: FC = () => (
).
+
+
+
+ If the attacker cannot obtain a suitable certificate from the target environment, they may also be able
+ to use a third-party Client Authentication certificate.
+
+
+ This works because explicit certificate mapping differs from implicit certificate mapping. Implicit
+ mapping requires the certificate to chain to a CA certificate in the domain controller's NTAuth store.
+ Explicit mapping does not. For explicit mapping, the certificate only needs to chain to a trusted root
+ CA on the domain controller.
+
+
+ Windows trusts many third-party root CAs by default, so an attacker may be able to buy or steal a
+ third-party certificate with the Client Authentication EKU and use it for ESC14 Scenario A. For example,
+ providers such as{' '}
+
+ SSL.com
+ {' '}
+ are trusted by Windows and offer client authentication certificates.
+
+
+
+ Execution
+
Obtain a certificate meeting the above requirements for example by dumping a certificate from a computer, or
enrolling a new certificate as a computer:
@@ -71,18 +104,20 @@ export const AdcsEsc14ScenarioALinux: FC = () => (
{'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'}
- If the enrollment fails with an error message stating that the Email or DNS name is unavailable and cannot
- be added to the Subject or Subject Alternate name, then it is because the enrollee principal does not have
- their mail or dNSHostName attribute set, which is required by the certificate template. The mail attribute
- can be set on both user and computer objects but the dNSHostName attribute can only be set on computer
- objects. Computers have validated write permission to their own dNSHostName attribute by default, but
- neither users nor computers can write to their own mail attribute by default.
-
-
- The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or
- X509SHA1PublicKey. In this example, we use X509SHA1PublicKey.
+
+ If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+ cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+ not have their mail or dNSHostName attribute set, which is required by the certificate template. The
+ mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be
+ set on computer objects. Computers have validated write permission to their own dNSHostName attribute by
+ default, but neither users nor computers can write to their own mail attribute by default.
+
+
+ The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or
+ X509SHA1PublicKey. In this example, we use X509SHA1PublicKey.
+
+
Get the SHA1 hash of the certificate using openssl:
- Get the SHA1 hash of the certificate using openssl:
{`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]'
…
@@ -123,11 +158,15 @@ sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`}
export const AdcsEsc14ScenarioAWindows: FC = () => {
return (
<>
- ADCS ESC14 Scenario A
+
+ ADCS ESC14 Scenario A
+
- An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target referring
- to a certificate in the attacker's possession, and then use this certificate to authenticate as the
- target.
+
+ An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target
+ referring to a certificate in the attacker's possession, and then use this certificate to
+ authenticate as the target.
+
The certificate must meet the following requirements:
@@ -161,6 +200,34 @@ export const AdcsEsc14ScenarioAWindows: FC = () => {
).
+
+
+
+ If the attacker cannot obtain a suitable certificate from the target environment, they may also be
+ able to use a third-party Client Authentication certificate.
+
+
+ This works because explicit certificate mapping differs from implicit certificate mapping. Implicit
+ mapping requires the certificate to chain to a CA certificate in the domain controller's NTAuth
+ store. Explicit mapping does not. For explicit mapping, the certificate only needs to chain to a
+ trusted root CA on the domain controller.
+
+
+ Windows trusts many third-party root CAs by default, so an attacker may be able to buy or steal a
+ third-party certificate with the Client Authentication EKU and use it for ESC14 Scenario A. For
+ example, providers such as{' '}
+
+ SSL.com
+ {' '}
+ are trusted by Windows and offer client authentication certificates.
+
+
+
+ Execution
+
Obtain a certificate meeting the above requirements for example by dumping a certificate from a
computer, or enrolling a new certificate as a computer using Certify (2.0):
@@ -171,15 +238,28 @@ export const AdcsEsc14ScenarioAWindows: FC = () => {
}
- Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the certificate
- as a PFX file:
+
+ If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+ cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal
+ does not have their mail or dNSHostName attribute set, which is required by the certificate
+ template. The mail attribute can be set on both user and computer objects but the dNSHostName
+ attribute can only be set on computer objects. Computers have validated write permission to their
+ own dNSHostName attribute by default, but neither users nor computers can write to their own mail
+ attribute by default.
+
+
+ Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the
+ certificate as a PFX file:
+
{'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'}
- The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or
- X509SHA1PublicKey. In this example, we use X509SHA1PublicKey.
+
+ The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or
+ X509SHA1PublicKey. In this example, we use X509SHA1PublicKey.
+
+
Get the SHA1 hash of the certificate public key using certutil:
- Get the SHA1 hash of the certificate public key using certutil:
{`certutil.exe -dump -v .\\cert.pfx
…
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/LinuxAbuse.tsx
index 81b71d343df2..241f3318fe2a 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/LinuxAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/LinuxAbuse.tsx
@@ -22,7 +22,9 @@ const LinuxAbuse: FC = () => {
return (
<>
- The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack.
+
+ The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack.
+
>
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx
index a1e3d32c57d6..3ac394903aea 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx
@@ -23,7 +23,9 @@ const WindowsAbuse: FC = () => {
return (
<>
- The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack.
+
+ The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack.
+
>
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx
index 7b9f85a15b8a..59b349ba9361 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx
@@ -23,18 +23,20 @@ const LinuxAbuse: FC = () => {
return (
<>
- The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack.
-
-
- Alternatively, the write access to the SPN enable a targeted Kerberoasting attack against user accounts
- with a weak password. See the{' '}
-
- WriteSPN
- {' '}
- edge for more details.
+
+ The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack.
+
+
+ Alternatively, the write access to the SPN enable a targeted Kerberoasting attack against user
+ accounts with a weak password. See the{' '}
+
+ WriteSPN
+ {' '}
+ edge for more details.
+
>
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx
index 9fdd1eed90a1..44db012fccca 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx
@@ -23,18 +23,20 @@ const WindowsAbuse: FC = () => {
return (
<>
- The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack.
-
-
- Alternatively, the write access to the SPN enable a targeted Kerberoasting attack against user accounts
- with a weak password. See the{' '}
-
- WriteSPN
- {' '}
- edge for more details.
+
+ The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack.
+
+
+ Alternatively, the write access to the SPN enable a targeted Kerberoasting attack against user
+ accounts with a weak password. See the{' '}
+
+ WriteSPN
+ {' '}
+ edge for more details.
+