ADCS
AD CS (Active Directory Certificate Services)
AD CS is Microsoft's PKI system integrated in AD. A CA (Certificate Authority) issues certificates for users, machines and services. A valid certificate can be used to request a TGT, making misconfigurations extremely dangerous.
Key concepts:
- CA (Certificate Authority): Server that issues certificates.
- Template: Defines who can request what type of certificate.
- EKU (Enhanced Key Usage): Defines what the certificate can be used for.
- Enrollee: User requesting the certificate.
Enumeration
# all registered CAs
Certify.exe cas
# enumerate templates
Certify.exe find
# enumerate vulnerable templates
Certify.exe find /vulnerable
# Enumerate templates where enrollee supplies subject
Certify.exe find /enrolleeSuppliesSubject
# Dump info
certutil -dump C:\AD\Tools\esc3-DA.pfx
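For reviewing templates from the defensive side, the sketch below combines the concepts above (template, EKU, enrollee) into one audit check. It is an added example, not code from this page or from Certify. It assumes the template attributes have already been exported into dictionaries; the sample records are constructed, and `enroll_principals` is a hypothetical simplified field standing in for the enrollment ACL.

```python
# Added example: audit exported certificate-template attributes for the
# "enrollee supplies subject" + authentication EKU combination.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that let a certificate be used for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}
# Assumption: groups treated as "low privileged" for this review
BROAD_GROUPS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

def audit_template(t):
    """Return a finding string for a risky template record, else None."""
    ekus = t.get("pKIExtendedKeyUsage", [])
    # A template with no EKU at all yields a certificate valid for any purpose.
    auth = [AUTH_EKUS[o] for o in ekus if o in AUTH_EKUS] if ekus else ["No EKU"]
    supplies = t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    approval = t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS
    signatures = t.get("msPKI-RA-Signature", 0)  # required authorized signatures
    broad = sorted(BROAD_GROUPS & set(t.get("enroll_principals", [])))
    if supplies and auth and broad and not approval and signatures == 0:
        return (f"{t['name']}: enrollee supplies subject, EKU {', '.join(auth)}, "
                f"enrollable by {', '.join(broad)}, no approval or signature required")
    return None

def audit(templates):
    """Map template name -> finding for every template that needs review."""
    return {t["name"]: f for t in templates if (f := audit_template(t))}

# Constructed sample records (not taken from a real environment)
SAMPLE = [
    {"name": "Constructed-WebServer", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"], "enroll_principals": ["Domain Users"]},
    {"name": "Constructed-VPNUser", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Domain Users"]},
    {"name": "Constructed-SmartCard", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x2, "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.2"],
     "enroll_principals": ["Authenticated Users"]},
    {"name": "Constructed-User", "msPKI-Certificate-Name-Flag": 0x0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Domain Users"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE).values():
        print(finding)
```

Templates it reports are candidates for removing the supply-in-request setting, requiring manager approval, or narrowing enrollment rights.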
Abuse
⚠️ Why is AD CS so powerful?
- Certificates last months: even if the password changes, the cert remains valid.
- Can be used to escalate across domain trusts (dollarcorp → moneycorp).
- More stealthy than traditional Kerberos attacks.