
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Certified Vulnerable: How Certificates Can Be Exploited
A discussion with ITAL members Eric Brown and Scott Rysdahl with Micah Kryzer. Micah is a pentester by day but also works alongside the ITAL team. In this episode the crew gives an overview of certificates, a big topic that transcends any one vendor or environment. Certificates are like an electronic passport meant to uniquely identify a person, computer or application on a network. The specific family of vulnerabilities discussed affects Microsoft Active Directory Certificate Services, which is Microsoft's own built-in PKI, or public key infrastructure, included with Windows servers and domains. Micah walks us through a pentest demo illustrating the ways this system can be exploited, as well as providing tips on how to protect business networks from this attack.
Eric Brown: You're listening to the Audit, presented by IT Audit Labs. Welcome to the Audit. My name is Eric Brown and today we have Scott Rysdahl and Micah Kryzer, and we are talking about certificates and vulnerabilities in certificates. We're gonna go through a bit of a demo here and we'll see one of the exploits that Micah has found and identified. And, Micah, maybe a little bit about yourself. You're a pen tester by day.
Micah Kryzer: Yeah, yep. So I work for a company based out of Iowa called ProCircular. I'm a red team consultant, so I perform pen tests kind of as my day job.
Eric Brown: Awesome. Of course, the famous Scott Rysdahl. He and I hang out at IT Audit Labs and try to help companies get better. So, Micah, before we jump into this, a little bit of an aside question for you, as we work with different clients all across the board. One of the questions that's asked sometimes on the vulnerability management side, or I guess we could call them next-gen AV or whatever the buzzword is that's popular today: what is one of, or maybe one or two of, the things that you may run into as a pen tester that you're like, oh no, that company's running X, it might be a little bit tougher to get through this pen test?
Micah Kryzer: Yeah, so Defender, like ATP. So the full paid version of Defender is very nice. That's probably one of the harder ones to bypass. And then all your big players, you know, like CrowdStrike. Carbon Black is good too. With Carbon Black, their default policies aren't the best, so you do need to spend more time actually fine-tuning it. I haven't touched Palo Alto's version too much in pen testing, but I would assume it's probably pretty good. But yeah, I definitely am a big fan of CrowdStrike or Defender for Endpoint, the paid version.
Eric Brown: Thanks. Well, Scott, I'll hand it over to you.
Scotty Rysdahl: Yeah. So we have a few slides to share, hopefully nothing too arduous, about how certificates work in general and then the exploitation paths that Micah has found. So let's jump in real quick with some overview. So certificates are a big topic and they transcend any one vendor or environment. But this specific kind of family of vulnerabilities affects the Microsoft Active Directory Certificate Services, which is Microsoft's own built-in PKI, or public key infrastructure.
Scotty Rysdahl: It comes included with Windows Server and Windows domains. You don't have to buy it separately from Microsoft and it's available to deploy in a Windows domain environment as a role, as a server role. So you know you would just spin up a new server and go through the normal wizard to install roles and features and go ahead and deploy your own PKI in a box, basically. One thing we'll run into in the rest of this conversation is that, you know, when you deploy something like this, there's a lot of default settings and sort of default assumptions about how it's going to be used, and those aren't always, you know, secure by default, and I might say even especially with Microsoft, because they, you know, try to make things pretty turnkey and pretty easy for admins to do through GUI tools and whatnot. So a great, powerful, you know, essentially free tool from Microsoft. But you know, buyer beware and make sure to read the manual.
Scotty Rysdahl: So a couple things we noted about certificates and certificate authorities like this one are that there's usually kind of a request or enrollment process for certificates. So before somebody gets one issued for whatever the use case might be, they have to either, you know, put in a ticket, maybe, and have an admin manually go through and generate a certificate, or, if you want to automate it, there's usually automated enrollment methods that you can use so a computer can just go out and say, hey, this is me, and the certificate authority will say, oh great, I see who you are, I'm going to issue the certificate that you want based on what you sent me. That automated certificate issuance process is again something we're going to talk about today and kind of where these vulnerabilities come in. The worst of these vulnerabilities that Micah is going to talk about a little more can be used to essentially take over an entire Windows domain. If the permissions are just so and you have some low-level access, even just like a member of that default Domain Users type group in Active Directory, you can use this to get a certificate that will let you authenticate to the domain as full domain admin, so you own the estate at that point, right?
Scotty Rysdahl: So a digital certificate is basically an electronic passport that's baked into, you know, a digital file that includes other information like who issued it, how long is it valid, what are some of the uses for it, you know. Can you use it to authenticate to a system, or is it used to sign code, or whatever the case may be. They are issued typically, so you wouldn't build a certificate from scratch. Hopefully, in most cases you would request a certain type of certificate, a server certificate, a client certificate, a code signing certificate, and then, based on a template, you know, the certificate authority, ADCS in this case, would give you something back that kind of has all those predefined, pre-configured values in it, based on how it's intended to be used. So templates are, you know, the master image of these certificates that get issued and used in the domain. Micah, anything to add about certs in general?
Micah Kryzer: Nope, I think that pretty much summarizes it. Okay.
Eric Brown: Question for you: if you didn't want to use Microsoft's PKI, is there another tool you could use? Or if you're running Active Directory, do you pretty much have to use it?
Scotty Rysdahl: It makes it a lot easier because it's all ready to be plugged into an existing domain environment and have the right permissions and group and computer object access that you would need to manage certificates. But you can certainly use a different one. A company that I work with uses Sectigo, formerly Comodo. They have an enterprise kind of certificate-authority-as-a-service offering, and so they even let you deploy little agents in your environment that your systems can call out to instead of the native ADCS endpoints to handle certificate requests and issuance and renewals. But like a lot of things in Microsoft land, you know, if it comes included, and it comes included for free, and it does 80% of the things that you need, it just usually makes sense to go with that option for a lot of companies.
Scotty Rysdahl: So a little bit about how Active Directory Certificate Services works. It is a full-featured PKI tool. This is all you need to set up your own sort of trusted root certificate and then intermediates and leaf certs. It can handle certificate revocation. So if you need to say that a certificate is no longer valid, it can publish that list and clients can query it. It's the whole CA in a box, like we said. And again, certificates can be issued manually by administrators or in an automated fashion based on just templates and automated certificate issuance endpoints. Usually, because there's a lot of these things that need to be maintained in a typical network, you try to automate as much as you can, which brings us to the vulnerabilities that affect this particular platform, and I'll pass it over to Micah to explain a little bit about kind of the history of how these were discovered and, specifically, how they work.
Micah Kryzer: Yeah, so the thing to note is this isn't that old of an attack. It was first found kind of in 2021 by a company called SpecOps. They published a white paper about it and it was really good, really well documented, laid out. They initially found eight vulnerabilities, I believe, and they labeled them ESC1 through ESC8. And all of them are kind of related to those certificate templates that Scott brought up, except for ESC8. ESC8 is actually related to the ADCS itself. That has to do with HTTP web enrollment being enabled on the server.
Micah Kryzer: A lot of these attacks are pretty much from a normal user to a domain admin. ESC8, the web enrollment one that I mentioned, that one is actually from an unauthenticated user to, depending on which password hash. It's a relay attack. So you need to have somehow captured someone's password hash and, instead of cracking it, you can actually relay it to the ADCS server itself. So whatever password hash you captured, that's the password that you're going to, or that's the user that you're ultimately going to compromise. But if you have any, like, service account password hashes that are going across your network or anything like that, those are the accounts that can be compromised. In our demo today, the attack that we're going to be performing is actually ESC1. So that is assuming an authenticated user has enrollment rights, and they're actually going to enroll a certificate of authentication for a different user. In this case it's going to be the administrator account, so the domain admin of the whole domain.
Eric Brown: And Micah, are these more theoretical attacks, or have you done these in practice during your pen test assessments?
Micah Kryzer: Yeah. So this is kind of like the new, I would say, Kerberoasting. So, like a lot of companies, you kind of come into a pen test, you might run like a Kerberoast, and that used to be like the easy win, but a lot of companies have Kerberoasting kind of locked down. So I would say this is kind of the new easy win that the pen testers are doing, especially because you can go, in most cases when you find these, from any authenticated user straight to domain admin. The two main ones that I find are ESC1 and ESC8, which is why I chose to demo ESC1 today.
Eric Brown: That's cool.
Scotty Rysdahl: All right, do we want to dive right into the demo? Micah, do you have that ready?
Micah Kryzer: Yeah, I can share that here. Let me know when you can see it. I got it. Yeah, so in this example this is just a Linux box that's just plugged into the domain. So you can just think of any type of box that just gets plugged in. It's not domain joined, which is kind of another reason why this exploit is so critical. First, here I'm just going to run a command. It's using a tool called CrackMapExec. That's just going to show that I'm currently not a domain admin. I don't have domain admin on the domain controller.
Micah Kryzer: Next we are going to be using a tool called Certipy. We're going to be running the find vulnerable command that's in that tool. That's going to scrape the ADCS server, looking for these vulnerable templates for us. So kind of right at the top here, that's actually the CA information. So like I said, with that ESC8, if you are vulnerable to it, that's where you're going to find the information about it. It'll be displayed in that section. And then kind of the second section here are going to be the certificate templates, and this one is a template called Voluntemp1.
Micah Kryzer: I'll kind of highlight the sections here. So each of the ESC vulnerabilities, they each have like certain requirements, or like checkboxes, that they have to meet to be vulnerable. So with ESC1, it obviously needs to be enabled. So any of these certificates need to be enabled for an attacker to use them. So that's one thing: if you do have a vulnerable template, going in there and disabling it is a solution. It needs to be for client authentication, because that's what we're trying to do. We're trying to authenticate as a different user, and then the enrollee supplies subject. That's where the vulnerability kind of is, that and the fact that manager approval is disabled. So that basically means, well, and enrollment rights down there is Domain Users. So what that's saying is that any domain user can enroll a certificate of authentication for any other user on the domain. So in this case I'll be enrolling a certificate for the administrator account and then using that to extract the NTLM hash of the administrator, which the NTLM hash can then be used in a pass-the-hash attack. It's just as good as a password, so you can really use it for anything on the network.
Scotty Rysdahl: Could you go back just a little bit and explain what subject supplies or enrollee supplies subject means, because that's really key, I think, to why this particular one works.
Micah Kryzer: That's the ability. So that's giving the ability for those users to supply that name, so saying like, I want to authenticate, or I want to request a certificate for the administrator account even though I'm not the administrator. So that's that line that kind of tells that to happen.
Scotty Rysdahl: Yeah. So going back to our passport example, this is sort of like if I could order a passport from, who is it, the Department of State or something, and I just said, you know, my name is Joe Biden, right? And they would just say, oh cool, your name is Joe Biden, huh? Here's your passport for Joe Biden. And all of a sudden I can, you know, walk into the Oval Office or whatever, without another question being asked. Is that right?
Micah Kryzer: And one thing to note. So on the issued certificate itself, you will see that the user did supply a name. So that is one way that, when you're kind of auditing for these, if you think maybe there are certificates out there that maybe have abused this attack, that's one way to kind of audit for it. It's kind of a manual process because you have to look at the certificates, but in there it should say which user requested it and then what they supplied for a name.
Eric Brown: And why would you have that set to true in any environment?
Micah Kryzer: What's the purpose of that? It's a good question. I don't know if you've seen that on the blue side, Scott.
Scotty Rysdahl: Yeah, so it's just kind of common. It's a common way to do certificate issuing when you want to automate the whole process. So let's say that you wanted every client device, every laptop in your organization, to get a client cert, right? You could have a template set up that allows the clients individually to report their SAN or their subject name, which would just be based on their host name, and then you could issue 10,000 certificates in an hour without any more configuration being needed.
Scotty Rysdahl: Right, it's the easy button for this kind of thing, and, Micah, correct me if I'm wrong, but I think Microsoft is soon making an effort to fix this by turning on something called strong binding. Is that the right term? Where there's more logic that checks whether a given client or enrollee is sort of authorized to use a given subject name? I probably butchered that a little bit, but rather than just be like a fill-in-the-blank field on the certificate request form, digital form, it ties it back to an actual, like, Active Directory object. I don't know if you're ready, if you're comfortable talking about that, but that's my sense for why it would be allowed and maybe how Microsoft is trying to address it.
Micah Kryzer: Yeah, I do know one thing too, to address it. I mentioned that manager approval setting. So that is a setting that you can set so these certificates actually have to be approved before they get issued. So that's kind of how you could audit it as well. But okay, yeah, I haven't heard about Microsoft's new stance on that, so I'll have to look into that.
Scotty Rysdahl: Cool, yeah, maybe I'll throw a link in the show notes. It's a pretty new change, but I think they're doing it this summer sometime and it's maybe not optional for domains at ECS. Anyway, back to our regularly scheduled program.
Micah Kryzer: Yeah, so we have a vulnerable template that we found. So on the blue team, you can run that tool, you can run the find vulnerable command and you can get a list of templates that are vulnerable pretty much right off the bat from this tool. It's just a Python tool. The GitHub page explains how to install it. It's pretty simple to install. Like I said, you just need a Linux box plugged into the network and then an authenticated user.
Scotty Rysdahl: There's a PowerShell version too, right?
Micah Kryzer: There is, yep. So there's a PowerShell version and a C# version. The PowerShell version and the C# version will both set off whatever AV provider you have. So depending on your environment and depending on what resources you have access to, sometimes spinning up like a Linux VM on your host and doing a quick scan of your network is a bit easier. But yeah, there's definitely tools out there for Windows as well. So next, we're just going to request a certificate. So if you look at this command here, the UPN, so that's the administrator account that we're actually going to try to compromise. We're specifying the template, so it was called Voluntemp1. And then we have our basic user here. So now we have the PFX, which is just the certificate of authentication. So from this point we could actually request, you know, if we wanted to request like a ticket granting ticket, we could do that. But Certipy has a built-in command that will take care of the multiple steps you normally have to take to capture this user's NTLM hash.
Scotty Rysdahl: Just to be clear, on the last command line you ran, the password that you provided, IHITPASSWRDS1 there, that's for the low-level user, right? That's Bobby in the mailroom. That's not the domain admin password.
Micah Kryzer: Yep, that's correct. So right here, this is the NTLM hash now of that administrator account. So that's the actual password hashed, of course. But NTLM hashes, like I said, you can use in a pass-the-hash attack, so they're just as good as a password to an attacker. So then, just to demo it, I'll run that CrackMapExec tool again from the beginning and you'll see here it'll say admin next to the domain controller, showing that we have domain admin. It does save the ccache of the administrator too, so you can use that for Kerberos authentication. So you pretty much own the user at that point. That's pretty much the demo. So, as you can tell, this is another reason why, like I say, it's kind of like Kerberoasting, like it's a really simple attack to pull off, and I know a lot of times people don't like to think about, like, the insider threat. But this is definitely one of those where it could be a direct path from like an insider threat perspective too. So any authenticated user.
Scotty Rysdahl: Yeah. Or a vendor who has access to, say, a Citrix environment, right? Yeah. Or any way that anybody gets the lowest level of access to your domain.
Eric Brown: Yeah, absolutely. Thanks, Micah. That's great. What would maybe some defenses against this be? I think we touched on a couple already. But what about something like network segmentation? Would that come into play here at all? Or if the admins are checking in and checking out passwords out of a PAM tool, would that help at all, just by limiting, maybe, the duration of the password?
Micah Kryzer: Yeah, the PAM tool I haven't experimented with to test out, but I would assume, depending on how, when you request that NTLM hash, that's coming from the domain controller, so whatever hash is currently being used to authenticate, obviously you're going to be able to authenticate with it. So, like, if an attacker runs this attack when the administrator has their password checked out, I would assume that you could use it. I'm not 100% sure on that, but yeah, as soon as they check it back in and that password rotates, the attacker wouldn't be able to do it. You know, this isn't just a domain admin though, because I mean, if maybe I just want to get access to, like, information on a SQL server, or I want to get access to some file share that I don't currently have access to, an attacker might not just target a domain admin, especially if he knows maybe it's a mature client and they are using, like, a PAM solution. To answer the network segmentation question:
Micah Kryzer: It would work if, whatever host, you know, it's the ADCS server. So if you can't talk to the ADCS server and you can't request a certificate, then you're good. But then eventually, if you have an ADCS server set up somewhere on your network, if you're using it, something's going to have to talk to it.
Scotty Rysdahl: So to add one thing. I think that once you have a certificate issued for, say, domain admin, I think they can change their password as much as they want, but as long as that certificate is still valid, I think they can still use it to authenticate. Is that right?
Micah Kryzer: Yeah, and that's where I would have to do some testing. But I'm not 100% sure, because if that password is currently checked in, I don't know how the domain controller, you'll be pulling that NTLM hash from that domain controller. But if that password's checked in, I don't know how the PAM solution works on the back end like that. I would assume that it would somehow expire that password in the domain controller. You could still request the NTLM hash or the ticket for the administrator, but I don't know if you'd be able to use that anywhere.
Eric Brown: I think that gets to the question around the value of, or the cost justification, the expense of, a privileged access management tool, or PAM tool, versus more or less a password manager where you could store your passwords and they could be long and complex, but you're just pasting them into whatever tool you're using the password for and there's none of the auto rotation, check in, check out features. I mean, it's certainly good for the home user where you're maintaining a one-to-one relationship between the application you're logging into and the password, but in an enterprise environment it seems that that PAM tool that does that auto rotation adds that additional layer of security.
Micah Kryzer: Yep, yeah, it definitely does. The nice part about the PAM solution, too, is you can put MFA in front of that as well.
Scotty Rysdahl: Seeing the demo and knowing that this can take you from the lowest possible user in the environment all the way to domain admin in, how long was the video, Micah? Three minutes, about? Yeah, yeah. So we wanted to share some ways that you could detect and/or protect your Active Directory environment and ADCS installation against this type of attack. Micah, do you mind walking through these? Yeah, no.
Micah Kryzer: So we kind of already touched base on the tool to find the vulnerabilities. We'll have some links to the tool that I used today. And then the other tools are called Certify. So that's a C# version that's actually released, I think, by the SpecOps people. So the people who published the white paper actually released that tool. Then they released a PowerShell version of that tool as well, if you're not too comfortable with compiling C# code. So yeah, there's tools out there to audit, and that's probably going to be
Micah Kryzer: your first step, auditing and seeing if you're vulnerable to these templates. The quickest way to fix is to either unpublish or, like I said, disable those templates. So if you have a template that hasn't been used in a while and is vulnerable, you go ahead and just disable that. If vulnerable templates are found, obviously you're going to want to focus on the ones that will get you domain admin. So, like I mentioned, that ESC8, that is the relay vulnerability, there's a few more steps to take for an attacker to actually execute that vulnerability. So fixing that one's a little bit lower on the priority than fixing this ESC1 that we demoed.
Micah Kryzer: Unfortunately, ADCS doesn't have the verbose logging turned on by default. So if you're currently not logging your ADCS, I think it's called debug logs or something like that, you're going to want to go and flip those on and start ingesting them into whatever solution you're currently ingesting logs into, and that's going to help detect these being exploited. And then, yeah, this is one of those attacks where it's actually really hard to, I guess, kind of figure out if you've been compromised or not. So I kind of recommend just reaching out to, like, an incident response team to investigate if you do think that you have been taken over from this type of attack. You can look at, like I said, the issued certs and you can sit there and dig through them and see if maybe, like, an ESC1 took place. But some of the other ESCs are kind of harder to detect, and especially with logging being turned off by default. If you don't have that turned on, you're going to be missing a big chunk of the picture.
Eric Brown: It's interesting that you bring up that insider threat piece with these. We always think about attacks trying to go for a privileged account and then being able to operate at that privilege level. But from an insider perspective, if someone in one department maybe wanted to gain access to protected information, they wouldn't need to go through the steps of gaining admin. They could just essentially get the privileges of another user in that department where they wanted to see data from. So that's kind of scary from the perspective of, one, detecting it, but then, two, reporting on it, where there's that due care of data and a reporting responsibility if someone gained access to that data that wasn't authorized to do so.
Scotty Rysdahl: So the back story of how we all ended up here today, really quick, is that Micah did some work for a client of ours, Eric, found a couple of these vulnerable templates and, as his proof of concept, he took over the CISO's account, just for fun. You know, she wasn't a domain admin, or maybe she was, I forget. But you can pick and choose, once you find the right vulnerable template, who you want to be.
Micah Kryzer: Yeah, they kind of play off the insider threat too. One kind of thinking exercise as well is, like, what if I paid a help desk employee 10k for access for, you know, 30 minutes or whatever? So, yeah, there's definitely, I think the insider threat's definitely a bigger threat than most companies are probably aware of.
Scotty Rysdahl: Cool. I think all we have left is some links to resources, and we can throw these up when we post the episode, Eric. But we've got the white paper, at least one of the tools that Micah mentioned for auditing and/or exploiting these vulnerabilities, and then some general guidance from Microsoft on kind of what ADCS is and how to secure it, how to implement it securely. And maybe a last question for you, Micah: any projects that you're working on or anything that you wanted to call our attention to?
Micah Kryzer: Nothing from my end. No, yeah, it's almost summertime, so I guess I spend more time outside now. Nice.
Scotty Rysdahl: All right, should we wrap it up? Sounds good, yeah, all right. Well, Micah, thanks for joining us again today. I'll note that this is the second time we've recorded this episode and I think we did a much better job this time of being professional about it. So thanks for coming back and we look forward to having you again sometime.
Micah Kryzer: Yeah, thank you.
Eric Brown: In the current technology landscape, managing risk, among other operations, can be incredibly challenging. Let IT Audit Labs experts provide a detailed, thorough examination in preparation for your upcoming audit. Contact us to learn more.