ADCS Enumeration
1. ADCS Enumeration
In lab or practice environments, ADCS is usually installed on the domain controller, but in most real deployments enterprises prefer to install it on a dedicated server.
1.1. On Windows
A key indicator that ADCS is installed is the presence of the built-in Cert Publishers group. This group is normally what authorizes a certification authority (CA) to publish certificates to the directory, so its existence usually signals that an ADCS server is present, and the ADCS server will be a member of the group. It can be discovered with net group, net localgroup, or any other group enumeration tool.
1.1.1. Determining whether ADCS is present
PS C:\Tools> net localgroup "Cert Publishers"
Alias name Cert Publishers
Comment Members of this group are permitted to publish certificates to the directory
Members
-------------------------------------------------------------------------------
LAB-DC$
The command completed successfully.
You can also check the Public Key Services container in the AD configuration partition:
CN=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain}
Certify (see 001-Inbox/certify) can also be used for enumeration. It is an open-source ADCS abuse tool distributed through the Flangvik SharpCollection repository.
1.1.2. certify.exe
PS C:\Tools> .\Certify.exe find
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=lab,DC=local'
...SNIP...
CA Name : LAB-DC.lab.local\lab-LAB-DC-CA
Template Name : ESC9
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT, NO_SECURITY_EXTENSION
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Domain Users S-1-5-21-2570265163-3918697770-3667495639-513
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
Object Control Permissions
Owner : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
WriteOwner Principals : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
WriteDacl Principals : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
WriteProperty Principals : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
...SNIP...
Certify.exe normally uses the credentials of the current session context.
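Certify prints msPKI-Certificate-Name-Flag and mspki-enrollment-flag as symbolic names, but a raw LDAP query of a certificate template returns them as 32-bit signed integers. The following is an added example (not from these notes or from Certify) that decodes those raw values into the same names; the bit values are taken from MS-CRTD, and the sample input is constructed to match the ESC9 template shown above.

```python
# Added example: decode raw msPKI-Enrollment-Flag / msPKI-Certificate-Name-Flag
# attribute values into the names Certify and Certipy print. Bit values: MS-CRTD.
ENROLLMENT_FLAGS = {
    0x1: "INCLUDE_SYMMETRIC_ALGORITHMS", 0x2: "PEND_ALL_REQUESTS",
    0x4: "PUBLISH_TO_KRA_CONTAINER", 0x8: "PUBLISH_TO_DS",
    0x10: "AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE", 0x20: "AUTO_ENROLLMENT",
    0x40: "PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT", 0x100: "USER_INTERACTION_REQUIRED",
    0x400: "REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE", 0x800: "ALLOW_ENROLL_ON_BEHALF_OF",
    0x1000: "ADD_OCSP_NOCHECK", 0x2000: "ENABLE_KEY_REUSE_ON_NT_TOKEN_KEYSET_STORAGE_FULL",
    0x4000: "NOREVOCATIONINFOINISSUEDCERTS", 0x8000: "INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS",
    0x10000: "ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT",
    0x20000: "ISSUANCE_POLICIES_FROM_REQUEST", 0x40000: "SKIP_AUTO_RENEWAL",
    0x80000: "NO_SECURITY_EXTENSION",
}

NAME_FLAGS = {
    0x1: "ENROLLEE_SUPPLIES_SUBJECT", 0x8: "OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME",
    0x10000: "ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME", 0x400000: "SUBJECT_ALT_REQUIRE_DOMAIN_DNS",
    0x800000: "SUBJECT_ALT_REQUIRE_SPN", 0x1000000: "SUBJECT_ALT_REQUIRE_DIRECTORY_GUID",
    0x2000000: "SUBJECT_ALT_REQUIRE_UPN", 0x4000000: "SUBJECT_ALT_REQUIRE_EMAIL",
    0x8000000: "SUBJECT_ALT_REQUIRE_DNS", 0x10000000: "SUBJECT_REQUIRE_DNS_AS_CN",
    0x20000000: "SUBJECT_REQUIRE_EMAIL", 0x40000000: "SUBJECT_REQUIRE_COMMON_NAME",
    0x80000000: "SUBJECT_REQUIRE_DIRECTORY_PATH",
}

def decode_flags(value, table):
    """Return the names of the bits set in value, lowest bit first.
    AD stores these attributes as signed 32-bit integers, so an LDAP client sees
    e.g. -1509949440 for a name flag of 0xA6000000: mask to 32 bits first."""
    value &= 0xFFFFFFFF
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)          # bits not covered by the table
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08X})")
    return names

def template_review(name, enrollment_flag, name_flag):
    """Summarise one template like the Certify output and report whether it carries
    NO_SECURITY_EXTENSION, the setting the ESC9 template above is built on."""
    enroll = decode_flags(enrollment_flag, ENROLLMENT_FLAGS)
    return {
        "template": name,
        "mspki-enrollment-flag": enroll,
        "msPKI-Certificate-Name-Flag": decode_flags(name_flag, NAME_FLAGS),
        "no_security_extension": "NO_SECURITY_EXTENSION" in enroll,
    }

if __name__ == "__main__":
    # Constructed sample: raw values as LDAP would return them for the ESC9 template.
    print(template_review("ESC9", 524329, -1509949440))
```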
1.2. On Linux
1.2.1. nxc
nxc (NetExec) can be used for enumeration with its adcs module:
netexec ldap 10.129.205.199 -u "blwasp" -p "Password123!" -M adcs
SMB 10.129.205.199 445 LAB-DC [*] Windows 10.0 Build 17763 x64 (name:LAB-DC) (Domain:lab.local) (signing:False) (SMBv1:False)
LDAP 10.129.205.199 389 LAB-DC [+] lab.local\blwasp:Password123!
ADCS 10.129.205.199 389 LAB-DC [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS Found PKI Enrollment Server: LAB-DC.lab.local
ADCS Found CN: lab-LAB-DC-CA
ADCS Found PKI Enrollment WebService: https://lab-dc.lab.local/lab-LAB-DC-CA_CES_Kerberos/service.svc/CE
1.2.2. certipy
certipy can also be used:
certipy find -u 'BlWasp@lab.local' -p 'Password123!' -dc-ip 10.129.205.199 -stdout
[*] Finding certificate templates
[*] Found 40 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 18 enabled certificate templates
[*] Trying to get CA configuration for 'lab-LAB-DC-CA' via CSRA
[*] Got CA configuration for 'lab-LAB-DC-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : lab-LAB-DC-CA
DNS Name : LAB-DC.lab.local
Certificate Subject : CN=lab-LAB-DC-CA, DC=lab, DC=local
Certificate Serial Number : 16BD1CE8853DB8B5488A16757CA7C101
Certificate Validity Start : 2022-03-26 00:07:46+00:00
Certificate Validity End : 2027-03-26 00:17:46+00:00
Web Enrollment : Enabled
User Specified SAN : Enabled
Request Disposition : Issue
Enforce Encryption for Requests : Disabled
Permissions
Owner : LAB.LOCAL\Administrators
Access Rights
Enroll : LAB.LOCAL\Authenticated Users
LAB.LOCAL\Black Wasp
LAB.LOCAL\user_manageCA
ManageCa : LAB.LOCAL\Black Wasp
LAB.LOCAL\user_manageCA
LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Administrators
ManageCertificates : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Administrators
[!] Vulnerabilities
ESC6 : Enrollees can specify SAN and Request Disposition is set to Issue. Does not work after May 2022
ESC7 : 'LAB.LOCAL\\Black Wasp' has dangerous permissions
ESC8 : Web Enrollment is enabled and Request Disposition is set to Issue
ESC11 : Encryption is not enforced for ICPR requests and Request Disposition is set to Issue
Certificate Templates
...SNIP...