HackTricks ADCS
Active Directory Certificate Services (AD CS) is a critical Windows Server role that manages digital certificates for authentication and encryption. When misconfigured, AD CS often becomes the easiest path for an attacker to escalate from a low-privileged user to a Domain Admin. The following guide summarizes the core "ESC" (Escalation) techniques as documented on HackTricks.

1. Enumeration: Finding the Vulnerabilities

To identify attack paths, you must first find the Certificate Authorities (CAs) and their templates. Standard tools include:

- Certipy (Linux/Python): the most comprehensive tool for automated AD CS discovery and exploitation.
- Certify (Windows/C#): a powerful tool for querying and requesting certificates directly from a Windows host.

Key command (Certipy):

    certipy find -u 'user@domain.local' -p 'password' -dc-ip 'DC_IP' -vulnerable

This command lists all templates where misconfigurations like ESC1 or ESC8 exist.

2. Core Escalation Techniques (ESC1 - ESC8)

Attackers target "vulnerable" templates, that is, templates allowing low-privileged users to request certificates for high-privileged accounts.
Active Directory Certificate Services (ADCS) exploitation is a powerful method for privilege escalation and domain persistence. Attackers often target misconfigurations in certificate templates that allow them to impersonate any domain user or computer.

Core Concepts & Components

- Certificate Authorities (CA): servers that issue and manage certificates.
- Certificate Templates: AD objects defining settings for issued certificates, such as permissions and purposes (EKUs).
- Extended Key Usages (EKU): define what a certificate can be used for (e.g., Client Authentication, Smart Card Logon).
- NTAuthCertificates: a critical AD object that stores the CA certificates trusted for domain authentication.

Common Exploitation Paths (The "ESC" Attacks)

Misconfigurations are categorized into different "ESC" types:

Active Directory (AD) prioritizes the subjectAltName (SAN) in a certificate for identity verification if present.
Hacktricks: Active Directory Certificate Services (ADCS) Exploitation

Introduction

Active Directory Certificate Services (ADCS) is Microsoft's PKI (Public Key Infrastructure) implementation. When integrated with Active Directory, ADCS enables certificate-based authentication, smart card logons, and encryption. However, misconfigurations in ADCS are notoriously common and can lead to domain compromise, privilege escalation, and persistence. This guide synthesizes key attack paths from research (notably Will Schroeder and Lee Christensen's "Certified Pre-Owned") and practical pentesting experience.
1. Core Concepts

1.1 ADCS Components
- CA (Certification Authority): issues and manages certificates.
- Certificate Templates: define certificate properties (usage, enrollment rights, issuance requirements).
- Enrollment: the process of requesting a certificate.
- PKINIT: Kerberos authentication using X.509 certificates (enables domain logon with smart cards or certificates).
1.2 Critical Attack Surfaces
- Vulnerable certificate templates (e.g., allowing client authentication, SAN specification, low enrollment rights)
- Overly permissive ACEs on CA or certificate objects
- Weak key protection (exportable private keys)
- Misconfigured enrollment agent templates
- NTLM relay to ADCS HTTP endpoints (ESC8)
2. Enumeration of ADCS

2.1 Discovering ADCS in the Environment

# Find AD CS enrollment services via LDAP. pKIEnrollmentService objects live in the
# Configuration partition, so the search base must point there (the cmdlet defaults
# to the domain partition and would return nothing).
Get-ADObject -Filter {objectClass -eq 'pKIEnrollmentService'} -SearchBase (Get-ADRootDSE).configurationNamingContext -Properties *

# Using Certify (C# tool)
Certify.exe find

# Using BloodHound (with ADCS support)
SharpHound3 -c All,GPOLocalGroup,LoggedOn,Trusts,ACL,Container,RDP,ObjectProps,DCOM,SPNTargets,PSRemote,CertServices
2.2 Manual Enumeration with Built-in Tools

certutil -CAInfo     # Show CA info
certutil -config -   # List CA config
certutil -TEMPLATE   # List templates
2.3 LDAP Queries for ADCS Objects
Certificate templates are stored as pKICertificateTemplate objects in CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local.

Enrollment services: CN=Enrollment Services,CN=Public Key Services,CN=Services,…
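The following is an added audit example in Python, not code from HackTricks or Certipy. It applies the ESC1 checklist from section 1.2 (enrollee supplies the subject/SAN, an authentication-capable EKU, no manager approval or authorized signature, enrollment open to low-privileged principals) to pKICertificateTemplate objects read from the LDAP path above, passed in as dicts of their attributes. The `enroll_sids` key is an assumption (the SIDs holding the Certificate-Enrollment right, resolved from the template's nTSecurityDescriptor beforehand), and the sample templates are constructed.

```python
# Added audit example (not HackTricks code): evaluate pKICertificateTemplate attributes
# for the ESC1 preconditions. Templates are dicts shaped like their LDAP attributes; the
# "enroll_sids" key is an assumption: SIDs holding the Certificate-Enrollment right,
# resolved from nTSecurityDescriptor beforehand (ACL parsing is out of scope here).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag bit (MS-CRTD)
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag bit: manager approval
# EKU OIDs that make an issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users

def allows_auth(ekus):
    # No EKU at all behaves like Any Purpose, so it counts as authentication-capable.
    return not ekus or bool(AUTH_EKUS & set(ekus))

def is_low_priv(sid):
    # Well-known SIDs, plus Domain Users (RID 513) and Domain Computers (RID 515).
    return sid in LOW_PRIV_SIDS or sid.endswith(("-513", "-515"))

def check_esc1(tpl):
    """Return each ESC1 precondition; the template matches ESC1 only when all hold."""
    checks = {
        "enrollee_supplies_subject": bool(tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "auth_eku": allows_auth(tpl.get("pKIExtendedKeyUsage", [])),
        "no_manager_approval": not tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS,
        "no_ra_signature": tpl.get("msPKI-RA-Signature", 0) == 0,
        "low_priv_enroll": any(is_low_priv(s) for s in tpl.get("enroll_sids", [])),
    }
    checks["esc1"] = all(checks.values())
    return checks

def audit(templates):
    """Map template CN -> check results, so the one precondition to break is visible."""
    return {t["cn"]: check_esc1(t) for t in templates}

SAMPLE_TEMPLATES = [  # constructed objects, not real domain data
    {"cn": "VPN-Custom", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": ["S-1-5-21-1-2-3-513"]},
    {"cn": "VPN-Approved", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": ["S-1-5-11"]},
    {"cn": "WebServer-Custom", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"], "enroll_sids": ["S-1-5-11"]},
]
```

Only VPN-Custom satisfies every precondition; the per-check output shows that requiring manager approval (VPN-Approved) or dropping the authentication EKU (WebServer-Custom) is enough to take a template out of the ESC1 pattern.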
3. Attack Primitives (ESC1–ESC13)

Based on the "Certified Pre-Owned" whitepaper, here are the most common and impactful ADCS attack paths.

ESC1 – Misconfigured Certificate Template (Supply SAN)

Condition:
