Certificate Service Relaying
After coercing the victim machine into authenticating to us and capturing the NetNTLM challenge-response of its machine account, several exploitation scenarios open up, which we will cover across different blog entries.
In this entry we look at Certificate Service Relaying, with a practical example in a test lab.
In this first case the attack consists of relaying the authentication captured through a "Coerce Authentication" technique to an AD CS (Active Directory Certificate Services) instance whose web enrollment endpoints are left in their default, insecure configuration, in order to escalate privileges in the domain. Note that the captured credential is not cracked or replayed offline: the relay has to forward the NTLM exchange in real time, while the coerced client is still waiting for the server's answer.
Below are the conditions that must be met for this attack to work:
- The AD CS web enrollment endpoints accept NTLM authentication (the default).
- That NTLM authentication is not protected by Extended Protection for Authentication (EPA) and the endpoints are reachable over plain HTTP instead of requiring HTTPS with channel binding. SMB signing is not a factor here, because the relay target is an HTTP endpoint, not an SMB service.
- The CA is running at least one of the following web roles:
- Certificate Authority Web Enrollment (the /certsrv pages, which is what ntlmrelayx targets).
- Certificate Enrollment Policy Web Service.
- Certificate Enrollment Web Service.
Summary
The exploitation process of this attack is briefly explained below:
1. Gain access to a network with Active Directory and an AD CS instance whose web enrollment is in the default configuration. For some coercion techniques a domain account is also needed, regardless of its privileges.
2. On an attacker-controlled machine, start the relay software (ntlmrelayx) pointed at the AD CS web enrollment endpoint, so that any incoming NTLM authentication is forwarded there.
3. Coerce the domain controller (using any "Coerce Authentication" vulnerability) into authenticating to the attacker-controlled machine.
4. The domain controller authenticates to the attacker-controlled machine with its machine account.
5. The relay forwards that authentication, in real time, to the AD CS web enrollment endpoint.
6. AD CS issues a certificate for the domain controller's machine account, from a template that domain computers can enroll in and that allows client authentication (the default Machine template, for example).
7. Using the certificate obtained in the previous step, a Kerberos TGT is requested through PKINIT.
8. Use the TGT of the domain controller's machine account to run a DCSync and dump the domain's NTDS secrets, or use S4U2Self to obtain a service ticket to the domain controller as any user.
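Steps 4 to 6 leave a clear trace on the CA: the domain controller's machine account authenticates to the web enrollment pages, but the TCP connection comes from the relay box, not from the domain controller. The following added example (not code from the original post, and not part of impacket) scans a W3C IIS log from the CA host for exactly that mismatch and pulls out the request ID of any certificate that was then downloaded. The log lines, host addresses, request ID and the KNOWN_HOSTS inventory are constructed for the example; only the Python standard library is used.

```python
"""Spot relayed machine-account enrollments in the CA's web enrollment IIS log.

Added example, not code from the original post or from impacket. The log
lines, host names, IP addresses and request IDs below are constructed.
"""
import re

# Constructed W3C IIS log from CA.corp.lab. Assumed addresses:
# 10.0.0.10 = DC.corp.lab, 10.0.0.20 = CA.corp.lab, 10.0.0.40 = Windows10,
# 10.0.0.50 = Attack_Machine. IIS logs a space inside a field as '+', so the
# sample user agent is kept space-free to allow whitespace splitting.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-10 10:01:02 10.0.0.20 GET /certsrv/ - 80 CORP\\bob 10.0.0.40 Mozilla/5.0 200
2023-05-10 10:03:15 10.0.0.20 POST /certsrv/certfnsh.asp - 80 CORP\\DC$ 10.0.0.50 Mozilla/5.0 200
2023-05-10 10:03:16 10.0.0.20 GET /certsrv/certnew.cer ReqID=12&Enc=b64 80 CORP\\DC$ 10.0.0.50 Mozilla/5.0 200
2023-05-10 10:05:00 10.0.0.20 POST /certsrv/certfnsh.asp - 80 CORP\\WIN10$ 10.0.0.40 Mozilla/5.0 200
"""

# Assumed asset inventory: the address(es) each machine account should enroll from.
KNOWN_HOSTS = {"CORP\\DC$": {"10.0.0.10"}, "CORP\\WIN10$": {"10.0.0.40"}}

ENROLL_URI = "/certsrv/certfnsh.asp"  # form handler that receives the CSR
ISSUED_URI = "/certsrv/certnew.cer"   # where the issued certificate is fetched


def parse_w3c(text):
    """Turn a W3C extended log into a list of dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def find_relayed_enrollments(rows, known_hosts):
    """Return one alert per machine-account CSR submitted from an unexpected source.

    A coerced DC shows up as CORP\\DC$ posting a CSR, but the connection comes
    from the relay host rather than from the DC itself. That mismatch is the signal.
    """
    alerts = []
    for r in rows:
        user = r.get("cs-username", "-")
        if not user.endswith("$") or r["cs-uri-stem"].lower() != ENROLL_URI:
            continue
        src = r["c-ip"]
        expected = known_hosts.get(user)
        if expected is not None and src in expected:
            continue  # the machine enrolled from its own address: ordinary enrollment
        # Did the same (user, source) pair then download a certificate? Pull its ReqID.
        req_ids = [
            m.group(1)
            for x in rows
            if x["cs-uri-stem"].lower() == ISSUED_URI
            and x["cs-username"] == user and x["c-ip"] == src
            for m in [re.search(r"ReqID=(\d+)", x["cs-uri-query"])] if m
        ]
        alerts.append({
            "time": f"{r['date']} {r['time']}",
            "user": user,
            "source": src,
            "expected": sorted(expected) if expected else [],
            # Port 80 means the endpoint accepted NTLM over plain HTTP, i.e. the
            # precondition from the list above (no HTTPS, so no channel binding).
            "plain_http": r["s-port"] == "80",
            "issued_request_ids": req_ids,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_relayed_enrollments(parse_w3c(SAMPLE_IIS_LOG), KNOWN_HOSTS):
        print(alert)
```

On a real CA the log to feed in lives under the IIS log directory (by default inside C:\inetpub\logs\LogFiles on the CA host), and KNOWN_HOSTS should be populated from DNS or the computer objects in AD rather than typed by hand. The `plain_http` flag doubles as a configuration check: if enrollment requests are arriving on port 80, the first two conditions listed above are met on that endpoint.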
Test Laboratory Components
Below we briefly describe the assets in the test lab:
- Attack_Machine – A Kali Linux host from which we carry out the "Coerce Authentication" and on which the relay software listens for the incoming authentication.
- DC.corp.lab – Domain controller of the "corp.lab" domain, and the victim of the attack. An unprivileged user named "Bob" is configured in that domain, to simulate the attack starting from the compromise of a low-privilege account.
- CA.corp.lab – Certificate Authority (AD CS) within the "corp.lab" domain.
- Windows10 – Windows workstation joined to the "corp.lab" domain and previously compromised by the attacker.
Installing specific version of impacket
To carry out this attack we need a specific impacket branch: it adds the ntlmrelayx ADCS attack, which relays the captured NTLM authentication to the AD CS web enrollment endpoint and retrieves the issued certificate. (This feature has since been merged into upstream impacket, so a current release supports it natively; the branch below is only required with older versions.) To install it we follow these steps:
- Install the Python virtual environments package:
sudo apt install python3-venv
- Download and check the specific version of impacket needed.
git clone https://github.com/ExAndroidDev/impacket.git
cd impacket
git checkout ntlmrelayx-adcs-attack
- Create a new virtual environment and install impacket dependencies