Certify, a tool released by SpecterOps as part of their research mentioned above:
Certify, which provides information about a vulnerable certificate template:
msPKI-Certificate-Name-Flag: ENROLLEE_SUPPLIES_SUBJECT field, which indicates that the user requesting a new certificate based on this certificate template can request the certificate for another user, meaning any user, including a domain administrator. Below shows the same certificate template setting via GUI when inspecting certificate templates via
PkiExtendedKeyUsage: Client Authentication, which indicates that a certificate generated from this certificate template can be used to authenticate to computers in Active Directory. Below shows the same setting via GUI when inspecting certificate templates via
Enrollment Rights: NT Authority\Authenticated Users, which indicates that any authenticated user in Active Directory is allowed to request new certificates based on this certificate template. Below shows the same setting via GUI when inspecting certificate templates via
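The three settings listed above are the combination that makes a template abusable, and they are what Certify looks for. The following is an added example, not Certify's code or anything from the original post: a small audit that takes template attributes as exported from Active Directory and reports which templates meet the full ESC1 combination. Beyond the three conditions the text names, it also checks two further settings that would otherwise block the attack (CA-manager approval and a required authorized signature). The template records below are constructed sample data, and the enrollment principals are assumed to have already been resolved from each template's security descriptor, which this example does not parse.

```python
"""Audit certificate-template attributes for the ESC1 combination.

Constructed example: each template is a dict of the LDAP attributes of a
pKICertificateTemplate object, plus an "enroll" list of principal names
that hold the Enroll right (assumed to be pre-resolved from the template's
security descriptor, which this example deliberately does not parse).
"""

# Bit in msPKI-Certificate-Name-Flag that lets the requester supply the SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag that forces CA-manager approval of requests.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that make an issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Enrollment principals that effectively mean "any domain user can enroll".
LOW_PRIV_PRINCIPALS = {"authenticated users", "everyone", "domain users", "domain computers"}


def allows_authentication(ekus):
    """True if the EKU list permits authentication (an empty list means any purpose)."""
    return not ekus or bool(AUTH_EKUS.intersection(ekus))


def enrollable_by_low_priv(enroll_principals):
    """True if a broad, low-privileged group holds the Enroll right."""
    names = {p.split("\\")[-1].lower() for p in enroll_principals}
    return bool(names & LOW_PRIV_PRINCIPALS)


def esc1_findings(template):
    """Return the ESC1 conditions this template meets; all five together mean ESC1."""
    reasons = []
    # LDAP stores the flag as a signed 32-bit int, so mask before testing bits.
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0) & 0xFFFFFFFF
    if name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("ENROLLEE_SUPPLIES_SUBJECT")
    if allows_authentication(template.get("pKIExtendedKeyUsage", [])):
        reasons.append("authentication EKU")
    if enrollable_by_low_priv(template.get("enroll", [])):
        reasons.append("low-privileged enrollment rights")
    if not template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval")
    if template.get("msPKI-RA-Signature", 0) == 0:
        reasons.append("no authorized signature required")
    return reasons


ESC1_CONDITION_COUNT = 5


def find_esc1_templates(templates):
    """Map template name -> findings for every template meeting all ESC1 conditions."""
    result = {}
    for t in templates:
        findings = esc1_findings(t)
        if len(findings) == ESC1_CONDITION_COUNT:
            result[t["name"]] = findings
    return result


# Constructed sample templates (not real data from any environment).
SAMPLE_TEMPLATES = [
    {   # the misconfiguration described in the text
        "name": "ESC1-Vulnerable",
        "msPKI-Certificate-Name-Flag": 1,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll": ["NT AUTHORITY\\Authenticated Users"],
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
    },
    {   # same, but every request must be approved by a CA manager
        "name": "Pending-Approval",
        "msPKI-Certificate-Name-Flag": 1,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll": ["NT AUTHORITY\\Authenticated Users"],
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
    },
    {   # default-style user template: subject built from AD, not supplied by requester
        "name": "User",
        "msPKI-Certificate-Name-Flag": -1509949440,  # 0xA6000000 as stored in LDAP
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enroll": ["CORP\\Domain Users"],
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
    },
    {   # requester supplies the subject, but only server auth and only admins enroll
        "name": "WebServer",
        "msPKI-Certificate-Name-Flag": 1,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enroll": ["CORP\\Domain Admins"],
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
    },
]

if __name__ == "__main__":
    for name, why in find_esc1_templates(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(why)}")
```

Templates that show up here should have ENROLLEE_SUPPLIES_SUBJECT removed, the enrollment right narrowed, or manager approval enabled; in a real audit the "enroll" list would come from parsing the template's nTSecurityDescriptor rather than being supplied by hand.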
Certify by specifying the following parameters:
/ca - specifies the Certificate Authority server we're sending the request to;
/template - specifies the certificate template that should be used for generating the new certificate;
/altname - specifies the AD user for which the new certificate should be generated.
PEM format has been issued successfully:
Rubeus to request a Kerberos Ticket Granting Ticket (TGT) for the user for which we minted the certificate, we need to convert the certificate to
Rubeus and paste it to a file called
cert.pfx with OpenSSL (on Linux) like so:
cert.pfx, we can request a Kerberos TGT for the user for which we minted the new certificate:
c$ share on a server that we don't normally have local administrator privileges on:
cert.cnf with the following contents (modify fields as deemed appropriate):
subjectAltName field, which is a
samaccountname of the user in Active Directory whom we ultimately want to impersonate (e.g. a domain administrator) and for whom we will be requesting the certificate.
samaccountname value in this file is defined in the variable
$adUserToImpersonate - you'd need to change it to the administrator's
samaccountname you want to impersonate.
cert.cnf file is ready, generate the actual Certificate Signing Request with
cert-request.csr, as we will need it in the last step of this process as described below.
$adcs is the Active Directory Certificate Services host, and click
Request a certificate:
advanced certificate request:
cert-request.csr into the request field and hit
Submit to retrieve the new certificate for your target user: