
New Video from @_JohnHammond: Exploring Vulnerabilities in Active Directory Certificate Services
In this video, John Hammond teams up with Shakata, the internal network penetration director at IBM X-Force Red, to explore vulnerabilities and common configurations in Active Directory Certificate Services (ADCS), a Windows service that is often misconfigured. They cover the basics of asymmetric cryptography, certificates, and certificate authorities before moving on to practical demonstrations and live attacks.

Shakata begins with asymmetric cryptography, in which a pair of public and private keys is used to encrypt and decrypt data. He stresses the importance of a "root of trust" for verifying the authenticity of certificates: a certificate is essentially an attestation that a public key belongs to a specific entity, which is what makes functions such as authentication and encryption trustworthy.

Active Directory Certificate Services (ADCS) is Microsoft's implementation of Public Key Infrastructure (PKI) in Active Directory. Shakata explains how ADCS works: clients generate public and private key pairs and submit Certificate Signing Requests (CSRs), and the CA issues certificates according to certificate templates that define what each certificate can be used for and who is allowed to enroll.

The video then turns to specific attacks against ADCS. Shakata demonstrates how tools like Responder and PetitPotam can be used to coerce authentication and relay the connection to the ADCS HTTP enrollment endpoint. The relay yields a certificate issued to a domain controller machine account, which can then be used to gain persistent access to that account by recovering its NT hash with a method called "unPAC the hash." Shakata explains that this attack, known as "Escalation 8," was made possible by an unauthenticated authentication coercion vulnerability in Windows. Although that vulnerability has been patched, authentication coercion remains possible in many environments when the attacker already holds authenticated credentials.
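The relay described above only works when the web enrollment endpoint accepts NTLM over a channel that is not bound to the authentication. The following PowerShell audit, added here as an example and not code from the video or from IBM X-Force Red, checks the three settings a defender would want to confirm on the CA web enrollment host: Extended Protection for Authentication is required, NTLM is not offered as a provider, and the endpoint is reachable only over TLS. It assumes the CertSrv application lives under "Default Web Site", which is where the Certification Authority Web Enrollment role installs it by default, and that the WebAdministration module is available.

```powershell
# Added example: audit the ADCS web enrollment application (CertSrv) for the
# conditions an NTLM relay to the HTTP enrollment endpoint depends on.
# Run in an elevated session on the host that serves web enrollment.
# Assumption: CertSrv is installed under "Default Web Site".
Import-Module WebAdministration

$site       = 'Default Web Site'
$appPath    = "IIS:\Sites\$site\CertSrv"
$authFilter = 'system.webServer/security/authentication/windowsAuthentication'
$findings   = @()

if (-not (Test-Path $appPath)) {
    Write-Warning "No CertSrv application under '$site'; web enrollment may not be installed here."
    return
}

# 1. Extended Protection for Authentication must be 'Require'. With 'Allow' or
#    'None' the server accepts an NTLM handshake that was relayed from a
#    different connection than the one the victim actually opened.
$epa = Get-WebConfiguration -PSPath $appPath -Filter "$authFilter/extendedProtection"
if ("$($epa.tokenChecking)" -ne 'Require') {
    $findings += "EPA tokenChecking is '$($epa.tokenChecking)' on CertSrv; set it to 'Require'."
}

# 2. If every legitimate client can use Kerberos, remove NTLM from the
#    Windows authentication providers so there is nothing to relay.
$providers = (Get-WebConfiguration -PSPath $appPath -Filter "$authFilter/providers").Collection |
    ForEach-Object { $_.value }
if ($providers -contains 'NTLM') {
    $findings += "NTLM is offered as an authentication provider on CertSrv (providers: $($providers -join ', '))."
}

# 3. EPA only protects connections that are actually TLS, so the site must not
#    expose a cleartext HTTP binding and CertSrv must require SSL.
$httpBindings = Get-WebBinding -Name $site | Where-Object { $_.protocol -eq 'http' }
if ($httpBindings) {
    $findings += "Site '$site' has cleartext HTTP binding(s): $($httpBindings.bindingInformation -join ', ')."
}
$access = Get-WebConfiguration -PSPath $appPath -Filter 'system.webServer/security/access'
if ("$($access.sslFlags)" -notmatch 'Ssl') {
    $findings += "CertSrv sslFlags is '$($access.sslFlags)'; require SSL on the application."
}

if ($findings.Count -eq 0) {
    Write-Output 'CertSrv relay hardening checks passed.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Each finding maps to one remediation: set `tokenChecking` to `Require` on the CertSrv application, remove `NTLM` from the provider list where clients support Kerberos, and delete the HTTP binding while setting `sslFlags` to `Ssl`. A clean run does not mean every ADCS weakness is gone; it only removes the HTTP relay path shown in the video, and certificate template permissions still need their own review.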
The video concludes with a practical demonstration of the attack: obtaining a certificate as a domain controller machine account, extracting the account's NT hash, and using that hash to gain full administrative access to the domain. Shakata highlights that the attack is particularly powerful because it takes an attacker from zero access to full domain control in just a few commands. In summary, the video provides an in-depth overview of vulnerabilities and common configurations in ADCS, along with practical techniques for exploiting them, and underlines the importance of certificate security and correct configuration in Active Directory environments.