
New Video from John Hammond: Exploring ADCS Exploitation Techniques
In this video, John Hammond and Shakata explore an exploitation technique for Active Directory Certificate Services (ADCS) known as ESC1 (Escalation One). This method allows any user in an ADCS environment to request a certificate with specific Subject Alternative Names (SANs), which can lead to privilege escalation.

The video begins with a brief recap of previous exploits, including the use of PetitPotam and ESC8 to gain initial access in an ADCS environment. They then focus on ESC1, a vulnerability that allows a user to request a certificate with a specific SAN, which can be used to impersonate another user, including a domain administrator.

A key point highlighted in the video is the ease with which administrators can misconfigure certificate templates, making the environment vulnerable to ESC1. For example, the default "Web Server" certificate template allows users to provide SANs in their certificate requests, which can be exploited to obtain elevated privileges.

The video explains several important technical concepts. A certificate in ADCS consists of several parameters, including Extended Key Usage (EKU) and enrollment rights. The SAN is a certificate field that specifies additional identities the certificate can verify. If a certificate template allows users to provide SANs, an attacker can request a certificate with the SAN of a domain administrator, allowing them to impersonate that identity.

The practical implications of this vulnerability are significant. In a misconfigured ADCS environment, an attacker can easily obtain elevated privileges by exploiting ESC1. This can be particularly dangerous in environments where administrators are not aware of the risks associated with certificate template configuration.

The video is presented in an engaging and informative manner, with clear explanations and practical demonstrations. John Hammond and Shakata use tools like Responder, Certify, and Impacket to illustrate the exploitation steps, making the content accessible even for those not familiar with the technical details.

In conclusion, this video provides an in-depth overview of ADCS exploitation, focusing on the ESC1 vulnerability and its practical implications. It is a valuable resource for anyone interested in cybersecurity and hacking techniques.
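The template parameters described above (requester-supplied SAN, EKU, enrollment rights) can be audited together to find templates exposed to ESC1. The following is an added example, not code from the video or from Certify or Impacket; the `Template` record, the `LOW_PRIV` set and the sample templates are constructed assumptions, while the attribute names and flag values are the ones in the AD schema.

```python
# Added example: check certificate templates for the ESC1 preconditions.
from dataclasses import dataclass, field

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)

# EKUs that let a certificate authenticate a principal to Active Directory.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Assumption: principals treated as low-privileged in this environment.
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

@dataclass
class Template:
    name: str
    name_flag: int        # msPKI-Certificate-Name-Flag
    enrollment_flag: int  # msPKI-Enrollment-Flag
    ra_signatures: int    # msPKI-RA-Signature
    ekus: list            # pKIExtendedKeyUsage (empty means no restriction)
    enrollers: set = field(default_factory=set)  # principals holding Enroll rights

def esc1_findings(t: Template) -> list:
    """Return the ESC1 conditions a template meets; all five together mean exposure."""
    found = []
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        found.append("requester supplies subject/SAN")
    if not t.ekus or any(oid in AUTH_EKUS for oid in t.ekus):
        found.append("EKU permits authentication")
    if t.enrollers & LOW_PRIV:
        found.append("low-privileged enrollment rights")
    if not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        found.append("no manager approval")
    if t.ra_signatures == 0:
        found.append("no authorized signatures required")
    return found

def is_esc1(t: Template) -> bool:
    return len(esc1_findings(t)) == 5

# Constructed sample data, not read from a real directory.
TEMPLATES = [
    Template("tls-server", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.1"], {"Domain Admins"}),
    Template("tls-server-modified", 0x1, 0x0, 0,
             ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
    Template("user-approval", 0x1, 0x2, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
]

if __name__ == "__main__":
    for t in TEMPLATES:
        print(f"{t.name}: ESC1={is_esc1(t)} {esc1_findings(t)}")
```

Clearing any one of the five conditions on a template (for example, requiring manager approval or removing low-privileged enrollment rights) takes it out of the ESC1 set.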