AD Certificates
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
The Subject of the certificate denotes its owner.
A Public Key is paired with a privately held key to link the certificate to its rightful owner.
The Validity Period, defined by NotBefore and NotAfter dates, marks the certificate's effective duration.
A unique Serial Number, provided by the Certificate Authority (CA), identifies each certificate.
The Issuer refers to the CA that has issued the certificate.
SubjectAlternativeName allows for additional names for the subject, enhancing identification flexibility.
Basic Constraints identify if the certificate is for a CA or an end entity and define usage restrictions.
Extended Key Usages (EKUs) delineate the certificate's specific purposes, like code signing or email encryption, through Object Identifiers (OIDs).
The Signature Algorithm specifies the method for signing the certificate.
The Signature, created with the issuer's private key, guarantees the certificate's authenticity.
Subject Alternative Names (SANs) expand a certificate's applicability to multiple identities, crucial for servers with multiple domains. Secure issuance processes are vital to avoid impersonation risks by attackers manipulating the SAN specification.
AD CS acknowledges CA certificates in an AD forest through designated containers, each serving unique roles:
Certification Authorities container holds trusted root CA certificates.
Enrolment Services container details Enterprise CAs and their certificate templates.
NTAuthCertificates object includes CA certificates authorized for AD authentication.
AIA (Authority Information Access) container facilitates certificate chain validation with intermediate and cross CA certificates.
The request process begins with clients finding an Enterprise CA.
A CSR is created, containing a public key and other details, after generating a public-private key pair.
The CA assesses the CSR against available certificate templates, issuing the certificate based on the template's permissions.
Upon approval, the CA signs the certificate with its private key and returns it to the client.
Defined within AD, these templates outline the settings and permissions for issuing certificates, including permitted EKUs and enrollment or modification rights, critical for managing access to certificate services.
The enrollment process for certificates is initiated by an administrator who creates a certificate template, which is then published by an Enterprise Certificate Authority (CA). This makes the template available for client enrollment, a step achieved by adding the template's name to the certificatetemplates
field of an Active Directory object.
For a client to request a certificate, enrollment rights must be granted. These rights are defined by security descriptors on the certificate template and the Enterprise CA itself. Permissions must be granted in both locations for a request to be successful.
These rights are specified through Access Control Entries (ACEs), detailing permissions like:
Certificate-Enrollment and Certificate-AutoEnrollment rights, each associated with specific GUIDs.
ExtendedRights, allowing all extended permissions.
FullControl/GenericAll, providing complete control over the template.
The CA's rights are outlined in its security descriptor, accessible via the Certificate Authority management console. Some settings even allow low-privileged users remote access, which could be a security concern.
Certain controls may apply, such as:
Manager Approval: Places requests in a pending state until approved by a certificate manager.
Enrolment Agents and Authorized Signatures: Specify the number of required signatures on a CSR and the necessary Application Policy OIDs.
Certificates can be requested through:
Windows Client Certificate Enrollment Protocol (MS-WCCE), using DCOM interfaces.
ICertPassage Remote Protocol (MS-ICPR), through named pipes or TCP/IP.
The certificate enrollment web interface, with the Certificate Authority Web Enrollment role installed.
The Certificate Enrollment Service (CES), in conjunction with the Certificate Enrollment Policy (CEP) service.
The Network Device Enrollment Service (NDES) for network devices, using the Simple Certificate Enrollment Protocol (SCEP).
Windows users can also request certificates via the GUI (certmgr.msc
or certlm.msc
) or command-line tools (certreq.exe
or PowerShell's Get-Certificate
command).
Active Directory (AD) प्रमाणपत्र प्रमाणीकरण का समर्थन करता है, मुख्य रूप से Kerberos और Secure Channel (Schannel) प्रोटोकॉल का उपयोग करते हुए।
Kerberos प्रमाणीकरण प्रक्रिया में, एक उपयोगकर्ता के Ticket Granting Ticket (TGT) के लिए अनुरोध को उपयोगकर्ता के प्रमाणपत्र की निजी कुंजी का उपयोग करके हस्ताक्षरित किया जाता है। यह अनुरोध डोमेन नियंत्रक द्वारा कई मान्यताओं से गुजरता है, जिसमें प्रमाणपत्र की वैधता, पथ, और रद्दीकरण स्थिति शामिल हैं। मान्यताओं में यह भी शामिल है कि प्रमाणपत्र एक विश्वसनीय स्रोत से आता है और NTAUTH प्रमाणपत्र स्टोर में जारीकर्ता की उपस्थिति की पुष्टि करना। सफल मान्यताओं के परिणामस्वरूप एक TGT जारी किया जाता है। AD में NTAuthCertificates
ऑब्जेक्ट, जो कि:
is प्रमाणपत्र प्रमाणीकरण के लिए विश्वास स्थापित करने में केंद्रीय है।
Schannel सुरक्षित TLS/SSL कनेक्शनों को सुविधाजनक बनाता है, जहाँ एक हैंडशेक के दौरान, क्लाइंट एक प्रमाणपत्र प्रस्तुत करता है जो, यदि सफलतापूर्वक मान्य किया जाता है, तो पहुँच अधिकृत करता है। एक प्रमाणपत्र को AD खाते से जोड़ने में Kerberos का S4U2Self फ़ंक्शन या प्रमाणपत्र का Subject Alternative Name (SAN) शामिल हो सकता है, अन्य तरीकों के बीच।
AD की प्रमाणपत्र सेवाओं को LDAP क्वेरी के माध्यम से गणना की जा सकती है, जो Enterprise Certificate Authorities (CAs) और उनकी कॉन्फ़िगरेशन के बारे में जानकारी प्रकट करती है। यह किसी भी डोमेन-प्रमाणित उपयोगकर्ता द्वारा विशेष विशेषाधिकार के बिना सुलभ है। Certify और Certipy जैसे उपकरण AD CS वातावरण में गणना और भेद्यता मूल्यांकन के लिए उपयोग किए जाते हैं।
इन उपकरणों का उपयोग करने के लिए कमांड में शामिल हैं:
AWS हैकिंग सीखें और अभ्यास करें:HackTricks Training AWS Red Team Expert (ARTE) GCP हैकिंग सीखें और अभ्यास करें: HackTricks Training GCP Red Team Expert (GRTE)