Exploiting ESC15 with Relays: A Deep Dive into ADCS Vulnerabilities

2025-02-15

ESC15 can be exploited with relays, and it is not uncommon to find machine accounts with Enroll permissions on schema version 1 templates such as WebServer. A schema version 1 template does not carry the msPKI-Certificate-Application-Policy attribute, so a requester can supply an Application Policies extension (for example Client Authentication) in the CSR and the CA will copy it into the issued certificate. Combine that with ESC8 (NTLM relay to the CA's HTTP web enrollment) and any domain user who can coerce such a machine account can escalate to domain admin, which matters when coercing a Domain Controller (DC) with ESC8 alone isn't feasible. Recently, I added a few lines to the EKUwu fork of Certipy to include application policies when using the relay command, enhancing its functionality for such exploits.

NDES servers configured to use virtual accounts instead of domain users are also vulnerable. NDES setup grants its service identity Enroll on the templates it issues (by default IPSECIntermediateOffline), and with a virtual account that identity's network credentials are the computer's, so we can coerce the NDES host and relay its authentication to enroll on schema version 1 templates like IPSECIntermediateOffline. Breaking Active Directory Certificate Services (ADCS) is both challenging and rewarding!

Practical Code and Commands

To exploit ESC15 over a relay, the flow is: start Certipy's relay listener pointed at the CA's web enrollment endpoint, coerce the machine account that holds Enroll on the schema version 1 template (with a coercion tool such as PetitPotam or Coercer), and have the relayed request carry the application policy you want in the issued certificate. The relay syntax below is that of Certipy 4.8 and later (-target for the enrollment endpoint, -template for the template); the application-policies option is the one described above as added in the EKUwu fork, and its spelling here is assumed to match the -application-policies option of Certipy's req command:

certipy relay -target http://<ca-host>/ -template WebServer -application-policies "Client Authentication"

For NDES servers using virtual accounts, no special option is needed: the virtual account authenticates over the network as the NDES host's computer account, so you coerce the NDES host and relay into the template its service identity can enroll in:

certipy relay -target http://<ca-host>/ -template IPSECIntermediateOffline -application-policies "Client Authentication"

The issued certificate still carries the template's original EKU (Server Authentication), with Client Authentication only in the Application Policies extension. Kerberos PKINIT rejects that, but Schannel accepts it, so use the certificate over LDAPS (for example certipy auth -pfx <file> -ldap-shell) to act as the relayed machine account, or supply the Certificate Request Agent policy instead and enroll on behalf of a privileged user.

What Undercode Say

Active Directory Certificate Services (ADCS) is a critical component in many enterprise environments, but it is also a prime target for attackers because its default templates and enrollment endpoints are easy to misconfigure. The combination of ESC8 and ESC15 highlights two things to audit: which principals, machine accounts included, hold Enroll on schema version 1 templates, and whether the CA's web enrollment endpoints still accept relayed NTLM authentication. By understanding these weaknesses, security professionals can better defend their networks against potential attacks.

In Linux, you can use tools like `ldapsearch` to query Active Directory for schema version 1 templates. Templates live in the Configuration naming context, not the domain partition, and anonymous binds are normally refused, so bind as a domain user and search the Certificate Templates container:

ldapsearch -x -H ldap://domain-controller -D "user@example.com" -W \
  -b "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" \
  "(&(objectClass=pKICertificateTemplate)(msPKI-Template-Schema-Version=1))" \
  cn msPKI-Template-Schema-Version pKIExtendedKeyUsage nTSecurityDescriptor

For Windows, PowerShell commands can be used to enumerate certificate templates. Get-ADObject defaults to the domain naming context, so point it at the Configuration partition or it returns nothing:

Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties 'msPKI-Template-Schema-Version' | Where-Object { $_.'msPKI-Template-Schema-Version' -eq 1 } | Select-Object Name
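Listing templates is only the first half of the check the post describes; what matters is which schema version 1 templates are published on a CA and which principals, especially computer accounts, hold Enroll on them. The script below is an added example, not code from the original post or from Certipy. It assumes the RSAT ActiveDirectory module on a domain-joined host; the Certificate-Enrollment rights GUID is the well-known AD value, and every template, CA and principal it prints comes from the forest it is run against.

```powershell
# Added example (not from the original post): schema version 1 templates,
# the CAs that publish them, and the principals holding Enroll on each.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# Certificate-Enrollment extended right (well-known rightsGuid in AD)
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$configNC    = (Get-ADRootDSE).configurationNamingContext
$tmplBase    = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caBase      = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Map template name -> CAs publishing it; a template nobody publishes cannot be requested.
$publishedOn = @{}
Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object {
        $ca = $_.Name
        foreach ($t in $_.certificateTemplates) { $publishedOn[$t] += @($ca) }
    }

function Get-EnrollPrincipals {
    # Returns the trustees of Allow ACEs that grant Enroll on the template:
    # the explicit Certificate-Enrollment right, "all extended rights", or GenericAll.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd)
    $allRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $Sd.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ObjectType -eq $enrollRight) -or
            ((($_.ActiveDirectoryRights -band $extRight) -eq $extRight) -and $_.ObjectType -eq [guid]::Empty) -or
            (($_.ActiveDirectoryRights -band $allRights) -eq $allRights)
        )
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

Get-ADObject -SearchBase $tmplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version', nTSecurityDescriptor |
  Where-Object { $_.'msPKI-Template-Schema-Version' -eq 1 } |
  ForEach-Object {
      $enrollers = Get-EnrollPrincipals -Sd $_.nTSecurityDescriptor
      [pscustomobject]@{
          Template    = $_.Name
          PublishedOn = ($publishedOn[$_.Name] -join ', ')
          # Computer accounts (NAME$) or Domain Computers here are ESC8 + ESC15 relay candidates
          Enroll      = ($enrollers -join ', ')
      }
  } | Format-Table -AutoSize -Wrap
```

A row with a non-empty PublishedOn column and a computer account (or Domain Computers) in the Enroll column is exactly the situation the post describes: coercing that host and relaying to web enrollment yields a certificate from a schema version 1 template, and the attacker chooses the application policy. Run it as an ordinary domain user; reading template ACLs needs no special rights, which is also why an attacker can do the same enumeration.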

Additionally, audit what the NDES service identity can enroll in: with a virtual account that identity is the NDES host's computer account, so Enroll on IPSECIntermediateOffline and any other schema version 1 template should be limited to that account and nothing broader, and the NDES host itself should be hardened against coercion. Close the relay path on the CA side as well: require HTTPS with Extended Protection for Authentication on the web enrollment endpoints (or disable web enrollment and the CES/CEP roles where unused), and disable NTLM on them if you can. Regularly audit your ADCS environment for misconfigurations and apply the latest security patches, including the strong certificate mapping enforcement from KB5014754, which limits what a certificate with attacker-chosen contents can be used for.

By staying informed and proactive, you can significantly reduce the risk of exploitation in your environment.
