Esc9a finding panel (#326)
* initial files

* windows abuse

* linux abuse

* references

* code and em

* format code in general and linux

* missing variant

* qa

* fix nested ul styling

* remove hard coded testing
benwaples authored Jan 24, 2024
1 parent 544e4d7 commit 2fc9fd0
Showing 7 changed files with 672 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
// Copyright 2024 Specter Ops, Inc.
//
// Licensed under the Apache License, Version 2.0
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// SPDX-License-Identifier: Apache-2.0

import General from './General';
import WindowsAbuse from './WindowsAbuse';
import LinuxAbuse from './LinuxAbuse';
import Opsec from './Opsec';
import References from './References';

const ADCSESC9a = {
general: General,
windowsAbuse: WindowsAbuse,
linuxAbuse: LinuxAbuse,
opsec: Opsec,
references: References,
};

export default ADCSESC9a;
@@ -0,0 +1,83 @@
// Copyright 2024 Specter Ops, Inc.
//
// Licensed under the Apache License, Version 2.0
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// SPDX-License-Identifier: Apache-2.0

import { FC } from 'react';
import { groupSpecialFormat } from '../utils';
import { EdgeInfoProps } from '../index';
import { Typography } from '@mui/material';
import { makeStyles } from '@mui/styles';

const useStyles = makeStyles((theme) => ({
containsCodeEl: {
'& code': {
backgroundColor: 'darkgrey',
padding: '2px .5ch',
fontWeight: 'normal',
fontSize: '.875em',
borderRadius: '3px',
display: 'inline',

overflowWrap: 'break-word',
whiteSpace: 'pre-wrap',
},
},
}));

const General: FC<EdgeInfoProps> = ({ sourceName, sourceType, targetName }) => {
const classes = useStyles();
return (
<>
<Typography variant='body2'>
{groupSpecialFormat(sourceType, sourceName)} the privileges to perform the ADCS ESC9 Scenario A attack
against the target domain.
</Typography>
<Typography variant='body2' className={classes.containsCodeEl}>
The principal has control over a victim principal with permission to enroll on one or more certificate
templates, configured to: 1) enable certificate authentication, 2) require the{' '}
<code>userPrincipalName</code> (UPN) of the enrollee included in the Subject Alternative Name (SAN), and
3) do not have the security extension enabled. The victim also has enrollment permission for an
enterprise CA with the necessary templates published. This enterprise CA is trusted for NT
authentication in the forest, and chains up to a root CA for the forest. There is an affected Domain
Controller (DC) configured to allow weak certificate binding enforcement. This setup lets the principal
impersonate any AD forest principal (user or computer) without their credentials.
</Typography>
<Typography variant='body2' className={classes.containsCodeEl}>
The attacker principal can abuse their control over the victim principal to modify the victim’s UPN to
match the <code>sAMAccountName</code> of a targeted principal. Example: If the targeted principal is
[email protected] user, the victim's UPN will be populated with "Administrator" (without the
@corp.local ending). The attacker principal will then abuse their control over the victim principal to
obtain the credentials of the victim principal, or a session as the victim principal, and enroll a
certificate as the victim in one of the affected certificate templates. The UPN of the victim
("Administrator") will be included in the issued certificate under the SAN. As the certificate template
does not have the security extension, it will NOT include the SID of the victim user in the issued
certificate. Next, the attacker principal will again set the UPN of the victim, this time to an
arbitrary string (e.g. the original value). The issued certificate can now be used for authentication
against an affected DC. The weak certificate binding configuration on the DC will make the DC accept
that the SID of the victim user is not present in the issued certificate when performing Kerberos
authentication, and it will use the SAN value to map the certificate to a principal. The DC will attempt
to find a principal with a UPN matching the SAN value (“Administrator”) but as the victim’s UPN has been
changed after the enrollment, there will be no principals with this UPN. The DC will then attempt to
find a principal with a <code>sAMAccountName</code> matching the SAN value and find the targeted user.
At last, the DC issues a Kerberos TGT as the targeted user to the attacker, which means the attacker now
has a session as the targeted user. In case the target is a computer, the DC will find it as well as the
DC will attempt <code>sAMAccountName</code> matching with a $ at the end of the SAN value as last
resort.
</Typography>
</>
);
};

export default General;
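Review bot: `targetName` is destructured from the props of `General` but never used in the rendered text, so it will trip an unused-variable lint rule; either drop it or use it where the first paragraph says "against the target domain". Two smaller points in the same hunk: the `theme` parameter of `makeStyles` is likewise unused, and in the first description paragraph "3) do not have the security extension enabled" should read "3) does not have" to agree with "configured to". Also confirm that the source text of the example in the second paragraph ("If the targeted principal is [email protected] user") spells out the full example UPN, since the following clause "without the @corp.local ending" only makes sense if the address is shown in full.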
@@ -0,0 +1,224 @@
// Copyright 2024 Specter Ops, Inc.
//
// Licensed under the Apache License, Version 2.0
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// SPDX-License-Identifier: Apache-2.0

import { FC } from 'react';
import { Box, Link, List, ListItem, Typography } from '@mui/material';
import { makeStyles } from '@mui/styles';

const useStyles = makeStyles((theme) => ({
containsCodeEl: {
'& code': {
backgroundColor: 'darkgrey',
padding: '2px .5ch',
fontWeight: 'normal',
fontSize: '.875em',
borderRadius: '3px',
display: 'inline',

overflowWrap: 'break-word',
whiteSpace: 'pre-wrap',
},
},
}));

const LinuxAbuse: FC = () => {
const classes = useStyles();
const step1 = (
<>
<Typography variant='body2' className={classes.containsCodeEl}>
<b>Step 1: </b>Set UPN of victim to targeted principal's <code>sAMAccountName</code>.
<br />
<br />
Set the UPN of the victim principal using Certipy:
</Typography>
<Typography component={'pre'}>
{'certipy account update -username [email protected] -password PWD -user VICTIM -upn Target'}
</Typography>
</>
);

const step2 = (
<>
<Typography variant='body2' className={classes.containsCodeEl}>
<b>Step 2: </b>Check if <code>mail</code> attribute of victim must be set and set it if required.
<br />
<br />
If the certificate template is of schema version 2 or above and its attribute{' '}
<code>msPKI-CertificateNameFlag</code> contains the flag <code>SUBJECT_REQUIRE_EMAIL</code> and/or{' '}
<code>SUBJECT_ALT_REQUIRE_EMAIL</code> then the victim principal must have their <code>mail</code>{' '}
attribute set for the certificate enrollment. The CertTemplate BloodHound node will have
<em>"Subject Require Email"</em> or <em>"Subject Alternative Name Require Email"</em> set to true if any
of the flags are present.
<br />
<br />
If the certificate template is of schema version 1 or does not have any of the email flags, then
continue to Step 3.
<br />
<br />
If any of the two flags are present, you will need the victim’s mail attribute to be set. The value of
the attribute will be included in the issues certificate but it is not used to identify the target
principal why it can be set to any arbitrary string.
<br />
<br />
Check if the victim has the mail attribute set using ldapsearch:
</Typography>
<Typography
component={
'pre'
}>{`ldapsearch -x -D "ATTACKER-DN" -w 'PWD' -h DOMAIN-DNS-NAME -b "VICTIM-DN" mail`}</Typography>
<Typography variant='body2'>
If the victim has the mail attribute set, continue to Step 3.
<br />
<br />
If the victim does not has the mail attribute set, set it to a dummy mail using ldapmodify:
</Typography>
<Typography component={'pre'}>
{`echo -e "dn: VICTIM-DN\nchangetype: modify\nreplace: mail\nmail: [email protected]" | ldapmodify -x -D "ATTACKER-DN" -w 'PWD' -h DOMAIN-DNS-NAME`}
</Typography>
</>
);

const step3 = (
<Box
sx={{
borderRadius: '4px',
backgroundColor: '#eee',
}}>
<Typography variant='body2' sx={{ marginBottom: '-8px' }}>
<b>Step 3: </b>Obtain a session as victim.
<br />
<br />
There are several options for this step.
<br />
<br />
If the victim is a computer, you can obtain the credentials of the computer account using the Shadow
Credentials attack (see{' '}
<Link
target='blank'
rel='noopener'
href='https://support.bloodhoundenterprise.io/hc/en-us/articles/17358104809499-AddKeyCredentialLink'>
AddKeyCredentialLink edge documentation
</Link>
). Alternatively, you can obtain a session as SYSTEM on the host, which allows you to interact with AD
as the computer account, by abusing control over the computer AD object (see{' '}
<Link
target='blank'
rel='noopener'
href='https://support.bloodhoundenterprise.io/hc/en-us/articles/17312347318043-GenericAll'>
GenericAll edge documentation
</Link>
).
<br />
<br />
If the victim is a user, you have the following options for obtaining the credentials:
</Typography>
<List sx={{ fontSize: '12px' }}>
<ListItem>
Shadow Credentials attack (see{' '}
<Link
target='blank'
rel='noopener'
href='https://support.bloodhoundenterprise.io/hc/en-us/articles/17358104809499-AddKeyCredentialLink'>
AddKeyCredentialLink edge documentation
</Link>
)
</ListItem>
<ListItem>
Password reset (see{' '}
<Link
target='blank'
rel='noopener'
href='https://support.bloodhoundenterprise.io/hc/en-us/articles/17223286750747-ForceChangePassword'>
ForceChangePassword edge documentation
</Link>
)
</ListItem>
<ListItem>
Targeted Kerberoasting (see{' '}
<Link
target='blank'
rel='noopener'
href='https://support.bloodhoundenterprise.io/hc/en-us/articles/17222775975195-WriteSPN'>
WriteSPN edge documentation
</Link>
)
</ListItem>
</List>
</Box>
);

const step4 = (
<>
<Typography variant='body2'>
<b>Step 4: </b>Enroll certificate as victim.
<br />
<br />
Use Certipy as the victim principal to request enrollment in the affected template, specifying the
affected EnterpriseCA:
</Typography>
<Typography component={'pre'}>
{'certipy req -u [email protected] -p PWD -ca CA-NAME -target SERVER -template TEMPLATE'}
</Typography>
<Typography variant='body2'>
The issued certificate will be saved to disk with the name of the targeted user.
</Typography>
</>
);

const step5 = (
<>
<Typography variant='body2'>
<b>Step 5: </b>Set UPN of victim to arbitrary value.
<br />
<br />
Set the UPN of the victim principal using Certipy:
</Typography>
<Typography component={'pre'}>
{
'certipy account update -username [email protected] -password PWD -user VICTIM -upn [email protected]'
}
</Typography>
</>
);

const step6 = (
<>
<Typography variant='body2'>
<b>Step 6: </b>Perform Kerberos authentication as targeted principal against affected DC using
certificate.
<br />
<br />
Request a ticket granting ticket (TGT) from the domain, specifying the certificate created in Step 4 and
the IP of an affected DC:
</Typography>
<Typography component={'pre'}>{'certipy auth -pfx TARGET.pfx -dc-ip IP'}</Typography>
</>
);

return (
<>
<Typography variant='body2'>An attacker may perform this attack in the following steps:</Typography>
{step1}
{step2}
{step3}
{step4}
{step5}
{step6}
</>
);
};

export default LinuxAbuse;
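Review bot: in Step 2 the text "The CertTemplate BloodHound node will have" is followed by a line break and then `<em>"Subject Require Email"</em>`; JSX discards whitespace that contains a newline between text and an element, so the rendered output runs "have" and the quoted flag name together. Insert `{' '}` there, as the neighbouring lines already do. In the ldapmodify example the command sits in a template literal, so every `\n` becomes a real newline in the rendered snippet instead of the literal `\n` sequence that `echo -e` is meant to expand; write `\\n` or use a plain quoted string so the one-liner displays as intended. Wording fixes in Step 2: "included in the issues certificate" should be "issued certificate", "not used to identify the target principal why it can be set" should be "which is why it can be set", and "If the victim does not has the mail attribute set" should be "does not have". The `theme` argument to `makeStyles` is unused in this file as well.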
@@ -0,0 +1,31 @@
// Copyright 2024 Specter Ops, Inc.
//
// Licensed under the Apache License, Version 2.0
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// SPDX-License-Identifier: Apache-2.0

import { FC } from 'react';
import { Typography } from '@mui/material';

const Opsec: FC = () => {
return (
<Typography variant='body2'>
When the affected certificate authority issues the certificate to the attacker, it will retain a local copy
of that certificate in its issued certificates store. Defenders may analyze those issued certificates to
identify illegitimately issued certificates and identify the principal that requested the certificate, as
well as the target identity the attacker is attempting to impersonate.
</Typography>
);
};

export default Opsec;
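Review bot: the Opsec paragraph is generic to any ADCS abuse; it would help defenders to name the ESC9a-specific indicators already described in General.tsx in this same commit: the issued certificate carries a SAN UPN that does not match the requesting (victim) principal and, because the template lacks the security extension, contains no SID, and the victim object's `userPrincipalName` is modified twice, once before enrollment and once after. Those are the signals an analyst would look for in the issued-certificates store and in directory change auditing.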