ADCFFS is a PowerShell script that can be used to exploit the AD CS container misconfiguration allowing privilege escalation and persistence from any child domain to full forest compromise.
The tool can also be used to first scan the forest to determine if it is vulnerable to the attack and can remedy the permission misconfiguration as well. More information on the exploit can be found in this whitepaper.
The script relies on the AD-RSAT PowerShell module from Microsoft. This can be installed using the following command:
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -OnlineTo determine if the forest is vulnerable, low-privileged AD access is required. However, in order to exploit the misconfiguration, your AD user must be a member of the Administrators group in a child domain in the forest.
In order to embed a rogue CA, you will have to generate the CA first. This can be done using OpenSSL and the following commands:
openssl genrsa -out fakeca.key 2048
openssl req -x509 -new -nodes -key fakeca.key -sha256 -days 1024 -out fakeca.crt
openssl x509 -outform der -in fakeca.crt -out fakeca.der
cat fakeca.key > fakeca.pem
cat fakeca.crt >> fakeca.pem
openssl pkcs12 -in fakeca.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out fakeca.pfxThe fakeca.der file should be copied to the Windows host from where ADCFFS will be executed. The fakeca.pfx file can be used with tooling such as Certipy to generate rogue certificates for the domain.
The functions of ADCFFS can be imported to Powershell using the Import-Module command. In total, there are three functions:
The ScanContainerPermissions function will connect to ADSI and recover the ACL permissions of the containers configured during AD CS installation. If the misconfiguration of the BUILTIN\Administrator permission is found, it will be indicated that the forest is vulnerable to the attack.
The RemedyContainerPermissions function will connect to ADSI and remove the BUILTIN\Administrator permission from all AD CS containers, thus removing the installation misconfiguration.
The AddCertificateTrusts function will exploit the misconfiguration by embedding the certificate of a rogue CA into both the NTAuthCertificates container and the first writeable container of a CertificateAuthority.
Once domain controllers perform a Group Policy update, the CA will be embedded as a trusted CA that is allowed to perform authentication.
Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…
Docker is one of the most widely used containerization platforms. But there may come a…
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…