Pentesting Tools

Stifle : A Post-Exploitation Tool For Explicit Certificate Mapping In Active Directory

Stifle is a specialized .NET utility designed for post-exploitation scenarios, enabling attackers or penetration testers to exploit explicit certificate mapping in Active Directory (AD).

This tool leverages the altSecurityIdentities attribute of AD objects, allowing authentication as a target object using a pre-obtained certificate.

Explicit certificate mappings are a key aspect of Active Directory Certificate Services (ADCS), which facilitates secure communication and authentication through public key infrastructure (PKI).

Functionality And Use

Stifle simplifies the process of adding or clearing explicit certificate mappings on AD objects. Its primary features include:

  • Adding Explicit Certificate Mapping: This involves writing the altSecurityIdentities attribute with a certificate and its password. For example:
  Stifle.exe add /object:target /certificate:MIIMrQI... /password:P@ssw0rd
  • Clearing Explicit Certificate Mapping: Removes the mapping by clearing the altSecurityIdentities attribute:
  Stifle.exe clear /object:target

Workflow Overview

  1. Requesting a Certificate: Use tools like Certify.exe to request a machine account certificate from ADCS. The certificate must be mapped to the target object.
   Certify.exe request /ca:lab.lan\lab-dc01-ca /template:Machine /machine
  1. Certificate Conversion: Convert the obtained certificate to base64 .pfx format using OpenSSL:
   openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export | base64 -w 0
  1. Mapping with Stifle: Add the explicit mapping by providing the converted certificate and password to Stifle.
  2. Authentication with Rubeus: After mapping, request a Kerberos Ticket Granting Ticket (TGT) using PKINIT authentication via Rubeus:
   Rubeus.exe asktgt /user:target /certificate:MIIMrQI... /password:P@ssw0rd

Explicit certificate mapping in AD allows associating certificates with user or computer accounts for authentication purposes. While this capability enhances security, it also introduces risks when misused.

Attackers can exploit write access to the altSecurityIdentities attribute to impersonate accounts, as demonstrated by techniques like ESC14.

Stifle addresses gaps in existing tooling by providing a streamlined .NET-based solution for exploiting this attack vector.

However, its misuse underscores the importance of securing ADCS configurations and monitoring access to sensitive attributes like altSecurityIdentities.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityinformationsecuritykalilinuxkalilinuxtoolsStifle
7 months ago

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

6 hours ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

6 hours ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

1 day ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

2 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

3 days ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

3 days ago