Pentesting Tools

Stifle : A Post-Exploitation Tool For Explicit Certificate Mapping In Active Directory

Stifle is a specialized .NET utility designed for post-exploitation scenarios, enabling attackers or penetration testers to exploit explicit certificate mapping in Active Directory (AD).

This tool leverages the altSecurityIdentities attribute of AD objects, allowing authentication as a target object using a pre-obtained certificate.

Explicit certificate mappings are a key aspect of Active Directory Certificate Services (ADCS), which facilitates secure communication and authentication through public key infrastructure (PKI).

Functionality And Use

Stifle simplifies the process of adding or clearing explicit certificate mappings on AD objects. Its primary features include:

  • Adding Explicit Certificate Mapping: This involves writing the altSecurityIdentities attribute with a certificate and its password. For example:
  Stifle.exe add /object:target /certificate:MIIMrQI... /password:P@ssw0rd
  • Clearing Explicit Certificate Mapping: Removes the mapping by clearing the altSecurityIdentities attribute:
  Stifle.exe clear /object:target

Workflow Overview

  1. Requesting a Certificate: Use tools like Certify.exe to request a machine account certificate from ADCS. The certificate must be mapped to the target object.
   Certify.exe request /ca:lab.lan\lab-dc01-ca /template:Machine /machine
  1. Certificate Conversion: Convert the obtained certificate to base64 .pfx format using OpenSSL:
   openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export | base64 -w 0
  1. Mapping with Stifle: Add the explicit mapping by providing the converted certificate and password to Stifle.
  2. Authentication with Rubeus: After mapping, request a Kerberos Ticket Granting Ticket (TGT) using PKINIT authentication via Rubeus:
   Rubeus.exe asktgt /user:target /certificate:MIIMrQI... /password:P@ssw0rd

Explicit certificate mapping in AD allows associating certificates with user or computer accounts for authentication purposes. While this capability enhances security, it also introduces risks when misused.

Attackers can exploit write access to the altSecurityIdentities attribute to impersonate accounts, as demonstrated by techniques like ESC14.

Stifle addresses gaps in existing tooling by providing a streamlined .NET-based solution for exploiting this attack vector.

However, its misuse underscores the importance of securing ADCS configurations and monitoring access to sensitive attributes like altSecurityIdentities.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

How Does a Firewall Work Step by Step

How Does a Firewall Work Step by Step? What Is a Firewall and How Does…

1 day ago

ROADTools: The Modern Azure AD Exploration Framework

ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…

5 days ago

How to Enumerate Microsoft 365 Groups Using PowerShell and Python

Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…

5 days ago

SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…

6 days ago

PPLBlade: Advanced Memory Dumping and Obfuscation Tool

PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…

6 days ago

HikPwn : Simple Scanner For Hikvision Devices With Basic Vulnerability Scanning

HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…

6 days ago