Pentesting Tools

Stifle : A Post-Exploitation Tool For Explicit Certificate Mapping In Active Directory

Stifle is a specialized .NET utility designed for post-exploitation scenarios, enabling attackers or penetration testers to exploit explicit certificate mapping in Active Directory (AD).

This tool leverages the altSecurityIdentities attribute of AD objects, allowing authentication as a target object using a pre-obtained certificate.

Explicit certificate mappings are a key aspect of Active Directory Certificate Services (ADCS), which facilitates secure communication and authentication through public key infrastructure (PKI).

Functionality And Use

Stifle simplifies the process of adding or clearing explicit certificate mappings on AD objects. Its primary features include:

  • Adding Explicit Certificate Mapping: This involves writing the altSecurityIdentities attribute with a certificate and its password. For example:
  Stifle.exe add /object:target /certificate:MIIMrQI... /password:P@ssw0rd
  • Clearing Explicit Certificate Mapping: Removes the mapping by clearing the altSecurityIdentities attribute:
  Stifle.exe clear /object:target

Workflow Overview

  1. Requesting a Certificate: Use tools like Certify.exe to request a machine account certificate from ADCS. The certificate must be mapped to the target object.
   Certify.exe request /ca:lab.lan\lab-dc01-ca /template:Machine /machine
  1. Certificate Conversion: Convert the obtained certificate to base64 .pfx format using OpenSSL:
   openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export | base64 -w 0
  1. Mapping with Stifle: Add the explicit mapping by providing the converted certificate and password to Stifle.
  2. Authentication with Rubeus: After mapping, request a Kerberos Ticket Granting Ticket (TGT) using PKINIT authentication via Rubeus:
   Rubeus.exe asktgt /user:target /certificate:MIIMrQI... /password:P@ssw0rd

Explicit certificate mapping in AD allows associating certificates with user or computer accounts for authentication purposes. While this capability enhances security, it also introduces risks when misused.

Attackers can exploit write access to the altSecurityIdentities attribute to impersonate accounts, as demonstrated by techniques like ESC14.

Stifle addresses gaps in existing tooling by providing a streamlined .NET-based solution for exploiting this attack vector.

However, its misuse underscores the importance of securing ADCS configurations and monitoring access to sensitive attributes like altSecurityIdentities.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityinformationsecuritykalilinuxkalilinuxtoolsStifle
2 days ago

Recent Posts

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

1 hour ago

Modern Network Fingerprinting : HASSH And JA4+SSH Tools

Network fingerprinting is a critical technique for identifying and analyzing network traffic patterns, particularly in…

1 hour ago

HowToHunt : Unleashing The Power Of Advanced Hunting Tools

"HowToHunt" is a platform designed to assist hunters in improving their skills, planning their expeditions,…

1 hour ago

SkyFall-Pack : Infrastructure Automation For C2 Operations

SkyFall-Pack is an advanced infrastructure automation toolkit designed for Command and Control (C2) operations. It…

1 hour ago

LummaC2 Stealer : Unpacking The Threats Of A Marketed ‘Premium’ Malware

LummaC2 is a commodity malware designed as an information stealer, targeting browsers, cryptocurrency wallets, and…

1 hour ago

RustOwl : A Visualization Tool For Ownership And Lifetime

RustOwl is an innovative tool designed to enhance the Rust programming experience by visualizing ownership…

1 hour ago