ESC8 NTLM Relay to AD CS HTTP Endpoints
Leverages the web enrollment interface of AD CS. This is an optional feature, but it is often enabled, and its HTTP endpoints are vulnerable to NTLM relay. Using NTLM relay, an attacker can impersonate a user who authenticates inbound with NTLM. Whilst impersonating the victim, the attacker can access the web interface and request client authentication certificates based on User or Machine templates.
Requirements
- Victim account to authenticate to attacker controlled machine
- Simple technique is to coerce a machine account to authenticate to the attacker host using the MS-RPRN RpcRemoteFindFirstPrinterChangeNotification(Ex) methods
- Use tools like SpoolSample or Dementor
- Can then impersonate the machine account and request a client authentication certificate as the victim machine account.
If the victim account can perform privileged actions such as domain replication, this can be used to compromise the domain. Otherwise, the attacker can log on as the victim machine account and use S4U2Self to access the victim machine's host OS.
In summary, if an environment has AD CS installed, along with a vulnerable web enrollment endpoint and at least one certificate template published that allows for domain computer enrollment and client authentication (like the default **Machine/Computer** template), **_then an attacker can compromise ANY computer with the spooler service running!_**
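The relay described above only works while the enrollment pages accept NTLM over a channel that is not bound to TLS. The following audit snippet is added here and is not part of the original note; it reads the two IIS settings that decide this (SSL requirement and Extended Protection) on the CA host. It assumes the default site path "Default Web Site/CertSrv" and the IIS WebAdministration module; adjust `$psPath` if the web enrollment application was installed elsewhere.

```powershell
# Added audit snippet, not from the original note. Run with admin rights on the
# AD CS host that serves the web enrollment pages.
# Assumption: default IIS path "Default Web Site/CertSrv" and WebAdministration module.
Import-Module WebAdministration

$psPath = 'IIS:\Sites\Default Web Site\CertSrv'

# HTTPS requirement: a plain-HTTP enrollment page is the classic ESC8 relay target.
# sslFlags can hold several values (None, Ssl, SslNegotiateCert, SslRequireCert, Ssl128);
# only the 'Ssl' flag itself forces HTTPS.
$access   = Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $psPath
$sslFlags = [string]$access.sslFlags
$httpsRequired = (($sslFlags -split ',\s*') -contains 'Ssl')

# Extended Protection for Authentication binds the NTLM exchange to the TLS channel,
# so a relayed authentication arriving over a different channel is rejected.
# tokenChecking is None | Allow | Require; only Require closes the relay path.
$winAuth = Get-WebConfiguration -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath $psPath
$epa     = [string]$winAuth.extendedProtection.tokenChecking

$findings = [ordered]@{
    'Windows auth enabled'          = [bool]$winAuth.enabled
    'HTTPS required (sslFlags)'     = "$httpsRequired ($sslFlags)"
    'EPA tokenChecking'             = $epa
    'Relay-exposed (ESC8 posture)'  = ((-not $httpsRequired) -or ($epa -ne 'Require'))
}
[pscustomobject]$findings | Format-List
```

A result of `Relay-exposed : True` means the endpoint still accepts the relayed NTLM flow described above; the fix is to require SSL and set tokenChecking to Require on the CertSrv application (or disable NTLM for it entirely).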