Vonahi Security’s vPenTest recently introduced an attack vector to identify and mitigate these AD CS hidden threats. But first, let’s explore why AD CS vulnerabilities are so dangerous and how they operate.
Active Directory Certificate Services («AD CS»), as defined by Microsoft, are «a Windows Server role for issuing and managing public key infrastructure (PKI) certificates used in secure communication protocols and authentication.» Some common features and services that rely on AD CS include the Windows logon process, enterprise VPN and wireless networks, email encryption and digital signatures, as well as smart card authentication.
As businesses continue to expand the variety of technologies available within their organizations, AD CS is expected to become more common and necessary, especially as companies continue to host their services in the cloud. Many AWS, Azure, and GCP services require certificate-based authentication to function, making AD CS increasingly prominent and essential in modern multi-cloud networks.
Unfortunately, AD CS vulnerabilities pose great risks as they can be exploited to compromise the authentication and authorization infrastructure of Windows and modern Active Directory environments. Similar to what happened with Kerberos 6-7 years ago, any existing vulnerability in AD CS represents a significant risk to these environments.
AD CS attacks exploit the fact that the domain trusts the Certification Authority («CA») server as much as its Kerberos servers and other identity servers. There are four main classes of AD CS vulnerabilities: ESC, THEFT, PERSIST, and CVE, each posing distinct risks to network security and integrity.
Notably, Microsoft largely places the responsibility for repairing and securing AD CS vulnerabilities on the consumer, leading to their persistent presence. The most dangerous category of AD CS vulnerabilities is the ESC category, as they represent the greatest threat to user environments, often requiring little to no privilege, depending on the specific configuration. One such misconfiguration is the ESC2 vulnerability, enabling a standard user to request a certificate by impersonating others.
Unfortunately, Microsoft does not provide patches to facilitate the repair or identification of these vulnerabilities for its users, placing the responsibility on AD CS users to secure their own systems, which can be quite challenging. To address these vulnerabilities, GhostPack’s PSPKIAudit framework, designed by the discoverers of this vulnerability class, automates the heavy lifting of identifying offensive vulnerabilities in AD CS configurations.
On the other hand, vPenTest by Vonahi Security is an advanced automated penetration testing tool that conducts comprehensive security assessments automatically, with built-in detections for AD CS vulnerabilities. It can demonstrate the impact of exploiting vulnerabilities in the network, allowing relevant stakeholders to understand the importance of addressing these vulnerabilities.
In conclusion, organizations need to be proactive in identifying and addressing AD CS vulnerabilities within their environments, using tools like vPenTest to stay ahead of potential threats. Special credits are due to the SpecterOps team for their remarkable research on this topic and to ly4k for developing the outstanding Certipy tool to help identify these vulnerabilities.
Vía The Hacker News
