[AD Hacking] 0x10 - AD CS Basic Attacks

Intro This article will cover basic AD CS enumeration and attacks, focusing on the attacks classified into the Domain Escalation category (ESC). Further methods that go through Certificate Theft (THEFT), Account Persistence (PERSIST) and Domain Persistence (DPERSIST) might be covered in future content. If you have not gone through the previously posted content of the blog, I highly recommend reading at least these articles before continuing, as they explain the logic behind the attacks that will be performed going forward:...

October 6, 2024 · 22 min · 4632 words · Iuri Moro

[AD Hacking] 0x09 - Active Directory Certificate Services (AD CS)

Intro Active Directory Certificate Services (AD CS) is used for public key infrastructure in AD environments. Although it isn’t installed by default, it is widely deployed in this type of environment, as it provides many additional features, such as digital signatures, user authentication and even encrypting file systems. As we can imagine, in order to manage all these certificates, this component integrates a Certificate Authority (CA), which is responsible for issuing, signing, managing and revoking certificates for systems, users, apps and more....

October 5, 2024 · 9 min · 1853 words · Iuri Moro

[AD Hacking] 0x08 - Abusing CVEs

Coming soon…

September 30, 2024 · 1 min · 2 words · Iuri Moro

[AD Hacking] 0x07 - Abusing ACLs

Intro An Access Control List (ACL) consists of an ordered set of Access Control Entries (ACEs) that dictate the protections for an object and its properties. In essence, an ACL defines which actions by which security principals (users or groups) are permitted or denied on a given object. For the purpose of this article, we will focus only on Discretionary ACLs (DACLs), which are made of ACEs (Access Control Entries) that identify the users and groups that are allowed or denied access on an object....

September 29, 2024 · 36 min · 7527 words · Iuri Moro

[AD Hacking] 0x06 - Kerberos PKINIT

Intro PKINIT stands for “[MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol”, and enables the use of public key cryptography in the initial authentication exchange. We know from the previous articles that the Kerberos authentication process starts with an AS-REQ, a request to get a TGT. Usually, this happens by sending some data, and an “authenticator” factor, a timestamp encrypted with the user’s NTLM hash. For more details on the normal Kerberos authentication flow, you can consult the Understanding Active Directory article....

September 26, 2024 · 8 min · 1623 words · Iuri Moro