ADCFFS is a PowerShell script that can be used to exploit the AD CS container misconfiguration allowing privilege escalation and persistence from any child domain to full forest compromise. The tool can also be used to first scan the forest to determine if it is vulnerable to the attack and can remedy the permission misconfiguration as well. More information on the exploit can be found in this whitepaper.
The script relies on the AD-RSAT PowerShell module from Microsoft. This can be installed using the following command:
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
To determine if the forest is vulnerable, low-privileged AD access is required. However, in order to exploit the misconfiguration, your AD user must be a member of the Administrators group in a child domain in the forest.
In order to embed a rogue CA, you will have to generate the CA first. This can be done using OpenSSL and the following commands:
openssl genrsa -out fakeca.key 2048
openssl req -x509 -new -nodes -key fakeca.key -sha256 -days 1024 -out fakeca.crt
openssl x509 -outform der -in fakeca.crt -out fakeca.der
cat fakeca.key > fakeca.pem
cat fakeca.crt >> fakeca.pem
openssl pkcs12 -in fakeca.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out fakeca.pfx
The fakeca.der file should be copied to the Windows host from where ADCFFS will be executed. The fakeca.pfx file can be used with tooling such as Certipy to generate rogue certificates for the domain.
The functions of ADCFFS can be imported to Powershell using the Import-Module command. In total, there are three functions:
The ScanContainerPermissions function will connect to ADSI and recover the ACL permissions of the containers configured during AD CS installation. If the misconfiguration of the BUILTIN\Administrator permission is found, it will be indicated that the forest is vulnerable to the attack.
The RemedyContainerPermissions function will connect to ADSI and remove the BUILTIN\Administrator permission from all AD CS containers, thus removing the installation misconfiguration.
The AddCertificateTrusts function will exploit the misconfiguration by embedding the certificate of a rogue CA into both the NTAuthCertificates container and the first writeable container of a CertificateAuthority. Once domain controllers perform a Group Policy update, the CA will be embedded as a trusted CA that is allowed to perform authentication.
After using the AddCertificateTrusts function, Certipy can be used for exploitation. Note that the embedded CA is not trusted for PKINIT, thus Kerberos authentication with rogue certificates would not be possible without additional tampering. Instead, LDAP authentication using Schannel should be performed as following:
# Generate a rogue certificate signed by our embedded CA
certipy forge -ca-pfx myfakeca.pfx -upn administrator@<domain>
# Authenticate to a DC in the parent domain
certipy auth -pfx administrator_forged.pfx -dc-ip <IP of parent domain DC> -ldap-shell
LDAP commands can then be used to further compromise the domain. Note that this can also be used to target other child domains directly, removing the need to compromise the parent domain first.
- Oliver Lyak for Certipy
- SpecterOps for their research on AD CS
- Alh4zr3d for finding the initial cross-child-domain lateral movement during his stream
- TryHackMe for allowing me to build massive networks to play around with
- Chris Panayi for assistance with discovery of the root cause and weaponisation