In a past internal pentest I ran a textbook ADCS attack and it failed for the silliest reason…

Ethical Threat Insight: Secure by Accident

While on an internal pentest I discovered the environment was vulnerable to ESC6, ESC8 and ESC11. (Read this if you’re not familiar with what that is)

ESC8 is a relaying attack.

How it works: you coerce a Domain Controller into authenticating to an attacker-controlled host, relay that authentication to the CA server, request a certificate, and then authenticate with that certificate.

This allows for immediate privilege escalation and impersonation of any user or computer in the domain, including Domain Controllers.

But when I ran the ESC8 relaying attack, it failed.

Reason: certificate expired

The root CA certificate had expired. 🙃

Unfortunately for me (great for the client), this killed the ESC8 attack.

It also mitigated the ESC6 and ESC11 attacks.

All because the IT admins decided to move most of their infrastructure to the cloud, so they no longer needed the CA server.

It just hadn’t been decommissioned yet.

Moral of the story

In the end, my attack was disrupted. But does that mean their environment was secure?

One could argue…

An expired CA cert can "work" as a defense. But at what cost? What else is broken because of it?

My advice is, don’t rely on “broken” for security.
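A defender-side check for the situation in the story, added here as an example and not part of the original post: it lists every enterprise CA published in the forest, reports whether the CA certificate (or its chain, which is where an expired root shows up) is no longer valid, and checks whether the host still answers on the ports web enrollment listens on, so a forgotten CA gets properly decommissioned instead of being "secure by accident". It assumes the RSAT ActiveDirectory module on a domain-joined host; the function name Get-StaleEnterpriseCA is my own.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module is installed and the session runs as a domain user on a domain-joined host.
Import-Module ActiveDirectory

function Get-StaleEnterpriseCA {
    [CmdletBinding()]
    param()

    # Enterprise CAs are published as pKIEnrollmentService objects in the
    # configuration partition; every domain member trusts what is listed here.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $cas = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                        -Properties cACertificate, dNSHostName

    foreach ($ca in $cas) {
        # cACertificate is multi-valued (DER blobs); keep the one that expires last.
        $certs = foreach ($der in $ca.cACertificate) {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        }
        $newest = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1

        # Verify() builds the chain with default policy, so an expired root CA
        # (the story's case) is caught even when the issuing CA cert itself is not expired.
        $chainValid = $newest.Verify()
        $expired    = $newest.NotAfter -lt (Get-Date)

        # Web enrollment listens on 80/443. A CA that no longer issues usable certificates
        # but still answers here is the "not decommissioned yet" case from the story.
        $reachable = $false
        if ($ca.dNSHostName) {
            foreach ($port in 80, 443) {
                $r = Test-NetConnection -ComputerName $ca.dNSHostName -Port $port -WarningAction SilentlyContinue
                if ($r.TcpTestSucceeded) { $reachable = $true }
            }
        }

        [pscustomobject]@{
            CA            = $ca.Name
            Host          = $ca.dNSHostName
            NotAfter      = $newest.NotAfter
            Expired       = $expired
            ChainValid    = $chainValid
            WebReachable  = $reachable
            Action        = if ($expired -or -not $chainValid) { 'Decommission (or renew if still required)' }
                            elseif ($newest.NotAfter -lt (Get-Date).AddDays(90)) { 'Renew soon' }
                            else { 'OK - confirm it is still required' }
        }
    }
}

Get-StaleEnterpriseCA | Format-Table -AutoSize
```

Any row marked Expired or with an invalid chain that is still WebReachable is a CA that should be removed from AD and shut down, not left to "secure" the domain by being broken.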

If you’d like to learn more about ADCS misconfigurations, attacks and tools to find these issues, listen to the podcast below. 🎤👇

All the best
Spencer Alessi

PS - If you have not heard about Locksmith, you’re living under a rock my friend. Use Locksmith to find and fix ADCS issues. It’s free and an amazing tool.
