Using “certutil”
- author:: Nathan Acks
- date:: 2022-05-11
Calculating File Hashes
CertUtil -hashfile $FILE_PATH $ALGORITHM
The algorithm can be excluded (in which case SHA1 is used).
Enumerating AD CS Templates
AD CS is AD’s PKI, and is used on the back end for everything from provisioning disk encryption keys to user authentication. Certificate templates are a way to automate the certificate request process: Rather than an admin approving all CSRs manually, AD CS checks to see if a relevant “template” (which is really a template + associated settings + an access policy) exists that matches the supplied CSR and is configured to allow the requesting user to generate a certificate.
Enumerate all certificate templates from a domain-joined computer and domain-authenticated user:
certutil -v -template
- We need to be able to actually request a certificate. This is indicated by an
Allow Enroll
orAllow Full Control
permission that has been assigned to a group or user you have access to. - The certificate needs to be usable for Kerberos authentication. This is true when the “Enhanced Key Usage” extension allows for “Client Authentication”.
- We need to be able to set the certificate’s “Subject Alternative Name”. This is indicated by
TemplatePropSubjectNameFlags
(a.k.a.CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
) being set to1
.
(There are actually some other requirements - like fully automated certificate provisioning - but by default these are all satisfied.)
If a certificate has the following properties, then we can use it to create a certificate in the name of another user and then forge Kerberos tickets for that user with a tool like Rubeus.