This article serves as a technical guide on how a combination of network sniffing, MITM attacks, and exploitation of ADCS can lead to significant security breaches, emphasizing the need for robust security measures in network configurations and certificate handling processes.
📌WSUS Configuration and Vulnerability: The article details how a Windows Server Update Services (WSUS) server, configured to work over HTTP, can be exploited. The WSUS server’s protocol configuration is accessible by querying a specific registry key. This setup allows for the potential sniffing of traffic using tools like Wireshark, which can capture the communication between clients and the WSUS server.
📌MITM Attack Execution: The core of the attack involves a Man-in-the-Middle (MITM) approach where an attacker intercepts and relays requests from a client machine to the WSUS server. During this process, the attacker can manipulate the communication to redirect requests to a rogue server or manipulate the responses.
📌ADCS ESC8 Exploit: The intercepted communication is then used to facilitate an Active Directory Certificate Services (ADCS) ESC8 attack. This involves relaying the intercepted requests to a Certificate Authority web enrollment page to request a certificate using a compromised computer’s credentials. Successfully executing this attack can allow the attacker to obtain unauthorized certificates that can be used for further attacks within the network.
📌Toolset: PKINITtools and scripts for manipulating Kerberos tickets and exporting them for use in the attack help in extracting and utilizing the credentials from the intercepted traffic to authenticate against the ADCS and request certificates.
📌Security Implications and Recommendations: The attack demonstrates a significant security risk in using unsecured protocols (HTTP) for critical infrastructure like WSUS and ADCS. The article suggests that securing these communications using HTTPS and implementing strict access controls and monitoring could mitigate such attacks.