
Episode 57: Find and Fix AD CS Vulnerabilities Using Locksmith with Jake and Sam

In this episode, we talk all about Active Directory Certificate Services and a free tool designed to help find and fix AD CS misconfigurations called Locksmith. Jake Hildreth (Mastodon: @horse@infosec.exchange) the creator of Locksmith together with Sam Erde (Twitter: @SamErde) and myself (who are contributors to the project) chat about the inception of Locksmith and some of the awesome features, such as remediation snippets.

Invoke-Locksmith today!

https://github.com/TrimarcJake/Locksmith

Introductions 

  • Jake and Sam are members of the infosec and cybersecurity community. 
  • They are contributors and creators of Locksmith. 
  • The purpose of this episode is to talk about active directory, certificate services, Locksmith, and other related topics. 

00:25 Background Information 

Section Overview: In this section, Jake and Sam provide some background information about themselves and their roles in the cybersecurity field. 

Jake’s Background 

  • Jake is the Active Directory Security Assessment (ADSA) service lead for Trimarc Security. 
  • He oversees assessments, tooling, and client interactions, and maintains the open-source tool Locksmith. 
  • He transitioned from sysadmin work to security two years ago. 

Sam’s Background 

  • Sam has been in IT for over 20 years with a focus on Microsoft technologies. 
  • He has always had a strong interest in active directory and PowerShell. 
  • Recently, he has become more proactive in hardening AD and understanding ADCS. 

04:26 Journey into IT 

Section Overview: In this section, Jake and Sam share their journey into IT and how they got started in the field. 

Sam’s Journey 

  • Sam’s interest in computers started when he was young with a home computer running DOS. 
  • He read the DOS manual cover to cover to learn more about it. 
  • He gained experience by helping friends and neighbors with computer-related tasks. 

05:35 Early Learning Experiences 

Section Overview: In this section, Sam talks about his early learning experiences with computers. 

Learning DOS 

  • Sam learned about DOS commands and even accidentally used the FDISK command. 
  • He quickly learned the importance of backups. 

06:06 Growing Interest in IT 

Section Overview: In this section, Sam discusses how his interest in IT grew over time. 

Encouragement from a Mentor 

  • A friend’s father who worked in IT encouraged Sam’s interest. 
  • He provided opportunities for Sam to gain experience and learn more about computers. 


06:53 The Impact of Mentors 

Section Overview: This section discusses the significant impact mentors can have on one’s career and personal growth. Mentors can help shape interests in technology and business, provide guidance, and humble individuals by highlighting their limitations. 

  • Having a mentor can spark interest in technology and understanding business. 
  • Mentors play a crucial role in nurturing and fostering personal growth. 
  • They help balance ego and confidence with humility. 
  • Context provided by mentors is invaluable for personal development. 

07:15 Humility through Mentorship 

Section Overview: This section highlights how mentors can help individuals develop humility by challenging their beliefs and knowledge. 

  • Mentors can humble individuals who may think they know everything. 
  • Having someone to nurture and guide helps balance ego with humility. 
  • Recognizing that there is always more to learn fosters personal growth. 

07:57 Jake’s Origin Story 

Section Overview: Jake shares his journey into the field of technology, starting from his first IT job as a help desk technician. 

  • Jake’s first official IT job was as a help desk technician for an at-home cable internet service. 
  • He worked for multiple companies due to acquisitions in the industry. 
  • His interest in technology began at a young age, copying basic programs onto a Commodore 64 computer. 
  • Internet access in 1995 opened up new opportunities for exploration, including discovering IRC (Internet Relay Chat). 

09:01 Exploring Programming Magazines 

Section Overview: Jake recalls his early experiences with programming magazines and experimenting with code changes. 

  • Jake remembers using programming magazines that encouraged changing lines of code to see different outcomes. 
  • These experiences continued during school projects involving Logo programming language. 

09:24 The Internet and IRC 

Section Overview: Jake discusses the impact of the internet and IRC on his technological journey. 

  • In 1995, Jake’s uncle introduced him to a PC with Windows 95 and internet access. 
  • He discovered IRC through MTV’s IRC network. 
  • Jake used IRC for setting up scrims and matches in Counter-Strike. 

10:17 Professional Journey 

Section Overview: Jake shares his professional journey, including working in help desk support, consulting, and government security work. 

  • Jake worked in help desk support before transitioning to consulting focused on security. 
  • He then spent 16 years doing system administration work for a small government organization. 
  • Realizing limited room for advancement, he decided to pursue his passion for security. 

11:02 Introduction to Locksmith 

Section Overview: The conversation shifts towards discussing the origins of Locksmith as a tool. 

  • The origins of Locksmith can be traced back to Trimarc, where Sean recognized the need for building out certificate services tooling. 
  • Jake took on the challenge of implementing certificate services tooling. 

12:33 Early Version of Locksmith 

Section Overview: This section highlights the early development stages of Locksmith and its potential benefits based on Jake’s previous experiences. 

  • An early version of Locksmith was put together around October 2021. 
  • The tool aimed to not only identify issues but also provide remediation steps, which would have been helpful in Jake’s previous role. 

13:05 Sharing Insights with Locksmith 

Section Overview: Jake explains how he used Locksmith to share insights gained from real-world environments. 

  • Jake created a talk about Locksmith to showcase common issues observed in real environments. 
  • The tool helped identify recurring problems and provided actionable insights for remediation. 


14:01 Understanding the Unique Features of Locksmith 

Section Overview: The speaker discusses the unique features of Locksmith, a defensive tool that not only identifies issues but also provides fixes and automates the remediation process. 

Locksmith’s Defensive Approach 

  • Locksmith is a tool that goes beyond just finding issues; it offers one-liner or multi-line fixes for identified problems. 
  • Unlike other tools, Locksmith not only presents the issues but also provides remediation snippets to quickly resolve them. 
  • Many existing tools focus on identifying and presenting issues, while Locksmith stands out by offering automatic fixes as well. 

14:58 How Sam Discovered Locksmith 

Section Overview: Sam shares how he came across Locksmith and recognized its value in addressing complex encryption and PKI-related challenges. 

Discovering Locksmith’s Value 

  • Sam discovered Locksmith through his Twitter feed and decided to try it out. 
  • He found value in using Locksmith when he realized it could help him fix templates related to ADCS (Active Directory Certificate Services). 
  • Many people struggle with understanding and implementing ADCS due to its complexity, making tools like Locksmith valuable for providing guidance on fixing these templates. 

16:12 Contributing to the Community with PowerShell Expertise 

Section Overview: The speaker explains his motivation for contributing to the development of Locksmith and highlights the benefits of working on an open-source project used by both offensive and defensive security professionals. 

Contributing to an Open-source Project 

  • The speaker wanted to give back to the community after benefiting from various forums and platforms. 
  • Upon discovering opportunities for contribution in the issue or to-do list, he connected with Jake, who invited him to join the project. 
  • Working on an open-source project like Locksmith allows the team to use it in their day-to-day work, whether as offensive or defensive security professionals. 
  • The speaker appreciates the collaborative aspect of Locksmith’s development and the ability to continuously add new features. 

18:04 The Versatility of Locksmith 

Section Overview: The speakers discuss how Locksmith can be used for both offensive and defensive purposes, providing a comprehensive understanding of issues and their fixes. 

A Tool for Offensive and Defensive Use 

  • Locksmith is versatile, catering to both offensive (pentesting) and defensive (blue teaming) scenarios. 
  • It helps understand vulnerabilities, their implications, and provides remediation snippets for quick fixes. 
  • The speakers appreciate how Locksmith covers all bases by explaining why an issue is problematic and what the fix accomplishes. 
  • They highlight the value of tools like Locksmith in pentest reports, where clients often ask for guidance on fixing identified vulnerabilities. 

19:14 Real-world Adoption of Locksmith 

Section Overview: The speakers share their excitement about large organizations adopting Locksmith due to its simplicity and effectiveness in guiding Active Directory administrators. 

Adoption by Large Organizations 

  • A large organization managing other major entities started using Locksmith as they could easily hand it off to their AD admins with clear instructions. 
  • This real-world adoption impressed the speakers, as it demonstrated how Locksmith simplifies vulnerability resolution for organizations. 
  • During pentests, clients often inquire about fixing identified issues. Tools like Locksmith provide remediation snippets that facilitate this process. 


20:34 The Value of Including Remediation Steps in Reports 

Section Overview: In this section, the speaker discusses the importance of including remediation steps in reports to empower defenders and enable them to take immediate action without relying on the consultant. 

Benefits of Including Remediation Steps 

  • Including remediation steps allows clients to independently test and validate the effectiveness of the suggested solutions. 
  • Clients can run PowerShell scripts or perform other actions in their own environment to remediate issues without needing constant assistance from the consultant. 
  • This approach saves time as clients don’t have to wait for retesting or validation from the consultant. 

21:14 Common ADCS Misconfigurations 

Section Overview: The speaker highlights some common misconfigurations related to Active Directory Certificate Services (ADCS). 

Common Issues with ADCS 

  • ESC1 (Enrollment Service Certificate 1) is a prevalent issue observed in approximately 75% of engagements involving ADCS. It allows attackers to request certificates in the name of any security principal within the environment, such as a domain admin or a domain controller. 
  • While critical ESC1 vulnerabilities have decreased over time, smaller groups or IT departments may still exhibit this issue. 
  • Another common misconfiguration is an ESC2 template named vSphere 6.x. This configuration is found in around two-thirds to three-quarters of environments assessed. Despite its prevalence, finding official documentation on how to address this issue has been challenging. 
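The ESC1 conditions described above (a template that lets the enrollee supply the subject name, issues certificates usable for authentication, and requires neither manager approval nor an authorized signature) can be audited directly from the template objects in the Configuration partition. The script below is an added example in the spirit of Locksmith's remediation snippets; it is not Locksmith's own code. It assumes the ActiveDirectory PowerShell module and read access to the Configuration naming context. It reports only the template-side conditions: Locksmith additionally checks who is allowed to enroll and whether the template is published on a CA, which this example leaves to the reader.

```powershell
# Added example (not Locksmith's own code): find certificate templates that carry
# the ESC1 ingredients and emit a remediation one-liner for each.
# Assumes the ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Bit values from msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2

# EKUs that allow a certificate to authenticate to Active Directory.
$authEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '2.5.29.37.0'               # Any Purpose
)

function Get-Esc1Template {
    $templates = Get-ADObject -SearchBase $templateDN `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage

    foreach ($t in $templates) {
        $nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag'
        $enrollFlag = [int]$t.'msPKI-Enrollment-Flag'
        # Drop nulls so a template with no EKU attribute yields an empty list.
        $eku        = @($t.pKIExtendedKeyUsage | Where-Object { $_ })

        $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $needsApproval   = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $needsSignature  = ([int]$t.'msPKI-RA-Signature') -gt 0
        # An empty EKU list means "any purpose", which includes authentication.
        $allowsAuth      = ($eku.Count -eq 0) -or (@($eku | Where-Object { $authEkus -contains $_ }).Count -gt 0)

        if ($suppliesSubject -and $allowsAuth -and -not $needsApproval -and -not $needsSignature) {
            $fixedFlag = $nameFlag -band (-bnot $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
            [PSCustomObject]@{
                Template          = $t.Name
                DistinguishedName = $t.DistinguishedName
                # Clearing the flag makes the CA build the subject from AD instead of trusting the requester.
                Remediation       = "Set-ADObject -Identity '$($t.DistinguishedName)' -Replace @{'msPKI-Certificate-Name-Flag' = $fixedFlag}"
            }
        }
    }
}

Get-Esc1Template | Format-List
```

Run it from a domain-joined host as a user who can read the Configuration partition; the Remediation string is meant to be reviewed and then pasted by an AD admin, which is the hand-off model the episode describes. Before applying a fix, confirm that nothing in the environment genuinely needs to supply its own subject through that template (some products do), and re-run the audit afterwards to validate.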

23:38 Unusual Findings in ADCS Assessments 

Section Overview: The speaker shares some unusual findings encountered during ADCS assessments. 

Unusual Findings 

  • A certificate template called “Big Hand” was consistently observed across different engagements. It appears to be a default ESC2 template similar to vSphere. 
  • Another interesting finding is ESC6, which involves a dangerous flag set on the Certificate Authority (CA). This flag converts all certificates into ESC1 templates. While this issue has been mitigated since May 2021, some configurations may still cause problems. Some organizations have cited their MDM vendor’s requirement as the reason for maintaining this configuration. 
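The CA-level flag behind ESC6 is the EDITF_ATTRIBUTESUBJECTALTNAME2 edit flag, which makes every published template accept a requester-supplied SAN, hence the episode's description of it turning all templates into ESC1. The script below is an added example, not Locksmith's code: it enumerates the enrollment services registered in AD, reads each CA's EditFlags with certutil, and prints the standard fix. It assumes the ActiveDirectory module, RPC reachability to each CA, and CA read permission for the caller.

```powershell
# Added example (not Locksmith's own code): check every CA registered in AD for
# EDITF_ATTRIBUTESUBJECTALTNAME2 (ESC6) and print the remediation commands.
# Assumes the ActiveDirectory module, RPC access to the CA, and CA read rights.
Import-Module ActiveDirectory

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

function Get-EnterpriseCA {
    # Enrollment services are registered under the Configuration partition;
    # the certutil config string is "<dNSHostName>\<CA name>".
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
        ForEach-Object { "$($_.dNSHostName)\$($_.Name)" }
}

function Test-Esc6 {
    param([Parameter(Mandatory)][string]$Config)

    # certutil prints the mask as "EditFlags REG_DWORD = <hex> (<decimal>)" followed by
    # one line per set flag; parse the mask rather than relying on the flag names.
    $out  = certutil -config $Config -getreg policy\EditFlags 2>&1 | Out-String
    if ($out -notmatch 'EditFlags REG_DWORD = ([0-9a-fA-F]+)') {
        throw "Could not read EditFlags from $Config`: $out"
    }
    $flags = [Convert]::ToInt32($Matches[1], 16)
    $set   = ($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0

    [PSCustomObject]@{
        CA          = $Config
        EditFlags   = ('0x{0:x}' -f $flags)
        ESC6        = $set
        # Clear the flag, then restart the CA service so the policy module reloads it.
        Remediation = if ($set) {
            "certutil -config '$Config' -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; " +
            "then on the CA host: Restart-Service certsvc"
        } else { 'none needed' }
    }
}

Get-EnterpriseCA | ForEach-Object { Test-Esc6 -Config $_ } | Format-List
```

The flag-name lines certutil prints (for example a line containing EDITF_ATTRIBUTESUBJECTALTNAME2) are a quick visual cross-check of the parsed result. As the episode notes, some organizations keep this flag because an MDM product requires it; where that is the case the compensating move is to keep the flag off and use a dedicated template with a controlled subject instead, and to re-run the check after any CA change.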

26:36 Unusual ADCS Authentication Scenario 

Section Overview: The speaker describes an unusual authentication scenario encountered during an ADCS assessment. 

Unusual Authentication Scenario 

  • An ESC1 certificate template was published from a CA that was no longer online and had a broken trust. Despite this, LDAP authentication using the certificate still worked as expected. 
  • This scenario was discussed in a blog post that explored using certificates for authentication when PKI (Public Key Infrastructure) is not available. 


27:45 Using Certificates without PKI 

Section Overview: The speaker discusses a scenario where they found an issue with using certificates without PKI during a pentest for a client. They initially thought the issue had been remediated but discovered it was still exploitable in a subsequent pentest. 

  • The speaker had previously done a pentest for the client and did not see the avenue of using certificates without PKI as an attack vector. 
  • In the next year’s pentest, the speaker found that the issue was still present and explained how to exploit it. 
  • The frequency of finding new vulnerabilities in retesting depends on whether clients actually perform retesting. 
  • If clients do retesting and fully remediate issues, it is rare to find incomplete or missed vulnerabilities. 
  • However, if clients do not retest, vulnerabilities may be discovered in subsequent tests. 

30:20 Best Practices for Managing ADCS 

Section Overview: The speakers discuss best practices for managing ADCS (Active Directory Certificate Services) to enhance security and reduce vulnerabilities. 

  • Regularly assess your configuration using tools like pass-the-hash (PTH) to identify potential vulnerabilities. 
  • Minimize domain admins and follow basic security practices such as least privilege. 
  • Take responsibility for scanning and understanding your own environment rather than relying solely on external testing. 
  • Remove unused or outdated components from your environment to reduce potential attack vectors. 

33:30 PassTheCert Tool and Contributions 

Section Overview: The speaker mentions their use of the "PassTheCert" tool from Almond Consulting. They also express appreciation for being able to contribute to projects like Locksmith. 

  • Pass-theer is used in scenarios where certificates are used without PKI support on all DCs. 
  • The speaker had a unique experience using pass-theer in this particular scenario. 
  • They express gratitude for being able to contribute to projects like Lockmith and appreciate the opportunity to work with the team. 

34:04 Appreciation for the Locksmith Project 

Section Overview: The speaker expresses their appreciation for the Locksmith project and their involvement in it. They mention their background as a pentester and recovering blue teamer. 

  • The speaker appreciates working on the Locksmith project and contributing despite being primarily a pentester. 
  • They have a background in systems administration and security, which allows them to approach tools from different perspectives. 
  • The speaker emphasizes the importance of breaking things, learning from vulnerabilities, and thinking like an attacker to enhance job security. 


34:39 Passion for Helping Defenders 

Section Overview: In this section, the speaker expresses their passion for helping defenders and avoiding getting caught. They discuss their mission and how they contribute to projects like this. 

  • The speaker is passionate about helping defenders defend. 
  • They find it fulfilling to contribute code and help out in projects like this. 

35:03 Enjoyable Work Environment 

Section Overview: This section highlights the enjoyable work environment and camaraderie among the team members. 

  • The speaker loves working with the team, especially during Friday code reviews. 
  • They enjoy casual conversations on weekends, discussing topics like whiskey. 

35:26 Connecting with Jake and Sam 

Section Overview: Here, the speaker shares where people can connect with them and find their work. 

  • Jake can be found on GitHub at trimarcjake. 
  • Locksmith has gained popularity with over 450 stars on GitHub. 
  • People are using Locksmith in unique ways, which is exciting to see. 

35:50 Connecting with Jake and Sam (continued) 

Section Overview: The speaker continues sharing ways to connect with them and find their work. 

  • Jake can be found on Mastodon at “infosec exchange” with the username “horse.” 
  • He can also be found on LinkedIn as "Jake Hildreth" and is most active on Nox.com. 
  • Sam Erde can be found on Twitter as "@SamErde", where links to other platforms are available. 

36:29 Sharing Tools and Experience 

Section Overview: This section emphasizes that Jake and Sam frequently share tools and experiences through social media platforms like Twitter. 

  • Both Jake and Sam actively share tools, insights, and experiences on Twitter. 
  • They are valuable people to follow if you want to improve in your field. 

37:14 Appreciation and Call to Action 

Section Overview: The speaker expresses gratitude for Jake and Sam’s participation in the podcast and encourages listeners to share the episode. 

  • The speaker appreciates Jake and Sam for discussing Locksmith and AD CS. 
  • Listeners who found value or entertainment in the episode are encouraged to share it with their network. 
  • The podcast can be found at offsec.blog or at securit360.com. 

38:22 Conclusion 

Section Overview: The video concludes with a light-hearted conversation about whiskey, electric mowers, and future episodes. 

  • Whiskey and electric mowers are mentioned as topics covered in the video. 
  • Thanks are given to Jake and Sam for their participation. 
  • The next episode is anticipated. 

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Work with Us: https://securit360.com