Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Eric Brown (00:05):
You're listening to
the Audit presented by IT Audit
Labs.
Welcome to the Audit.
My name is Eric Brown and today we have Scott Rysdahl and Micah
Kryzer and we are talking about certificates and
(00:27):
vulnerabilities in certificates.
We're gonna go through a bit of a demo here and we'll see one
of the exploits that Micah has found and identified.
And, Micah, maybe a little bit about yourself.
You're a pen tester by day.
Micah Kryzer (00:43):
Yeah, yep.
So I work for a company basedout of Iowa called ProCircular.
I'm a red team consultant, so I perform pen tests kind of as my
day job.
Eric Brown (00:54):
Awesome, of course,
the famous Scott Rysdahl.
He and I hang out at IT Audit Labs and try to help companies
get better.
So, Micah, before we jump into this, a little of an aside
question for you, as we work with different clients all
across the board.
(01:15):
One of the questions that's asked sometimes on the
vulnerability management side, or I guess we could call them
next-gen AV or whatever the buzzword is that's popular today.
What is one of the, or maybe one or two of the things that
(01:39):
you may run into as a pen tester that you're like, oh no, that
company's running X, it might be a little bit tougher to get
through this pen test?
Micah Kryzer (01:53):
Yeah, so Defender, like ATP.
So the full paid version of Defender is very nice.
Um, that's probably one of the harder ones to bypass.
And then all your big players, you know, like CrowdStrike.
Carbon Black is good too.
Uh, with Carbon Black, their default policies aren't
the best, so you do need to spend more time actually, like,
fine-tuning it.
I haven't touched Palo Alto's version too much, um, in pen
(02:17):
testing, but I would assume it's probably pretty good.
But yeah, I definitely am a big fan of, like, CrowdStrike or
Defender for Endpoint, the paid version.
Eric Brown (02:27):
Thanks, well, scott,
I'll hand it over to you.
Scotty Rysdahl (02:31):
Yeah.
So we have a few slides to share, hopefully nothing too
arduous, about how certificates work in general and then the
exploitation paths that Micah has found.
So let's jump in real quick with some overview.
So certificates are a big topic and they transcend any one
vendor or environment.
But this specific kind of family of vulnerabilities
(02:54):
affects the Microsoft Active Directory Certificate Services,
which is Microsoft's own built-in PKI or public key
infrastructure.
It comes included with Windows Server and Windows domains.
You don't have to buy it separately from Microsoft and
it's available to deploy in a Windows domain environment as a
role, as a server role.
(03:15):
So you know you would just spin up a new server and go through
the normal wizard to install roles and features and go ahead
and deploy your own PKI in a box, basically.
One thing we'll run into in the rest of this
conversation is that, you know, when you deploy something like
this, there's a lot of default settings and sort of default
assumptions about how it's going to be used, and those aren't
always, you know, secure by default, and I might say even
(03:40):
especially with Microsoft, because they, you know, try to
make things pretty turnkey and pretty easy for admins to do
through GUI tools and whatnot.
So a great, powerful, you know, essentially free tool from
Microsoft.
But you know, buyer beware and make sure to read the manual.
So a couple things we noted about certificates and
certificate authorities like this one are that there's
(04:04):
usually kind of a request or enrollment process for
certificates.
So before somebody gets one issued for whatever the use case
might be, they have to either, you know, put in a ticket, maybe,
and have an admin manually go through and generate a
certificate, or, if you want to automate it, there's usually
automated enrollment methods that you can use so a computer
can just go out and say, hey, this is me, and the certificate
(04:27):
authority will say, oh great, I see who you are, I'm going to
issue the certificate that you want based on what you sent me.
That automated certificate issuance process is again
something we're going to talk about today and kind of where
these vulnerabilities come in.
The worst of these vulnerabilities that Micah is
going to talk about a little more can be used to essentially
take over an entire Windows domain.
If the permissions are just so and you have some low-level
(04:52):
access, even just like a member of that default Domain Users
type group in Active Directory, you can use this to get a
certificate that will let you authenticate to the domain as
full domain admin, so you own the estate at that point, right?
So a digital certificate is basically an electronic passport
that's baked into, you know, a digital file that includes other
(05:15):
information like who issued it, how long is it valid?
What are some of the uses for it, you know?
Can you use it to authenticate to a system, or is it used to
sign code, or whatever the case may be.
They are issued typically, so you wouldn't build a certificate
from scratch.
Hopefully, in most cases you would request a certain type of
certificate, a server certificate, a client certificate, a code
(05:38):
signing certificate, and then, based on a template, you know,
the certificate authority, ADCS in this case, would give you
something back that kind of has all those predefined,
pre-configured values in it, based on how it's intended to be
used.
So templates are, you know, the master image of these
certificates that get issued and used in the domain. Micah,
(06:00):
anything to add about certs in general?
Micah Kryzer (06:03):
Nope, I think that
pretty much summarizes it. Okay.
Eric Brown (06:07):
Question for you on
if you didn't want to use
Microsoft's PKI, is there another tool you could use?
Or if you're running Active Directory, do you pretty much
have to use it?
Scotty Rysdahl (06:20):
It makes it a
lot easier because it's all
ready to be plugged into an existing domain environment and
have the right permissions and group and computer object access
that you would need to manage certificates.
But you can certainly use a different one.
A company that I work with uses Sectigo, formerly Comodo.
(06:41):
They have an enterprise kind of certificate authority as a
service offering and so they even let you deploy little
agents in your environment that your systems can call out to
instead of the native ADCS endpoints to handle certificate
requests and issuance and renewals.
But like a lot of things in Microsoft land, you know, if it
(07:04):
comes included, and it comes included for free, and it does
80% of the things that you need, it just usually makes sense to
go with that option for a lot of companies.
So a little bit about how Active Directory Certificate Services
works.
It is a full-featured PKI tool.
This is all you need to set up your own sort of trusted root
certificate and then intermediates and leaf certs.
(07:25):
It can handle certificate revocation.
So if you need to say that a certificate is no longer valid,
it can publish that list and clients can query it.
It's the whole CA in a box, like we said.
And again, certificates can be issued manually by
administrators or in an automated fashion based on just
(07:46):
templates and automated certificate issuance endpoints.
Usually, because there's a lot of these things that need to be
maintained in a typical network, you try to automate as much as
you can, which brings us to the vulnerabilities that affect this
particular platform, and I'll pass it over to Micah to explain
a little bit about the kind of the history of how these were
(08:06):
discovered and, specifically, how they work.
Micah Kryzer (08:09):
Yeah, so the thing
to note is this isn't that old
of an attack.
It was first found kind of in 2021 by a company called
SpecterOps.
They published a white paper about it and it was really good,
really well documented, laid out.
They initially found eight vulnerabilities, I believe, and
they labeled them ESC1 through 8.
(08:31):
And all of them are kind of related to those certificate
templates that Scott brought up, except for ESC8.
ESC8 is actually related to the ADCS itself.
That has to do with HTTP web enrollment being enabled on the
server.
A lot of these attacks are pretty much from a normal user
(08:52):
to a domain admin. ESC8, the web enrollment one that I mentioned,
that one is actually from an unauthenticated user to,
depending on which password hash.
It's a relay attack.
So you need to have somehow captured someone's password hash
and instead of cracking it, you can actually relay it to the
(09:13):
ADCS server itself.
So whatever password hash you captured, that's the password
that you're going to, or that's the user that you're ultimately
going to compromise.
But if you have any, like, service account password hashes
that are going across your network or anything like that,
those are the accounts that can be compromised.
In our demo today, the attack that we're going to be
performing is actually ESC1.
(09:35):
So that is assuming an authenticated user has enroll
rights and they're actually going to enroll a certificate of
authentication for a different user.
In this case it's going to be the administrator account, so
the domain admin of the whole domain.
Eric Brown (09:52):
And, Micah, are these
more theoretical attacks or have
you done these in practice during your pen test assessments?
Micah Kryzer (10:01):
Yeah.
So this is kind of like the new, I would say, Kerberoasting.
So, like, a lot of companies, you kind of come into a pen test,
you might run, like, a Kerberoast, and that used to be, like, the
easy win, but a lot of companies have Kerberoasting kind of
locked down.
So I would say this is kind of the new easy win that the pen
testers are doing, especially because you can go from, in most
(10:26):
cases when you find these, from any authenticated user straight
to domain admin.
The two main ones that I find are ESC1 and ESC8, which is why
I chose to demo ESC1 today.
Eric Brown (10:38):
That's cool.
Scotty Rysdahl (10:40):
All right, do we
want to dive right into the
demo?
Micah, do you have that ready?
Micah Kryzer (10:44):
Yeah, I can share
that here.
Let me know when you can see it. I got it.
Yeah, so in this example this is just a Linux box that's just
plugged into the domain.
So you can just think of any type of box that just gets
plugged in.
It's not domain joined, which is kind of another reason why
this exploit is so critical.
First, here I'm just going to run a command.
(11:05):
It's using a tool called CrackMap.
That's just going to show that I'm currently not a domain admin.
I don't have domain admin on the domain controller.
Next we're going to be using a tool called Certipy.
We're going to be running the find vulnerable command.
That's in that tool. That's going to scrape the ADCS server,
(11:28):
looking for these vulnerable templates for us.
So kind of right at the top here, that's actually the, the CA
information.
So like I said, with that ESC8, if you are vulnerable to it,
that's where you're going to find the information about it.
It'll be displayed in that section.
And then kind of the second section here are going to be the
(11:48):
certificate templates, and this one is a template called
Voluntemp1.
I'll kind of highlight the sections here.
So each of the ESC vulnerabilities, they each have,
like, certain requirements, or, like, checkboxes, that they have
to meet to be vulnerable.
So with ESC1, it obviously needs to be enabled.
(12:12):
So any of these certificates need to be enabled for an
attacker to use them.
So that's one way to.
If you do have a vulnerable template, going in there and
disabling it is a solution.
It needs to be for client authentication, because that's
what we're trying to do.
We're trying to authenticate as a different user, and then the
(12:32):
enrollee supplies subject.
That's where the vulnerability kind of is, that and the fact
that manager, or manager approval, is disabled.
So that basically means any, well, and enrollment rights down
there is Domain Users.
So what that's saying is that any domain user can enroll a
(12:55):
certificate of authentication for any other user on the domain.
So in this case I'll be enrolling a certificate for the
administrator account and then using that to extract the NTLM
hash of the administrator, which the NTLM hash can then be used
in a pass-the-hash attack.
(13:15):
It's just as good as a password, so you can really use it for
anything on the network.
Scotty Rysdahl (13:20):
Could you go
back just a little bit and
explain what subject supplies or enrollee supplies subject means,
because that's really key, I think, to why this particular
one works.
Micah Kryzer (13:30):
That's the ability.
So that's giving the ability for those users to supply that
name, so saying, like, I want to authenticate or I want to
request a certificate for the administrator account even
though I'm not the administrator.
So that's that line that kind of tells that to happen.
Scotty Rysdahl (13:47):
Yeah.
So going back to our passport example, this is sort of like if
I could send, order a passport from, who is it, the Department of
State, or something?
And I just said, you know, my name is Joe Biden, right?
And they would just say, oh cool, your name is Joe Biden.
Huh, here's your passport for Joe Biden.
(14:08):
And all of a sudden, I can, you know, walk into the Oval Office
or whatever, without another question being asked.
Is that?
Micah Kryzer (14:13):
And one thing to
note.
So on the issued certificateitself, you will see that the
user did supply a name.
So that is one way that, when you're kind of auditing for
these, if you think maybe there are certificates out there that
maybe have abused this attack, that's one way to kind of audit
for it.
It's kind of a manual process, because you have to look at the
certificates, but in there it should say which user requested
(14:38):
it and then what they supplied for a name.
Eric Brown (14:42):
And why would you
have that set to true in any
environment?
Micah Kryzer (14:48):
What's the purpose
of that?
It's a good question.
I don't know if you've seen that on the blue side, Scott.
Scotty Rysdahl (14:54):
Yeah, so it's
just kind of common.
It's a common way to do certificate issuing when you
want to automate the whole process.
So let's say that you wanted every client device, every
laptop in your organization to get a client cert.
Right, you could have a template set up that allows the
clients individually to report their SAN, their
(15:17):
or their subject name, which would just be based on their
host name, and then you could issue 10,000 certificates
in an hour without any more configuration being needed.
Right, it's the easy button for this kind of thing, and, Micah,
correct me if I'm wrong, but I think Microsoft is soon making
an effort to fix this by turning on something called
(15:42):
strong binding.
Is that the right term?
Where there's more logic that checks whether a given client or
enrollee is sort of authorized to use a given subject name?
I probably butchered that a little bit, but rather than just
be like a fill-in-the-blank field on the certificate request
form, digital form, it ties it back to an actual, like, Active
(16:07):
Directory object.
I don't know if you're ready, if you're comfortable talking
about that, but that's my sense for why it would be allowed and
maybe how Microsoft is trying to address it.
Micah Kryzer (16:18):
Yeah, I do know
one thing too, to address it.
I mentioned that manager approval setting.
So that is a setting that you can set to.
So these certificates actually have to be approved before they
get issued.
So that's kind of how you could audit it as well.
But okay, yeah, I haven't heard about Microsoft's new stance on
(16:38):
that, so I'll have to look into that.
Scotty Rysdahl (16:41):
Cool yeah, maybe
I'll throw a link in the show
notes.
It's a pretty new change, but I think they're doing it this
summer sometime and it's maybe not optional for domains at ECS.
Anyway, back to our regularlyscheduled program.
Micah Kryzer (16:58):
Yeah, so we have a
vulnerable template that we
found.
So on the blue team, you can run that tool, you can run the
find vulnerable command, and you can get a list of templates that
are vulnerable pretty much right off the bat from this tool.
It's just a Python tool.
The GitHub page explains how to install it.
It's pretty simple to install.
Like I said, you just need a Linux box plugged into the network
(17:21):
and then an authenticated user.
Scotty Rysdahl (17:24):
There's a
PowerShell version too, right?
Micah Kryzer (17:27):
There is Yep.
So there's a PowerShell version and a C-sharp version.
The PowerShell version and the C-sharp version will both set
off whatever AV provider you have.
So depending on your environment and depending on
what resources you have access to, sometimes spinning up, like, a
Linux VM on your host and doing a quick scan of your network,
it's a bit easier.
(17:47):
But yeah, there's definitely tools out there for Windows as
well.
So next is we're just going to request a certificate.
So if you look at this command here, the UPN, so that's the
administrator account that we're actually going to try to
compromise.
We're specifying the template, so it was called Voluntemp1.
And then we have our basic user here.
(18:09):
So now we have the PFX, which is just the certificate of
authentication.
So from this point we could actually request.
You know, if we wanted to request, like, a ticket granting
ticket, we could do that.
But Certipy has a built-in command where you can actually,
(18:29):
it'll take care of multiple steps that you normally have to
take to capture this user's NTLM hash.
Scotty Rysdahl (18:37):
Just to be clear
, on the last command line you
ran, the password that you provided, IHITPASSWRDS1 there,
that's for the low level user, right?
That's Bobby in the mailroom.
That's not the domain admin password.
Micah Kryzer (18:50):
Yep, that's
correct.
So right here, this is the NTLM hash now of that administrator
account.
So that's the actual password hashed, of course.
But NTLM hashes, like I said, you can use in a pass-the-hash
attack, so they're just as good as a password to an attacker.
(19:13):
So then, just to demo it, I'll run that CrackMap tool again
from the beginning and you'll see here
it'll say admin next to the domain controller, showing that
we have domain admin.
It does save the ccache of the administrator too, so you can
use that for, um, Kerberos authentication.
(19:35):
So you pretty much own the user at that point.
That's pretty much the demo.
So, as you can tell, this is another reason why, like I say,
it's kind of like Kerberoasting, like it's a really simple attack
to pull off, and I know a lot of times people don't like to
think about, like, the insider threat.
But this is definitely one of those where it could be a direct
(19:56):
path from, like, an insider threat perspective too.
So any authenticated user.
Scotty Rysdahl (20:02):
Yeah.
Or a vendor who has access to, say, a Citrix environment, right?
Yeah.
Or any way that anybody gets the lowest level of access to
your domain.
Eric Brown (20:14):
Yeah, absolutely
Thanks, Micah.
That's great.
What would maybe be some defenses against this?
I think we touched on a couple already.
But what about something like network segmentation?
Would that come into play here at all?
Or if the admins are checking in and checking out passwords
(20:35):
out of a PAM tool, would that help at all, just by limiting,
maybe, the duration of the password?
Micah Kryzer (20:41):
Yeah, the PAM tool,
I haven't experimented with to test out, but I would assume,
depending on how, when you request that NTLM hash, that's
coming from the domain controller, so whatever hash is
currently being used to authenticate, obviously you're
going to be able to authenticate with it, so, like, if
an attacker catches, runs this attack when the administrator
(21:05):
has their password checked out,
I would assume that you could use it.
I'm not 100% sure on that, but yeah, as soon as they check it
back in and that password rotates, the attacker wouldn't
be able to do it.
You know, this isn't just a domain admin, though, because I
mean, if maybe I just want to get access to, like, information
(21:25):
on a SQL server, or I want to get access to some file share
that I don't currently have access to, an attacker might not
just target a domain admin, especially if he knows maybe
it's a mature client and they are using, like, a PAM solution.
To answer the network segmentation, it would work if, whatever
host, you know, it's the ADCS server.
So if you can't talk to the ADCS server and you can't
(21:47):
request a certificate, then you're good, but then eventually,
if you have an ADCS server set up somewhere on your network,
if you're using it,
something's going to have to talk to it.
Scotty Rysdahl (21:59):
So, to add one thing, I think that
once you have a certificate
issued for, say, domain admin, I think they can change their
password as much as they want, but as long as that certificate
is still valid, I think they can still use it to authenticate.
Is that right?
Micah Kryzer (22:12):
Yeah, and that's
where I would have to do some
testing.
But I'm not 100% sure, because if that password is currently
checked in, I don't know how the domain controller, you'll be
pulling that NTLM hash from that domain controller.
But if that password's checked in, I don't know how the PAM
solution works on the back end like that.
I would assume that it would somehow expire that password in
(22:33):
the domain controller.
You could still request the NTLM hash or the ticket for the
administrator, but I don't know if you'd be able to use that
anywhere.
Eric Brown (22:42):
I think that gets to
the question around the value
of, or in the cost justification, the expense of, a privileged
access management tool or PAM tool, versus more or less a
password manager where you could store your passwords and they
(23:04):
could be long and complex, but you're just pasting them into
whatever tool you're using the password for and there's none of
the auto rotation, check-in, check-out features.
I mean, it's certainly good for the home user where you're
maintaining a one-to-one relationship between the
(23:26):
application you're logging into and the password, but in an
enterprise environment it seems that that PAM tool that does
that auto rotation adds that additional layer of security.
Micah Kryzer (23:39):
Yep, yeah, it
definitely does.
The nice part about the PAM solution, too, is you can put
MFA in front of that as well.
Scotty Rysdahl (23:45):
Seeing the demo
and knowing that this can take
you from lowest possible user in the environment all the way to
domain admin.
In how long was the video, Micah?
About three minutes?
Yeah, yeah, so we wanted to share some ways that you could
detect and/or protect your Active Directory environment and
ADCS installation against this type of attack.
(24:06):
Micah, do you mind walking through these?
Yeah, no.
Micah Kryzer (24:10):
So we kind of
already touched base on the tool
to find the vulnerabilities.
We'll have some links to the tool that I used today.
And then the other tools are called Certify.
So that's a C-sharp version that's actually released, I
think, by the SpecterOps people.
So the people who published the white paper actually released
that tool.
Then they released a PowerShell version of that tool as well,
(24:35):
if you're not too comfortable with compiling C-sharp code.
So yeah, there's tools out there to audit and that's
probably going to be your first step, is going to be
auditing and seeing if you're vulnerable to these templates.
The quickest way to fix is to either unpublish or, like I said,
disable those templates.
So if you have a template that hasn't been used in a while and
(24:55):
is vulnerable, you go ahead and just disable that.
If vulnerable templates are found, obviously you're going to
want to focus on the ones that will get you domain admin.
So, like I mentioned that ESC8, that is the relay vulnerability,
there's a few more steps to take for an attacker to actually
(25:17):
execute that vulnerability.
So fixing that one's a little bit lower on the priority than
fixing this ESC1 that we demoed.
Unfortunately, ADCS doesn't have the verbose logging turned on
by default.
So if you're currently not logging your ADCS, I think it's
called debug logs or something like that, you're going to want
to go and flip those on and start ingesting them into
(25:39):
whatever solution that you're currently ingesting logs into
and that's going to help detect these being exploited.
And then, yeah, this is one of those attacks where it's
actually really hard to, I guess, kind of figure out if you've
been compromised or not.
Um, so I kind of recommend just reaching out to, like, an
incident response team to investigate if you do think that
(26:01):
you have been taken over from this type of attack.
You can look at, like I said, the issued certs and you can sit
there and dig through them and see if maybe, like, an ESC1 took
place.
But some of the other ESCs are kind of harder to detect,
especially with logging being turned off by default.
If you don't have that turned on, you're going to be missing a
(26:27):
big chunk of the picture.
Eric Brown (26:27):
It's interesting
that you bring up that insider
threat piece with these.
We always think about attacks trying to go for a privileged
account and then being able to operate at that
privilege level.
But from an insider perspective, if someone in one department
maybe wanted to gain access to
(26:47):
protected information, they wouldn't need to go through
the steps of gaining admin.
They could just essentially get the privileges of another user
in that department where they wanted to see data from.
So that's kind of scary from the perspective of, one, detecting
(27:07):
it, but then, two, reporting on it, where there's that due care of
data and a reporting responsibility if someone gained
access to that data that wasn't authorized to do so. Yeah, I
think, yeah.
Scotty Rysdahl (27:25):
So the back
story of how we all ended up
here today, really quick, is that Micah did some work for a client
of ours, Eric, found a couple of these
vulnerable templates and, as his proof of concept, he took over
the CISO's account, just for fun.
You know, she wasn't a domain admin, or maybe she was, I
forget.
But you can pick and choose, once you find the right
(27:48):
vulnerable template, who you want to be.
Micah Kryzer (27:52):
Yeah, they kind of
play off the insider threat too.
One kind of thinking exercise as well is, like, what if I paid a
help desk employee 10k for access for, you know, 30 minutes
or whatever?
So, yeah, there's definitely.
I think the insider threat's definitely a bigger threat than
most companies are probably aware of.
Scotty Rysdahl (28:12):
Cool.
I think all we have left is some links to resources and we
can throw these up when we post the episode, Eric.
But we've got the white paper, at least one of the tools that
Micah mentioned for auditing and/or exploiting these
vulnerabilities, and then some general guidance from Microsoft
on kind of what ADCS is and how to secure it, how to implement
(28:35):
it securely. And maybe a last question for you, Micah: any
projects that you're working on or anything that you wanted to
call our attention to?
Micah Kryzer (28:45):
Nothing from my
end.
No, yeah, it's almost summertime, so I guess I spend
more time outside now. Nice.
Scotty Rysdahl (28:55):
All right,
should we wrap it up?
Sounds good, yeah, all right.
Well, Micah, thanks for joining us again today.
I'll note that this is the second time we've recorded this
episode and I think we did a much better job this time of
being professional about it.
So thanks for coming back and we look forward to having you
again sometime.
Micah Kryzer (29:13):
Yeah, thank you.
Eric Brown (29:17):
In the current
technology landscape, managing
risk, among other operations, can be incredibly challenging.
Let IT Audit Labs experts provide a detailed, thorough
examination in preparation for your upcoming audit.
Contact us to learn more.