
Add in ESC1 Finder Module

Open gwillcox-r7 opened this issue 3 years ago • 2 comments

This module takes advantage of BinData and Net::LDAP plus some additional definitions that I added in, to hunt for ESC1 vulnerable certificates on the target ADCS server using LDAP, and will then print out the vulnerable certificates along with information on their security descriptors.

This is still a bit of a work in progress, however most of the work should be done. Things that still need doing are:

  • [ ] Would be nice to decode the SIDs back into readable strings. This should be possible, but for some reason my LDAP clients are querying the server fine yet they are either manipulating the query or doing something else similar, because a similar query using Net::LDAP isn't returning any results.
  • [x] Need to still retrieve the actual details of the certificate server itself. This is because the rules at the CA server level override any individual certificate template security configurations.

Verification

To come. Or you can just run it against your own test AD environment in the meantime if you want to take an early swing and see how it goes. Would appreciate any feedback if you have suggestions for improvement.

gwillcox-r7 avatar Oct 08 '22 06:10 gwillcox-r7

Last update at https://github.com/rapid7/metasploit-framework/pull/17122/commits/5453607891568fe21f25d429dc8f33cd7bb45070 now adds in the ability to determine who can enroll in a certificate, both from the certificate template security's perspective as well as from the certificate CA (done on a per vulnerable certificate basis for the CA to narrow the search down).

Resulting module works quite well but SID translation is still an issue. That being said right now we have a literal metric ton of info and I'm not sure if we should also look at trying to reduce that or not. A lot of it is related to permission info which is handy still but may not be immediately related to what we are after.

gwillcox-r7 avatar Oct 13 '22 20:10 gwillcox-r7

So this should be ready for review. The only things we may need to do are SID translation, however that isn't the end of the world, and possibly formatting the output better to remove extra info, though I would like some more input on what people would think would be good to keep/remove.

My main thing I think might still need doing is putting some of the output into a table to make it easier to read.

gwillcox-r7 avatar Oct 17 '22 16:10 gwillcox-r7

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

github-actions[bot] avatar Oct 19 '22 14:10 github-actions[bot]

@msjenkins-r7 test this please.

jmartin-tech avatar Oct 24 '22 13:10 jmartin-tech

Latest updates should be a lot better for the output as I've now moved things into tables for output and removed the excess output so that we should focus down just to what matters for exploitation.

Here is a sample run with the new and improved output:

msf6 auxiliary(gather/ldap_esc1_cert_finder) > run
[*] Running module against 172.25.53.147

[*] Discovering base DN automatically
[+] 172.25.53.147:389 Discovered base DN: DC=daforest,DC=com
Vulnerable Certificate Template List With Enrollment SIDs
=========================================================

 ESC_VULN  Template       DN                                                                                      Enrollment_SIDS
 --------  --------       --                                                                                      ---------------
 ESC1      CA             CN=CA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=  S-1-5-21-3290009963-1772292745-3260174523-512, S-1-5-21-3290009963-1772292745-32601745
                          daforest,DC=com                                                                         23-519
 ESC1      SubCA          CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,  S-1-5-21-3290009963-1772292745-3260174523-512, S-1-5-21-3290009963-1772292745-32601745
                          DC=daforest,DC=com                                                                      23-519
 ESC1      OfflineRouter  CN=OfflineRouter,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Config  S-1-5-21-3290009963-1772292745-3260174523-512, S-1-5-21-3290009963-1772292745-32601745
                          uration,DC=daforest,DC=com                                                              23-519
 ESC1      ESC1-Test      CN=ESC1-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configurat  S-1-5-21-3290009963-1772292745-3260174523-512, S-1-5-21-3290009963-1772292745-32601745
                          ion,DC=daforest,DC=com                                                                  23-513, S-1-5-21-3290009963-1772292745-3260174523-519

[-] No results found for (&(objectClass=pKIEnrollmentService)(certificateTemplates=CA)).
[-] No results found for (&(objectClass=pKIEnrollmentService)(certificateTemplates=OfflineRouter)).
Certificate Template Enrollment Allowed List By Server and SID
==============================================================

 Server                        Template   Enrollment_SIDS
 ------                        --------   ---------------
 WIN-BR0CCBA815B.daforest.com  SubCA      S-1-5-11
 WIN-BR0CCBA815B.daforest.com  ESC1-Test  S-1-5-11

[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_esc1_cert_finder) > 

gwillcox-r7 avatar Oct 25 '22 22:10 gwillcox-r7

Rebased to bring in latest changes from upstream.

gwillcox-r7 avatar Oct 31 '22 16:10 gwillcox-r7

Most of this should be working now, but I think I may need to fix some RuboCop errors.

gwillcox-r7 avatar Oct 31 '22 19:10 gwillcox-r7

@gwillcox-r7 It'd be cool to rebase and squash this PR down a bit - as there's 17 commits now 😄

adfoster-r7 avatar Nov 02 '22 21:11 adfoster-r7

> @gwillcox-r7 It'd be cool to rebase and squash this PR down a bit - as there's 17 commits now 😄

@adfoster-r7 If you have any idea how to squash it down further I'd welcome ideas. It was at 39 commits before I rebased it down to 17, but couldn't find a way to reduce it further without missing out on info.

gwillcox-r7 avatar Nov 02 '22 21:11 gwillcox-r7

Putting this in draft state temporarily whilst I work on redoing the output formatting to comply with Spencer's recommendations.

gwillcox-r7 avatar Nov 02 '22 21:11 gwillcox-r7

Alright, I think I've got the underlying data structure set up to redo the output. I'll let you know how it goes with the actual output, but I think we should now be able to adjust things a lot more easily now that it's in a more properly formatted data structure. I'm still tying the CA to the certificate template, but here's what a sample data structure now looks like:

{:"ESC1-Template": {:vulns=>["ESC1"], :dn=>"CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com", :certificate_enrollment_sids=>"S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins) aka Domain Admins (Designated administrators of the domain) | S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users) aka Domain Users (All domain users) | S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins) aka Enterprise Admins (Designated administrators of the enterprise)", :ca_servers_n_enrollment_sids=>{:"WIN-BR0CCBA815B.daforest.com"=>["S-1-5-11"]}}

The updated output also reflects the ability to now look up unknown SIDs more appropriately. For the most part the sAMAccountName value and the Name value I'm using here will be the same but in some cases like Exchange they will be different. Using Name also allows us to retrieve information about group names when sAMAccountName field might not be present.

gwillcox-r7 avatar Nov 03 '22 21:11 gwillcox-r7
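The PR description lists decoding SIDs back into readable strings as an open item, and the comment above shows the resolved names the module now prints next to each SID. As an added example (not the module's code), here is a stdlib-only Ruby decoder for the binary SID layout that LDAP returns in objectSid and inside nTSecurityDescriptor ACEs, with a small lookup table for the well-known SIDs and domain RIDs that appear in this thread. The module resolves unknown SIDs through an LDAP lookup; this example only covers the static names and returns the bare SID for anything else. The byte strings are constructed test input, and `encode_sid` exists only to build them.

```ruby
# Added example: decode binary Windows SIDs into "S-1-5-..." strings and label
# the well-known ones. Not part of the Metasploit module; stdlib only.

# Binary SID layout: revision (1 byte), sub-authority count (1 byte),
# identifier authority (6 bytes, big-endian), then count * 4-byte
# little-endian sub-authorities.
def decode_sid(bytes)
  raise ArgumentError, 'SID too short' if bytes.bytesize < 8

  revision, sub_count = bytes.unpack('CC')
  raise ArgumentError, "unsupported SID revision #{revision}" unless revision == 1
  raise ArgumentError, 'truncated SID' unless bytes.bytesize == 8 + 4 * sub_count

  authority = bytes.byteslice(2, 6).unpack('C6').reduce(0) { |acc, b| (acc << 8) | b }
  subs = bytes.byteslice(8, 4 * sub_count).unpack("V#{sub_count}")
  (['S', revision, authority] + subs).join('-')
end

# Inverse of decode_sid; used here only to construct sample input.
def encode_sid(sid)
  parts = sid.split('-')
  raise ArgumentError, "not a SID: #{sid}" unless parts[0] == 'S' && parts.size >= 3

  revision  = parts[1].to_i
  authority = parts[2].to_i
  subs      = parts[3..-1].map(&:to_i)
  auth_bytes = (0..5).map { |i| (authority >> (8 * (5 - i))) & 0xFF }
  [revision, subs.size, *auth_bytes].pack('C8') + subs.pack("V#{subs.size}")
end

# Fixed well-known SIDs and the domain-relative RIDs seen in this PR's output.
WELL_KNOWN_SIDS = {
  'S-1-1-0'  => 'Everyone',
  'S-1-5-7'  => 'Anonymous',
  'S-1-5-9'  => 'Enterprise Domain Controllers',
  'S-1-5-11' => 'Authenticated Users',
  'S-1-5-18' => 'Local System'
}.freeze
DOMAIN_RIDS = {
  500 => 'Administrator',
  512 => 'Domain Admins',
  513 => 'Domain Users',
  515 => 'Domain Computers',
  516 => 'Domain Controllers',
  518 => 'Schema Admins',
  519 => 'Enterprise Admins'
}.freeze

# Returns a friendly name for the SID, or nil when it would need a directory lookup.
def describe_sid(sid)
  return WELL_KNOWN_SIDS[sid] if WELL_KNOWN_SIDS.key?(sid)
  return nil unless sid.start_with?('S-1-5-21-') # only domain SIDs carry these RIDs

  DOMAIN_RIDS[sid.split('-').last.to_i]
end

# "S-1-5-11 (Authenticated Users)", or just the SID when no static name is known.
def pretty_sid(sid)
  name = describe_sid(sid)
  name ? "#{sid} (#{name})" : sid
end

# Constructed sample input: the 12-byte encoding of S-1-5-11 as it would come
# back from LDAP, and an encoded domain SID taken from this thread's output.
AUTHENTICATED_USERS_SID_BYTES = "\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00".b
DOMAIN_ADMINS_SID_BYTES = encode_sid('S-1-5-21-3290009963-1772292745-3260174523-512')

if __FILE__ == $PROGRAM_NAME
  [AUTHENTICATED_USERS_SID_BYTES, DOMAIN_ADMINS_SID_BYTES].each do |raw|
    puts pretty_sid(decode_sid(raw))
  end
end
```

The revision and length checks matter because a SID copied out of an ACE is only as long as its sub-authority count claims; a silently truncated SID would resolve to the wrong principal in the enrollment table.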

> If you have any idea how to squash it down further I'd welcome ideas. It was at 39 commits before I rebased it down to 17, but couldn't find a way to reduce it further without missing out on info.

Sometimes a lot of the intermediate commits are ephemeral and don't add additional context to a future developer who's trying to investigate a bug, and the extra noise is just overhead. i.e. Changing abstractions/data models multiple times in a PR isn't always useful metadata for the next developer, and could be squashed down.

Again - not a blocker, but from reviewing the code in isolation, it looks like this could be a single commit for instance - as it looks like quite a small PR now that the dust has settled after PR review.

adfoster-r7 avatar Nov 03 '22 23:11 adfoster-r7

Release Notes

This adds a module that analyzes certificate templates to identify ones that are vulnerable to ESC1, ESC2 and ESC3. When a template is found to be vulnerable, the necessary information is printed for the user including the template name, the issuing CAs and the SIDs of the users that are able to issue them.

smcintyre-r7 avatar Nov 07 '22 17:11 smcintyre-r7
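The release notes say the module classifies templates as ESC1, ESC2 or ESC3, but the thread never spells out which template attributes decide that. As an added example (not the module's code), here are the template-level checks in Ruby, driven by the pKICertificateTemplate attributes msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature and pKIExtendedKeyUsage. The flag bits and EKU OIDs are the published Microsoft values. The "enrollment_sids" key is an assumption: a list of SIDs holding the enrollment right, already extracted from the template's nTSecurityDescriptor the way the module's first table does. The template hashes are constructed. The CA-level enrollment check that the PR adds and ESC3's requirement for a second enrollment-agent-capable template are outside this example.

```ruby
# Added example: template-level ESC1/ESC2/ESC3 audit over LDAP-style attribute
# hashes. Not the Metasploit module's code. Useful for reviewing your own ADCS
# templates with the same criteria the module reports on.

# Flag bits from the certificate template schema (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001 # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002 # msPKI-Enrollment-Flag: manager approval

# EKU OIDs that matter for these checks.
EKU_CLIENT_AUTH     = '1.3.6.1.5.5.7.3.2'
EKU_SMARTCARD_LOGON = '1.3.6.1.4.1.311.20.2.2'
EKU_PKINIT_CLIENT   = '1.3.6.1.5.2.3.4'
EKU_ANY_PURPOSE     = '2.5.29.37.0'
EKU_CERT_REQ_AGENT  = '1.3.6.1.4.1.311.20.2.1'
AUTH_EKUS = [EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT, EKU_ANY_PURPOSE].freeze

# Principals that make a template enrollable by ordinary accounts: well-known
# SIDs plus the domain RIDs for Domain Users (513) and Domain Computers (515).
LOW_PRIV_SIDS = %w[S-1-1-0 S-1-5-11].freeze
LOW_PRIV_RIDS = [513, 515].freeze

def low_priv_enrollable?(sids)
  sids.any? do |sid|
    LOW_PRIV_SIDS.include?(sid) ||
      (sid.start_with?('S-1-5-21-') && LOW_PRIV_RIDS.include?(sid.split('-').last.to_i))
  end
end

# Returns the list of ESC findings ([] when the template passes).
def classify_template(tpl)
  name_flag   = tpl.fetch('msPKI-Certificate-Name-Flag', 0).to_i
  enroll_flag = tpl.fetch('msPKI-Enrollment-Flag', 0).to_i
  signatures  = tpl.fetch('msPKI-RA-Signature', 0).to_i
  ekus        = Array(tpl['pKIExtendedKeyUsage'])

  # Preconditions shared by ESC1-3: no manager approval, no required
  # signatures, and a low-privileged principal can enroll.
  return [] unless (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS).zero?
  return [] unless signatures.zero?
  return [] unless low_priv_enrollable?(Array(tpl['enrollment_sids']))

  findings = []
  # No EKU at all is treated as usable for authentication, like Any Purpose.
  auth_capable = ekus.empty? || ekus.any? { |e| AUTH_EKUS.include?(e) }
  if (name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) != 0 && auth_capable
    findings << 'ESC1' # requester chooses the subject of an auth-capable cert
  end
  findings << 'ESC2' if ekus.empty? || ekus.include?(EKU_ANY_PURPOSE)
  findings << 'ESC3' if ekus.include?(EKU_CERT_REQ_AGENT)
  findings
end

# Map of template cn => findings, omitting clean templates.
def audit_templates(templates)
  templates.each_with_object({}) do |tpl, out|
    findings = classify_template(tpl)
    out[tpl['cn']] = findings unless findings.empty?
  end
end

DOMAIN = 'S-1-5-21-3290009963-1772292745-3260174523' # domain SID from this thread

# Constructed templates covering each outcome.
SAMPLE_TEMPLATES = [
  { 'cn' => 'ESC1-Test', 'msPKI-Certificate-Name-Flag' => 1, 'msPKI-Enrollment-Flag' => 0,
    'pKIExtendedKeyUsage' => [EKU_CLIENT_AUTH],
    'enrollment_sids' => ["#{DOMAIN}-512", "#{DOMAIN}-513", "#{DOMAIN}-519"] },
  { 'cn' => 'SubCA-like', 'msPKI-Certificate-Name-Flag' => 1, 'msPKI-Enrollment-Flag' => 0,
    'pKIExtendedKeyUsage' => [], 'enrollment_sids' => ['S-1-5-11'] },
  { 'cn' => 'Agent', 'msPKI-Certificate-Name-Flag' => 0, 'msPKI-Enrollment-Flag' => 0,
    'pKIExtendedKeyUsage' => [EKU_CERT_REQ_AGENT], 'enrollment_sids' => ['S-1-5-11'] },
  { 'cn' => 'User-like', 'msPKI-Certificate-Name-Flag' => 0xA6000000, 'msPKI-Enrollment-Flag' => 0,
    'pKIExtendedKeyUsage' => [EKU_CLIENT_AUTH], 'enrollment_sids' => ["#{DOMAIN}-513"] },
  { 'cn' => 'Approval', 'msPKI-Certificate-Name-Flag' => 1, 'msPKI-Enrollment-Flag' => 2,
    'pKIExtendedKeyUsage' => [EKU_CLIENT_AUTH], 'enrollment_sids' => ['S-1-5-11'] }
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_templates(SAMPLE_TEMPLATES).each { |name, vulns| puts "#{name}: #{vulns.join(', ')}" }
end
```

The User-like entry shows why the subject-name flag is the deciding bit for ESC1: it is enrollable by Domain Users and carries Client Authentication, yet the subject is built from AD rather than supplied by the requester, so it is not reported. Fixing an ESC1 template means clearing that flag or requiring manager approval or signatures; the Approval entry shows the latter passing the check.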