
ESC9 and ESC10 detection for ldap_esc_vulnerable_cert_finder #20149


Open
wants to merge 4 commits into master

Conversation

jheysel-r7
Contributor

@jheysel-r7 jheysel-r7 commented May 8, 2025

This PR adds detections for ESC9 and ESC10 to the ldap_esc_vulnerable_cert_finder module.
TODO: Write documentation on how to create certificate templates vulnerable to both of these misconfigurations.

Verification

List the steps needed to make sure this thing works

  1. Do: Start msfconsole
  2. Do: use auxiliary/gather/ldap_esc_vulnerable_cert_finder
  3. Do: set LDAPUsername <username>
  4. Do: set LDAPPassword <password>
  5. Do: set LDAPDomain <password>
  6. Do: set RHOSTS <target IP(s)>
  7. Optional: set RPORT <target port> if target port is non-default.
  8. Optional: set SSL true if the target port is SSL enabled.
  9. Do: run

Testing

ESC9

[+] Template: ESC9-Template
[*]   Distinguished Name: CN=ESC9-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC2, ESC4
[!]   Potentially vulnerable to: ESC9 (the template is in a vulnerable configuration but in order to exploit registry key StrongCertificateBindingEnforcement must not be set to 2)
[*]   Notes:
[*]     * ESC2: Template defines the Any Purpose OID or no EKUs (PkiExtendedKeyUsage)
[*]     * ESC4: The account: user1 has edit permissions over the template ESC9-Template making it vulnerable to ESC4
[*]     * ESC4: The account: user1 is a part of the following groups: (Authenticated Users) which have edit permissions over the template object
[*]     * ESC9: Template has msPKI-Enrollment-Flag set to 0x80000 (CT_FLAG_NO_SECURITY_EXTENSION) and specifies a client authentication EKU and user1 has write privileges over user2
[*]  Certificate Template Write-Enabled SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (user2)
[*]     * S-1-5-11 (Authenticated Users)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (user2)
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: kerberos-DC2-CA (dc2.kerberos.issue)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[*] Auxiliary module execution completed

ESC10

[+] Template: ESC10-Template
[*]   Distinguished Name: CN=ESC10-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC2, ESC4
[!]   Potentially vulnerable to: ESC10 (the template is in a vulnerable configuration but in order to exploit registry key StrongCertificateBindingEnforcement must be set to 0 or CertificateMappingMethods must be set to 0x4)
[*]   Notes:
[*]     * ESC2: Template defines the Any Purpose OID or no EKUs (PkiExtendedKeyUsage)
[*]     * ESC4: The account: user1 has edit permissions over the template ESC10-Template making it vulnerable to ESC4
[*]     * ESC4: The account: user1 is a part of the following groups: (Authenticated Users) which have edit permissions over the template object
[*]     * ESC10: Template specifies a client authentication EKU and user1 has write privileges over user2
[*]  Certificate Template Write-Enabled SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-500 (Administrator)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (user2)
[*]     * S-1-5-11 (Authenticated Users)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (user2)
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: kerberos-DC2-CA (dc2.kerberos.issue)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
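
The two output blocks above separate "the template is in a vulnerable configuration" from "but in order to exploit, the registry must be ..." The Ruby below is an added example (not code from the ldap_esc_vulnerable_cert_finder module) that models that two-part decision for a defender reviewing a template: the LDAP attributes (msPKI-Enrollment-Flag, pKIExtendedKeyUsage) decide whether ESC9/ESC10 are potentially present, and the DC-side values of StrongCertificateBindingEnforcement and CertificateMappingMethods decide whether the finding is exploitable or already mitigated. The list of client-authentication EKU OIDs, the Struct shapes, and the two sample templates are assumptions of this example, built from the values shown in the PR output.

```ruby
# Added example, not the module's own code: classify a certificate template's
# ESC9/ESC10 exposure from its LDAP attributes plus the DC-side registry values
# named in the module output, and say which setting closes the gap.

# Bit in msPKI-Enrollment-Flag named in the module output.
CT_FLAG_NO_SECURITY_EXTENSION = 0x80000

# EKU OIDs treated here as client authentication (assumption of this example;
# the module keeps its own list): client auth, PKINIT client auth,
# smart card logon, any purpose.
CLIENT_AUTH_EKUS = %w[
  1.3.6.1.5.5.7.3.2
  1.3.6.1.5.2.3.4
  1.3.6.1.4.1.311.20.2.2
  2.5.29.37.0
].freeze

Template = Struct.new(:name, :enrollment_flag, :ekus, keyword_init: true)

# Values read from the DC's registry; nil means "not checked yet".
# StrongCertificateBindingEnforcement: 0 = disabled, 1 = compatibility, 2 = full.
# CertificateMappingMethods 0x4 = UPN mapping.
KdcSettings = Struct.new(:strong_binding, :mapping_methods, keyword_init: true)

REMEDIATION = {
  'ESC9'  => 'clear CT_FLAG_NO_SECURITY_EXTENSION on the template and set StrongCertificateBindingEnforcement to 2',
  'ESC10' => 'set StrongCertificateBindingEnforcement to 2 and do not enable the 0x4 (UPN) CertificateMappingMethods bit',
}.freeze

# A template with no EKU at all is treated as any-purpose, as the ESC2 note does.
def client_auth_eku?(template)
  template.ekus.empty? || (template.ekus & CLIENT_AUTH_EKUS).any?
end

def no_security_extension?(template)
  (template.enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION) != 0
end

# Returns { 'ESC9' => status, 'ESC10' => status } (keys only when the template
# conditions are met). Status values:
#   :potential    template conditions met, registry not checked
#   :exploitable  template conditions met and registry is weak
#   :mitigated    template conditions met but registry closes the path
# can_write_other_account models the "user1 has write privileges over user2"
# precondition from the module output.
def assess(template, kdc, can_write_other_account:)
  result = {}
  return result unless client_auth_eku?(template) && can_write_other_account

  sb = kdc.strong_binding
  mm = kdc.mapping_methods

  if no_security_extension?(template)
    result['ESC9'] =
      if sb.nil?    then :potential
      elsif sb != 2 then :exploitable
      else               :mitigated
      end
  end

  result['ESC10'] =
    if sb == 0 || mm == 0x4   then :exploitable
    elsif sb.nil? || mm.nil? then :potential
    else                          :mitigated
    end
  result
end

# Sample templates constructed from the PR output (constructed data).
ESC9_TEMPLATE  = Template.new(name: 'ESC9-Template',  enrollment_flag: 0x80000, ekus: ['1.3.6.1.5.5.7.3.2'])
ESC10_TEMPLATE = Template.new(name: 'ESC10-Template', enrollment_flag: 0x0,     ekus: ['1.3.6.1.5.5.7.3.2'])

def report(template, kdc)
  assess(template, kdc, can_write_other_account: true).map do |esc, status|
    line = "#{template.name}: #{esc} #{status}"
    line += " -- #{REMEDIATION[esc]}" unless status == :mitigated
    line
  end
end

if $PROGRAM_NAME == __FILE__
  unchecked = KdcSettings.new(strong_binding: nil, mapping_methods: nil)
  hardened  = KdcSettings.new(strong_binding: 2,   mapping_methods: 0x18)
  [ESC9_TEMPLATE, ESC10_TEMPLATE].each do |t|
    puts report(t, unchecked), report(t, hardened)
  end
end
```

Run with the unchecked settings it reproduces the module's "potentially vulnerable" verdicts; with StrongCertificateBindingEnforcement at 2 and the default 0x18 mapping methods both findings come back mitigated, which is the state a defender wants to confirm after KB5014754-style enforcement is rolled out.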


github-actions bot commented May 8, 2025

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@jheysel-r7 jheysel-r7 added rn-modules release notes for new or majorly enhanced modules and removed needs-docs labels May 8, 2025