This adds support for ESC15 to various AD CS related modules. A template is added so the `ad_cs_cert_template` module can create and update templates to be vulnerable to ESC15 (downgrading the schema may not work and should be tested, but creating a net-new one does work). Fingerprinting is added to the `ldap_esc_vulnerable_cert_finder` module to identify templates that are vulnerable to ESC15. Finally, OIDs can be specified in the `icpr_cert` module so a vulnerable template can be exploited by a user.

## Todo

- `icpr_cert` docs for the new option

## Demo

Not sure why the session is showing up as from 127.0.0.1 to 127.0.0.1, but with the new ldap whoami changes, it shows that the certificate authenticated as the `MSFLAB\smcintyre` DA user and not the `MSFLAB\mhatter` normal user who issued it.

## Testing Steps

1. `ad_cs_cert_template` to create a vulnerable certificate using the new template
2. `ldap_esc_vulnerable_cert_finder` module to identify the new template
3. `icpr_cert` module to issue a certificate
   - `1.3.6.1.5.5.7.3.2` (Client Authentication)
   - `ALT_UPN` option to specify a privileged user
4. `ldap_login` module to authenticate using schannel to the server with the certificate
5. `getuid` command on the session and see that it is authenticated as the user specified in the `ALT_UPN` datastore argument when the cert was issued
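The defender-side counterpart of the template fingerprinting described above is an audit of your own templates for the ESC15 precondition. The example below is added here and is not code from this PR or from the Metasploit modules it touches; it encodes the commonly documented ESC15 condition (a schema version 1 template whose `msPKI-Certificate-Name-Flag` has the enrollee-supplies-subject bit set, which lets the requester inject an Application Policies extension such as Client Authentication even when the template's own EKU list lacks it). The template records are constructed sample data, and the attribute names are the LDAP attributes of `pKICertificateTemplate` objects; whether a template is published by a CA and who holds enrollment rights are separate checks not shown.

```python
# Added example: audit certificate template attributes for the ESC15 precondition.
# The records below are constructed sample data, not pulled from any directory.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"           # OID used in the PR's testing steps

CONSTRUCTED_TEMPLATES = [
    {
        "cn": "User",
        "msPKI-Template-Schema-Version": 1,
        # Subject is built from AD (UPN/email/DN flags); enrollee bit is clear.
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "pKIExtendedKeyUsage": [CLIENT_AUTH_EKU, "1.3.6.1.5.5.7.3.4"],
    },
    {
        "cn": "WebServer",
        "msPKI-Template-Schema-Version": 1,
        # Enrollee supplies the subject: v1 template, so the requester can also
        # supply an Application Policies extension the CA will honour.
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],  # Server Authentication only
    },
    {
        "cn": "ModernWebServer",
        "msPKI-Template-Schema-Version": 2,  # v2+: requester-supplied policies are not honoured
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
    },
]


def is_esc15_candidate(template: dict) -> bool:
    """True when the template matches the ESC15 fingerprint:
    schema version 1 and the enrollee may supply the subject."""
    schema_v1 = template.get("msPKI-Template-Schema-Version") == 1
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0)
    enrollee_subject = bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    return schema_v1 and enrollee_subject


def find_esc15_candidates(templates: list) -> list:
    """Return the cn of every template that matches the ESC15 fingerprint.
    Note that the template's declared EKUs are irrelevant here: the point of
    ESC15 is that a client-auth policy can be added at request time."""
    return [t["cn"] for t in templates if is_esc15_candidate(t)]


def remediation_for(template: dict) -> str:
    """Suggest the mitigation for a flagged template: either stop letting the
    enrollee supply the subject, or require CA manager approval so a request
    with an unexpected alternate UPN is reviewed before issuance."""
    if not is_esc15_candidate(template):
        return "no action"
    return ("clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT or enable manager approval "
            f"on template {template['cn']}")


if __name__ == "__main__":
    for cn in find_esc15_candidates(CONSTRUCTED_TEMPLATES):
        print(f"[!] {cn}: ESC15 candidate")
    for t in CONSTRUCTED_TEMPLATES:
        print(f"{t['cn']}: {remediation_for(t)}")
```

In a real audit the same attributes come from an LDAP query against `CN=Certificate Templates,CN=Public Key Services,CN=Services,<configuration naming context>`; the flag value and schema version are returned as integers, so the functions above can be applied to the results unchanged.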