Add ESC4 detection to ldap_esc_vulnerable_cert_finder module #19816
+215
−3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jheysel-r7
commented
Jan 20, 2025
smcintyre-r7
added
the
rn-modules
jheysel-r7
commented
Jan 22, 2025
smcintyre-r7
requested changes
Jan 22, 2025
| user_groups << group_sid | ||
| end | ||
|
|
||
| user_groups << Rex::Proto::Secauthz::WellKnownSids::SECURITY_AUTHENTICATED_USER_SID |
There was a problem hiding this comment.
In addition to this, I think we'll want to figure out if the account we're using is a User or a Computer. Once we know, we'll want to add the SID for Domain Users or Domain Computers as applicable. That means you'll also have to get the Domain SID though too.
Once you have the Users or Computers group, we'll want to look up it's DN and add it to the filter_with_users using the logical OR operator. With this in place, we should be able to identify cases where one of these groups has inherited permissions.
There was a problem hiding this comment.
The module now differentiates between users and computer accounts and adds the necessary SIDs to the user_groups where applicable.
New relevant testing output:
[+] Template: Copy 2 of Web Server
[*] Distinguished Name: CN=Copy 2 of Web Server,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*] Manager Approval: Disabled
[*] Required Signatures:
[+] Vulnerable to: ESC4
[*] Notes: ESC4: The computer DC2$ is a part of the following groups: (Domain Computers) which have edit permissions over the template Copy 2 of Web Server making it vulnerable to ESC4
[*] Users or Groups SIDs with Certificate Template write access:
[*] * S-1-5-21-2324486357-3075865580-3606784161-515 (Domain Computers)
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[*] * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*] * S-1-5-21-2324486357-3075865580-3606784161-515 (Domain Computers)
[*] * S-1-5-21-2324486357-3075865580-3606784161-1000 (msfuser)
[*] * S-1-5-11 (Authenticated Users)
[+] Issuing CA: kerberos-DC2-CA (dc2.kerberos.issue)
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*] * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds support for ESC4 to the
ldap_esc_vulnerable_cert_findermodule. Certificates vulnerable to ESC4 are certs where the user enumerating can edit them. The idea being that if the user has edit permissions they can modify the cert to be vulnerable to ESC1 then exploit it to get domain admin on the DC.This addition works by first running an LDAP query to determine what user we are authenticating with and what security groups they are a part of. The module then gets a list of all certificate templates and determines whether the user has the ability to edit any of them.
Verification Steps
First deploy a vulnerable template with
ad_cs_cert_templateuse admin/ldap/ad_cs_cert_templateset TEMPLATE_FILE data/auxiliary/admin/ldap/ad_cs_cert_template/esc4_template.yamlset CERT_TEMPLATE VulnToEsc4set action CREATEDOMAINPASSWORDRHOSTSUSERNAMEcertsrvon the domain controller, right clickCertificate Templates->New->Certificate Template to Issueand selectVulnToEsc4Ensure
ldap_esc_vulnerable_cert_finderfinds the vulnerable certificateuse gather/ldap_esc_vulnerable_cert_finderrun domain=kerberos.issue password=N0tpassword! rhost=172.16.199.200 username=msfuserVulnToEsc4appears vulnerable to ESC4.Note if you run the vulnerable cert finder with a domain admin as you might expect, almost all templates should be reported as vulnerable to ESC4.
Testing