Add module for issuing certificates #16939
Conversation
```ruby
ext_asn = OpenSSL::ASN1.decode(OpenSSL::ASN1.decode(ext.to_der).value[1].value)
ext_asn.value.each do |value|
  value = value.value
  next unless value.is_a?(Array)
  next unless value[0]&.value == OID_NTDS_OBJECTSID

  return value[1].value[0].value
```
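Review bot: the `return value[1].value[0].value` at the end of this loop is still unguarded even though the line before it uses `&.` on `value[0]`: if the otherName has only one field, `value[1]` is `nil` and `.value` raises `NoMethodError`; if its second field is a primitive rather than the `[0]` wrapper, `value[1].value` is a `String`, `[0]` yields a one-character string and `.value` raises the same error. Suggest `next unless value[1].is_a?(OpenSSL::ASN1::ASN1Data) && value[1].value.is_a?(Array)` before the `return`. Separately, both `OpenSSL::ASN1.decode` calls on the first line raise `OpenSSL::ASN1::ASN1Error` on malformed extension bodies, so the caller should rescue that rather than let a bad certificate abort the module.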
Many of these `value`'s are called without the safe navigation operator (`&.`). Are we sure no `NoMethodError` will be raised in some corner cases?
Thanks @zeroSteiner ! It looks good to me. I tested against a Windows Server 2019 and verified the certificates are correctly issued. I also checked I could authenticate to the DC.
Not a blocker for this PR to land - but could we test this from a machine running OpenSSL 3? i.e. Ubuntu 22.04, or Kali with Ruby 3.04:

Some of Ruby's OpenSSL library calls have broken with OpenSSL 3 - and it'd probably be best to verify it works for newer versions of openssl whilst it's fresh in the PR queue 😄
Looks like it's working correctly. Ruby 3.1.2 with OpenSSL 3.0.5 installed via RVM on Fedora.
New features include the necessary MS-ICPR definition and more authentication support for DCERPC over named pipes.

1fdefaa to ba527f8
Thanks @zeroSteiner ! Everything looks good to me now. I'll go ahead and land it.
Release Notes

This adds a module for issuing certificates via Active Directory Certificate Services, which is useful in a few contexts including persistence and for some specific exploits. The resulting PFX certificate file is stored to the loot and is encrypted using a blank password.
This adds a module for issuing certificates via Active Directory Certificate Services. Issuing certificates is useful in a few contexts including persistence, ESC1 and as a primitive necessary for exploiting CVE-2022-26923 (coming soon). The resulting PFX certificate file is stored to loot and is encrypted using a blank password. It doesn't look like Ruby supports writing PFX files without encryption, and specifying a password would break compatibility with other tools.

Requires rapid7/ruby_smb#236 to be landed first for the necessary DCERPC definitions and functionality.

This is not blocked by #16938, but the documentation does refer to the queries that are added in there as part of the workflow, so it is related. Without that functionality, the user will just need to know the `CA` and `CERT_TEMPLATE` names. Either you'd know them because you set them up in Active Directory, or you'd have obtained them through another tool like Certipy's `find` command.

Verification

- (`CA` datastore option)
- `certtmpl.msc`
- `ESC1-Test`
- `certsrv.msc`
- Set the `CA`, `RHOSTS`, `SMBUser`, and `SMBPass` options correctly
- certificate template (`set CERT_TEMPLATE User`)
- Set `ALT_UPN` to a domain administrator, like `smcintyre@msflab.local` where `smcintyre` is the domain admin and `msflab.local` is the DNS domain name
- Set the `CERT_TEMPLATE` option to `ESC1-Test` and run the module

PFX Certificate Validation

Regardless of how the certificate is obtained, the easiest way to validate that it is correct is to use Certipy's `auth` sub command. The certificate stored in loot by Metasploit should be able to be used to authenticate to the domain controller.

Example showing that a certificate is working, and the hash for user MSFLAB\smcintyre is recovered.

Metasploit can't perform this step natively yet because there's no support for the PKINIT extension when authenticating with Kerberos.
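An added example, not code from this PR or from Metasploit, showing the two certificate extensions this workflow turns on and the guarded parsing the review comment above asks for. It builds a self-signed stand-in for a CA-issued certificate carrying a UPN `otherName` in the SAN (what `ALT_UPN` becomes) and the `szOID_NTDS_CA_SECURITY_EXT` objectSid extension, walks those `otherName` structures without unguarded `.value` chains, and round-trips the result through a PFX encrypted with a blank password, as the module stores to loot. The OID constants are the Microsoft-assigned values; the UPN `smcintyre@msflab.local` (from the description) and the SID `S-1-5-21-1-2-3-500` are constructed sample values; the otherName layout (OID followed by a `[0]` wrapper) is the one the module's snippet indexes with `value[1].value[0]`.

```ruby
require 'openssl'

# Microsoft OIDs (MS-WCCE / MS-ADTS). The module's snippet compares against OID_NTDS_OBJECTSID.
OID_NTDS_CA_SECURITY_EXT = '1.3.6.1.4.1.311.25.2'   # szOID_NTDS_CA_SECURITY_EXT
OID_NTDS_OBJECTSID       = '1.3.6.1.4.1.311.25.2.1' # szOID_NTDS_OBJECTSID
OID_UPN                  = '1.3.6.1.4.1.311.20.2.3' # szOID_NT_PRINCIPAL_NAME

# Constructed, context-specific [0] wrapper around one or more ASN.1 nodes.
def ctx0(*nodes)
  OpenSSL::ASN1::ASN1Data.new(nodes, 0, :CONTEXT_SPECIFIC)
end

# otherName ::= [0] { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
def other_name(oid, inner)
  ctx0(OpenSSL::ASN1::ObjectId.new(oid), ctx0(inner))
end

# subjectAltName with a single UPN otherName (the ESC1 "supply in request" SAN).
def build_upn_san(upn)
  san = OpenSSL::ASN1::Sequence.new([other_name(OID_UPN, OpenSSL::ASN1::UTF8String.new(upn))])
  OpenSSL::X509::Extension.new('subjectAltName', san.to_der, false)
end

# szOID_NTDS_CA_SECURITY_EXT ::= SEQUENCE { otherName { szOID_NTDS_OBJECTSID, [0] { OCTET STRING sid } } }
def build_sid_ext(sid)
  seq = OpenSSL::ASN1::Sequence.new([other_name(OID_NTDS_OBJECTSID, OpenSSL::ASN1::OctetString.new(sid))])
  OpenSSL::X509::Extension.new(OID_NTDS_CA_SECURITY_EXT, seq.to_der, false)
end

# Dotted OID of an extension, whether or not OpenSSL knows a short name for it.
def ext_oid(ext)
  OpenSSL::ASN1::ObjectId.new(ext.oid).oid
end

def find_ext(cert, oid)
  want = OpenSSL::ASN1::ObjectId.new(oid).oid
  cert.extensions.find { |e| ext_oid(e) == want }
end

# Yield [dotted_oid, inner_node] for each well-formed otherName in the extension
# value; anything malformed is skipped (or swallowed) instead of raising.
def each_other_name(ext)
  fields = OpenSSL::ASN1.decode(ext.to_der).value
  # Extension ::= SEQUENCE { extnID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }:
  # using the last field also copes with a critical flag, which value[1] would not.
  return unless fields.is_a?(Array) && fields.last.is_a?(OpenSSL::ASN1::OctetString)
  seq = OpenSSL::ASN1.decode(fields.last.value)
  return unless seq.is_a?(OpenSSL::ASN1::Sequence)
  seq.value.each do |elem|
    next unless elem.tag_class == :CONTEXT_SPECIFIC && elem.tag == 0 && elem.value.is_a?(Array)
    oid, wrapped = elem.value
    next unless oid.is_a?(OpenSSL::ASN1::ObjectId) && wrapped.is_a?(OpenSSL::ASN1::ASN1Data)
    next unless wrapped.value.is_a?(Array) && wrapped.value.length == 1
    yield oid.oid, wrapped.value.first
  end
rescue OpenSSL::ASN1::ASN1Error
  nil # truncated or garbage extension body: treat as "not present"
end

def extract_upn(cert)
  ext = find_ext(cert, 'subjectAltName')
  return nil unless ext
  each_other_name(ext) do |oid, inner|
    return inner.value if oid == OID_UPN && inner.is_a?(OpenSSL::ASN1::UTF8String)
  end
  nil
end

def extract_sid(cert)
  ext = find_ext(cert, OID_NTDS_CA_SECURITY_EXT)
  return nil unless ext
  each_other_name(ext) do |oid, inner|
    return inner.value if oid == OID_NTDS_OBJECTSID && inner.is_a?(OpenSSL::ASN1::OctetString)
  end
  nil
end

# Self-signed stand-in for what the CA returns over MS-ICPR (constructed test data).
def issue_test_certificate(upn, sid)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=ESC1-Test')
  cert.issuer = cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.add_extension(build_upn_san(upn))
  cert.add_extension(build_sid_ext(sid))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# PFX encrypted with a blank password, the form other tooling (e.g. Certipy auth) expects.
def to_pfx(cert, key)
  OpenSSL::PKCS12.create('', 'ESC1-Test', key, cert).to_der
end

def from_pfx(der)
  OpenSSL::PKCS12.new(der, '')
end

if __FILE__ == $PROGRAM_NAME
  cert, key = issue_test_certificate('smcintyre@msflab.local', 'S-1-5-21-1-2-3-500')
  loaded = from_pfx(to_pfx(cert, key))
  puts "UPN: #{extract_upn(loaded.certificate)}"
  puts "SID: #{extract_sid(loaded.certificate)}"
end
```

The parser accepts the critical flag, a second otherName field that is not a `[0]` wrapper, and undecodable bodies, which are exactly the cases that make the unguarded `value[1].value[0].value` chain raise `NoMethodError`; a real DC-issued certificate carries the SID extension only on servers with the May 2022 update, so `extract_sid` returning `nil` is a normal outcome rather than an error.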