
Add proper SubjectAltName parsing #18121

Merged: 7 commits, Jun 27, 2023

Conversation

zeroSteiner (Contributor)

This fixes #18079 by adding a proper ASN.1 parser using RASN1 for the x509 SubjectAltName field. Previously, the icpr_cert module would crash when extracting information from this structure if certain fields were set. This addresses the problem by adding a definition for the SubjectAltName field using RASN1. This is then used for the parsing, allowing the module to correctly process the data and even extract additional information like DNS hostnames and email addresses.

The x400Address field in the SubjectAltName is pretty complicated. All of the fields are modeled out according to the RFC and were tested using data generated using Python's asn1crypto library and the following script. Currently, this will fail due to what I believe is an issue that needs to be resolved in the upstream project. A PR has been submitted already and once it's landed, the definitions should begin to just work. Until then, this issue shouldn't come up in the icpr_cert module because that particular field isn't populated by AD CS.

test_cert.py
import asn1crypto
import asn1crypto.x509 as x509
import binascii

# Build the pieces of an x400Address (ORAddress) one at a time so that each
# nested structure can be dumped on its own and checked against its RASN1 definition.
terminal_identifier = x509.PrintableString(value='vt100')
built_in_standard_attributes = x509.BuiltInStandardAttributes(value={
	'administration_domain_name': x509.AdministrationDomainName(name='printable', value='Metasploit'),
	'country_name': x509.CountryName(name='iso_3166_alpha2_code', value='US'),
	'terminal_identifier': terminal_identifier,
	'numeric_user_identifier': '123-45-6789',
})
or_address = asn1crypto.x509.ORAddress()
or_address['built_in_standard_attributes'] = built_in_standard_attributes
or_address['built_in_domain_defined_attributes'] = [
	{'type': 'testKey', 'value': 'testValue'}
]

# Wrap the ORAddress as the x400_address choice of a GeneralNames sequence.
general_names = asn1crypto.x509.GeneralNames([
	asn1crypto.x509.GeneralName(name='x400_address', value=or_address)
])

# Show the DER encoding of each piece as hex.
print('PrintableString: ' + binascii.b2a_hex(terminal_identifier.dump()).decode())
print('BuiltInStandardAttributes: ' + binascii.b2a_hex(built_in_standard_attributes.dump()).decode())
print('ORAddress: ' + binascii.b2a_hex(or_address.dump()).decode())

# Write the raw DER out so it can be loaded as test data.
with open('/tmp/terminal_identifier.bin', 'wb') as f:
	f.write(terminal_identifier.dump())
with open('/tmp/built_in_standard_attributes.bin', 'wb') as f:
	f.write(built_in_standard_attributes.dump())
with open('/tmp/or_address.bin', 'wb') as f:
	f.write(or_address.dump())
with open('/tmp/general_names.bin', 'wb') as f:
	f.write(general_names.dump())

Verification

  • Install AD CS
  • Use certtmpl.msc to make a copy of the User certificate.
  • In the copy's "Subject Name" field, set it to "Build from this Active Directory information" and select "User principal name" and "E-mail name".
  • Use the icpr_cert module to issue that certificate
  • See the UPN and Email in the output of the module and not a stack trace

If you get this error:

[-] 192.168.159.10:445 - There was an error while requesting the certificate.
[-] 192.168.159.10:445 - Denied by Policy Module
[-] 192.168.159.10:445 - Error details:
[-] 192.168.159.10:445 -   Source:  (0x0009) FACILITY_SECURITY: The source of the error code is the Security API layer.
[-] 192.168.159.10:445 -   HRESULT: (0x8009480f) CERTSRV_E_SUBJECT_DNS_REQUIRED: The Domain Name System (DNS) name is unavailable and cannot be added to the Subject Alternate name.

It's because the Active Directory user does not have an email address specified. Open Active Directory Users and Computers, select the account and populate the "E-mail Address" field.


DNS

The DNS field is specified for computer accounts. If you want to test that one as well:

  • Use the samr_computer module to create a new computer account and note the password
  • In "Active Directory Users and Computers", select the computer account.
  • From the main window, enable View > Advanced Features.
  • Edit the properties of the computer account and go to the "Attribute Editor".
  • Populate the dNSHostName field.

I'm pretty sure that computer accounts can't have an email set, or at least I don't know how to set it. This means that in certtmpl.msc you'll need to unselect E-mail and UPN and select just DNS instead. I was unable to find a way to populate the SPN field.

Demo

[*] Running module against 192.168.159.10

[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate Email: spencer@msflab.local
[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000
[*] 192.168.159.10:445 - Certificate UPN: smcintyre@msflab.local
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20230616120401_default_192.168.159.10_windows.ad.cs_236901.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) >
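To illustrate the failure mode this PR addresses, here is an added example (not code from this PR, from Metasploit, or from RASN1) that walks a DER-encoded SubjectAltName GeneralNames with only the Ruby standard library: it extracts dNSName, rfc822Name and the otherName UPN (type-id 1.3.6.1.4.1.311.20.2.3), and records rather than aborts on choices it does not model, such as [3] x400Address. The sample SAN bytes are constructed inline; the helper names are my own.

```ruby
# UPN otherName type-id 1.3.6.1.4.1.311.20.2.3 (szOID_NT_PRINCIPAL_NAME), DER contents octets
UPN_OID_DER = "\x2b\x06\x01\x04\x01\x82\x37\x14\x02\x03".b

# Encode one DER TLV (short-form length only; enough for the constructed sample below).
def der_tlv(tag, body)
  raise 'short-form length only' if body.bytesize > 127
  ([tag, body.bytesize].pack('CC') + body).b
end

# Decode one TLV at offset; returns [tag, contents, next_offset]. Handles long-form lengths.
def read_tlv(der, off)
  tag, len = der.getbyte(off), der.getbyte(off + 1)
  raise 'truncated DER' if tag.nil? || len.nil?
  off += 2
  if len > 0x80                                     # long form: low 7 bits = number of length octets
    n = len & 0x7f
    len, off = der.byteslice(off, n).bytes.inject(0) { |acc, b| (acc << 8) | b }, off + n
  end
  raise 'truncated DER' if off + len > der.bytesize
  [tag, der.byteslice(off, len), off + len]
end

# Return the UPN from an otherName body (SEQUENCE { type-id OID, [0] EXPLICIT UTF8String }),
# or nil when the type-id is some other OID.
def upn_from_other_name(body)
  oid_tag, oid, off = read_tlv(body, 0)
  return nil unless oid_tag == 0x06 && oid == UPN_OID_DER
  wrapper = read_tlv(body, off)[1]                  # the [0] EXPLICIT wrapper
  read_tlv(wrapper, 0)[1].force_encoding('UTF-8')
end

# Walk a GeneralNames SEQUENCE. Choices the module does not need ([3] x400Address among them)
# are recorded under :skipped and stepped over instead of aborting the whole parse.
def parse_general_names(der)
  tag, body, _ = read_tlv(der.b, 0)
  raise 'expected SEQUENCE' unless tag == 0x30
  names = { dns: [], email: [], upn: [], skipped: [] }
  off = 0
  while off < body.bytesize
    tag, value, off = read_tlv(body, off)
    if tag == 0x82 then names[:dns] << value        # [2] dNSName, IA5String
    elsif tag == 0x81 then names[:email] << value   # [1] rfc822Name, IA5String
    elsif tag == 0xa0 && (upn = upn_from_other_name(value)) then names[:upn] << upn
    else names[:skipped] << tag
    end
  end
  names
end
# Constructed sample SAN: dNSName, rfc822Name, a minimal x400Address, then a UPN otherName.
SAMPLE_SAN = der_tlv(0x30,
  der_tlv(0x82, 'host.msflab.local') + der_tlv(0x81, 'user@msflab.local') +
  der_tlv(0xa3, der_tlv(0x30, '')) +                # [3] x400Address, empty BuiltInStandardAttributes
  der_tlv(0xa0, der_tlv(0x06, UPN_OID_DER) + der_tlv(0xa0, der_tlv(0x0c, 'user@msflab.local'))))
```

Running `parse_general_names(SAMPLE_SAN)` yields the DNS name, email and UPN, with `0xa3` listed under `:skipped` instead of a stack trace.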

  • The ORAddress field is left out because it's significantly more complicated than the rest and doesn't appear to be necessary at this time.
  • It was added in sdaubert/rasn1#33 and is present in RASN 0.12.1.
  • Note that there's a known issue that needs the changes from sdaubert/rasn1#37 to work.
  • Return arrays of values where applicable and update method docs.
@dwelch-r7 (Contributor)

Nice, this works for me.

@dwelch-r7 dwelch-r7 merged commit 36e0d8f into rapid7:master Jun 27, 2023
30 checks passed
@dwelch-r7 dwelch-r7 added the rn-fix release notes fix label Jun 27, 2023
@dwelch-r7 (Contributor)

Release Notes

Adds a proper ASN.1 parser using RASN1 for the x509 SubjectAltName field

Successfully merging this pull request may close these issues.

icpr_cert Module Fails In #get_cert_msext_upn