Skip to content

Commit

Permalink
Consolidate the report details
Browse files Browse the repository at this point in the history
  • Loading branch information
@zeroSteiner
zeroSteiner committed Jan 16, 2025
1 parent 3fe66ba commit 90cdcb0
Showing 1 changed file with 23 additions and 22 deletions.
45 changes: 23 additions & 22 deletions modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -169,13 +169,13 @@ def query_ldap_server(raw_filter, attributes, base_prefix: nil)
returned_entries
end

def query_ldap_server_certificates(esc_raw_filter, esc_name, notes: [])
def query_ldap_server_certificates(esc_raw_filter, esc_id, notes: [])
attributes = ['cn', 'name', 'description', 'ntSecurityDescriptor', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'PkiExtendedKeyUsage']
base_prefix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
esc_entries = query_ldap_server(esc_raw_filter, attributes, base_prefix: base_prefix)

if esc_entries.empty?
print_warning("Couldn't find any vulnerable #{esc_name} templates!")
print_warning("Couldn't find any vulnerable #{esc_id} templates!")
return
end

Expand All @@ -190,23 +190,18 @@ def query_ldap_server_certificates(esc_raw_filter, esc_name, notes: [])

allowed_sids = parse_acl(security_descriptor.dacl) if security_descriptor.dacl
next if allowed_sids.empty?
next if allowed_sids.empty?

certificate_symbol = entry[:cn][0].to_sym
if @certificate_details.key?(certificate_symbol)
@certificate_details[certificate_symbol][:techniques] << esc_name
@certificate_details[certificate_symbol][:techniques] << esc_id
@certificate_details[certificate_symbol][:notes] += notes
else
@certificate_details[certificate_symbol] = {
name: entry[:name][0].to_s,
techniques: [esc_name],
dn: entry[:dn][0].to_s,
enrollment_sids: convert_sids_to_human_readable_name(allowed_sids),
ca_servers: {},
manager_approval: ([entry[%s(mspki-enrollment-flag)].first.to_i].pack('l').unpack1('L') & Rex::Proto::MsCrtd::CT_FLAG_PEND_ALL_REQUESTS) != 0,
required_signatures: [entry[%s(mspki-ra-signature)].first.to_i].pack('l').unpack1('L'),
@certificate_details[certificate_symbol] = build_certificate_details(
entry,
allowed_sids,
techniques: [esc_id],
notes: notes
}
)
end
end
end
Expand Down Expand Up @@ -324,7 +319,7 @@ def find_esc13_vuln_cert_templates
(mspki-certificate-policy=*)
)
FILTER
attributes = ['cn', 'description', 'ntSecurityDescriptor', 'msPKI-Certificate-Policy']
attributes = ['cn', 'description', 'ntSecurityDescriptor', 'msPKI-Certificate-Policy', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature']
base_prefix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
esc_entries = query_ldap_server(esc_raw_filter, attributes, base_prefix: base_prefix)

Expand Down Expand Up @@ -369,18 +364,24 @@ def find_esc13_vuln_cert_templates
@certificate_details[certificate_symbol][:techniques] << 'ESC13'
@certificate_details[certificate_symbol][:notes] << note
else
@certificate_details[certificate_symbol] = {
name: certificate_symbol.to_s,
techniques: ['ESC13'],
dn: entry[:dn][0].to_s,
enrollment_sids: convert_sids_to_human_readable_name(allowed_sids),
ca_servers: {},
notes: [note]
}
@certificate_details[certificate_symbol] = build_certificate_details(entry, allowed_sids, techniques: %w[ESC13], notes: [note])
end
end
end

def build_certificate_details(ldap_object, allowed_sids, techniques: [], notes: [])
{
name: ldap_object[:cn][0].to_s,
techniques: techniques,
dn: ldap_object[:dn][0].to_s,
enrollment_sids: convert_sids_to_human_readable_name(allowed_sids),
ca_servers: {},
manager_approval: ([ldap_object[%s(mspki-enrollment-flag)].first.to_i].pack('l').unpack1('L') & Rex::Proto::MsCrtd::CT_FLAG_PEND_ALL_REQUESTS) != 0,
required_signatures: [ldap_object[%s(mspki-ra-signature)].first.to_i].pack('l').unpack1('L'),
notes: notes
}
end

def find_esc15_vuln_cert_templates
esc_raw_filter = '(&'\
'(objectclass=pkicertificatetemplate)'\
Expand Down

0 comments on commit 90cdcb0

Please sign in to comment.