Misconfigured Certificate Template Finder - Metasploit
This page contains detailed information about how to use the auxiliary/gather/ldap_esc_vulnerable_cert_finder Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
- Module Overview
- Knowledge Base
- Vulnerable Application
- Installing ADCS
- Setting up an ESC1 Vulnerable Certificate Template
- Setting up an ESC2 Vulnerable Certificate Template
- Setting up an ESC3 Template 1 Vulnerable Certificate Template
- Setting up an ESC3 Template 2 Vulnerable Certificate Template
- Verification Steps
- Options
- Scenarios
- Msfconsole Usage
- Error Messages
- Related Pull Requests
- See Also
- Authors
- Version
Module Overview
Name: Misconfigured Certificate Template Finder
Module: auxiliary/gather/ldap_esc_vulnerable_cert_finder
Source code: modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb
Disclosure date: 2021-06-17
Last modification time: 2022-11-14 12:27:38 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 389
List of CVEs: -
This module allows users to query an LDAP server for vulnerable certificate templates and will print these templates out in a table along with which attack they are vulnerable to and the SIDs that can be used to enroll in that certificate template. Additionally, the module prints out a list of known certificate servers along with info about which vulnerable certificate templates each certificate server allows enrollment in and which SIDs are authorized to use that certificate server to perform this enrollment operation. Currently the module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificate templates.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
msf > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
msf auxiliary(ldap_esc_vulnerable_cert_finder) > show targets
... a list of targets ...
msf auxiliary(ldap_esc_vulnerable_cert_finder) > set TARGET target-id
msf auxiliary(ldap_esc_vulnerable_cert_finder) > show options
... show and set options ...
msf auxiliary(ldap_esc_vulnerable_cert_finder) > exploit
Required Options
- RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
Knowledge Base
Vulnerable Application
This module allows users to query an LDAP server for vulnerable certificate templates and will print these templates out in a table along with which attack they are vulnerable to and the SIDs that can be used to enroll in that certificate template.
Additionally, the module prints out a list of known certificate servers along with info about which vulnerable certificate templates each certificate server allows enrollment in and which SIDs are authorized to use that certificate server to perform this enrollment operation.
Currently the module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificate templates.
Installing ADCS
- Install ADCS on either a new or existing domain controller
- Open the Server Manager
- Select Add roles and features
- Select "Active Directory Certificate Services" under the "Server Roles" section
- When prompted add all of the features and management tools
- On the AD CS "Role Services" tab, leave the default selection of only "Certificate Authority"
- Complete the installation and reboot the server
- Reopen the Server Manager
- Go to the AD CS tab and where it says "Configuration Required", hit "More" then "Configure Active Directory Certificate..."
- Select "Certificate Authority" in the Role Services tab
- Keep all of the default settings, noting the "Common name for this CA" value on the "CA Name" tab.
- Accept the rest of the default settings and complete the configuration
Setting up an ESC1 Vulnerable Certificate Template
- Open up the run prompt and type in "certsrv".
- In the window that appears you should see your list of certification authorities under "Certification Authority (Local)".
- Right click on the folder in the drop down marked "Certificate Templates" and then click "Manage".
- Scroll down to the "User" certificate. Right click on it and select "Duplicate Template".
- From here you can refer to https://github.com/RayRRT/Active-Directory-Certificate-Services-abuse/blob/3da1d59f1b66dd0e381b2371b8fb42d87e2c9f82/ADCS.md for screenshots.
- Select the "General" tab and rename this to something meaningful like "ESC1-Template", then click the "Apply" button.
- In the "Subject Name" tab, select "Supply in the request" and click "Ok" on the security warning that appears.
- Click the "Apply" button.
- Scroll to the "Extensions" tab.
- Under "Application Policies" ensure that "Client Authentication", "Server Authentication", "KDC Authentication", or "Smart Card Logon" is listed.
- Click the "Apply" button.
- Under the "Security" tab make sure that the "Domain Users" group is listed and the "Enroll" permission is marked as allowed for this group.
- Under the "Issuance Requirements" tab, ensure that under "Require the following for enrollment" the "CA certificate manager approval" box is unticked, as is the "This number of authorized signatures" box.
- Click "Apply" and then "Ok".
- Go back to the "certsrv" screen and right click on the "Certificate Templates" folder. Then click "New" followed by "Certificate Template to Issue".
- Scroll down and select the "ESC1-Template" certificate, or whatever you named the ESC1 template you created, and select "OK". The certificate should now be available to be issued by the CA server.
Setting up an ESC2 Vulnerable Certificate Template
- Open up "certsrv".
- Scroll down to the "Certificate Templates" folder, right click on it and select "Manage".
- Find the "ESC1" certificate template you created earlier and right click on that, then select "Duplicate Template".
- Select the "General" tab, and then name the template "ESC2-Template". Then click "Apply".
- Go to the "Subject Name" tab and select "Build from this Active Directory Information" and select "Fully distinguished name" under the "Subject Name Format". The main idea of setting this option is to prevent being able to supply the subject name in the request, as this is what makes the certificate vulnerable to ESC1. I don't think the specific options here will matter so much, so long as the "Supply in the request" option isn't ticked. Then click "Apply".
- Go to the "Extensions" tab and click on "Application Policies". Then click on "Edit".
- Delete all the existing application policies by clicking on them one by one and clicking the "Remove" button.
- Click the "Add" button and select "Any Purpose" from the list that appears. Then click the "OK" button.
- Click the "Apply" button, and then "OK". The certificate should now be created.
- Go back to the "certsrv" screen and right click on the "Certificate Templates" folder. Then click "New" followed by "Certificate Template to Issue".
- Scroll down and select the "ESC2-Template" certificate, or whatever you named the ESC2 template you created, and select "OK". The certificate should now be available to be issued by the CA server.
Setting up an ESC3 Template 1 Vulnerable Certificate Template
- Follow the instructions above to duplicate the ESC2 template and name it "ESC3-Template1", then click "Apply".
- Go to the "Extensions" tab, click the "Application Policies" entry, click the "Edit" button, and remove the "Any Purpose" policy and replace it with "Certificate Request Agent", then click "OK".
- Click "Apply".
- Go to the "Issuance Requirements" tab and double check that both "CA certificate manager approval" and "This number of authorized signatures" are unchecked.
- Click "Apply" if any changes were made or the button is not greyed out, then click "OK" to create the certificate.
- Go back to the "certsrv" screen and right click on the "Certificate Templates" folder. Then click "New" followed by "Certificate Template to Issue".
- Scroll down and select the "ESC3-Template1" certificate, or whatever you named the first ESC3 template you just created, and select "OK". The certificate should now be available to be issued by the CA server.
Setting up an ESC3 Template 2 Vulnerable Certificate Template
- Follow the instructions above to duplicate the ESC2 template and name it "ESC3-Template2", then click "Apply".
- Go to the "Extensions" tab, click the "Application Policies" entry, click the "Edit" button, and remove the "Any Purpose" policy and replace it with "Client Authentication", then click "OK".
- Click "Apply".
- Go to the "Issuance Requirements" tab and double check that "CA certificate manager approval" is unchecked.
- Check the "This number of authorized signatures" checkbox and ensure the value specified is 1, that the "Policy type required in signature" is set to "Application Policy", and that the "Application policy" value is "Certificate Request Agent".
- Click "Apply" and then click "OK" to issue the certificate.
- Go back to the "certsrv" screen and right click on the "Certificate Templates" folder.
- Click "New" followed by "Certificate Template to Issue".
- Scroll down and select the "ESC3-Template2" certificate, and select "OK".
- The certificate should now be available to be issued by the CA server.
Verification Steps
- Do: Start msfconsole
- Do: use auxiliary/gather/ldap_esc_vulnerable_cert_finder
- Do: set BIND_DN <DOMAIN>\\<USERNAME to log in as>
- Do: set BIND_PW <PASSWORD FOR USER>
- Do: set RHOSTS <target IP(s)>
- Optional: set RPORT <target port> if the target port is non-default.
- Optional: set SSL true if the target port is SSL enabled.
- Do: run
Options
REPORT_NONENROLLABLE
If set to True then report any certificate templates that are vulnerable but which are not known to be enrollable. If set to False then skip over these certificate templates and only report on certificate templates that are both vulnerable and enrollable.
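As an added illustration of the conditions the four template setups above create and of the REPORT_NONENROLLABLE rule (example code written for this page, not code from the Metasploit module), the Ruby below classifies certificate templates by the LDAP attributes those settings change and filters out templates no CA publishes. The rules encode only the explicit settings from the setup steps, so they are narrower than the module's own checks (the sample output below also lists built-in templates such as User under ESC3_TEMPLATE_2 without a signature requirement); the template and CA records are constructed samples modelled on the lab in the Scenarios section.

```ruby
# Added example for this page, not code from the Metasploit module.
# Bit in msPKI-Certificate-Name-Flag set by "Supply in the request".
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag set by "CA certificate manager approval".
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

OID_CLIENT_AUTH     = '1.3.6.1.5.5.7.3.2'
OID_SERVER_AUTH     = '1.3.6.1.5.5.7.3.1'
OID_SMARTCARD_LOGON = '1.3.6.1.4.1.311.20.2.2'
OID_KDC_AUTH        = '1.3.6.1.5.2.3.5'
OID_ANY_PURPOSE     = '2.5.29.37.0'
OID_REQUEST_AGENT   = '1.3.6.1.4.1.311.20.2.1'
AUTH_OIDS = [OID_CLIENT_AUTH, OID_SERVER_AUTH, OID_SMARTCARD_LOGON, OID_KDC_AUTH].freeze

# An empty EKU list (as on the built-in SubCA template) or Any Purpose places
# no restriction on use, so either counts as usable for authentication.
def auth_capable?(ekus)
  ekus.empty? || ekus.include?(OID_ANY_PURPOSE) || (ekus & AUTH_OIDS).any?
end

# Returns the ESC conditions (as the module names them) one template satisfies.
def classify_template(tpl)
  ekus        = tpl['pKIExtendedKeyUsage'] || []
  ra_policies = tpl['msPKI-RA-Application-Policies'] || []
  signatures  = tpl['msPKI-RA-Signature'].to_i
  supplies_subject = (tpl['msPKI-Certificate-Name-Flag'].to_i & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) != 0
  manager_approval = (tpl['msPKI-Enrollment-Flag'].to_i & CT_FLAG_PEND_ALL_REQUESTS) != 0

  # Manager approval means nothing is issued automatically; every setup
  # section above requires this box to be unticked.
  return [] if manager_approval

  no_sigs = signatures.zero?
  # The ESC3 "Template 2" issuance requirement: exactly one signature whose
  # signing certificate carries the Certificate Request Agent policy.
  agent_signed = signatures == 1 && ra_policies.include?(OID_REQUEST_AGENT)

  findings = []
  findings << 'ESC1' if supplies_subject && no_sigs && auth_capable?(ekus)
  findings << 'ESC2' if no_sigs && (ekus.empty? || ekus.include?(OID_ANY_PURPOSE))
  findings << 'ESC3_TEMPLATE_1' if no_sigs && ekus.include?(OID_REQUEST_AGENT)
  findings << 'ESC3_TEMPLATE_2' if agent_signed && auth_capable?(ekus)
  findings
end

# Mirrors REPORT_NONENROLLABLE: a template is enrollable only when some CA
# (a pKIEnrollmentService object) lists it in its certificateTemplates
# attribute. Returns cn => { vulnerable_to:, enrollable: }.
def report(templates, cas, report_nonenrollable: false)
  published = cas.flat_map { |ca| ca['certificateTemplates'] }
  templates.each_with_object({}) do |(cn, tpl), out|
    findings = classify_template(tpl)
    next if findings.empty?
    enrollable = published.include?(cn)
    next if !enrollable && !report_nonenrollable
    out[cn] = { vulnerable_to: findings, enrollable: enrollable }
  end
end

# Constructed sample data modelled on the lab in this page's Scenarios section.
SAMPLE_TEMPLATES = {
  'ESC1-Template'   => { 'msPKI-Certificate-Name-Flag' => 1, 'msPKI-Enrollment-Flag' => 0,
                         'msPKI-RA-Signature' => 0, 'pKIExtendedKeyUsage' => [OID_CLIENT_AUTH] },
  'ESC2-Template'   => { 'msPKI-Certificate-Name-Flag' => 0, 'msPKI-Enrollment-Flag' => 0,
                         'msPKI-RA-Signature' => 0, 'pKIExtendedKeyUsage' => [OID_ANY_PURPOSE] },
  'ESC3-Template1'  => { 'msPKI-Certificate-Name-Flag' => 0, 'msPKI-Enrollment-Flag' => 0,
                         'msPKI-RA-Signature' => 0, 'pKIExtendedKeyUsage' => [OID_REQUEST_AGENT] },
  'ESC3-Template2'  => { 'msPKI-Certificate-Name-Flag' => 0, 'msPKI-Enrollment-Flag' => 0,
                         'msPKI-RA-Signature' => 1, 'msPKI-RA-Application-Policies' => [OID_REQUEST_AGENT],
                         'pKIExtendedKeyUsage' => [OID_CLIENT_AUTH] },
  'SubCA'           => { 'msPKI-Certificate-Name-Flag' => 1, 'msPKI-Enrollment-Flag' => 0,
                         'msPKI-RA-Signature' => 0, 'pKIExtendedKeyUsage' => [] },
  'EnrollmentAgent' => { 'msPKI-Certificate-Name-Flag' => 0, 'msPKI-Enrollment-Flag' => 0,
                         'msPKI-RA-Signature' => 0, 'pKIExtendedKeyUsage' => [OID_REQUEST_AGENT] },
  # Same settings as ESC1-Template but with manager approval required: not reported.
  'Approved'        => { 'msPKI-Certificate-Name-Flag' => 1, 'msPKI-Enrollment-Flag' => 2,
                         'msPKI-RA-Signature' => 0, 'pKIExtendedKeyUsage' => [OID_CLIENT_AUTH] }
}.freeze

SAMPLE_CAS = [
  { 'cn' => 'daforest-WIN-BR0CCBA815B-CA',
    'certificateTemplates' => %w[ESC1-Template ESC2-Template ESC3-Template1 ESC3-Template2 SubCA] }
].freeze

if __FILE__ == $PROGRAM_NAME
  report(SAMPLE_TEMPLATES, SAMPLE_CAS, report_nonenrollable: true).each do |cn, info|
    note = info[:enrollable] ? '' : ' (not published as an enrollable certificate!)'
    puts "#{cn}: #{info[:vulnerable_to].join(', ')}#{note}"
  end
end
```

Running it with the sample data reports the four lab templates and SubCA as enrollable, and EnrollmentAgent only because REPORT_NONENROLLABLE is emulated as true.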
Scenarios
Windows Server 2022 with ADCS
msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOST 172.26.104.157
RHOST => 172.26.104.157
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_DN DAFOREST\\Administrator
BIND_DN => DAFOREST\Administrator
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_PW theAdmin123
BIND_PW => theAdmin123
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options
Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
BIND_DN DAFOREST\Administrator no The username to authenticate to LDAP server
BIND_PW theAdmin123 no Password for the BIND_DN
REPORT_NONENROLLABLE false yes Report nonenrollable certificate templates
RHOSTS 172.26.104.157 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-
Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
[*] Running module against 172.26.104.157
[*] Discovering base DN automatically
[+] 172.26.104.157:389 Discovered base DN: DC=daforest,DC=com
[*] Template: SubCA
[*] Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: ESC1-Template
[*] Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC1
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: ESC2-Template
[*] Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: ESC3-Template1
[*] Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_1
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: User
[*] Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: Administrator
[*] Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: Machine
[*] Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: DomainController
[*] Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-498 (Enterprise Read-only Domain Controllers)
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-516 (Domain Controllers)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] * S-1-5-9 (Enterprise Domain Controllers)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: ESC3-Template2
[*] Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
Windows Server 2022 with ADCS and REPORT_NONENROLLABLE Set To TRUE
msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOST 172.26.104.157
RHOST => 172.26.104.157
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_DN DAFOREST\\Administrator
BIND_DN => DAFOREST\Administrator
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_PW theAdmin123
BIND_PW => theAdmin123
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set REPORT_NONENROLLABLE true
REPORT_NONENROLLABLE => true
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options
Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
BIND_DN DAFOREST\Administrator no The username to authenticate to LDAP server
BIND_PW theAdmin123 no Password for the BIND_DN
REPORT_NONENROLLABLE true yes Report nonenrollable certificate templates
RHOSTS 172.26.104.157 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-
Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
[*] Running module against 172.26.104.157
[*] Discovering base DN automatically
[+] 172.26.104.157:389 Discovered base DN: DC=daforest,DC=com
[*] Template: CA
[*] Distinguished Name: CN=CA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[!] CA not published as an enrollable certificate!
[*] Template: SubCA
[*] Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: OfflineRouter
[*] Distinguished Name: CN=OfflineRouter,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC1, ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[!] OfflineRouter not published as an enrollable certificate!
[*] Template: ESC1-Template
[*] Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC1
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: ESC2-Template
[*] Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: EnrollmentAgent
[*] Distinguished Name: CN=EnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_1
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[!] EnrollmentAgent not published as an enrollable certificate!
[*] Template: EnrollmentAgentOffline
[*] Distinguished Name: CN=EnrollmentAgentOffline,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_1
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[!] EnrollmentAgentOffline not published as an enrollable certificate!
[*] Template: MachineEnrollmentAgent
[*] Distinguished Name: CN=MachineEnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_1
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[!] MachineEnrollmentAgent not published as an enrollable certificate!
[*] Template: CEPEncryption
[*] Distinguished Name: CN=CEPEncryption,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_1
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[!] CEPEncryption not published as an enrollable certificate!
[*] Template: ESC3-Template1
[*] Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_1
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: User
[*] Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: UserSignature
[*] Distinguished Name: CN=UserSignature,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[!] UserSignature not published as an enrollable certificate!
[*] Template: SmartcardUser
[*] Distinguished Name: CN=SmartcardUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[!] SmartcardUser not published as an enrollable certificate!
[*] Template: ClientAuth
[*] Distinguished Name: CN=ClientAuth,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[!] ClientAuth not published as an enrollable certificate!
[*] Template: SmartcardLogon
[*] Distinguished Name: CN=SmartcardLogon,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[!] SmartcardLogon not published as an enrollable certificate!
[*] Template: Administrator
[*] Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: Machine
[*] Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: DomainController
[*] Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-498 (Enterprise Read-only Domain Controllers)
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-516 (Domain Controllers)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] * S-1-5-9 (Enterprise Domain Controllers)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Template: ESC3-Template2
[*] Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Vulnerable to: ESC3_TEMPLATE_2
[*] Certificate Template Enrollment SIDs:
[*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*] Issuing CAs:
[*] * daforest-WIN-BR0CCBA815B-CA
[*] Server: WIN-BR0CCBA815B.daforest.com
[*] Enrollment SIDs:
[*] * S-1-5-11 (Authenticated Users)
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
Msfconsole Usage
Here is how the gather/ldap_esc_vulnerable_cert_finder auxiliary module looks in the msfconsole:
msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show info
Name: Misconfigured Certificate Template Finder
Module: auxiliary/gather/ldap_esc_vulnerable_cert_finder
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2021-06-17
Provided by:
Grant Willcox
Module side effects:
ioc-in-logs
Module stability:
crash-safe
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
BIND_DN no The username to authenticate to LDAP server
BIND_PW no Password for the BIND_DN
REPORT_NONENROLLABLE false yes Report nonenrollable certificate templates
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
Description:
This module allows users to query a LDAP server for vulnerable
certificate templates and will print these certificates out in a
table along with which attack they are vulnerable to and the SIDs
that can be used to enroll in that certificate template.
Additionally the module will also print out a list of known
certificate servers along with info about which vulnerable
certificate templates the certificate server allows enrollment in
and which SIDs are authorized to use that certificate server to
perform this enrollment operation. Currently the module is capable
of checking for ESC1, ESC2, and ESC3 vulnerable certificates.
View the full module info with the info -d command.
Module Options
This is a complete list of options available in the gather/ldap_esc_vulnerable_cert_finder auxiliary module:
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options
Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
BIND_DN no The username to authenticate to LDAP server
BIND_PW no Password for the BIND_DN
REPORT_NONENROLLABLE false yes Report nonenrollable certificate templates
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
View the full module info with the info, or info -d command.
Advanced Options
Here is a complete list of advanced options supported by the gather/ldap_esc_vulnerable_cert_finder auxiliary module:
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show advanced
Module advanced options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
Name Current Setting Required Description
---- --------------- -------- -----------
LDAP::ConnectTimeout 10.0 yes Timeout for LDAP connect
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
View the full module info with the info, or info -d command.
Auxiliary Actions
This is a list of all auxiliary actions that the gather/ldap_esc_vulnerable_cert_finder module can do:
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the gather/ldap_esc_vulnerable_cert_finder auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- Encountered a DACL/SACL object without an access mask! Either data is an unrecognized type or we are reading it wrong!
- Skipping unexpected ACE of type <ACE_HEADER:ACE_TYPE>. Either the data was read incorrectly or we currently don't support this type.
- ACE only affects those that inherit from it, not those that it is attached to. Ignoring this ACE, as its not relevant.
- Couldn't discover base DN!
- No base DN was found or specified, cannot continue!
- Could not compile the filter! Error was <E>
- No results found for <FILTER>.
- Couldn't reach <RHOST>!
- Could not query <RHOST>! Error was: <E.MESSAGE>
- Couldn't find any vulnerable <ESC_NAME> templates!
- Unable to read security descriptor! Error was: <E.MESSAGE>
- Could not find any details on the LDAP server for SID <SID>!
- Unable to read security descriptor! Error was: <E.MESSAGE>
- <KEY> not published as an enrollable certificate!
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Encountered a DACL/SACL object without an access mask! Either data is an unrecognized type or we are reading it wrong!
Here is a relevant code snippet related to the "Encountered a DACL/SACL object without an access mask! Either data is an unrecognized type or we are reading it wrong!" error message:
55: allowed_sids = []
56: acl.aces.each do |ace|
57: ace_header = ace[:header]
58: ace_body = ace[:body]
59: if ace_body[:access_mask].blank?
60: fail_with(Failure::UnexpectedReply, 'Encountered a DACL/SACL object without an access mask! Either data is an unrecognized type or we are reading it wrong!')
61: end
62: ace_string = Rex::Proto::MsDtyp::MsDtypAceType.name(ace_header[:ace_type])
63: if ace_string.blank?
64: print_error("Skipping unexpected ACE of type #{ace_header[:ace_type]}. Either the data was read incorrectly or we currently don't support this type.")
65: next
Skipping unexpected ACE of type <ACE_HEADER:ACE_TYPE>. Either the data was read incorrectly or we currently don't support this type.
Here is a relevant code snippet related to the "Skipping unexpected ACE of type <ACE_HEADER:ACE_TYPE>. Either the data was read incorrectly or we currently don't support this type." error message:
59: if ace_body[:access_mask].blank?
60: fail_with(Failure::UnexpectedReply, 'Encountered a DACL/SACL object without an access mask! Either data is an unrecognized type or we are reading it wrong!')
61: end
62: ace_string = Rex::Proto::MsDtyp::MsDtypAceType.name(ace_header[:ace_type])
63: if ace_string.blank?
64: print_error("Skipping unexpected ACE of type #{ace_header[:ace_type]}. Either the data was read incorrectly or we currently don't support this type.")
65: next
66: end
67: if ace_header[:ace_flags][:inherit_only_ace] == 1
68: vprint_warning(' ACE only affects those that inherit from it, not those that it is attached to. Ignoring this ACE, as its not relevant.')
69: next
ACE only affects those that inherit from it, not those that it is attached to. Ignoring this ACE, as its not relevant.
Here is a relevant code snippet related to the "ACE only affects those that inherit from it, not those that it is attached to. Ignoring this ACE, as its not relevant." error message:
63: if ace_string.blank?
64: print_error("Skipping unexpected ACE of type #{ace_header[:ace_type]}. Either the data was read incorrectly or we currently don't support this type.")
65: next
66: end
67: if ace_header[:ace_flags][:inherit_only_ace] == 1
68: vprint_warning(' ACE only affects those that inherit from it, not those that it is attached to. Ignoring this ACE, as its not relevant.')
69: next
70: end
71:
72: # To decode the ObjectType we need to do another query to CN=Configuration,DC=daforest,DC=com
73: # and look at either schemaIDGUID or rightsGUID fields to see if they match this value.
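The three messages above all come from the module's DACL walk: every ACE must carry an access mask, ACE types the parser cannot name are skipped, and ACEs flagged inherit-only are ignored because they never apply to the object they sit on. The following is an added example, not the module's code and not using Rex::Proto::MsDtyp: a small pure-Ruby parser for a self-relative security descriptor (MS-DTYP 2.4.6) that applies those three rules and returns the SIDs granted enrollment. It goes slightly beyond the snippet by also decoding object ACEs, whose ObjectType GUID scopes an extended right; where the module resolves that GUID through the schema (the comment at the end of the snippet), the example hard-codes the well-known rightsGUID of the Certificate-Enrollment right as an assumption. The descriptor it parses, including the SIDs, is constructed by hand for the example.

```ruby
# Added example: minimal self-relative security-descriptor parser that walks
# the DACL the way the module's parse_dacl_or_sacl snippet does. Not the
# module's code; Rex::Proto::MsDtyp is not used.

ACE_TYPE_NAMES = {
  0x00 => 'ACCESS_ALLOWED_ACE_TYPE',
  0x01 => 'ACCESS_DENIED_ACE_TYPE',
  0x05 => 'ACCESS_ALLOWED_OBJECT_ACE_TYPE',
  0x06 => 'ACCESS_DENIED_OBJECT_ACE_TYPE'
}.freeze

INHERIT_ONLY_ACE                  = 0x08 # AceFlags: applies to children only
ACE_OBJECT_TYPE_PRESENT           = 0x01 # object-ACE Flags bits
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x02

ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100 # extended right, scoped by ObjectType
GENERIC_ALL                 = 0x10000000

# Assumption: rightsGUID of the Certificate-Enrollment extended right. The
# module resolves ObjectType GUIDs by querying the schema instead.
CERT_ENROLLMENT_GUID = '0e10c968-78fb-11d2-90d4-00c04f79dc55'.freeze

def sid_to_s(bytes)
  rev, count = bytes.unpack('CC')
  auth = bytes[2, 6].unpack('C6').inject(0) { |acc, b| (acc << 8) | b }
  subs = bytes[8, 4 * count].unpack("V#{count}")
  (['S', rev, auth] + subs).join('-')
end

def guid_to_s(bytes)
  d1, d2, d3, d4 = bytes.unpack('VvvH16')
  format('%08x-%04x-%04x-%s-%s', d1, d2, d3, d4[0, 4], d4[4, 12])
end

# Parse one ACE at +offset+. :mask is nil when the ACE is too short to hold an
# access mask; :sid is absent for ACE types whose layout we do not know.
def parse_ace(data, offset)
  type, flags, size = data[offset, 4].unpack('CCv')
  ace = { type: type, flags: flags, size: size, mask: nil }
  return ace if size < 8                      # header only, no access mask
  pos = offset + 4
  ace[:mask] = data[pos, 4].unpack1('V')
  pos += 4
  return ace unless ACE_TYPE_NAMES.key?(type) # unknown layout: do not guess the SID
  if [0x05, 0x06].include?(type)              # object ACEs carry Flags + optional GUIDs
    obj_flags = data[pos, 4].unpack1('V')
    pos += 4
    if obj_flags & ACE_OBJECT_TYPE_PRESENT != 0
      ace[:object_type] = guid_to_s(data[pos, 16])
      pos += 16
    end
    pos += 16 if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT != 0
  end
  ace[:sid] = sid_to_s(data[pos, 8 + 4 * data.getbyte(pos + 1)])
  ace
end

# Walk the DACL of a self-relative descriptor. Returns [enrollable, sids].
def enrollment_sids(sd)
  rev, _sbz1, control, _owner, _group, _sacl, dacl_off = sd.unpack('CCvVVVV')
  raise 'not a self-relative security descriptor' unless rev == 1 && control & 0x8000 != 0
  return [false, []] if control & 0x0004 == 0 || dacl_off.zero? # SE_DACL_PRESENT unset

  _acl_rev, _sbz2, _acl_size, ace_count = sd[dacl_off, 8].unpack('CCvv')
  pos = dacl_off + 8
  sids = []
  ace_count.times do
    ace = parse_ace(sd, pos)
    pos += ace[:size]
    raise 'ACE without an access mask' if ace[:mask].nil?
    next unless ACE_TYPE_NAMES.key?(ace[:type])  # unsupported type: skip
    next if ace[:flags] & INHERIT_ONLY_ACE != 0   # only inherited by children: skip
    next unless [0x00, 0x05].include?(ace[:type]) # only allow ACEs grant anything
    enroll = ace[:mask] & GENERIC_ALL != 0 ||
             (ace[:mask] & ADS_RIGHT_DS_CONTROL_ACCESS != 0 &&
              (ace[:object_type].nil? || ace[:object_type] == CERT_ENROLLMENT_GUID))
    sids << ace[:sid] if enroll
  end
  [!sids.empty?, sids.uniq]
end

# --- constructed sample input (not real directory data) -------------------
def build_sid(*subs)
  [1, subs.size, 0, 0, 0, 0, 0, 5].pack('C8') + subs.pack("V#{subs.size}")
end

def build_guid(str)
  d1, d2, d3, d4a, d4b = str.split('-')
  [d1.hex, d2.hex, d3.hex].pack('Vvv') + [d4a + d4b].pack('H16')
end

def build_ace(type, flags, mask, sid, object_type: nil)
  body = [mask].pack('V')
  body += [ACE_OBJECT_TYPE_PRESENT].pack('V') + build_guid(object_type) if object_type
  body += sid
  [type, flags, 4 + body.bytesize].pack('CCv') + body
end

def build_sd(aces)
  acl = [4, 0, 8 + aces.sum(&:bytesize), aces.size, 0].pack('CCvvv') + aces.join
  [1, 0, 0x8004, 0, 0, 0, 20].pack('CCvVVVV') + acl # SELF_RELATIVE|DACL_PRESENT, DACL at 20
end

DOMAIN_ADMINS = build_sid(21, 1004336348, 1177238915, 682003330, 512)
DOMAIN_USERS  = build_sid(21, 1004336348, 1177238915, 682003330, 513)
AUTH_USERS    = build_sid(11)

SAMPLE_SD = build_sd([
  build_ace(0x00, 0x00, GENERIC_ALL, DOMAIN_ADMINS),                         # full control
  build_ace(0x05, 0x00, ADS_RIGHT_DS_CONTROL_ACCESS, DOMAIN_USERS,
            object_type: CERT_ENROLLMENT_GUID),                              # Enroll right
  build_ace(0x05, INHERIT_ONLY_ACE, ADS_RIGHT_DS_CONTROL_ACCESS, AUTH_USERS,
            object_type: CERT_ENROLLMENT_GUID),                              # inherit-only: ignored
  build_ace(0x00, 0x00, 0x80000000, AUTH_USERS)                              # GENERIC_READ only
])

if __FILE__ == $PROGRAM_NAME
  enrollable, sids = enrollment_sids(SAMPLE_SD)
  puts "enrollable: #{enrollable}"
  sids.each { |sid| puts "  #{sid}" }
end
```

On the sample descriptor the result is enrollable with the Domain Admins and Domain Users SIDs; the inherit-only ACE for Authenticated Users is dropped even though it names the same extended right, which is exactly the case the third message above reports. A truncated ACE raises the "without an access mask" condition instead of being silently skipped, matching the module's fail_with at that point.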
Couldn't discover base DN!
Here is a relevant code snippet related to the "Couldn't discover base DN!" error message:
98: print_status("User-specified base DN: #{@base_dn}")
99: else
100: print_status('Discovering base DN automatically')
101:
102: unless (@base_dn = discover_base_dn(ldap))
103: print_warning("Couldn't discover base DN!")
104: end
105: end
106:
107: if @base_dn.blank?
108: fail_with(Failure::BadConfig, 'No base DN was found or specified, cannot continue!')
No base DN was found or specified, cannot continue!
Here is a relevant code snippet related to the "No base DN was found or specified, cannot continue!" error message:
103: print_warning("Couldn't discover base DN!")
104: end
105: end
106:
107: if @base_dn.blank?
108: fail_with(Failure::BadConfig, 'No base DN was found or specified, cannot continue!')
109: end
110:
111: if base_prefix.blank?
112: full_base_dn = @base_dn.to_s
113: else
Could not compile the filter! Error was <E>
Here is a relevant code snippet related to the "Could not compile the filter! Error was <E>" error message:
114: full_base_dn = "#{base_prefix},#{@base_dn}"
115: end
116: begin
117: filter = Net::LDAP::Filter.construct(raw_filter)
118: rescue StandardError => e
119: fail_with(Failure::BadConfig, "Could not compile the filter! Error was #{e}")
120: end
121:
122: returned_entries = ldap.search(base: full_base_dn, filter: filter, attributes: attributes)
123: query_result = ldap.as_json['result']['ldap_result']
124:
No results found for <FILTER>.
Here is a relevant code snippet related to the "No results found for <FILTER>." error message:
123: query_result = ldap.as_json['result']['ldap_result']
124:
125: validate_query_result!(query_result, filter)
126:
127: if returned_entries.blank?
128: vprint_error("No results found for #{filter}.")
129:
130: nil
131: else
132:
133: returned_entries
Couldn't reach <RHOST>!
Here is a relevant code snippet related to the "Couldn't reach <RHOST>!" error message:
132:
133: returned_entries
134: end
135: end
136: rescue Rex::ConnectionTimeout
137: fail_with(Failure::Unreachable, "Couldn't reach #{datastore['RHOST']}!")
138: rescue Net::LDAP::Error => e
139: fail_with(Failure::UnexpectedReply, "Could not query #{datastore['RHOST']}! Error was: #{e.message}")
140: end
141:
142: def query_ldap_server_certificates(esc_raw_filter, esc_name)
Could not query <RHOST>! Error was: <E.MESSAGE>
Here is a relevant code snippet related to the "Could not query <RHOST>! Error was: <E.MESSAGE>" error message:
134: end
135: end
136: rescue Rex::ConnectionTimeout
137: fail_with(Failure::Unreachable, "Couldn't reach #{datastore['RHOST']}!")
138: rescue Net::LDAP::Error => e
139: fail_with(Failure::UnexpectedReply, "Could not query #{datastore['RHOST']}! Error was: #{e.message}")
140: end
141:
142: def query_ldap_server_certificates(esc_raw_filter, esc_name)
143: attributes = ['cn', 'description', 'ntSecurityDescriptor']
144: base_prefix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
Couldn't find any vulnerable <ESC_NAME> templates!
Here is a relevant code snippet related to the "Couldn't find any vulnerable <ESC_NAME> templates!" error message:
143: attributes = ['cn', 'description', 'ntSecurityDescriptor']
144: base_prefix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
145: esc_entries = query_ldap_server(esc_raw_filter, attributes, base_prefix: base_prefix)
146:
147: if esc_entries.blank?
148: print_warning("Couldn't find any vulnerable #{esc_name} templates!")
149: else
150: # Grab a list of certificates that contain vulnerable settings.
151: # Also print out the list of SIDs that can enroll in that server.
152:
153: esc_entries.each do |entry|
Unable to read security descriptor! Error was: <E.MESSAGE>
Here is a relevant code snippet related to the "Unable to read security descriptor! Error was: <E.MESSAGE>" error message:
154: flag_allowed_to_enroll = false # Reset the flag on each entry we parse.
155:
156: begin
157: security_descriptor = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(entry[:ntsecuritydescriptor][0])
158: rescue IOError => e
159: fail_with(Failure::UnexpectedReply, "Unable to read security descriptor! Error was: #{e.message}")
160: end
161:
162: flag_allowed_to_enroll, allowed_sids = parse_dacl_or_sacl(security_descriptor.dacl) if security_descriptor.dacl
163: next unless flag_allowed_to_enroll
164:
Could not find any details on the LDAP server for SID <SID>!
Here is a relevant code snippet related to the "Could not find any details on the LDAP server for SID <SID>!" error message:
179: attributes = ['sAMAccountName', 'name']
180: base_prefix = 'CN=Configuration'
181: sid_entry = query_ldap_server(raw_filter, attributes, base_prefix: base_prefix) # First try with prefix to find entries that may be group specific.
182: sid_entry = query_ldap_server(raw_filter, attributes) if sid_entry.blank? # Retry without prefix if blank.
183: if sid_entry.blank?
184: print_warning("Could not find any details on the LDAP server for SID #{sid}!")
185: output << [sid, nil, nil] # Still want to print out the SID even if we couldn't get additional information.
186: elsif sid_entry[0][:samaccountname][0]
187: output << [sid, sid_entry[0][:name][0], sid_entry[0][:samaccountname][0]]
188: else
189: output << [sid, sid_entry[0][:name][0], nil]
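The lookup in the snippet above resolves each SID collected from the DACL back to a name, first under CN=Configuration (where well-known principals such as S-1-5-11 live, in CN=WellKnown Security Principals) and then under the domain naming context. The page does not show how raw_filter is built, so the following is an added example, not the module's code: one way to turn the textual SID into a filter on the objectSid attribute. objectSid is stored as the binary SID, so the string form has to be re-encoded and every byte escaped as \xx per RFC 4515; the SIDs passed in at the bottom are constructed for the example.

```ruby
# Added example: build an LDAP filter that matches a binary objectSid value.
# Not the module's code.

# Encode "S-R-A-S1-S2-..." as the binary SID layout (MS-DTYP 2.4.2.2):
# Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
# SubAuthority[](4 each, little-endian).
def sid_to_bytes(sid)
  parts = sid.split('-')
  raise ArgumentError, "not a SID: #{sid}" unless parts[0] == 'S' && parts.size >= 3
  rev  = Integer(parts[1])
  auth = Integer(parts[2])
  subs = parts[3..-1].map { |p| Integer(p) }
  raise ArgumentError, 'too many sub-authorities' if subs.size > 15
  [rev, subs.size].pack('CC') + [auth].pack('Q>')[2, 6] + subs.pack("V#{subs.size}")
end

# Escape every byte as \xx so the binary value is safe inside a filter
# (RFC 4515); this also neutralises any ( ) * \ bytes in the SID.
def ldap_escape_binary(bytes)
  bytes.unpack('C*').map { |b| format('\\%02x', b) }.join
end

def objectsid_filter(sid)
  "(objectSid=#{ldap_escape_binary(sid_to_bytes(sid))})"
end

if __FILE__ == $PROGRAM_NAME
  puts objectsid_filter('S-1-5-11')                                       # Authenticated Users
  puts objectsid_filter('S-1-5-21-1004336348-1177238915-682003330-513')   # constructed Domain Users
end
```

The resulting string is what the snippet passes to query_ldap_server with the sAMAccountName and name attributes; a SID that is neither a well-known principal under CN=Configuration nor an object in the domain (for example one from a trusted forest) produces the "Could not find any details" warning and is printed on its own.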
Unable to read security descriptor! Error was: <E.MESSAGE>
Here is a relevant code snippet related to the "Unable to read security descriptor! Error was: <E.MESSAGE>" error message:
291: enrollment_ca_data.each do |ca_server|
292: flag_allowed_to_enroll = false
293: begin
294: security_descriptor = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(ca_server[:ntsecuritydescriptor][0])
295: rescue IOError => e
296: fail_with(Failure::UnexpectedReply, "Unable to read security descriptor! Error was: #{e.message}")
297: end
298:
299: flag_allowed_to_enroll, allowed_sids = parse_dacl_or_sacl(security_descriptor.dacl) if security_descriptor.dacl
300: next unless flag_allowed_to_enroll
301:
<KEY> not published as an enrollable certificate!
Here is a relevant code snippet related to the "<KEY> not published as an enrollable certificate!" error message:
316: enrollable = false
317: end
318:
319: print_status("Template: #{key}")
320: unless enrollable
321: print_warning(" #{key} not published as an enrollable certificate!")
322: end
323:
324: print_status(" Distinguished Name: #{hash[:dn]}")
325: print_status(" Vulnerable to: #{hash[:vulns].join(', ')}")
326:
Related Pull Requests
- #17260 Merged Pull Request: Use the access mask data type
- #17122 Merged Pull Request: Add in ESC Finder Module (ESC1-ESC3)
See Also
Check also the following modules related to this module:
- auxiliary/gather/ldap_hashdump
- auxiliary/gather/ldap_query
- auxiliary/admin/ldap/rbcd
- auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
- exploit/windows/ldap/imail_thc
- exploit/windows/ldap/pgp_keyserver7
- auxiliary/dos/wireshark/cldap
- auxiliary/dos/wireshark/ldap
- auxiliary/gather/vmware_vcenter_vmdir_ldap
- auxiliary/gather/xerox_workcentre_5xxx_ldap
- auxiliary/scanner/http/symantec_brightmail_ldapcreds
- auxiliary/server/ldap
- exploit/linux/http/elfinder_archive_cmd_injection
- exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection
- exploit/linux/http/pineapp_ldapsyncnow_exec
- exploit/linux/misc/jenkins_ldap_deserialize
- exploit/multi/http/phpldapadmin_query_engine
- exploit/windows/http/apache_mod_rewrite_ldap
- auxiliary/admin/dcerpc/icpr_cert
- auxiliary/scanner/http/cert
- auxiliary/scanner/http/smt_ipmi_static_cert_scanner
- auxiliary/scanner/ike/cisco_ike_benigncertain
- exploit/linux/local/vmware_workspace_one_access_certproxy_lpe
- exploit/windows/http/hp_pcm_snac_update_certificates
Authors
- Grant Willcox
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.