Update the ldap_esc_vulnerable_cert_finder module #19415
Merged
This makes a few changes to the output of the auxiliary/gather/ldap_esc_vulnerable_cert_finder module to make things easier for reporting. These are the main changes:

- ESC3_Template_2 are ignored unless there is at least 1 template identified as being vulnerable to ESC3_Template_1 or the template is also vulnerable to another misconfiguration.
- REPORT_PRIVENROLLABLE to true. If there is at least one group other than what is filtered out, then the template and all of its groups will be displayed.
- Manager Approval and Required Signatures which will almost always be disabled and 0 respectively because they're filtered out at the LDAP query level before additional processing takes place. Noting these values though is helpful for reporting purposes to remind why the template is usable. Additional notes are populated for ESC specific flaws as well, e.g. "ESC1: Request can specify a subjectAltName (msPKI-Certificate-Name-Flag)"
- [+] using Metasploit's #print_good which allows for easier grepping from logs to get the very high level info to identify attack paths.

Verification
msfconsole
use auxiliary/gather/ldap_esc_vulnerable_cert_finder
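
The ESC3 reporting rule from the description above, sketched as an added example for anyone triaging template findings; it is not code from this pull request or from the module. The data shape (template name mapped to a list of technique labels), the function name and the template names are assumptions made for illustration.

```ruby
# Added illustration; not the Metasploit module's code.
# Assumed data shape: template name => array of technique labels.
ESC3_T1 = 'ESC3_Template_1'
ESC3_T2 = 'ESC3_Template_2'

# Apply the rule from the description: a template that only matches
# ESC3_Template_2 is ignored unless at least one template in the result set
# matches ESC3_Template_1. A template with any other finding is always kept.
def reportable_findings(findings)
  esc3_t1_present = findings.values.any? { |techs| techs.include?(ESC3_T1) }

  findings.each_with_object({}) do |(template, techs), kept|
    other_findings = techs - [ESC3_T2]
    # ESC3_Template_2 alone, with no ESC3_Template_1 template to pair with
    next if techs.include?(ESC3_T2) && !esc3_t1_present && other_findings.empty?

    kept[template] = techs
  end
end

# Constructed sample findings (template names are made up).
SAMPLE_NO_T1 = {
  'UserAuth' => ['ESC3_Template_2'],
  'WebSrv' => ['ESC1', 'ESC3_Template_2']
}.freeze
SAMPLE_WITH_T1 = SAMPLE_NO_T1.merge('Agent' => ['ESC3_Template_1']).freeze

if __FILE__ == $PROGRAM_NAME
  puts "Without ESC3_Template_1: #{reportable_findings(SAMPLE_NO_T1).keys.join(', ')}"
  puts "With ESC3_Template_1:    #{reportable_findings(SAMPLE_WITH_T1).keys.join(', ')}"
end
```
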