
Commit b72290d

committed
Consolidate the report details
1 parent 2790a4b commit b72290d


1 file changed

+25
-22
lines changed


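--- a/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb
+++ b/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb
@@ -208,13 +208,13 @@ def query_ldap_server(raw_filter, attributes, base_prefix: nil)
 returned_entries
 end
 
-def query_ldap_server_certificates(esc_raw_filter, esc_name, notes: [])
+def query_ldap_server_certificates(esc_raw_filter, esc_id, notes: [])
 attributes = ['cn', 'name', 'description', 'ntSecurityDescriptor', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'PkiExtendedKeyUsage']
 base_prefix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
 esc_entries = query_ldap_server(esc_raw_filter, attributes, base_prefix: base_prefix)
 
 if esc_entries.empty?
-print_warning("Couldn't find any vulnerable #{esc_name} templates!")
+print_warning("Couldn't find any vulnerable #{esc_id} templates!")
 return
 end
 
@@ -232,19 +232,15 @@ def query_ldap_server_certificates(esc_raw_filter, esc_name, notes: [])
 
 certificate_symbol = entry[:cn][0].to_sym
 if @certificate_details.key?(certificate_symbol)
-@certificate_details[certificate_symbol][:techniques] << esc_name
+@certificate_details[certificate_symbol][:techniques] << esc_id
 @certificate_details[certificate_symbol][:notes] += notes
 else
-@certificate_details[certificate_symbol] = {
-name: entry[:name][0].to_s,
-techniques: [esc_name],
-dn: entry[:dn][0].to_s,
-enrollment_sids: convert_sids_to_human_readable_name(allowed_sids),
-ca_servers: {},
-manager_approval: ([entry[%s(mspki-enrollment-flag)].first.to_i].pack('l').unpack1('L') & Rex::Proto::MsCrtd::CT_FLAG_PEND_ALL_REQUESTS) != 0,
-required_signatures: [entry[%s(mspki-ra-signature)].first.to_i].pack('l').unpack1('L'),
+@certificate_details[certificate_symbol] = build_certificate_details(
+entry,
+allowed_sids,
+techniques: [esc_id],
 notes: notes.dup
-}
+)
 end
 end
 end
@@ -480,7 +476,7 @@ def find_esc13_vuln_cert_templates
 (mspki-certificate-policy=*)
 )
 FILTER
-attributes = ['cn', 'description', 'ntSecurityDescriptor', 'msPKI-Certificate-Policy']
+attributes = ['cn', 'description', 'ntSecurityDescriptor', 'msPKI-Certificate-Policy', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature']
 base_prefix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
 esc_entries = query_ldap_server(esc_raw_filter, attributes, base_prefix: base_prefix)
 
@@ -525,18 +521,24 @@ def find_esc13_vuln_cert_templates
 @certificate_details[certificate_symbol][:techniques] << 'ESC13'
 @certificate_details[certificate_symbol][:notes] << note
 else
-@certificate_details[certificate_symbol] = {
-name: certificate_symbol.to_s,
-techniques: ['ESC13'],
-dn: entry[:dn][0].to_s,
-enrollment_sids: convert_sids_to_human_readable_name(allowed_sids),
-ca_servers: {},
-notes: [note]
-}
+@certificate_details[certificate_symbol] = build_certificate_details(entry, allowed_sids, techniques: %w[ESC13], notes: [note])
 end
 end
 end
 
+def build_certificate_details(ldap_object, allowed_sids, techniques: [], notes: [])
+{
+name: ldap_object[:cn][0].to_s,
+techniques: techniques,
+dn: ldap_object[:dn][0].to_s,
+enrollment_sids: convert_sids_to_human_readable_name(allowed_sids),
+ca_servers: {},
+manager_approval: ([ldap_object[%s(mspki-enrollment-flag)].first.to_i].pack('l').unpack1('L') & Rex::Proto::MsCrtd::CT_FLAG_PEND_ALL_REQUESTS) != 0,
+required_signatures: [ldap_object[%s(mspki-ra-signature)].first.to_i].pack('l').unpack1('L'),
+notes: notes
+}
+end
+
 def find_esc15_vuln_cert_templates
 esc_raw_filter = '(&'\
 '(objectclass=pkicertificatetemplate)'\
@@ -697,7 +699,7 @@ def print_vulnerable_cert_info
 end
 
 if hash[:certificate_write_priv_sids]
-print_status(' Users or Groups SIDs with Certificate Template write access:')
+print_status(' Certificate Template Write-Enabled SIDs:')
 hash[:certificate_write_priv_sids].each do |sid|
 print_status(" * #{highlight_sid(sid)}")
 end
@@ -744,6 +746,7 @@ def get_pki_object_by_oid(oid)
 )&.first
 @ldap_objects << pki_object if pki_object
 end
+
 pki_object
 end
 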
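Review bot: `build_certificate_details` (new lines 529–540) has no documentation, and it quietly changes what `name:` holds on the `query_ldap_server_certificates` path: the removed hash read `entry[:name][0]` while the helper reads `ldap_object[:cn][0]`, so either confirm `cn` and `name` are interchangeable for certificate templates here or document the choice; the `'name'` attribute is still requested at line 212 but no longer appears to be consumed by that method. The helper also assumes every entry handed to it carries `msPKI-Enrollment-Flag` and `msPKI-RA-Signature`; the ESC13 query now fetches both, but an entry lacking them would presumably read as `.first.to_i` → 0 and be reported as `manager_approval: false` / `required_signatures: 0` rather than unknown, which a future caller with a narrower attribute list could trip over. I would add above the `def`: `# Build the @certificate_details hash for one certificate template. ldap_object must carry cn, msPKI-Enrollment-Flag and msPKI-RA-Signature (a missing flag attribute reads as 0, i.e. no manager approval / no required signatures).`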