Add a method to get domain info

Author: zeroSteiner

lib/msf/core/exploit/remote/ldap/active_directory.rb

@@ -212,13 +212,63 @@ def adds_get_object_by_sid(ldap, object_sid)
         object
       end
 
+      # Get the LDAP object that describes the current user.
+      #
+      # @param [Net::LDAP::Connection] ldap The LDAP connection to use for querying.
+      # @rtype [Net::LDAP::Entry]
       def adds_get_current_user(ldap)
         our_domain, _, our_username = ldap.ldapwhoami.to_s.delete_prefix('u:').partition('\\')
         # todo: this is probably going to have issues if our user is from a domain that the target server is not the
         # authority of
         adds_get_object_by_samaccountname(ldap, our_username)
       end
 
+      # Get the AD DS domain info for the current server.
+      #
+      # @param [Net::LDAP::Connection] ldap The LDAP connection to use for querying.
+      # @rtype [Hash]
+      def adds_get_domain_info(ldap)
+        @ldap_objects ||= []
+        domain_object = ldap.search(base: ldap.base_dn, filter: '(objectClass=domain)', return_result: true)&.first
+        return nil unless domain_object
+
+        @ldap_objects << domain_object
+        domain_sid = Rex::Proto::MsDtyp::MsDtypSid.read(domain_object[:objectSid].first)
+
+        root_dse = ldap.search(
+          base: '',
+          scope: Net::LDAP::SearchScope_BaseObject,
+          attributes: %i[configurationNamingContext]
+        )&.first
+        return nil unless root_dse
+
+        xrefs = ldap.search(
+          base: root_dse[:configurationNamingContext].first,
+          filter: "(&(objectCategory=crossref)(nETBIOSName=*)(nCName=#{ldap.base_dn}))"
+        )
+        return nil unless xrefs&.length == 1
+
+        xref = xrefs.first
+        @ldap_objects << xref
+
+        {
+          netbios_name: xref[:nETBIOSName].first.to_s,
+          dns_name: xref[:dNSRoot].first.to_s,
+          sid: domain_sid
+        }
+      end
+
+      # Determine if a security descriptor will grant the permissions identified by *matcher* to the
+      # *test_sid*.
+      #
+      # @param [Net::LDAP::Connection] ldap The LDAP connection to use for querying.
+      # @param [Rex::Proto::MsDtyp::MsDtypSecurityDescriptor] security_descriptor The security descriptor object to
+      #   evaluate.
+      # @param [#call] matcher An object that will match ACEs that allow or deny the desired permissions.
+      # @param [Rex::Proto::MsDtyp::MsDtypSid] test_sid The SID to check for access.
+      # @param [Rex::Proto::MsDtyp::MsDtypSid] self_sid The SID of the object who owns the security_descriptor. This is
+      #   typically the objectSid LDAP attribute and is used when the security descriptor references the special 'SELF'
+      #   entity.
       def adds_sd_grants_permissions?(ldap, security_descriptor, matcher, test_sid: nil, self_sid: nil)
         unless test_sid
           current_user = adds_get_current_user(ldap)

modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb

@@ -659,7 +659,7 @@ def print_vulnerable_cert_info
       end
 
       if hash[:write_sids]
-        print_status(' Certificate Template Write-Enabled SIDs:')
+        print_status('  Certificate Template Write-Enabled SIDs:')
         hash[:write_sids].each do |sid|
           print_status("    * #{highlight_sid(sid)}")
         end