documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md
52 additions & 0 deletions
@@ -79,6 +79,58 @@ a normal user account by analyzing the objects in LDAP.
79
79
1. Scroll down and select the `ESC3-Template2` certificate, and select `OK`.
80
80
1. The certificate should now be available to be issued by the CA server.
81
81
82
+
### Setting up a ESC4 Vulnerable Certificate Template
83
+
1. Follow the instructions above to duplicate the ESC2 template and name it `ESC4-Template`, then click `Apply`.
84
+
1. Go to the `Security` tab.
85
+
1. Under `Groups or usernames` select `Authenticated Users`
86
+
1. Under `Permissions for Authenticated Users` select `Write` -> `Allow`.
87
+
1. Click `Apply` and then click `OK` to issue the certificate.
88
+
1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder.
89
+
1. Click `New` followed by `Certificate Template to Issue`.
90
+
1. Scroll down and select the `ESC3-Template2` certificate, and select `OK`.
91
+
1. The certificate should now be available to be issued by the CA server.
92
+
93
+
### Setting up a ESC13 Vulnerable Certificate Template
94
+
1. Follow the instructions above to duplicate the ESC2 template and name it `ESC13`, then click `Apply`.
95
+
1. Go to the `Extensions` tab, click the Issuance Policies entry, click the `Add` button, click the `New...` button.
96
+
1. Name the new issuance policy `ESC13-Issuance-Policy`.
97
+
4. Copy the Object Identifier as this will be needed later (ex: 11.3.6.1.4.1.311.21.8.12682474.6065318.6963902.6406785.3291287.83.1172775.12545198`).
98
+
1. Leave the CPS location field blank.
99
+
1. Click `Apply`.
100
+
1. Open Active Directory Users and Computers, expand the domain on the left hand side.
101
+
1. Right click `Users` and navigate to New -> Group.
102
+
1. Enter `ESC13-Group` for the Group Name.
103
+
1. Select `Universal` for Group scope and `Security` for Group type.
104
+
1. Click `Apply`.
105
+
1. Open ADSI Edit.
106
+
1. In the left hand side right click `ADSI Edit` and select `Connect to...`.
107
+
1. Under `Select a well known naming context` select `Default naming context`.
108
+
1. Select the newly established connection, select the domain, select `CN=User`.
109
+
1. On the right hand side find the recently created security group `CN=ESC13-Group`, right click select properties.
110
+
1. Copy the value of the `distinguishedName` attribute, save this as we'll need it later.
111
+
1. Back on the left hand side establish another connection, right click `ADSI Edit` and select `Connect to...`.
112
+
1. This time under `Select a well known naming context` select `Configuration`.
113
+
1. Select the newly established connection, select the domain, select `CN=Services` -> `CN=Public Key Services` -> `CN=OID`.
114
+
1. In the right hand side find the object that corresponds to the Object Identifier saved earlier.
115
+
1. The OID saved earlier ended in `12545198`, the object on the right will start with `CN=12545198.` followed by 34 hex characters. ex: `CN=12545198.7BCA239924D9515E63EA6B6F00748837`).
116
+
1. Once located right click -> properties, select `msDS-OIDToGroupLink`.
117
+
1. Paste the `distingushedName` of the security group saved above (ex: `CN=ESC13-Group,CN=Users,DC=demo,DC=lab`).
118
+
1. Click `Apply`.
119
+
1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder.
120
+
1. Click `New` followed by `Certificate Template to Issue`.
121
+
1. Scroll down and select the `ESC13-Template` certificate, and select `OK`.
122
+
1. The certificate should now be available to be issued by the CA server.
123
+
124
+
### Setting up a ESC15 Vulnerable Certificate Template
125
+
1. ESC15 depends on the schema version of the template being version 1 - which can no longer be created so we will edit an existing template that is schema version 1.
126
+
1. Right click the `WebServer` template, select properties.
127
+
1. Go to the Security Tab.
128
+
1. Under `Groups or usernames` select `Authenticated Users`.
129
+
1. Under `Permissions for Authenticated Users` select `Enroll` -> `Allow`.
130
+
1. Click Apply.
131
+
1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder and ensure `WebServer` is listed, if it's not, add it.
132
+
1. The certificate should now be available to be issued by the CA server.
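Review bot: In the new ESC4 section, the publishing step still reads "Scroll down and select the `ESC3-Template2` certificate", copied from the ESC3 instructions in the context lines above; it should name `ESC4-Template`, otherwise the template that was just given `Write` for `Authenticated Users` is never added to the CA. The ESC13 section has the same kind of mismatch: the first step names the template `ESC13`, but the publishing step selects `ESC13-Template`, so pick one name and use it in both places. Further points in the ESC13 steps: the example OID begins `11.3.6.1.4.1.311`, which is not a valid OID since the first arc can only be 0, 1 or 2 (presumably `1.3.6.1.4.1.311...` was intended), and that line has a closing backtick with no opening one and is numbered `4.` while every other step uses `1.`; `CN=User` should be `CN=Users` to match the example DN `CN=ESC13-Group,CN=Users,DC=demo,DC=lab`; "followed by 34 hex characters" disagrees with the example `CN=12545198.7BCA239924D9515E63EA6B6F00748837`, whose suffix is 32 characters, and the line ends with a stray `)`; `distingushedName` is misspelled. The three new headings should read "an ESC4", "an ESC13" and "an ESC15". For the ESC15 section, consider adding a sentence on how to restore the built-in `WebServer` template's permissions afterwards, since unlike the other sections it modifies an existing template rather than a duplicate.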