Merge pull request rapid7#20658 from jheysel-r7/feat/mod/cert_details_update

Add Updates to LDAP ESC Vulnerable Cert Finder

Author: dledda-r7

docs/metasploit-framework.wiki/ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md

@@ -1580,7 +1580,7 @@ msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhost=172.16.199.200 cert_f
 [*] Auxiliary module execution completed
 ```
 
-#### ESC16 Scenario 2
+## ESC16 Scenario 2
 If domain controllers are in Full Enforcement mode (`StrongCertificateBindingEnforcement` == 2), ESC16 alone would normally
 prevent authentication using certificates that lack the required SID extension. However, if the CA is also vulnerable
 to ESC6, which is defined as: `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is set under it's `EditFlags` registry key, located here:

lib/msf/core/exploit/remote/ms_icpr.rb

@@ -420,14 +420,39 @@ def build_on_behalf_of(csr:, on_behalf_of:, cert:, key:, algorithm: 'SHA256')
   # @param [OpenSSL::X509::Certificate] cert
   # @return [Array<Rex::Proto::CryptoAsn1::ObjectId>] The policy OIDs if any were found.
   def get_cert_policy_oids(cert)
-    ext = cert.extensions.find { |e| e.oid == 'ms-app-policies' }
-    return [] unless ext
+    all_oids = []
 
-    cert_policies = Rex::Proto::CryptoAsn1::X509::CertificatePolicies.parse(ext.value_der)
-    cert_policies.value.map do |policy_info|
-      oid_string = policy_info[:policyIdentifier].value
-      Rex::Proto::CryptoAsn1::OIDs.value(oid_string) || Rex::Proto::CryptoAsn1::ObjectId.new(oid_string)
+    # ms-app-policies (CertificatePolicies) - existing handling
+    if (ext = cert.extensions.find { |e| e.oid == 'ms-app-policies' })
+      begin
+        cert_policies = Rex::Proto::CryptoAsn1::X509::CertificatePolicies.parse(ext.value_der)
+        cert_policies.value.each do |policy_info|
+          oid_string = policy_info[:policyIdentifier].value
+          all_oids << (Rex::Proto::CryptoAsn1::OIDs.value(oid_string) || Rex::Proto::CryptoAsn1::ObjectId.new(oid_string))
+        end
+      rescue StandardError => e
+        vprint_error("Failed to parse ms-app-policies from certificate with subject:\"#{cert.subject.to_s}\" and issuer:\"#{cert.issuer.to_s}\". #{e.class}: #{e.message}")
+      end
     end
+
+    # extendedKeyUsage - SEQUENCE OF OBJECT IDENTIFIER
+    if (eku_ext = cert.extensions.find { |e| e.oid == 'extendedKeyUsage' })
+      begin
+        asn1 = OpenSSL::ASN1.decode(eku_ext.value_der)
+        # asn1 should be a Sequence whose children are OBJECT IDENTIFIER nodes
+        if asn1.is_a?(OpenSSL::ASN1::Sequence)
+          asn1.value.each do |node|
+            next unless node.is_a?(OpenSSL::ASN1::ObjectId)
+            oid_string = node.value
+            all_oids << (Rex::Proto::CryptoAsn1::OIDs.value(oid_string) || Rex::Proto::CryptoAsn1::ObjectId.new(oid_string))
+          end
+        end
+      rescue StandardError => e
+        vprint_error("Failed to parse extendedKeyUsage from certificate with subject:\"#{cert.subject.to_s}\" and issuer:\"#{cert.issuer.to_s}\". #{e.class}: #{e.message}")
+      end
+    end
+
+    all_oids
   end
 
 

modules/auxiliary/admin/dcerpc/esc_update_ldap_object.rb

@@ -67,7 +67,8 @@ def initialize(info = {})
       OptEnum.new('UPDATE_LDAP_OBJECT', [ true, 'Either userPrincipalName or dNSHostName, Updates the necessary object of a specific user before requesting the cert.', 'userPrincipalName', %w[userPrincipalName dNSHostName] ]),
       OptString.new('UPDATE_LDAP_OBJECT_VALUE', [ true, 'The account name you wish to impersonate', 'Administrator']),
       OptString.new('TARGET_USERNAME', [true, 'The username of the target LDAP object (the victim account).'], aliases: ['SMBUser']),
-      OptString.new('TARGET_PASSWORD', [false, 'The password of the target LDAP object (the victim account). If left blank, Shadow Credentials will be used to authenticate as the TARGET_USERNAME'], aliases: ['SMBPass'])
+      OptString.new('TARGET_PASSWORD', [false, 'The password of the target LDAP object (the victim account). If left blank, Shadow Credentials will be used to authenticate as the TARGET_USERNAME'], aliases: ['SMBPass']),
+      OptString.new('CertificateAuthorityRhost', [false, 'The IP Address of the CA. The module will attempt to resolve this via DNS if this is not set'])
     ])
 
     register_advanced_options(
@@ -216,7 +217,7 @@ def action_request_cert
       @device_id, cert_path = call_shadow_credentials_module('add')
       smbpass = automate_get_hash(cert_path, datastore['TARGET_USERNAME'], datastore['LDAPDomain'], datastore['RHOSTS'])
     end
-    ca_ip = resolve_ca_ip
+    ca_ip = datastore['CertificateAuthorityRhost'].present? ? datastore['CertificateAuthorityRhost'] : resolve_ca_ip
     with_ipc_tree do |opts|
       datastore['SMBUser'] = datastore['TARGET_USERNAME']
       datastore['SMBPass'] = smbpass