Add two more report filters

zeroSteiner · zeroSteiner · commit 170fbcb2bd1b · 2025-08-15T15:34:13.000-04:00
diff --git a/documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md b/documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md
@@ -244,6 +244,8 @@ if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
 What templates to report (applies filtering to results).
 
 * **all** - Report all certificate templates.
+* **published** - Report certificate templates that are published by at least one CA server.
+* **enrollable** - Same as above, but omits templates that the user does not have permissions to enroll in.
 * **vulnerable** - Report certificate templates where at least one misconfiguration is appears to be present.
 * **vulnerable-and-published** - Same as above, but omits templates that are not published by at least one CA server.
 * **vulnerable-and-enrollable** - Same as above, but omits templates that the user does not have permissions to enroll in.
diff --git a/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb b/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb
@@ -95,7 +95,7 @@ def initialize(info = {})
 
     register_options([
       OptString.new('BASE_DN', [false, 'LDAP base DN if you already have it']),
-      OptEnum.new('REPORT', [true, 'What templates to report (applies filtering to results)', 'vulnerable-and-published', %w[all vulnerable vulnerable-and-published vulnerable-and-enrollable]]),
+      OptEnum.new('REPORT', [true, 'What templates to report (applies filtering to results)', 'vulnerable-and-published', %w[all published enrollable vulnerable vulnerable-and-published vulnerable-and-enrollable]]),
       OptBool.new('RUN_REGISTRY_CHECKS', [true, 'Authenticate to WinRM to query the registry values to enhance reporting for ESC9, ESC10 and ESC16. Must be a privileged user in order to query successfully', false]),
     ])
   end
@@ -727,18 +727,26 @@ def reporting_split_techniques(template)
 
     if datastore['REPORT'] == 'vulnerable-and-enrollable'
       vulnerable.keep_if do |technique|
-        enroll_by_proxy.include?(technique) || (template[:permissions].include?('FULL CONTROL') || template[:permissions].include?('ENROLL')) && template[:ca_servers].values.any? { _1[:permissions].include?('REQUEST CERTIFICATES') }
+        enroll_by_proxy.include?(technique) || can_enroll?(template)
       end
     end
 
     [vulnerable, potentially_vulnerable]
   end
 
+  def can_enroll?(template)
+    (template[:permissions].include?('FULL CONTROL') || template[:permissions].include?('ENROLL')) && template[:ca_servers].values.any? { _1[:permissions].include?('REQUEST CERTIFICATES') }
+  end
+
   def print_vulnerable_cert_info
     filtered_certificate_details = @certificate_details.sort.to_h.select do |_key, template|
       case datastore['REPORT']
       when 'all'
         true
+      when 'published'
+        template[:ca_servers].present?
+      when 'enrollable'
+        can_enroll?(template)
       when 'vulnerable'
         template[:techniques].present?
       when 'vulnerable-and-published'
