esc4_scanner.py

# Standard library imports
import argparse
import getpass
import socket
import struct
import time

# Third-party imports
from colored import fore
from ldap3 import ALL, Connection, NTLM, Server
from ldap3.protocol.microsoft import security_descriptor_control


# Constants and Dicts
TAB = "  "


ALL_SID = dict()


COLORS = {
    "white": fore("white"),
    "blue": fore("blue"),
    "cyan": fore("cyan"),
    "green": fore("green_4"),
    "orange": fore("orange_3"),
    "red": fore("red")
}


CA_PERMISSIONS_ACCESS_MASKS = {
    0x00000001: [
        "Administrator",
        "Has full control of the CA (configuration, user accounts management, "
        "system maintenance)",
    ],
    0x00000002: [
        "Officer",
        "Authorized to approve or deny certificate requests and manage revocations",
    ],
    0x00000004: [
        "Auditor",
        "Authorized to view and maintain audit logs",
    ],
    0x00000008: [
        "Operator",
        "Authorized to perform system backup and recovery operations for the CA",
    ],
    0x00000100: [
        "Read",
        "Authorized to view basic CA properties (configuration and available templates)",
    ],
    0x00000200: [
        "Enroll",
        "Authorized to request certificates from the CA",
    ],
}


AD_OBJECTS_ACCESS_MASKS = {
    0x00000001: [
        "CC",
        "CREATE_CHILD",
        "The right to create child objects of the object. ObjectType may "
        "identify a specific child class; if absent, applies to all allowed "
        "child classes.",
    ],
    0x00000002: [
        "DC",
        "DELETE_CHILD",
        "The right to delete child objects of the object. ObjectType may "
        "identify a specific child class; if absent, applies to all child "
        "classes.",
    ],
    0x00000004: [
        "LC",
        "LIST_CONTENTS",
        "The right to list child objects of this object",
    ],
    # 0x00000008: ["SW", "SELF_WRITE", ""],
    0x00000008: [
        "VW",
        "WRITE_PROPERTY_EXTENDED",
        "The right to perform an operation controlled by a validated write "
        "access right. ObjectType may identify a specific validated write; if "
        "absent, applies to all validated writes.",
    ],
    0x00000010: [
        "RP",
        "READ_PROPERTY",
        "The right to read properties of the object. ObjectType may identify "
        "a property set or attribute; if absent, applies to all attributes.",
    ],
    0x00000020: [
        "WP",
        "WRITE_PROPERTY",
        "The right to write properties of the object. ObjectType may identify "
        "a property set or attribute; if absent, applies to all attributes.",
    ],
    0x00000040: [
        "DT",
        "DELETE_TREE",
        "The right to perform a Delete-Tree operation on this object",
    ],
    0x00000080: [
        "LO",
        "LIST_OBJECT",
        "The right to list a particular object",
    ],
    # 0x00000100: ["CR", "EXTENDED_RIGHT", ""],
    0x00000100: [
        "CR",
        "CONTROL_ACCESS",
        "The right to perform an operation controlled by a control access "
        "right. ObjectType may identify a specific control access right; if "
        "absent, applies to all such operations.",
    ],
    0x00010000: ["DE", "DELETE", "The right to delete the object"],
    0x00020000: [
        "RC",
        "READ_CONTROL",
        "The right to read data from the security descriptor of the object, "
        "not including the data in the SACL",
    ],
    0x00040000: [
        "WD",
        "WRITE_DAC",
        "The right to modify the DACL in the object security descriptor",
    ],
    0x00080000: [
        "WO",
        "WRITE_OWNER",
        "The right to modify the owner of the object in its security "
        "descriptor (users can take ownership).",
    ],
    # Generic rights (not stored in AD; shown here for reference):
    # 0x10000000: ["GA", "GENERIC_ALL", "Maps to (DE|RC|WD|WO|CC|DC|DT|RP|WP|LC|LO|CR|VW)"],
    # 0x20000000: ["GX", "GENERIC_EXECUTE", "Maps to (RC|LC)"],
    # 0x40000000: ["GW", "GENERIC_WRITE", "Maps to (RC|WP|VW)"],
    # 0x80000000: ["GR", "GENERIC_READ", "Maps to (RC|LC|RP|LO)"],
}


ACL_REVISIONS = {
    2: ["Default", "Supports basic ACE types"],
    3: ["Compound", "Supports basic and coumpound ACE types"],
    4: ["Object", "Supports basic, compound and object ACE types"]
}


ACE_TYPES = {
    0x00: ["DACL", 2, "ACCESS_ALLOWED_ACE", "Grants access to a resource"],
    0x01: ["DACL", 2, "ACCESS_DENIED_ACE", "Denies access to a resource"],
    0x02: ["SACL", 2, "SYSTEM_AUDIT_ACE", "Audits access to a resource"],
    0x03: [
        "SACL",
        2,
        "SYSTEM_ALARM_ACE",
        "Alarms upon acess to a resource; unused",
    ],
    0x04: [
        "DACL",
        3,
        "ACCESS_ALLOWED_COMPOUND_ACE",
        "Grants access to a resource during impersonation",
    ],
    0x05: [
        "DACL",
        4,
        "ACCESS_ALLOWED_OBJECT_ACE",
        "Grants access to a resource with an object type",
    ],
    0x06: [
        "DACL",
        4,
        "ACCESS_DENIED_OBJECT_ACE",
        "Denies access to a resource with an object type",
    ],
    0x07: [
        "SACL",
        4,
        "SYSTEM_AUDIT_OBJECT_ACE",
        "Audits access to a resource with an object type",
    ],
    0x08: [
        "SACL",
        4,
        "SYSTEM_ALARM_OBJECT_ACE",
        "Alarms upon access to a resource with an object type; unused",
    ],
    0x09: [
        "DACL",
        2,
        "ACCESS_ALLOWED_CALLBACK_ACE",
        "Grants access to a resource with a callback",
    ],
    0x0A: [
        "DACL",
        2,
        "ACCESS_DENIED_CALLBACK_ACE",
        "Denies access to a resource with a callback",
    ],
    0x0B: [
        "DACL",
        4,
        "ACCESS_ALLOWED_CALLBACK_OBJECT_ACE",
        "Grants access to a resource with a callback and an object type",
    ],
    0x0C: [
        "DACL",
        4,
        "ACCESS_DENIED_CALLBACK_OBJECT_ACE",
        "Denies access to a resource with a callback and an object type",
    ],
    0x0D: [
        "SACL",
        2,
        "SYSTEM_AUDIT_CALLBACK_ACE",
        "Audits access to a resource with a callbackk",
    ],
    0x0E: [
        "SACL",
        2,
        "SYSTEM_ALARM_CALLBACK_ACE",
        "Alarms upon access to a resource with a callback; unused",
    ],
    0x0F: [
        "SACL",
        4,
        "SYSTEM_AUDIT_CALLBACK_OBJECT_ACE",
        "Audits access to a resource with a callback and an object type",
    ],
    0x10: [
        "SACL",
        4,
        "SYSTEM_ALARM_CALLBACK_OBJECT_ACE",
        "Alarms upon access to a resource with a callback and an object type; unused",
    ],
    0x11: ["SACL", 2, "SYSTEM_MANDATORY_LABEL_ACE", "Specifies a mandatory label"],
    0x12: [
        "SACL",
        2,
        "SYSTEM_RESOURCE_ATTRIBUTE_ACE",
        "Specifies attributes for the resource",
    ],
    0x13: [
        "SACL",
        2,
        "SYSTEM_SCOPED_POLICY_ID_ACE",
        "Specifie a central access policy ID for the resource",
    ],
    0x14: [
        "SACL",
        2,
        "SYSTEM_PROCESS_TRUST_LABEL_ACE",
        "Specifies a process trust label to limite resource access",
    ],
    0x15: [
        "SACL",
        2,
        "SYSTEM_ACCESS_FILTER_ACE",
        "Specifies an access filter for the resource",
    ],
}


ACE_FLAGS = {
    0x01: ["ObjectInherit", "The ACE can be inherited by an object"],
    0x02: ["ContainerInherit", "The ACE can be inherited by a container"],
    0x04: ["NoPropagateInherit", "The ACE's inheritance flags are not propagated to children"],
    0x08: ["InheritOnly", "The ACE is used only for inheritance and not for access checks"],
    0x10: ["Inherited", "The ACE was inherited from a parent container"],
    0x20: ["Critical", "The ACE is critical and can't be removed (applies only to Allowed ACEs)"],
    0x40: ["SuccessfulAccess", "An audit event should be generated for a successful access"],
    # 0x40: ["TrustProtected", "When used with an AccessFilter ACE, this flag prevents modification"]
    0x80: ["FailedAccess", "An audit event should be generated for a failed access"]
}


# Auxiliar functions
def convert_domain_str_to_dn(domain_str):
    """
    Convert domain string to distinguished name format.

    Args:
        domain_str (str): Domain name in format 'example.com'

    Returns:
        str: Distinguished name format 'DC=example,DC=com'
    """
    components = domain_str.split(".")
    domain_dn = ",".join([f"DC={component}" for component in components])
    return domain_dn


def convert_sid_bytes_to_str(sid_bytes):
    """
    Convert SID bytes to readable string format.

    Args:
        sid_bytes (bytes): Raw SID bytes from Active Directory

    Returns:
        str: SID string in format 'S-1-5-...'
    """
    revision, sub_authority_count = struct.unpack('<BB', sid_bytes[:2])
    authority = struct.unpack('>Q', b'\x00\x00' + sid_bytes[2:8])[0]
    sub_authorities = []

    for i in range(sub_authority_count):
        sub_authority = struct.unpack('<L', sid_bytes[8 + i * 4:12 + i * 4])[0]
        sub_authorities.append(sub_authority)

    sid_string = f'S-{revision}-{authority}'
    for sub_authority in sub_authorities:
        sid_string += f'-{sub_authority}'

    return sid_string


def convert_guid_bytes_to_str(guid_bytes):
    """
    Convert GUID bytes to readable string format.

    Args:
        guid_bytes (bytes): Raw GUID bytes from Active Directory

    Returns:
        str: GUID string in format 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
    """
    data = struct.unpack('<IHH8B', guid_bytes)
    return '{:08x}-{:04x}-{:04x}-{:02x}{:02x}-{:02x}{:02x}{:02x}{:02x}{:02x}{:02x}'.format(*data)


def get_sam_account_name_from_sid(connection, domain, sid_str):
    """
    Retrieve the SAM account name for a given SID from Active Directory.
    
    Args:
        connection: LDAP connection object
        domain (str): Domain name
        sid_str (str): SID string in format S-1-5-...
        
    Returns:
        str: SAM account name for the given SID, or an empty string if not found
    """
    try:
        sam_account_name = ""
        search_base = f"{convert_domain_str_to_dn(domain)}"
        search_filter = f"(objectSid={sid_str})"
        attributes = ["sAMAccountName"]
        search_scope = "SUBTREE"

        if connection.search(
            search_base, search_filter, attributes=attributes, search_scope=search_scope
        ) and len(connection.entries) > 0:  # This LDAP search should only return one result
            entry = connection.entries[0]
            sam_account_name = str(entry["sAMAccountName"])

        return sam_account_name

    except Exception as e:
        print(f"{COLORS['red']}[-] {COLORS['white']}{e}")
        return ""


def get_sid_from_sam_account_name(connection, domain, sam_str):
    """
    Retrieve the SID for a given SAM account name from Active Directory.
    
    Args:
        connection: LDAP connection object
        domain (str): Domain name
        sam_str (str): SAM account name
        
    Returns:
        str: SID string in format S-1-5-... for the given SAM account name,
            or an empty string if not found
    """
    try:
        sid = ""
        search_base = f"{convert_domain_str_to_dn(domain)}"
        search_filter = f"(sAMAccountName={sam_str})"
        attributes = ["objectSid"]
        search_scope = "SUBTREE"

        if connection.search(
            search_base, search_filter, attributes=attributes, search_scope=search_scope
        ) and len(connection.entries) > 0:  # This LDAP search should only return one result
            entry = connection.entries[0]
            sid = str(entry["objectSid"])

        return sid

    except Exception as e:
        print(f"{COLORS['red']}[-] {COLORS['white']}{e}")
        return ""


def establish_ldap_connection(domain, user, password="", dc_ip="", pth=False):
    """
    Establish LDAP connection to the domain controller.

    Args:
        domain (str): Domain name
        user (str): Username for authentication
        password (str, optional): Password for authentication. Defaults to "".
        dc_ip (str, optional): Domain controller IP address. Defaults to "".
        pth (bool, optional): Whether to use pass-the-hash authentication. Defaults to False.

    Returns:
        Connection | None: LDAP connection object if successful, otherwise None
    """
    try:
        if dc_ip == "":
            print(f"\n{COLORS['blue']}[*] {COLORS['white']}Resolving {domain}...")
            dc_ip = socket.gethostbyname(domain)
            print(f"{COLORS['green']}[+] {COLORS['white']}Resolved {domain} to {dc_ip}")

        print(f"\n{COLORS['blue']}[*] {COLORS['white']}Establishing LDAP connection as {user}...")

        server = Server(f"ldap://{dc_ip}", get_info=ALL)

        if not pth:
            connection = Connection(
                server,
                user=f"{domain}\\{user}",
                password=password,
                authentication=NTLM,
                auto_bind=True,
            )
        else:
            connection = Connection(
                server,
                user=f"{domain}\\{user}",
                password=f"aad3b435b51404eeaad3b435b51404ee:{password}",
                authentication=NTLM,
                auto_bind=True,
            )

        if connection.bind():
            print(f"{COLORS['green']}[+] {COLORS['white']}Successfully established LDAP connection")
            return connection

    except Exception as e:
        print(f"{COLORS['red']}[-] {COLORS['white']}{e}")
    return None


# Enumeration functions
def enumerate(user, password, ca="", template="", dc_ip="", enabled=False, print_only_vulnerable=False, pth=False):
    """
    Orchestrate ESC4 enumeration across LDAP, CAs, and templates.

    This function performs the full scan workflow for ESC4: it connects to LDAP,
    gathers low-privileged/administrative/user SIDs, enumerates CAs (offerings only),
    enumerates certificate templates (security descriptor only), evaluates ESC4
    conditions, and prints the results.

    Args:
        user (str): Username in format 'user@domain.com'.
        password (str): Password or NTLM hash when using Pass-the-Hash.
        ca (str): Specific CA to enumerate (optional).
        template (str): Specific template to enumerate (optional).
        dc_ip (str): Domain controller IP address (optional).
        enabled (bool): If True, enumerate only templates enabled on some CA.
        print_only_vulnerable (bool): If True, print only templates flagged as ESC4.
        pth (bool): If True, use Pass-the-Hash authentication.

    Returns:
        None: Prints ESC4 enumeration output to the console.
    """
    domain = user.split("@")[1]
    user = user.split("@")[0]

    ldap_connection = establish_ldap_connection(domain, user, password, dc_ip, pth)

    low_priv_sids = enum_low_priv_sids(ldap_connection, domain)

    admin_sids = enum_admin_sids(ldap_connection, domain)
    privileged_sids = enum_privileged_member_sids(ldap_connection, domain, admin_sids)

    user_sids = enum_user_sids(ldap_connection, domain, user, low_priv_sids)

    certification_authorities = enumerate_certification_authorities(ldap_connection, domain, ca)

    certificate_templates = enumerate_certificate_templates(ldap_connection, domain, certification_authorities, user_sids, privileged_sids, enabled, template)

    print_enumeration_output(certification_authorities, certificate_templates, domain, ldap_connection, print_only_vulnerable)


def enum_low_priv_sids(connection, domain):
    """
    Enumerate low-privileged SIDs from Active Directory.
    This function retrieves common low-privileged security identifiers including
    Everyone, Authenticated Users, Users, Domain Users, and Domain Computers.
    
    Args:
        connection: LDAP connection object
        domain (str): Domain name
        
    Returns:
        dict: Dictionary mapping SIDs to their display names for low-privileged accounts
    """
    try:
        low_priv_sids = {
            "S-1-1-0": "Everyone",
            "S-1-5-11": "Authenticated Users",
            "S-1-5-32-545": "Users"
        }

        low_priv_sam_account_names = ["Domain Users", "Domain Computers"]
        for sam in low_priv_sam_account_names:
            sid = get_sid_from_sam_account_name(connection, domain, sam)
            if sid:  # Only add if SID is not empty
                low_priv_sids[sid] = sam

        ALL_SID.update(low_priv_sids)

        return low_priv_sids

    except Exception as e:
        print(f"{COLORS['red']}[-] {COLORS['white']}{e}")
        return {}


def enum_admin_sids(connection, domain):
    """
    Enumerate administrative SIDs from Active Directory.
    
    This function retrieves administrative security identifiers including
    Enterprise Domain Controllers, Administrators, Domain Admins, and other
    administrative groups.
    
    Args:
        connection: LDAP connection object
        domain (str): Domain name
        
    Returns:
        dict: Dictionary mapping SIDs to their display names for administrative accounts
    """
    try:
        admin_sids = {
            "S-1-5-9": "Enterprise Domain Controllers",
            "S-1-5-32-544": "Administrators"
        }

        admin_sam_account_names = [
            "Enterprise Read-only Domain Controllers",
            "Administrator",
            "Krbtgt",
            "Domain Admins",
            "Domain Controllers",
            "Schema Admins",
            "Enterprise Admins",
            "Read-only Domain Controllers",
        ]
        for sam in admin_sam_account_names:
            sid = get_sid_from_sam_account_name(connection, domain, sam)
            if sid:  # Only add if SID is not empty
                admin_sids[sid] = sam

        ALL_SID.update(admin_sids)

        return admin_sids

    except Exception as e:
        print(f"{COLORS['red']}[-] {COLORS['white']}{e}")
        return {}


def enum_privileged_member_sids(connection, domain, admin_sids):
    """
    Expand privileged SIDs to include all direct and nested members of admin groups.

    Args:
        connection: LDAP connection object
        domain (str): Domain name
        admin_sids (dict): Mapping of privileged group/account SIDs to display names

    Returns:
        set[str]: Set of SIDs considered privileged (groups, users, computers)
    """
    try:
        privileged_set = set()

        # Always include seeds (groups and admin accounts we know by SID)
        for sid in admin_sids.keys():
            privileged_set.add(sid)

        domain_dn = convert_domain_str_to_dn(domain)

        # Helper: get DN and objectClass for SID
        def _get_dn_and_classes_for_sid(target_sid):
            if connection.search(
                domain_dn,
                f"(objectSid={target_sid})",
                attributes=["distinguishedName", "objectClass"],
                search_scope="SUBTREE",
            ) and len(connection.entries) > 0:
                entry = connection.entries[0]
                dn = str(entry["distinguishedName"]) if "distinguishedName" in entry else ""
                obj_classes = [str(v) for v in entry["objectClass"]] if "objectClass" in entry else []
                return dn, obj_classes
            return "", []

        # Initialize a queue with admin groups' DNs to expand members
        group_dn_queue = []
        for sid in list(admin_sids.keys()):
            dn, obj_classes = _get_dn_and_classes_for_sid(sid)
            if dn and any(cls.lower() == "group" for cls in obj_classes):
                group_dn_queue.append(dn)

        processed_group_dns = set()
        while group_dn_queue:
            group_dn = group_dn_queue.pop(0)
            if group_dn in processed_group_dns:
                continue
            processed_group_dns.add(group_dn)

            # Fetch group members (DNs)
            if connection.search(
                domain_dn,
                f"(distinguishedName={group_dn})",
                attributes=["member"],
                search_scope="SUBTREE",
            ) and len(connection.entries) > 0:
                group_entry = connection.entries[0]
                members = list(group_entry["member"]) if "member" in group_entry else []
                for member_dn in members:
                    # Resolve member to SID and class
                    if connection.search(
                        domain_dn,
                        f"(distinguishedName={member_dn})",
                        attributes=["objectSid", "objectClass"],
                        search_scope="SUBTREE",
                    ) and len(connection.entries) > 0:
                        member_entry = connection.entries[0]
                        member_sid = str(member_entry["objectSid"]) if "objectSid" in member_entry else ""
                        if member_sid:
                            privileged_set.add(member_sid)
                        member_classes = [str(v) for v in member_entry["objectClass"]] if "objectClass" in member_entry else []
                        if any(cls.lower() == "group" for cls in member_classes):
                            # Nested admin group: expand further
                            group_dn_queue.append(member_dn)

        return privileged_set

    except Exception as e:
        print(f"{COLORS['red']}[-] {COLORS['white']}{e}")
        return set()


def enum_user_sids(connection, domain, user, low_priv_sids):
    """
    Enumerate all SIDs associated with a user account.
    
    This function retrieves the user's direct SID, primary group SID, and all
    group memberships (including nested groups) from Active Directory.
    
    Args:
        connection: LDAP connection object
        domain (str): Domain name
        user (str): Username
        low_priv_sids (dict): Dictionary of low-privileged SIDs to include
        
    Returns:
        dict: Dictionary mapping SIDs to their display names for the user and their groups
    """
    try:
        print(f"\n{COLORS['blue']}[*] {COLORS['white']}Getting user SIDs...")
        user_sids = {}

        search_base = f"{convert_domain_str_to_dn(domain)}"
        search_filter = f"(sAMAccountName={user})"
        attributes = ["objectSid", "memberOf", "primaryGroupId"]
        search_scope = "SUBTREE"

        if connection.search(
            search_base, search_filter, attributes=attributes, search_scope=search_scope
        ) and len(connection.entries) > 0:  # This LDAP search should only return one result
            current_user = connection.entries[0]

            current_user_sid = str(current_user["objectSid"])
            user_sids[current_user_sid] = user

            primary_group_sid = f"{'-'.join(current_user_sid.split('-')[:-1])}-{str(current_user['primaryGroupId'])}"
            search_filter = f"(objectSid={primary_group_sid})"
            attributes = ["sAMAccountName"]
            if connection.search(search_base, search_filter, attributes=attributes, search_scope=search_scope) and len(connection.entries) > 0:
                primary_group_name = str(connection.entries[0]["sAMAccountName"])
                user_sids[primary_group_sid] = primary_group_name
            else:
                user_sids[primary_group_sid] = ""

            processed_groups = set()
            groups = list(current_user["memberOf"])
            while groups:
                group_dn = groups.pop(0)
                if group_dn in processed_groups:
                    continue

                search_filter = f"(distinguishedName={group_dn})"
                attributes = ["objectSid", "memberOf", "sAMAccountName"]

                if connection.search(search_base, search_filter, attributes=attributes, search_scope=search_scope) and len(connection.entries) > 0:
                    group = connection.entries[0]

                    group_sid = str(group["objectSid"])
                    group_name = str(group["sAMAccountName"])
                    user_sids[group_sid] = group_name

                    indirect_membership = group["memberOf"]
                    if indirect_membership:
                        for indirect_group_dn in indirect_membership:
                            if indirect_group_dn not in processed_groups:
                                groups.append(indirect_group_dn)

        for sid, name in low_priv_sids.items():
            if sid not in user_sids:
                user_sids[sid] = name

        print(f"{COLORS['green']}[+] {COLORS['white']}User SIDs:")
        for sid, name in user_sids.items():
            print(f"{TAB * 3}{domain}\\{name} -> {sid}")

        ALL_SID.update(user_sids)

        return user_sids

    except Exception as e:
        print(f"{COLORS['red']}[-] {COLORS['white']}{e}")
        return {}


def enumerate_certification_authorities(connection, domain, ca=""):
    """
    Enumerate Certification Authorities from Active Directory.

    This function retrieves CA metadata including DNS hostname, distinguished
    name, and the list of certificate templates offered by each CA. CA security
    permissions are not enumerated in ESC4 mode.

    Args:
        connection: LDAP connection object.
        domain (str): Domain name.
        ca (str): Specific CA name to search for (optional).

    Returns:
        dict: Mapping of CA name to metadata (DNS, DN, offered templates).
    """
    try:
        certification_authorities = {}

        if ca != "":
            print(f"\n{COLORS['blue']}[*] {COLORS['white']}Searching certification authority...")
            search_base = (
                f"CN={ca},CN=Enrollment Services,CN=Public Key Services,"
                f"CN=Services,CN=Configuration,{convert_domain_str_to_dn(domain)}"
            )
        else:
            print(f"\n{COLORS['blue']}[*] {COLORS['white']}Searching certification authorities...")
            search_base = (
                f"CN=Enrollment Services,CN=Public Key Services,CN=Services,"
                f"CN=Configuration,{convert_domain_str_to_dn(domain)}"
            )

        search_filter = "(objectClass=pKIEnrollmentService)"
        attributes = ["name", "dNSHostName", "cACertificateDN", "certificateTemplates"]
        search_scope = "SUBTREE"

        if connection.search(search_base, search_filter, attributes=attributes, search_scope=search_scope):
            if len(connection.entries) == 0:
                print(f"{COLORS['red']} No certification authority found")

            elif len(connection.entries) == 1:
                print(f"{COLORS['green']}[+] {COLORS['white']}Found 1 certification authority:")

                ca = connection.entries[0]

                ca_name = str(ca["name"]) if "name" in ca else ""
                ca_dns_hostname = str(ca["dNSHostName"]) if "dNSHostName" in ca else ""
                ca_certificate_dn = str(ca["cACertificateDN"]) if "cACertificateDN" in ca else ""
                ca_certificate_templates = list(ca["certificateTemplates"]) if "certificateTemplates" in ca else ""

                certification_authorities[ca_name] = {
                    "ca_dns_hostname": ca_dns_hostname,
                    "ca_certificate_dn": ca_certificate_dn,
                    "ca_certificate_templates": ca_certificate_templates,
                }

            else:
                print(f"{COLORS['green']}[+] {COLORS['white']}Found {len(connection.entries)} certification authorities:")

                for ca in connection.entries:
                    ca_name = str(ca["name"]) if "name" in ca else ""
                    ca_dns_hostname = str(ca["dNSHostName"]) if "dNSHostName" in ca else ""
                    ca_certificate_dn = str(ca["cACertificateDN"]) if "cACertificateDN" in ca else ""
                    ca_certificate_templates = list(ca["certificateTemplates"]) if "certificateTemplates" in ca else ""

                    certification_authorities[ca_name] = {
                        "ca_dns_hostname": ca_dns_hostname,
                        "ca_certificate_dn": ca_certificate_dn,
                        "ca_certificate_templates": ca_certificate_templates,
                    }

        if len(certification_authorities) > 0:
            for ca_name, _ in certification_authorities.items():
                print(f"{TAB * 3}{ca_name}")

        return certification_authorities

    except Exception as e:
        print(f"{COLORS['red']}[-] {COLORS['white']}{e}")
        return {}


def enumerate_certificate_templates(connection, domain, ca_dict, user_sids, privileged_sids, enum_only_enabled, template_to_enum=""):
    """
    Enumerate certificate templates from Active Directory.

    This function retrieves security descriptors for templates (owner, group,
    DACL) and correlates them with CA offerings to determine where each
    template is enabled. ESC4 analysis is performed separately.

    Args:
        connection: LDAP connection object.
        domain (str): Domain name.
        ca_dict (dict): CA information used to compute enabled templates.
        user_sids (dict): Dictionary of user SIDs.
        privileged_sids (dict): Dictionary of privileged SIDs.
        enum_only_enabled (bool): Whether to enumerate only enabled templates.
        template_to_enum (str): Specific template name to search for (optional).

    Returns:
        dict: Mapping of template name to metadata (enabled_in, security_descriptor,
            owner, group, parsed DACL).
    """
    try:
        enabled_certificates = {}
        for ca_name, ca_info in ca_dict.items():
            for template_name in ca_info["ca_certificate_templates"]:
                if template_name not in enabled_certificates:
                    enabled_certificates[template_name] = set()
                enabled_certificates[template_name].add(ca_name)

        certificate_templates = {}

        if template_to_enum != "":
            print(f"\n{COLORS['blue']}[*] {COLORS['white']}Searching certificate template...")
            search_base = (
                f"CN={template_to_enum},CN=Certificate Templates,CN=Public Key Services,"
                f"CN=Services,CN=Configuration,{convert_domain_str_to_dn(domain)}"
            )
        else:
            if enum_only_enabled:
                print(f"\n{COLORS['blue']}[*] {COLORS['white']}Searching enabled certificate templates...")
            else:
                print(f"\n{COLORS['blue']}[*] {COLORS['white']}Searching certificate templates...")
            search_base = (
                f"CN=Certificate Templates,CN=Public Key Services,CN=Services,"
                f"CN=Configuration,{convert_domain_str_to_dn(domain)}"
            )

        search_filter = "(objectClass=pKICertificateTemplate)"
        attributes = ["cn", "ntSecurityDescriptor"]
        search_scope = "SUBTREE"
        control = security_descriptor_control(sdflags=0x07)

        if connection.search(search_base, search_filter, attributes=attributes, search_scope=search_scope, controls=control):
            if len(connection.entries) == 0:
                print(f"{COLORS['red']} No certificate template found")

            else:
                for template in connection.entries:
                    template_name = str(template["cn"]) if "cn" in template else ""

                    if enum_only_enabled and template_name not in enabled_certificates:
                        continue

                    template_enabled_in = enabled_certificates[template_name] if template_name in enabled_certificates else set()
                    template_security_descriptor = (
                        template["ntSecurityDescriptor"].raw_values[0]
                        if "ntSecurityDescriptor" in template
                        else ""
                    )

                    template_owner, template_group, template_dacl = parse_security_descriptor(template_security_descriptor)

                    # Resolve owner and group SIDs to usernames and add to ALL_SID
                    if template_owner and template_owner not in ALL_SID:
                        ALL_SID[template_owner] = get_sam_account_name_from_sid(connection, domain, template_owner)
                    if template_group and template_group not in ALL_SID:
                        ALL_SID[template_group] = get_sam_account_name_from_sid(connection, domain, template_group)

                    certificate_templates[template_name] = {
                        "enabled_in": template_enabled_in,
                        "security_descriptor": template_security_descriptor,
                        "owner": template_owner,
                        "group": template_group,
                        "dacl": template_dacl,
                    }

                template_count = len(certificate_templates)
                if template_count == 1 and not enum_only_enabled:
                    print(f"{COLORS['green']}[+] {COLORS['white']}Found 1 certificate template:")
                elif template_count == 1 and enum_only_enabled:
                    print(f"{COLORS['green']}[+] {COLORS['white']}Found 1 enabled certificate template:")
                elif template_count > 1 and not enum_only_enabled:
                    print(f"{COLORS['green']}[+] {COLORS['white']}Found {template_count} certificate templates:")
                else:
                    enabled_count = len([t for t in certificate_templates.values() if t["enabled_in"]])
                    print(f"{COLORS['green']}[+] {COLORS['white']}Found {enabled_count} enabled certificate templates:")

        if len(certificate_templates) > 0:
            for template_name, template_info in certificate_templates.items():
                if enum_only_enabled and not template_info["enabled_in"]:
                    continue
                print(f"{TAB * 3}{template_name}")

        check_if_vulnerable(user_sids, privileged_sids, certificate_templates)

        return certificate_templates

    except Exception as e:
        print(f"{COLORS['red']}[-] {COLORS['white']}{e}")
        return {}


def parse_security_descriptor(security_descriptor_bytes):
    """
    Parse Windows security descriptor from binary data.
    
    This function extracts the owner SID, group SID, and DACL from a
    binary security descriptor. It parses the header structure and
    delegates DACL parsing to a separate function.
    
    Args:
        security_descriptor_bytes (bytes): Binary security descriptor data
        
    Returns:
        tuple[str, str, list]: (owner_sid, group_sid, dacl) where dacl is [revision, ace_list]
    """
    # Offsets (ignoring SACL)
    owner_offset, group_offset, _, dacl_offset = struct.unpack("<LLLL", security_descriptor_bytes[4:20])

    # Get owner and group SIDs
    owner_sid = convert_sid_bytes_to_str(security_descriptor_bytes[owner_offset:])
    group_sid = convert_sid_bytes_to_str(security_descriptor_bytes[group_offset:])

    # If there is a DACL, extract info from it
    if dacl_offset != 0:
        dacl_bytes = security_descriptor_bytes[dacl_offset:]
        acl_revision, ace_list = parse_dacl(dacl_bytes)
        dacl = [acl_revision, ace_list]

    return owner_sid, group_sid, dacl


def parse_dacl(dacl_bytes):
    """
    Parse DACL (Discretionary Access Control List) from binary data.
    
    This function parses the DACL structure to extract ACE (Access Control Entry)
    information including ACE type, flags, access mask, and SID. It handles
    both standard ACEs and object ACEs with GUIDs.
    
    Args:
        dacl_bytes (bytes): Binary DACL data
        
    Returns:
        tuple[int, list[dict]]: (acl_revision, ace_list) where ace_list contains parsed ACE dictionaries
    """
    # Read first 4 bytes of the DACL to get ACL information (ignoring sbz1, ACL size, and sbz2)
    acl_revision, _, _, ace_count, _ = struct.unpack("<BBHHH", dacl_bytes[:8])

    # Define initial offset (first 4 bytes already read)
    current_offset = 8

    # Iterate over ACEs
    ace_list = list()
    for _ in range(ace_count):
        ace = dict()

        # Read ACE header
        ace_type, ace_flags, ace_size = struct.unpack("<BBH", dacl_bytes[current_offset:current_offset + 4])
        ace["type"] = ACE_TYPES[ace_type]
        ace["flags"] = ace_flags


        # Read ACE
        ace_bytes = dacl_bytes[current_offset:current_offset + ace_size]

        # Read next 4 bytes to get the access mask
        aux_offset = 4
        access_mask = struct.unpack("<L", ace_bytes[aux_offset:aux_offset + 4])[0]
        ace["access_mask"] = access_mask

        # Derive enabled ACE flags and rights for printing/analysis
        enabled_flags = []
        for flag_value in ACE_FLAGS.keys():
            if ace_flags & flag_value:
                enabled_flags.append(flag_value)
        ace["enabled_ace_flags"] = enabled_flags

        enabled_rights = []
        for right_mask in AD_OBJECTS_ACCESS_MASKS.keys():
            if access_mask & right_mask:
                enabled_rights.append(right_mask)
        ace["enabled_rights"] = enabled_rights

        # Check if object ACE and define SID offset
        object_type = inherited_object_type = None
        if ace["type"][1] == 4:
            aux_offset += 4
            object_flags = struct.unpack("<L", ace_bytes[aux_offset:aux_offset + 4])[0]

            aux_offset += 4

            if object_flags & 0x1:
                object_type = True
                object_type_guid = ace_bytes[aux_offset:aux_offset + 16]
                guid = convert_guid_bytes_to_str(object_type_guid)
                ace["object_guid"] = guid
                aux_offset += 16

            if object_flags & 0x2:
                inherited_object_type = True
                inherited_object_type_guid = ace_bytes[aux_offset:aux_offset + 16]
                guid = convert_guid_bytes_to_str(inherited_object_type_guid)
                ace["inherited_object"] = guid
                aux_offset += 16

            sid_offset = aux_offset

        # Read SID
        else:
            sid_offset = aux_offset + 4

        _, sub_authority_count = struct.unpack("<BB", ace_bytes[sid_offset:][:2])
        sid_size = 8 + (sub_authority_count * 4)     # 8 bytes (header) + 4 bytes per sub authority
        sid_bytes = ace_bytes[sid_offset:sid_offset + sid_size]
        sid = convert_sid_bytes_to_str(sid_bytes)

        ace["sid"] = sid

        ace_list.append(ace)

        current_offset += ace_size

    return acl_revision, ace_list


def check_if_vulnerable(user_sids, privileged_sids, certificate_templates):
    """
    Check ESC4 conditions and annotate template results.

    Flags templates where a low-privileged principal can modify template
    security: low-priv owner or ACEs granting GENERIC_ALL, WRITE_OWNER,
    WRITE_DAC, or WRITE_PROPERTY to low-priv SIDs.

    Args:
        user_sids (dict): SIDs relevant to the current user context.
        privileged_sids (dict): SIDs considered privileged (excluded from low-priv).
        certificate_templates (dict): Parsed template metadata including DACL.

    Returns:
        None: Mutates `certificate_templates` entries by adding
            `potentially_vulnerable_to_esc4` and `esc4_triggers`.
    """
    for certificate_template_name, info in certificate_templates.items():
        # Owner low-priv triggers ESC4
        owner_sid = info.get("owner", "")
        if owner_sid and owner_sid in user_sids and owner_sid not in privileged_sids:
            info["potentially_vulnerable_to_esc4"] = True
            info["esc4_owner_low_priv"] = True

        # Rights-based triggers on ACEs
        dacl = info.get("dacl", [None, []])[1]
        for ace in dacl:
            # Consider only ACCESS_ALLOWED* ACEs for ESC4 triggers
            ace_type_name = ace.get("type", [None, None, ""])[2]
            if not ace_type_name.startswith("ACCESS_ALLOWED"):
                continue
            sid = ace.get("sid", "")
            if not sid or sid in privileged_sids:
                continue

            mask = ace.get("access_mask", 0)
            triggers = []
            # GenericAll-equivalent bitset per MS-ADTS mapping:
            # GA = (DE | RC | WD | WO | CC | DC | DT | RP | WP | LC | LO | CR | VW)
            generic_all_equiv = (
                0x00010000 |  # DE
                0x00020000 |  # RC
                0x00040000 |  # WD
                0x00080000 |  # WO
                0x00000001 |  # CC
                0x00000002 |  # DC
                0x00000040 |  # DT
                0x00000010 |  # RP
                0x00000020 |  # WP
                0x00000004 |  # LC
                0x00000080 |  # LO
                0x00000100 |  # CR
                0x00000008    # VW
            )
            if (mask & generic_all_equiv) == generic_all_equiv:
                triggers.append("GENERIC_ALL")
            if mask & 0x00080000:  # WRITE_OWNER
                triggers.append("WRITE_OWNER")
            if mask & 0x00040000:  # WRITE_DAC
                triggers.append("WRITE_DAC")
            if mask & 0x00000020:  # WRITE_PROPERTY
                triggers.append("WRITE_PROPERTY")

            if triggers:
                info["potentially_vulnerable_to_esc4"] = True
                ace["esc4_triggers"] = triggers


def print_enumeration_output(certification_authorities_dict, certificate_templates_dict, domain, connection, print_only_vulnerable):
    """
    Print comprehensive enumeration results in a formatted output.
    
    This function displays the results of the ESC1 vulnerability scan,
    including CA information, template details, and vulnerability analysis.
    It highlights potentially vulnerable templates and provides detailed
    information about security descriptors and permissions.
    
    Args:
        certification_authorities_dict (dict): Dictionary containing CA information
        certificate_templates_dict (dict): Dictionary containing template information
        domain (str): Domain name
        connection: LDAP connection object
        print_only_vulnerable (bool): Whether to print only vulnerable templates
        verbose (bool): Whether to print detailed ACE information
        
    Returns:
        None: Prints formatted output to console
    """
    print(f"\n{COLORS['green']}[+] {COLORS['white']}Enumeration output:\n")

    print(f"\n{COLORS['cyan']}Certification Authorities:")
    count = 1
    for ca_name, ca_info in certification_authorities_dict.items():
        print(f"{TAB}{COLORS['cyan']}{count}")
        print(f"{TAB * 2}{COLORS['cyan']}CA Name -> {COLORS['white']}{ca_name}")
        print(f"{TAB * 2}{COLORS['cyan']}CA DNS -> {COLORS['white']}{ca_info['ca_dns_hostname']}")
        print(f"{TAB * 2}{COLORS['cyan']}CA Distinguished Name -> {COLORS['white']}{ca_info['ca_certificate_dn']}")
        count += 1

    print(f"\n{COLORS['cyan']}Certificate Templates:")
    count = 1
    for template_name, template_info in certificate_templates_dict.items():
        if print_only_vulnerable and "potentially_vulnerable_to_esc4" not in template_info:
            continue

        print(f"{TAB}{COLORS['cyan']}{count}")

        print(f"{TAB * 2}{COLORS['cyan']}Template Name -> {COLORS['white']}{template_name}")
        if "potentially_vulnerable_to_esc4" in template_info:
            print(f"{TAB * 3}{COLORS['red']}Vulnerable to ESC4 (low-privileged SID principal can edit template)")

        ca_list = sorted(list(template_info["enabled_in"])) if template_info["enabled_in"] else []
        ca_str = ", ".join(ca_list)
        print(f"{TAB * 2}{COLORS['cyan']}CAs -> {COLORS['white']}{ca_str}")

        # ESC4 scan excludes enrollment/name flags, RA signatures, and EKUs

        print(f"{TAB * 2}{COLORS['cyan']}Security Descriptor Audit:")
        owner_name = ALL_SID.get(template_info['owner'], 'Unknown')
        group_name = ALL_SID.get(template_info['group'], 'Unknown')
        print(f"{TAB * 3}{COLORS['cyan']}Owner -> {COLORS['white']}{domain}\\{owner_name} ({template_info['owner']})")
        if template_info.get("esc4_owner_low_priv"):
            print(f"{TAB * 4}{COLORS['orange']}Owner is a low-privileged principal (ESC4 trigger)")
        print(f"{TAB * 3}{COLORS['cyan']}Group -> {COLORS['white']}{domain}\\{group_name} ({template_info['group']})")

        dacl = template_info["dacl"]
        print(f"{TAB * 2}{COLORS['cyan']}DACL audit:")
        print(f"{TAB * 3}{COLORS['cyan']}ACL Revision -> {COLORS['white']}{dacl[0]} ({ACL_REVISIONS[dacl[0]][1]})")
        print(f"{TAB * 3}{COLORS['cyan']}ACE Count -> {COLORS['white']}{len(dacl[1])}")
        for ace_count in range(len(dacl[1])):
            ace = dacl[1][ace_count]
            print(f"{TAB * 4}{COLORS['cyan']}ACE {ace_count + 1}:")

            if ace["sid"] not in ALL_SID:
                ALL_SID.update({ace["sid"]: get_sam_account_name_from_sid(connection, domain, ace["sid"])})
            print(f"{TAB * 5}{COLORS['cyan']}SID -> {COLORS['white']}{domain}\\{ALL_SID[ace['sid']]} ({ace['sid']})")

            print(f"{TAB * 5}{COLORS['cyan']}Type -> {COLORS['white']}{ace['type'][2]} ({ace['type'][3]})")
            if ace["flags"] == 0:
                print(f"{TAB * 5}{COLORS['cyan']}Flags -> {COLORS['white']}No ACE flags are set")
            else:
                print(f"{TAB * 5}{COLORS['cyan']}Flags -> {COLORS['white']}{ace['flags']:#010x}")
                for flag in ace["enabled_ace_flags"]:
                    print(f"{TAB * 6}{COLORS['white']}{ACE_FLAGS[flag][0]}: {ACE_FLAGS[flag][1]}")

            print(f"{TAB * 5}{COLORS['cyan']}Access Mask -> {COLORS['white']}{ace['access_mask']:#010x}")
            for right in ace["enabled_rights"]:
                print(
                    f"{TAB * 6}{COLORS['white']}{AD_OBJECTS_ACCESS_MASKS[right][0]} "
                    f"{AD_OBJECTS_ACCESS_MASKS[right][1]}: "
                    f"{AD_OBJECTS_ACCESS_MASKS[right][2]}"
                )

            if ace["type"][2] == "ACCESS_ALLOWED_OBJECT_ACE":
                print(f"{TAB * 5}{COLORS['cyan']}Object GUID -> {COLORS['white']}{ace['object_guid']}")
            if ace.get("esc4_triggers"):
                for trig in ace["esc4_triggers"]:
                    print(f"{TAB * 5}{COLORS['orange']}ACE grants {trig} to low privileged principal (ESC4 trigger)")

        count += 1


# Main function
def main():
    """
    Main entry point for the ESC1 scanner.

    This function handles command-line argument parsing and initiates
    the ESC1 vulnerability scanning process based on user-provided parameters.
    """
    parser = argparse.ArgumentParser(description="ESC1 audit tool for certificate templates\nWritten by Matheus Vilacha (https://linkedin.com/in/vilacham)")

    parser.add_argument("-u", "--user", required=True, help="User (e.g., username@domain.com)")
    parser.add_argument("-p", "--password", help="Password")
    parser.add_argument("-P", action="store_true", help="Prompt for password interactively")
    parser.add_argument("-n", "--ntlm", help="NTLM hash")
    parser.add_argument("-c", "--ca", default="", help="Certification Authority name")
    parser.add_argument("-t", "--template", default="", help="Certificate template name")
    parser.add_argument("--dc_ip", default="", help="IP address of the domain controller")
    parser.add_argument("--enabled", action="store_true", help="Print only enabled templates")
    parser.add_argument("--vulnerable", action="store_true", help="Print only vulnerable templates")

    args = parser.parse_args()

    pth = False
    if args.password:
        password = args.password
    elif args.P:
        password = getpass.getpass(prompt=f"Type {args.user}'s password: ")
    elif args.ntlm:
        password = args.ntlm
        pth = True
    else:
        print(f"{COLORS['red']}[-] {COLORS['white']}You must provide a password with -p or use -P to prompt for the password interactively, or provide a NTLM hash with -n")
        return

    if not pth:
        enumerate(
            args.user,
            password,
            args.ca,
            args.template,
            args.dc_ip,
            args.enabled,
            args.vulnerable,
            False,  # pth
        )
    else:
        enumerate(
            args.user,
            password,
            args.ca,
            args.template,
            args.dc_ip,
            args.enabled,
            args.vulnerable,
            pth,
        )

if __name__ == "__main__":
    main()