Skip to content

Commit 88ea9af

Browse files
zeroSteinerzeroSteiner
committed
Add ESC2 and ESC3 templates too
1 parent b2c5a4f commit 88ea9af

File tree

3 files changed

+61
-1
lines changed

3 files changed

+61
-1
lines changed

data/auxiliary/admin/ldap/ad_cs_cert_template/esc1_template.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
# Creates a template that will be vulnerable to ESC 1 (subject name supplied in
2+
# Creates a template that will be vulnerable to ESC1 (subject name supplied in
33
# the request). Fields are based on the SubCA template. For field descriptions,
44
# see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
55
showInAdvancedViewOnly: 'TRUE'

data/auxiliary/admin/ldap/ad_cs_cert_template/esc2_template.yaml

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
---
2+
# Creates a template that will be vulnerable to ESC2 (any purpose EKU).
3+
# Fields are based on the SubCA template. For field descriptions,
4+
# see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
5+
showInAdvancedViewOnly: 'TRUE'
6+
# this security descriptor grants all permissions to all authenticated users
7+
nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
8+
flags: 0
9+
pKIDefaultKeySpec: 2
10+
pKIKeyUsage: !binary |-
11+
hgA=
12+
pKIMaxIssuingDepth: 0
13+
pKICriticalExtensions:
14+
- 2.5.29.19
15+
- 2.5.29.15
16+
pKIExtendedKeyUsage:
17+
# Any Purpose OID
18+
- 2.5.29.37.0
19+
pKIExpirationPeriod: !binary |-
20+
AEAepOhl+v8=
21+
pKIOverlapPeriod: !binary |-
22+
AICmCv/e//8=
23+
pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
24+
msPKI-RA-Signature: 0
25+
msPKI-Enrollment-Flag: 0
26+
# CT_FLAG_EXPORTABLE_KEY
27+
msPKI-Private-Key-Flag: 0x10
28+
# CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
29+
msPKI-Certificate-Name-Flag: 0x82000000
30+
msPKI-Minimal-Key-Size: 2048

data/auxiliary/admin/ldap/ad_cs_cert_template/esc3_template.yaml

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
---
2+
# Creates a template that will be vulnerable to ESC3 (certificate request agent EKU).
3+
# Fields are based on the SubCA template. For field descriptions,
4+
# see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
5+
showInAdvancedViewOnly: 'TRUE'
6+
# this security descriptor grants all permissions to all authenticated users
7+
nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
8+
flags: 0
9+
pKIDefaultKeySpec: 2
10+
pKIKeyUsage: !binary |-
11+
hgA=
12+
pKIMaxIssuingDepth: 0
13+
pKICriticalExtensions:
14+
- 2.5.29.19
15+
- 2.5.29.15
16+
pKIExtendedKeyUsage:
17+
# Certificate Request Agent OID
18+
- 1.3.6.1.4.1.311.20.2.1
19+
pKIExpirationPeriod: !binary |-
20+
AEAepOhl+v8=
21+
pKIOverlapPeriod: !binary |-
22+
AICmCv/e//8=
23+
pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
24+
msPKI-RA-Signature: 0
25+
msPKI-Enrollment-Flag: 0
26+
# CT_FLAG_EXPORTABLE_KEY
27+
msPKI-Private-Key-Flag: 0x10
28+
# CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
29+
msPKI-Certificate-Name-Flag: 0x82000000
30+
msPKI-Minimal-Key-Size: 2048

0 commit comments

Comments
 (0)