Misconfigured Certificate Template Finder
Description
This module allows users to query a LDAP server for vulnerable certificate templates and will print these certificates out in a table along with which attack they are vulnerable to and the SIDs that can be used to enroll in that certificate template. Additionally the module will also print out a list of known certificate servers along with info about which vulnerable certificate templates the certificate server allows enrollment in and which SIDs are authorized to use that certificate server to perform this enrollment operation. Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, and ESC13. The module is limited to checking for these techniques due to them being identifiable remotely from a normal user account by analyzing the objects in LDAP.
Author(s)
- Grant Willcox
- Spencer McIntyre
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
msf auxiliary(ldap_esc_vulnerable_cert_finder) > show actions
...actions...
msf auxiliary(ldap_esc_vulnerable_cert_finder) > set ACTION < action-name >
msf auxiliary(ldap_esc_vulnerable_cert_finder) > show options
...show and set options...
msf auxiliary(ldap_esc_vulnerable_cert_finder) > run 
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security