module

Misconfigured Certificate Template Finder

Try Surface Command
Back to search
Disclosed
2021-06-17
Created
2022-11-07

Description

This module allows users to query a LDAP server for vulnerable certificate
templates and will print these certificates out in a table along with which
attack they are vulnerable to and the SIDs that can be used to enroll in that
certificate template.

Additionally the module will also print out a list of known certificate servers
along with info about which vulnerable certificate templates the certificate server
allows enrollment in and which SIDs are authorized to use that certificate server to
perform this enrollment operation.

Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, ESC4,
ESC13, and ESC15. The module is limited to checking for these techniques due to them being identifiable
remotely from a normal user account by analyzing the objects in LDAP.

Authors

Grant Willcox
Spencer McIntyre
jheysel-r7

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
    msf auxiliary(ldap_esc_vulnerable_cert_finder) > show actions
        ...actions...
    msf auxiliary(ldap_esc_vulnerable_cert_finder) > set ACTION < action-name >
    msf auxiliary(ldap_esc_vulnerable_cert_finder) > show options
        ...show and set options...
    msf auxiliary(ldap_esc_vulnerable_cert_finder) > run
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today