Add two more report filters

Spencer McIntyre
2025-08-15 15:34:13 -04:00
parent 1c41c734f0
commit 170fbcb2bd
2 changed files with 12 additions and 2 deletions
@@ -244,6 +244,8 @@ if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
What templates to report (applies filtering to results).
* **all** - Report all certificate templates.
* **published** - Report certificate templates that are published by at least one CA server.
* **enrollable** - Same as above, but omits templates that the user does not have permissions to enroll in.
* **vulnerable** - Report certificate templates where at least one misconfiguration is appears to be present.
* **vulnerable-and-published** - Same as above, but omits templates that are not published by at least one CA server.
* **vulnerable-and-enrollable** - Same as above, but omits templates that the user does not have permissions to enroll in.
@@ -95,7 +95,7 @@ class MetasploitModule < Msf::Auxiliary
register_options([
OptString.new('BASE_DN', [false, 'LDAP base DN if you already have it']),
OptEnum.new('REPORT', [true, 'What templates to report (applies filtering to results)', 'vulnerable-and-published', %w[all vulnerable vulnerable-and-published vulnerable-and-enrollable]]),
OptEnum.new('REPORT', [true, 'What templates to report (applies filtering to results)', 'vulnerable-and-published', %w[all published enrollable vulnerable vulnerable-and-published vulnerable-and-enrollable]]),
OptBool.new('RUN_REGISTRY_CHECKS', [true, 'Authenticate to WinRM to query the registry values to enhance reporting for ESC9, ESC10 and ESC16. Must be a privileged user in order to query successfully', false]),
])
end
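Review bot: The REPORT option's description on the new line is still just `'What templates to report (applies filtering to results)'`, so the semantics of the two added values are documented only in the separate markdown hunk and not where a user sees them in the console. In particular it is not evident from the names that `enrollable` also implies published (the `can_enroll?` helper in the later hunk only returns true when some CA server grants 'REQUEST CERTIFICATES') or that `published` keeps templates regardless of whether any misconfiguration was found. Consider `OptEnum.new('REPORT', [true, 'What templates to report: all, published (by a CA), enrollable (published and the user has ENROLL/FULL CONTROL), or the same restricted to templates with at least one ESC misconfiguration', 'vulnerable-and-published', %w[...]])`, or a short comment above the option pointing at the module documentation. The value list could also be lifted into a frozen constant so this enum and the `case` in `print_vulnerable_cert_info` cannot drift apart. `register_options` is called inside a method whose start lies outside the hunk.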
@@ -727,18 +727,26 @@ class MetasploitModule < Msf::Auxiliary
if datastore['REPORT'] == 'vulnerable-and-enrollable'
vulnerable.keep_if do |technique|
enroll_by_proxy.include?(technique) || (template[:permissions].include?('FULL CONTROL') || template[:permissions].include?('ENROLL')) && template[:ca_servers].values.any? { _1[:permissions].include?('REQUEST CERTIFICATES') }
enroll_by_proxy.include?(technique) || can_enroll?(template)
end
end
[vulnerable, potentially_vulnerable]
end
def can_enroll?(template)
(template[:permissions].include?('FULL CONTROL') || template[:permissions].include?('ENROLL')) && template[:ca_servers].values.any? { _1[:permissions].include?('REQUEST CERTIFICATES') }
end
def print_vulnerable_cert_info
filtered_certificate_details = @certificate_details.sort.to_h.select do |_key, template|
case datastore['REPORT']
when 'all'
true
when 'published'
template[:ca_servers].present?
when 'enrollable'
can_enroll?(template)
when 'vulnerable'
template[:techniques].present?
when 'vulnerable-and-published'