SMB to NTLM HTTP Relay with ESC8 module #19404
base: master
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
print_bad("#{datastore['CERT_TEMPLATE']} not found in available certificates") unless datastore['CERT_TEMPLATE'].nil? | ||
print_status('Attempting to generate certificates for all templates') | ||
cert_list.each do |cert_entry| | ||
retrieve_cert(client_socket, cert_entry, datastore['alt_user']) | ||
end | ||
end |
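Review bot: When CERT_TEMPLATE is set but not present in cert_list, this block only calls print_bad and then falls through to the loop that requests a certificate for every template, so a mistyped template name silently turns a single request into issuance of all templates. Consider returning after the print_bad (or gating the all-templates path behind an explicit option) so that requesting every template only happens when the operator asked for it.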
The certificates that are issued do show up in the logs. I'm thinking it could be better to tweak this behavior. I'm wondering if we should have like three different modes:
- All - where all certificates that can be issued are issued
- Automatic - where either the User or Machine certificate is issued based on if the authenticated session is for a user or machine (account ends in `$`)
- Specific - where the user specified cert is issued

Defaulting to automatic might make the most sense because it'd allow the Metasploit operator to make more authentication attempts in the future with the cert and has a high probability to succeed due to using default cert templates.
I changed this behavior as you were writing this comment. There are now two options that determine the actions:
- `QUERY_ONLY` - just queries the cert list, and does not try to issue a cert; defaults to false
- `QUERY_TEMPLATES`: When true, it queries the templates before requesting a cert and if the requested cert is not in the list, it will try to issue certs for every template.
- `CERT_TEMPLATE` - The template to use. If `QUERY_TEMPLATES` is true and this is nil or does not match

Let me know if you want me to change it again. If this stays, I need to do some sanity checking so that you can't set `QUERY_ONLY` to `true` and `QUERY_TEMPLATES` to `false`. It might also be interesting to make `QUERY_ONLY` into an action if that would make more sense.
I left a few comments; it also looks like:
- The mode logic still needs to be added, at least the comment hasn't been responded to or resolved
- Shouldn't there be exception handling and logging logic added to rex/proto/smb/server.rb for the client thread?
- Test how it handles multiple RHOSTS being provided to it to ensure it acts sensibly
- Update the module to run passively in the background
- Update the module to not issue the same certificate template for the same user as it has already issued
- Add a target check to ensure the webserver is responding as expected early in the process
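As an added illustration (not code from this PR or from Metasploit), here is how the All/Automatic/Specific mode selection, the `QUERY_ONLY`/`QUERY_TEMPLATES` sanity check, and the "don't issue the same template twice for the same user" item could be expressed; the function and class names, the option hash layout, and the template names `User`/`Machine` are assumptions.

```ruby
# Added example, not the PR's code: option sanity check, template selection
# for the All/Automatic/Specific modes, and a per-user "already issued"
# tracker. All names below are assumptions made for this illustration.

USER_TEMPLATE    = 'User'     # assumed default user template name
MACHINE_TEMPLATE = 'Machine'  # assumed default machine template name

# Reject the contradictory combination the author mentions: QUERY_ONLY makes
# no sense unless the template list is actually queried (QUERY_TEMPLATES).
def validate_options(opts)
  if opts['QUERY_ONLY'] && !opts['QUERY_TEMPLATES']
    raise ArgumentError, 'QUERY_ONLY requires QUERY_TEMPLATES to be true'
  end
  opts
end

# Decide which template(s) to request for one authenticated identity.
# mode: :all, :automatic or :specific; available: template names returned by
# the query step (nil when QUERY_TEMPLATES is false, i.e. unknown);
# requested: the CERT_TEMPLATE value used by :specific mode.
def select_templates(mode, identity, available, requested = nil)
  wanted =
    case mode
    when :all then Array(available)
    when :automatic
      # Machine accounts end in '$' (e.g. WKSTN01$); anything else is a user.
      account = identity.split('\\').last
      [account.end_with?('$') ? MACHINE_TEMPLATE : USER_TEMPLATE]
    when :specific
      raise ArgumentError, 'CERT_TEMPLATE must be set' if requested.nil?
      [requested]
    else
      raise ArgumentError, "unknown mode #{mode.inspect}"
    end
  # When the template list is known, drop anything not in it instead of
  # silently falling back to issuing every template.
  available ? wanted & available : wanted
end

# Remember (identity, template) pairs so the same certificate template is not
# requested twice for the same account. Returns true the first time only.
class IssuedCertTracker
  def initialize; @seen = {}; end
  def issue?(identity, template)
    key = [identity.downcase, template.downcase]
    return false if @seen[key]
    @seen[key] = true
  end
end
```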
This is an implementation of the AD CS ESC8. It includes a library that uses a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP Client is then passed to the ESC8 module which then requests the creation of certificates and downloads them.
Verification

In one window:

```
msfconsole
use auxiliary/server/capture/esc8_relay
set RHOST <ADCS server>
set verbose true
run
```

In another window:

```
use smb_login
run
set SMBUser <username>
set SMBPass <password>
set SMBDomain <domain>
set RHOST 127.0.0.1
run
```
Verify

To Do

`Certificate Request Granted` message

Example