TrimarcJake / Locksmith

A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
https://github.com/TrimarcJake/Locksmith

ESC8 vulnerability is not detected #153

Closed mashdk closed 1 month ago

mashdk commented 4 months ago

Running Locksmith against a PKI that is vulnerable to ESC8 (Web Enrollment installed, Extended Protection not enabled, NTLM enabled) does not raise an ESC8 issue. Running PSPKIAudit against the same PKI does raise an ESC8 issue.

techspence commented 3 months ago

Because I'm a git noob and I'd end up screwing things up with a PR, I'll submit a POC here. Can you guys find a reason why this wouldn't be a valid way of detecting if the non-SSL versions of these endpoints are up?

$CADNSName = '<cadnsname>'   # DNS name of the CA / web enrollment host
$CAName = '<caname>'         # CA common name, used in the CES virtual directory names

# Suppress the non-terminating errors Invoke-WebRequest raises for 401/404 so the
# loop keeps going; $? is then $false and $Error[0] holds the HTTP status text.
$OriginalErrorAction = $ErrorActionPreference
$ErrorActionPreference = 'SilentlyContinue'

# "foobar" is a control path that should always return 404 on a healthy server.
foreach ($directory in @("foobar","certsrv/", "$($CAName)_CES_Kerberos/service.svc", "$($CAName)_CES_Kerberos/service.svc/CES", "ADPolicyProvider_CEP_Kerberos/service.svc", "certsrv/mscep/")) {
    $URL = "http://$CADNSName/$directory"
    $Request = Invoke-WebRequest -URI $URL -UseBasicParsing -UseDefaultCredentials
    if( -not $? )
    {
        $msg = $Error[0].Exception.Message
        if ($msg -match "401"){
            # The endpoint exists but rejected our credentials: it is reachable over plain HTTP.
            Write-Host "401 NOT AUTHORIZED BUT AVAILABLE: $URL"
        } elseif ($msg -match "404"){
            Write-Host "404 NOT FOUND: $URL"
        }
    } elseif ($Request.StatusCode -eq 200){
        Write-Host "200 AVAILABLE AND AUTHORIZED: $URL"
    }
}
$ErrorActionPreference = $OriginalErrorAction

Example output: (screenshot not reproduced)

TrimarcJake commented 3 months ago

Updated to:

$CADNSName = '<cadnsname>'   # DNS name of the CA / web enrollment host
$CAName = '<caname>'         # CA common name, used in the CES virtual directory names

# Suppress the non-terminating errors Invoke-WebRequest raises for 401/403/404 so the
# loop keeps going; $? is then $false and $Error[0] holds the HTTP status text.
$OriginalErrorAction = $ErrorActionPreference
$ErrorActionPreference = 'SilentlyContinue'

# "foobar" is a control path that should always return 404 on a healthy server.
foreach ($directory in @("foobar","certsrv/", "$($CAName)_CES_Kerberos/service.svc", "$($CAName)_CES_Kerberos/service.svc/CES", "ADPolicyProvider_CEP_Kerberos/service.svc", "certsrv/mscep/")) {
    $URL = "http://$CADNSName/$directory"
    $Request = Invoke-WebRequest -URI $URL -UseBasicParsing -UseDefaultCredentials
    if( -not $? )
    {
        $msg = $Error[0].Exception.Message
        if ($msg -match "401"){
            # The endpoint exists but rejected our credentials: it is reachable over plain HTTP.
            Write-Host "401 NOT AUTHORIZED BUT AVAILABLE: $URL"
        } elseif ($msg -match "404"){
            Write-Host "404 NOT FOUND: $URL"
        } elseif ($msg -match '403') {
            # IIS 403.4 "SSL required": the endpoint exists but HTTP is already blocked.
            Write-Host "403.4 HTTPS REQUIRED: $URL"
        }
    } elseif ($Request.StatusCode -eq 200){
        Write-Host "200 AVAILABLE AND AUTHORIZED: $URL"
    }
}
$ErrorActionPreference = $OriginalErrorAction

Example output: (screenshot not reproduced)

TrimarcJake commented 3 months ago

The new version iterates through all endpoints over HTTP, then HTTPS + NTLM, then HTTPS + Negotiate, and outputs the following:

Technique            : ESC8
Name                 : BrainstormCA
DistinguishedName    : CN=BrainstormCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=BlueTuxedo,DC=DanglingSPNs,DC=lol
CAEnrollmentEndpoint : http://BTDC01.BlueTuxedo.DanglingSPNs.lol/certsrv/
AuthType             : NTLM
Issue                : An HTTP enrollment endpoint is available.
Fix                  : Disable HTTP access and enforce HTTPS.
                       Enable EPA.
                       Disable NTLM authentication (if possible.)

Technique            : ESC8
Name                 : BrainstormCA
DistinguishedName    : CN=BrainstormCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=BlueTuxedo,DC=DanglingSPNs,DC=lol
CAEnrollmentEndpoint : https://BTDC01.BlueTuxedo.DanglingSPNs.lol/BrainstormCA_CES_Kerberos/service.svc
AuthType             : Negotiate
Issue                : An HTTPS enrollment endpoint is available.
Fix                  : Ensure EPA is enabled.
                       Disable NTLM authentication (if possible.)

Technique            : ESC8
Name                 : BrainstormCA
DistinguishedName    : CN=BrainstormCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=BlueTuxedo,DC=DanglingSPNs,DC=lol
CAEnrollmentEndpoint : https://BTDC01.BlueTuxedo.DanglingSPNs.lol/ADPolicyProvider_CEP_Kerberos/service.svc
AuthType             : Negotiate
Issue                : An HTTPS enrollment endpoint is available.
Fix                  : Ensure EPA is enabled.
                       Disable NTLM authentication (if possible.)

Technique            : ESC8
Name                 : BrainstormCA
DistinguishedName    : CN=BrainstormCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=BlueTuxedo,DC=DanglingSPNs,DC=lol
CAEnrollmentEndpoint : http://BTDC01.BlueTuxedo.DanglingSPNs.lol/certsrv/mscep/
AuthType             : NTLM
Issue                : An HTTP enrollment endpoint is available.
Fix                  : Disable HTTP access and enforce HTTPS.
                       Enable EPA.
                       Disable NTLM authentication (if possible.)
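
A version-agnostic probe in the spirit of the POC above, written here as an added example (not Locksmith's own code): instead of authenticating with -UseDefaultCredentials, it sends unauthenticated requests over HTTP and HTTPS and reads the WWW-Authenticate headers of the 401 challenge, so each record states whether NTLM is offered on that endpoint. $CADNSName and $CAName are placeholders, and since EPA cannot be observed from the client side the Fix text still recommends it.

```powershell
function Test-CAEnrollmentEndpoint {
    param(
        [Parameter(Mandatory)][string]$CADNSName,  # CA host (placeholder, e.g. ca01.corp.example)
        [Parameter(Mandatory)][string]$CAName      # CA common name (placeholder)
    )
    # Enrollment paths from the thread; 'foobar' is a control path that must 404.
    $Paths = @('foobar', 'certsrv/', "$($CAName)_CES_Kerberos/service.svc", "$($CAName)_CES_Kerberos/service.svc/CES",
               'ADPolicyProvider_CEP_Kerberos/service.svc', 'certsrv/mscep/')
    foreach ($Scheme in 'http', 'https') {
        foreach ($Path in $Paths) {
            $Url = "$($Scheme)://$CADNSName/$Path"
            try {
                # HttpWebRequest works alike in PowerShell 5.1 and 7; unauthenticated, so the 401 challenge lists accepted schemes.
                $Req = [System.Net.HttpWebRequest]::Create($Url)
                $Req.Timeout = 5000
                $Resp = $Req.GetResponse()
            } catch [System.Net.WebException] {
                $Resp = $_.Exception.Response   # $null when DNS, TCP or TLS failed outright
            }
            if (-not $Resp) { continue }
            $Status = [int]$Resp.StatusCode
            $AuthTypes = @()
            if ($Status -eq 401) {
                # IIS sends one WWW-Authenticate header per accepted scheme (e.g. Negotiate, NTLM).
                $AuthTypes = @($Resp.Headers.GetValues('WWW-Authenticate') |
                    ForEach-Object { ($_ -split ' ')[0] } | Sort-Object -Unique)
            }
            $Resp.Close()
            # 404: not installed. 403 over HTTP: read as IIS 403.4 "SSL required", as the thread does.
            if ($Status -eq 404 -or ($Scheme -eq 'http' -and $Status -eq 403)) { continue }
            if ($Scheme -eq 'http') {
                $Issue = 'An HTTP enrollment endpoint is available.'
                $Fix   = 'Disable HTTP access and enforce HTTPS. Enable EPA. Disable NTLM authentication (if possible).'
            } else {
                $Issue = 'An HTTPS enrollment endpoint is available.'
                $Fix   = 'Ensure EPA is enabled. Disable NTLM authentication (if possible).'
            }
            [pscustomobject]@{
                Technique            = 'ESC8'
                Name                 = $CAName
                CAEnrollmentEndpoint = $Url
                StatusCode           = $Status
                AuthType             = ($AuthTypes -join ', ')  # empty when anonymous access (200) was allowed
                NtlmOffered          = [bool]($AuthTypes -contains 'NTLM')
                Issue                = $Issue
                Fix                  = $Fix
            }
        }
    }
}
```

Run it as `Test-CAEnrollmentEndpoint -CADNSName 'ca01.corp.example' -CAName 'CorpCA' | Format-List`; an HTTPS endpoint whose certificate the client does not trust shows up as skipped, so trust the CA's TLS certificate first or the HTTPS pass will be empty.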

TrimarcJake commented 3 months ago

https://github.com/TrimarcJake/Locksmith/tree/fix-esc8-false-negatives

TrimarcJake commented 2 months ago

Hey @mashdk! I just added PS7 support to ESC8 detections. Can you test? https://github.com/TrimarcJake/Locksmith/tree/add-ps7-support-to-esc8-detections

TrimarcJake commented 1 month ago

Resolved in 2024.10.