Open dhn opened 6 months ago
@dhn If Web Enrollment is present on port 443, it indicates that HTTPS is being used. Therefore, attempting to relay from HTTPS to LDAP would be unsuccessful, correct?
@enj5oy HTTPS alone does not prevent a relay to web enrollment. It is Extended Protection for Authentication (EPA) that prevents NTLM relaying by binding the NTLM authentication to a TLS channel. EPA requires the use of HTTPS. I am not aware of current tooling that supports an NTLM relay to an HTTPS web enrollment instance though.
The current `check_web_enrollment` function checks the CA against ESC8 exclusively on TCP port 80. If the web enrollment endpoint operates on TCP port 443 instead, the `find` command could overlook this potentially vulnerable endpoint.

The patch employs the Python `requests` module over `socket`. As `requests` is already included in the dependencies, there is no additional overhead. Moreover, using this module streamlines the code, particularly with respect to handling TLS.
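An added audit helper illustrating the two-scheme check the description proposes; it is example code, not Certipy's `check_web_enrollment` or the patch itself. It assumes the conventional `/certsrv/` web enrollment path, and takes an optional session object so it can be exercised offline; a real run uses `requests.Session()`.

```python
"""Audit helper: is AD CS web enrollment exposed over HTTP and/or HTTPS on a CA,
and does the endpoint offer NTLM (the precondition the ESC8 check looks for)?"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class EnrollmentProbe:
    url: str
    reachable: bool
    ntlm_offered: bool
    status: Optional[int] = None


def interpret_response(url: str, status: int, headers) -> EnrollmentProbe:
    """Pure decision logic, kept separate so it can be unit-tested without a network.
    A 401 whose WWW-Authenticate offers NTLM (or Negotiate, which can fall back to
    NTLM) marks the endpoint as one the ESC8 check should report."""
    auth = headers.get("WWW-Authenticate", "") or ""
    # requests folds repeated WWW-Authenticate headers into one comma-separated value
    schemes = {part.strip().split(" ")[0].lower() for part in auth.split(",") if part.strip()}
    ntlm = status == 401 and bool(schemes & {"ntlm", "negotiate"})
    return EnrollmentProbe(url=url, reachable=True, ntlm_offered=ntlm, status=status)


def check_web_enrollment(host: str, session=None, timeout: float = 5.0, verify=True):
    """Probe /certsrv/ (assumed conventional path) over both port 80 and port 443.
    `session` only needs a requests-style .get(); None means a real requests.Session.
    `verify` may be a CA bundle path when the CA uses an internally issued TLS cert.
    Note: a 401 over HTTPS does not reveal whether EPA is enforced, so an HTTPS hit
    means 'exposed unless EPA is configured', not a confirmed relay condition."""
    if session is None:
        import requests  # already a dependency in the project the PR targets
        session = requests.Session()
        session.verify = verify
    results = []
    for scheme in ("http", "https"):
        url = f"{scheme}://{host}/certsrv/"
        try:
            resp = session.get(url, timeout=timeout, allow_redirects=False)
        except Exception:  # refused, timeout, TLS handshake failure: not reachable
            results.append(EnrollmentProbe(url=url, reachable=False, ntlm_offered=False))
            continue
        results.append(interpret_response(url, resp.status_code, resp.headers))
    return results
```

In a report, an HTTP probe with `ntlm_offered=True` is the finding the port-80-only check already produced; the HTTPS probe is the case the original code missed.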