This adds the initial implementation for MS-ICPR which deals with certificates from Active Directory. There's only one function implemented at this time and that's cert_server_request which allows the caller to request, retrieve and renew certificates. It's up to the caller to properly generate the Certificate Signing Request (CSR).
That's all relatively basic stuff that follows existing DCERPC API patterns. The bulk of the changes in this PR are actually what's necessary to make DCERPC calls over named pipes using RPC_C_AUTHN_LEVEL_PKT_PRIVACY. Until now, this feature was only available to the raw DCERPC client. While making cert_server_request calls, it became apparent that the feature was also needed when invoked over a named pipe, regardless of SMB 3 encryption.
The code was largely moved from the Dcerpc::Client class and into the Dcerpc module which Dcerpc::Client already included. After that, it was necessary to tweak the SMB#::Pipe classes to properly encapsulate and handle DCERPC requests when RPC_C_AUTHN_LEVEL_PKT_PRIVACY is in use.
The auxiliary/gather/windows_secrets_dump module is the best way to test this since it uses both named pipes and the DCERPC client. Running that module should show that the changes don't break compatibility at all. To show that the new functionality is working, it'll be required by a module that will be PRed to Metasploit pretty soon.
Testing
[ ] Run auxiliary/gather/windows_secrets_dump against a DC, see that it works correctly without any errors demonstrating that everything is still working
[ ] See the unit tests all pass
[ ] Test the new functionality with the to-be-released module (will update this then)
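Since the description leaves CSR generation to the caller, here is one way a caller could build a DER-encoded PKCS#10 request and sanity-check it before handing it to cert_server_request. This is an added example, not code from this PR or the library. The helper names, the RSA-only policy thresholds and the sample common name are assumptions.

```ruby
require 'openssl'

MIN_RSA_BITS = 2048          # assumed local policy, not a value from the PR
WEAK_DIGESTS = /md5|sha1/i   # assumed local policy

# Hypothetical helper: build a DER-encoded PKCS#10 request. subject_key defaults
# to the signing key; a different key yields a request that fails proof of possession.
def build_csr_der(common_name, signing_key, subject_key = signing_key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', common_name, OpenSSL::ASN1::UTF8STRING]])
  csr.public_key = subject_key.public_key
  csr.sign(signing_key, OpenSSL::Digest.new('SHA256'))
  csr.to_der
end

# Hypothetical helper: list the problems found in a DER-encoded CSR.
# An empty array means every check passed.
def csr_problems(der)
  csr = OpenSSL::X509::Request.new(der)
  problems = []
  pub = csr.public_key
  # Proof of possession: the request must verify under its own embedded key.
  verified = begin
    csr.verify(pub)
  rescue OpenSSL::X509::RequestError
    false
  end
  problems << 'signature does not match embedded public key' unless verified
  if pub.is_a?(OpenSSL::PKey::RSA) && pub.n.num_bits < MIN_RSA_BITS
    problems << "RSA key shorter than #{MIN_RSA_BITS} bits"
  end
  problems << 'weak signature digest' if csr.signature_algorithm =~ WEAK_DIGESTS
  problems << 'empty subject' if csr.subject.to_a.empty?
  problems
rescue OpenSSL::X509::RequestError
  ['not a parseable PKCS#10 request']
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)                      # constructed sample key
  der = build_csr_der('host.example.test', key)           # constructed sample subject
  puts csr_problems(der).inspect
end
```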