rapid7 / ruby_smb

A native Ruby implementation of the SMB Protocol Family

Add Initial MS-ICPR definitions #236

Closed zeroSteiner closed 1 year ago

zeroSteiner commented 1 year ago

This adds the initial implementation for MS-ICPR, which deals with certificates from Active Directory. There's only one function implemented at this time, and that's cert_server_request, which allows the caller to request, retrieve and renew certificates. It's up to the caller to properly generate the Certificate Signing Request (CSR).

That's all relatively basic stuff that follows existing DCERPC API patterns. The bulk of the changes in this PR are actually what's necessary to make DCERPC calls over named pipes using RPC_C_AUTHN_LEVEL_PKT_PRIVACY. Until now, this feature was only available to the raw DCERPC client. While making cert_server_request calls, it became apparent that the feature was also needed when invoked over a named pipe, regardless of SMB 3 encryption.

The code was largely moved from the Dcerpc::Client class and into the Dcerpc module which Dcerpc::Client already included. After that, it was necessary to tweak the SMB#::Pipe classes to properly encapsulate and handle dcerpc requests when RPC_C_AUTHN_LEVEL_PKT_PRIVACY is in use.

The auxiliary/gather/windows_secrets_dump module is the best way to test this since it uses both named pipes and the DCERPC client. Running that module should show that the changes don't break compatibility at all. To show that the new functionality is working, it'll be required by a module that will be PRed to Metasploit pretty soon.

Testing
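The PR description leaves generating the CSR to the caller. The following is an added example in Ruby, not code from ruby_smb or from this PR: it builds a PKCS#10 request in DER form with a freshly generated RSA key and checks a DER request for self-consistency before it is handed to the certificate service. It assumes the DER blob is what the caller passes as the request; the subject CN is a constructed value.

```ruby
require 'openssl'

# Build a PKCS#10 CSR (DER) for the given subject, signed with a fresh RSA key.
# Returns [der_bytes, key]; the caller must keep the key to use the issued cert.
# The CN passed in is a constructed value, not a real host.
def build_csr(subject_cn, key_bits: 2048)
  key = OpenSSL::PKey::RSA.new(key_bits)
  req = OpenSSL::X509::Request.new
  req.version = 0                                        # PKCS#10 v1
  req.subject = OpenSSL::X509::Name.new([['CN', subject_cn]])
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))           # self-signed proof of possession
  [req.to_der, key]
end

# Sanity-check a DER CSR before sending it: it must parse, its self-signature
# must verify under the embedded public key, and it must carry a non-empty CN.
# Returns the subject CN on success, nil on any failure (including tampering).
def check_csr(der)
  req = OpenSSL::X509::Request.new(der)
  return nil unless req.verify(req.public_key)
  cn = req.subject.to_a.find { |name, _, _| name == 'CN' }&.at(1)
  cn.nil? || cn.empty? ? nil : cn
rescue OpenSSL::X509::RequestError, OpenSSL::PKey::PKeyError
  nil
end
```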

cdelafuente-r7 commented 1 year ago

Thanks @zeroSteiner! Everything looks good now. I'll go ahead and land it.