LDAP ESC Finder Module Fails with Normal User

[gwillcox-r7]

Steps to reproduce

msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options

Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   BASE_DN                                no        LDAP base DN if you already have it
   BIND_DN                                no        The username to authenticate to LDAP server
   BIND_PW                                no        Password for the BIND_DN
   REPORT_NONENROLLABLE  false            yes       Report nonenrollable certificate templates
   RHOSTS                                 yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metas
                                                    ploit
   RPORT                 389              yes       The target port
   SSL                   false            no        Enable SSL on the LDAP connection


View the full module info with the info, or info -d command.

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOSTS 172.19.103.226
RHOSTS => 172.19.103.226
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_PW DAFOREST\\normal
BIND_PW => DAFOREST\normal
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_DN DAFOREST\\normal
BIND_DN => DAFOREST\normal
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_PW thenormaluser123
BIND_PW => thenormaluser123
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
[*] Running module against 172.19.103.226

[*] Discovering base DN automatically
[+] 172.19.103.226:389 Discovered base DN: DC=daforest,DC=com
[-] Auxiliary failed: NoMethodError undefined method `read' for nil:NilClass
[-] Call stack:
[-]   /home/gwillcox/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/bindata-2.4.14/lib/bindata/io.rb:162:in `read_raw'
[-]   /home/gwillcox/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/bindata-2.4.14/lib/bindata/io.rb:314:in `read'
[-]   /home/gwillcox/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/bindata-2.4.14/lib/bindata/io.rb:278:in `readbytes'
[-]   (eval):23:in `read_and_return_value'
[-]   /home/gwillcox/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/bindata-2.4.14/lib/bindata/base_primitive.rb:129:in `do_read'
[-]   /home/gwillcox/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/bindata-2.4.14/lib/bindata/struct.rb:140:in `block in do_read'
[-]   /home/gwillcox/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/bindata-2.4.14/lib/bindata/struct.rb:140:in `each'
[-]   /home/gwillcox/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/bindata-2.4.14/lib/bindata/struct.rb:140:in `do_read'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/proto/ms_dtyp.rb:283:in `do_read'
[-]   /home/gwillcox/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/bindata-2.4.14/lib/bindata/base.rb:147:in `block in read'
[-]   /home/gwillcox/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/bindata-2.4.14/lib/bindata/base.rb:253:in `start_read'
[-]   /home/gwillcox/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/bindata-2.4.14/lib/bindata/base.rb:145:in `read'
[-]   /home/gwillcox/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/bindata-2.4.14/lib/bindata/base.rb:21:in `read'
[-]   /home/gwillcox/git/metasploit-framework/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb:157:in `block in query_ldap_server_certificates'
[-]   /home/gwillcox/git/metasploit-framework/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb:153:in `each'
[-]   /home/gwillcox/git/metasploit-framework/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb:153:in `query_ldap_server_certificates'
[-]   /home/gwillcox/git/metasploit-framework/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb:219:in `find_esc1_vuln_cert_templates'
[-]   /home/gwillcox/git/metasploit-framework/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb:352:in `run'
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_PW fakewrongpassword
BIND_PW => fakewrongpassword
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
[*] Running module against 172.19.103.226

[-] Auxiliary aborted due to failure: no-access: Invalid credentials provided!
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > 

Now we if we try this with a domain administrator user and valid password the module works correctly:

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_DN DAFOREST\\Administrator
BIND_DN => DAFOREST\Administrator
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_PW theAdmin123
BIND_PW => theAdmin123
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options

Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):

   Name                  Current Setting         Required  Description
   ----                  ---------------         --------  -----------
   BASE_DN                                       no        LDAP base DN if you already have it
   BIND_DN               DAFOREST\Administrator  no        The username to authenticate to LDAP server
   BIND_PW               theAdmin123             no        Password for the BIND_DN
   REPORT_NONENROLLABLE  false                   yes       Report nonenrollable certificate templates
   RHOSTS                172.19.103.226          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usin
                                                           g-Metasploit
   RPORT                 389                     yes       The target port
   SSL                   false                   no        Enable SSL on the LDAP connection


View the full module info with the info, or info -d command.

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
[*] Running module against 172.19.103.226

[*] Discovering base DN automatically
[+] 172.19.103.226:389 Discovered base DN: DC=daforest,DC=com
[*] Template: SubCA
[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BR0CCBA815B-CA
[*]          Server: WIN-BR0CCBA815B.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: ESC1-Template
[*]    Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC1
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BR0CCBA815B-CA
[*]          Server: WIN-BR0CCBA815B.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: ESC2-Template
[*]    Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BR0CCBA815B-CA
[*]          Server: WIN-BR0CCBA815B.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: ESC3-Template1
[*]    Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_1
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BR0CCBA815B-CA
[*]          Server: WIN-BR0CCBA815B.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: User
[*]    Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BR0CCBA815B-CA
[*]          Server: WIN-BR0CCBA815B.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: Administrator
[*]    Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BR0CCBA815B-CA
[*]          Server: WIN-BR0CCBA815B.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: Machine
[*]    Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BR0CCBA815B-CA
[*]          Server: WIN-BR0CCBA815B.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: DomainController
[*]    Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3290009963-1772292745-3260174523-498 (Enterprise Read-only Domain Controllers)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-516 (Domain Controllers)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*]       * S-1-5-9 (Enterprise Domain Controllers)
[*]    Issuing CAs:
[*]       * daforest-WIN-BR0CCBA815B-CA
[*]          Server: WIN-BR0CCBA815B.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: ESC3-Template2
[*]    Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BR0CCBA815B-CA
[*]          Server: WIN-BR0CCBA815B.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > 

Were you following a specific guide/tutorial or reading documentation?

Found whilst writing documentation to explain the workflow of attacking ADCS using this module, ipcr certificate module, and the Kerberos PKINIT authentication.

Expected behavior

We should be able to use a normal domain user to gather information about vulnerable ESC certificates on a domain controller.

Current behavior

We get a weird error and crash from the module. I'm unaware of if this is related to a logon issue, but it seems at the very least that we should be handling such cases better cause atm the crash doesn't inform the user as to what is going wrong.

Metasploit version

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > version
Framework: 6.2.29-dev-07a91df7a1
Console  : 6.2.29-dev-07a91df7a1
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > 

Additional Information

I know the user in this case had some issues when I tried to log in via Hyper-V. This may be related to additional protections on a domain controller but I think I was able to get the login to work in the past. Not sure if Server 2022 has some additional protections preventing this from working but will have to see.

[gwillcox-r7]

Traced this down to a nil error. In my own code. And yet I complain about nil errors all the time. The irony is thick today 😄

Anyway it seems its occuring cause of this code:

begin
   security_descriptor = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(entry[:ntsecuritydescriptor][0])
rescue IOError => e
   fail_with(Failure::UnexpectedReply, "Unable to read security descriptor! Error was: #{e.message}")
end

Unfortunately we grab entry[:ntsecuritydescriptor] here without checking if that is empty. Then we grab element 0 of that which will be nil since there are no elements in the empty array. So we end up trying to read from a nil object. The fact that this isn't caught earlier in the library validation is surprising but at least we know what this is caused by now 👍

[gwillcox-r7]

In line 426 of lib/ruby/gems/3.0.0/gems/net-ldap-0.17.1/lib/net/ldap/connection.rb changed to controls = args.fetch(:controls, []) for testing purposes.

Also updated the ldap_esc_vulnerable_cert_finder.rb module to use this code update. Feel free to drop the scope update but was trying to align it to the PCAP.

      control_value = [7].map(&:to_ber).to_ber_sequence.to_s.to_ber

      controls = ['1.2.840.113556.1.4.801'.to_ber, true.to_ber, control_value].to_ber_sequence
      returned_entries = ldap.search(base: full_base_dn, filter: filter, attributes: attributes, controls: controls, scope: Net::LDAP::SearchScope_BaseObject)
      query_result = ldap.as_json['result']['ldap_result']

For comparisons sake I'm using the PR from https://bugzilla.samba.org/show_bug.cgi?id=6401#c1 aka https://bugzilla.samba.org/attachment.cgi?id=4198 which seems to show how the 1.2.840.113556.1.4.801 aka LDAP_SERVER_SD_FLAGS_OID control should be set on a searchRequest message.

Unfortunately whilst this works in their capture in Wireshark I'm seeing this message for my host: 00000057: LdapErr: DSID-0C0C0DBC, comment: The server was unable to decode the controls on a previous request, data 0, v4f7c

I've tried comparing the two packet captures and whilst I can see some minor differences such as with the scope and sizeLimit fields, I'm unaware of why this would make a difference.

There is also some size differences but that is best explained by https://docs.oracle.com/cd/E19476-01/821-0510/def-basic-encoding-rules.html which notes that you can specify the size of a string or object if it less than 127 bytes in one byte, or if you need more you append 0x80 ANDed with however many bytes you need to represent the string, followed by the bytes to represent the size. So \x81\xC9 would be a one byte size representation containing the value 0xC9. And \x82\x01\xF9 would be something indicating the following object is of size 0x1F9.

[gwillcox-r7]

Wooops forgot to mention for testing I also updated this code:

  def query_ldap_server_certificates(esc_raw_filter, esc_name)
    attributes = ['nTSecurityDescriptor']
    base_prefix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
    esc_entries = query_ldap_server("(objectClass=*)", attributes, base_prefix: base_prefix)

[gwillcox-r7]

CC: @smcintyre-r7 as per our earlier discussion on Slack r.e looking into this further.

[gwillcox-r7]

Following is also dump of some personal notes I made on this for reference in case they help later on and to provide some context on what I've looked into so far:

The Ruby implementation in Net::LDAP appears to be doing a similar operation. Logically speaking the code looks similar but I'm going off of https://twitter.com/tifkin_/status/1372628611677753344/photo/1, https://git.openldap.org/openldap/openldap/-/blob/master/clients/tools/ldapsearch.c#L159, https://git.openldap.org/openldap/openldap/-/blob/master/include/ldap.h#L252, and the code at https://github.com/ruby-ldap/ruby-net-ldap/blob/08a89627409e9612c93a7280274b552ddd981abb/lib/net/ldap/connection.rb#L296-L311 and https://github.com/ruby-ldap/ruby-net-ldap/blob/08a89627409e9612c93a7280274b552ddd981abb/lib/net/ldap.rb#L444-L449.

Looking into this deeper we see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3888c2b7-35b9-45b7-afeb-b772aa932dd0 and https://ldapwiki.com/wiki/LDAP_SERVER_SD_FLAGS_OID specifies that LDAP_SERVER_SD_FLAGS_OID aka 1.2.840.113556.1.4.801 is a SupportedControl for Microsoft Active Directory that is used with an LDAP SearchRequest to control which portion of the Windows Security descriptor to retrieve.

We also see that when sending this control to the DC the controlValue field must be set to the BER encoding of the ASN.1 structure below:

SDFlagsRequestValue ::= SEQUENCE {
     Flags    INTEGER
}

We can also see from the RFC 2251 that we have the following structure for a control, which is a way to specify extension information.

Controls ::= SEQUENCE OF Control

        Control ::= SEQUENCE {
                controlType             LDAPOID,
                criticality             BOOLEAN DEFAULT FALSE,
                controlValue            OCTET STRING OPTIONAL }

Got PCAP of proper request off of https://bugzilla.samba.org/show_bug.cgi?id=6401#c1 at https://bugzilla.samba.org/attachment.cgi?id=4198 which shows the proper control settings. Noticeably we are setting the control correctly now but for some reason our attributes are not being sent.

[gwillcox-r7]

Fix for this now found. For the adjustment, we need to do the following edit to net-ldap's lib/net/ldap/connection.rb. This affects the code at https://github.com/ruby-ldap/ruby-net-ldap/blob/08a89627409e9612c93a7280274b552ddd981abb/lib/net/ldap/connection.rb#LL424-L437C78

We will change it to this:

        # rfc2696_cookie sometimes contains binary data from Microsoft Active Directory
        # this breaks when calling to_ber. (Can't force binary data to UTF-8)
        # we have to disable paging (even though server supports it) to get around this...

        controls_temp = args.fetch(:controls, [])
        controls = []
        controls <<
          [
            Net::LDAP::LDAPControls::PAGED_RESULTS.to_ber,
            # Criticality MUST be false to interoperate with normal LDAPs.
            false.to_ber,
            rfc2696_cookie.map(&:to_ber).to_ber_sequence.to_s.to_ber,
          ].to_ber_sequence if paged
        controls << ber_sort if ber_sort
        if controls.empty?
          controls = nil
        else
          controls << controls_temp unless controls_temp.blank?
          controls = controls.to_ber_contextspecific(0)
        end

I'll put a PR up to change the module code in a sec and link it here.