
Improve check_web_enrollment function to identify ESC8 on HTTP/HTTPS #203

Status: Open (wants to merge 1 commit into base: main)

Conversation

@dhn dhn commented Mar 20, 2024

The current check_web_enrollment function checks the CA against ESC8 exclusively on TCP port 80. If the web enrollment endpoint operates on TCP port 443 instead, the find command could overlook this potentially vulnerable endpoint.

[...]
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[+] Trying to resolve 'FOOBAR-CA01.local' at '10.13.37.50'
[*] Trying to get CA configuration for 'FOOBAR-CA' via CSRA
[...]
[+] Resolved 'FOOBAR-CA01.local'' from cache: 10.13.37.50
[+] Connecting to 10.13.37.50:80
[+] Resolved 'FOOBAR-CA01.local'' from cache: 10.13.37.50
[+] Connecting to 10.13.37.50:443
[...]

The patch employs the Python requests module over socket. As requests is already included in the dependencies, there is no additional overhead. Moreover, using this module streamlines the code, particularly with respect to handling TLS.
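As an added example (not the PR's patch and not certipy's own code), the following standalone checker does what the change argues for: it probes the web enrollment path over both HTTP and HTTPS and classifies each response. It uses only the standard library instead of requests, and it reports an HTTPS hit as "verify EPA" rather than "vulnerable", since TLS alone does not rule out relay. The `/certsrv/` path, the 401 plus `WWW-Authenticate` heuristic, and the host name you pass in are assumptions.

```python
import ssl
import urllib.error
import urllib.request

CERTSRV_PATH = "/certsrv/"  # default AD CS web enrollment path (assumed)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Raise 3xx as HTTPError instead of following it, so an HTTP probe that
    bounces to HTTPS is not reported as an HTTP finding."""
    def redirect_request(self, *args, **kwargs):
        return None

def classify_enrollment_response(scheme, status, headers):
    """Classify one probe of the enrollment URL; None means not present.
    Over HTTPS only presence is reported: EPA / channel-binding enforcement
    cannot be read from headers, so an HTTPS hit is 'verify', not 'vulnerable'."""
    if status is None or status == 404:
        return None
    auth = [v for k, v in headers if k.lower() == "www-authenticate"]
    ntlm = any(v.strip().upper().startswith(("NTLM", "NEGOTIATE")) for v in auth)
    finding = {"scheme": scheme, "status": status, "ntlm_offered": ntlm}
    if 300 <= status < 400:
        finding["assessment"] = "redirects; probe the target scheme instead"
    elif scheme == "http" and ntlm:
        finding["assessment"] = "ESC8: NTLM auth over cleartext HTTP"
    elif scheme == "https" and ntlm:
        finding["assessment"] = "NTLM over HTTPS: verify EPA/channel binding"
    else:
        finding["assessment"] = "endpoint present, no NTLM/Negotiate offered"
    return finding

def probe(host, scheme, timeout=5):
    """GET the enrollment URL; return (status, header items) or (None, [])."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # internal CA certificate names rarely match DNS
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(f"{scheme}://{host}{CERTSRV_PATH}", timeout=timeout) as r:
            return r.status, list(r.headers.items())
    except urllib.error.HTTPError as e:  # 401 + WWW-Authenticate lands here
        return e.code, list(e.headers.items())
    except (urllib.error.URLError, OSError):
        return None, []

def check_web_enrollment(host, timeout=5):
    """Probe both HTTP and HTTPS, as the PR proposes, and classify each."""
    return {s: classify_enrollment_response(s, *probe(host, s, timeout))
            for s in ("http", "https")}
```

Run `check_web_enrollment("ca01.example.internal")` against your own CA; an HTTP result tagged ESC8 is the case the original function caught, and an HTTPS result is the one it missed and still needs an EPA check such as the PingCastle rule mentioned later in the thread.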

@dhn dhn changed the title Improve check_web_enrollment function to identify ESC08 on HTTP/HTTPS Improve check_web_enrollment function to identify ESC8 on HTTP/HTTPS Mar 20, 2024
enj5oy commented Apr 22, 2024

@dhn If Web Enrollment is present on port 443, it indicates that HTTPS is being used. Therefore, attempting to relay from HTTPS to LDAP would be unsuccessful, correct?

JacobEbben commented May 18, 2024

@enj5oy HTTPS alone does not prevent a relay to web enrollment. It is Extended Protection for Authentication (EPA) that prevents NTLM relaying by binding the NTLM authentication to a TLS channel. EPA requires the use of HTTPS. I am not aware of current tooling that supports an NTLM relay to an HTTPS web enrollment instance though.

emanuelduss commented Dec 4, 2024

JFYI, you can use the following PingCastle rules to test:

  • Vulnerable HTTP endpoint: A-CertEnrollHttp
  • Vulnerable HTTPS endpoint: A-CertEnrollChannelBinding

certify does check for the HTTP endpoint and whether the HTTPS endpoint is present (but not whether it's vulnerable, so producing false positives).

You can relay to your attacker IP address using certipy and then relay HTTP to HTTPS using socat:

sudo socat TCP-LISTEN:80,fork,reuseaddr ssl:adcs.example.com:443,verify=0
