module
Exploits AD CS Template misconfigurations which involve updating an LDAP object: ESC9, ESC10, and ESC16
| Disclosed | Created |
|---|---|
| N/A | Jul 31, 2025 |
Disclosed
N/A
Created
Jul 31, 2025
Description
This module exploits Active Directory Certificate Services (AD CS) template misconfigurations, specifically
ESC9, ESC10, and ESC16, by updating an LDAP object and requesting a certificate on behalf of a target user.
The module leverages the auxiliary/admin/ldap/ldap_object_attribute module to update the LDAP object and the
admin/ldap/shadow_credentials module to add shadow credentials for the target user if the target password is
not provided. It then uses the admin/kerberos/get_ticket module to retrieve the NTLM hash of the target user
and requests a certificate via MS-ICPR. The resulting certificate can be used for various operations, such as
authentication.
The module ensures that any changes made by the ldap_object_attribute or shadow_credentials module are
reverted after execution to maintain system integrity.
ESC9, ESC10, and ESC16, by updating an LDAP object and requesting a certificate on behalf of a target user.
The module leverages the auxiliary/admin/ldap/ldap_object_attribute module to update the LDAP object and the
admin/ldap/shadow_credentials module to add shadow credentials for the target user if the target password is
not provided. It then uses the admin/kerberos/get_ticket module to retrieve the NTLM hash of the target user
and requests a certificate via MS-ICPR. The resulting certificate can be used for various operations, such as
authentication.
The module ensures that any changes made by the ldap_object_attribute or shadow_credentials module are
reverted after execution to maintain system integrity.
Authors
Will Schroeder
Lee Christensen
Oliver Lyak
Spencer McIntyre
jheysel-r7
Lee Christensen
Oliver Lyak
Spencer McIntyre
jheysel-r7
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.