module
Exploits AD CS Template misconfigurations which involve updating an LDAP object: ESC9, ESC10, and ESC16
| Disclosed |
|---|
| N/A |
Description
This module exploits Active Directory Certificate Services (AD CS) template misconfigurations, specifically
ESC9, ESC10, and ESC16, by updating an LDAP object and requesting a certificate on behalf of a target user.
The module leverages the auxiliary/admin/ldap/ldap_object_attribute module to update the LDAP object and the
admin/ldap/shadow_credentials module to add shadow credentials for the target user if the target password is
not provided. It then uses the admin/kerberos/get_ticket module to retrieve the NTLM hash of the target user
and requests a certificate via MS-ICPR. The resulting certificate can be used for various operations, such as
authentication.
The module ensures that any changes made by the ldap_object_attribute or shadow_credentials module are
reverted after execution to maintain system integrity.
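A defender-side check for the change-then-revert behaviour described above, as an added example that is not part of the module or the original page: it flags values written to an LDAP attribute and removed again by the same account within a short window, using simplified directory-change (Event ID 5136) records. The watched attribute names, the record field names, and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed attributes (the page does not name them): the UPN mapping field and
# the attribute that stores shadow credentials.
WATCHED = {"userPrincipalName", "msDS-KeyCredentialLink"}

def ev(ts, subject, dn, attr, op, value):
    """Build one simplified 5136 record; op is 'add' (Value Added) or 'del'."""
    return {"time": datetime.fromisoformat(ts), "subject": subject, "dn": dn,
            "attr": attr, "op": op, "value": value}

JDOE = "CN=jdoe,OU=Staff,DC=example,DC=test"
ASMITH = "CN=asmith,OU=Staff,DC=example,DC=test"
# Constructed sample events; every account, DN and value here is made up.
SAMPLE_EVENTS = [
    ev("2025-01-10T08:00:00", "svc-whfb", ASMITH, "msDS-KeyCredentialLink", "add", "KEY-1"),
    ev("2025-01-10T09:00:00", "admin1", ASMITH, "userPrincipalName", "del", "asmith@example.test"),
    ev("2025-01-10T09:00:00", "admin1", ASMITH, "userPrincipalName", "add", "a.smith@example.test"),
    ev("2025-01-10T10:00:00", "svc-helpdesk", JDOE, "userPrincipalName", "del", "jdoe@example.test"),
    ev("2025-01-10T10:00:00", "svc-helpdesk", JDOE, "userPrincipalName", "add", "other.user"),
    ev("2025-01-10T10:00:01", "svc-helpdesk", JDOE, "msDS-KeyCredentialLink", "add", "KEY-2"),
    ev("2025-01-10T10:00:20", "svc-helpdesk", JDOE, "msDS-KeyCredentialLink", "del", "KEY-2"),
    ev("2025-01-10T10:01:30", "svc-helpdesk", JDOE, "userPrincipalName", "del", "other.user"),
    ev("2025-01-10T10:01:30", "svc-helpdesk", JDOE, "userPrincipalName", "add", "jdoe@example.test"),
    ev("2025-01-10T12:00:00", "svc-whfb", ASMITH, "msDS-KeyCredentialLink", "del", "KEY-1"),
]

def transient_writes(events, window=timedelta(minutes=10)):
    """Return values added to a watched attribute and deleted again by the
    same subject within `window` (the change-then-revert pattern)."""
    pending, hits = {}, []  # pending: (subject, dn, attr, value) -> add time
    for e in sorted(events, key=lambda x: x["time"]):
        if e["attr"] not in WATCHED:
            continue
        key = (e["subject"], e["dn"], e["attr"], e["value"])
        if e["op"] == "add":
            pending[key] = e["time"]
        elif key in pending:
            lifetime = e["time"] - pending.pop(key)
            if lifetime <= window:
                hits.append({"subject": e["subject"], "dn": e["dn"],
                             "attr": e["attr"], "lifetime": lifetime})
    return hits

if __name__ == "__main__":
    for hit in transient_writes(SAMPLE_EVENTS):
        print(hit)
```

Permanent changes (the `asmith` rename) and long-lived keys (`KEY-1`) are not flagged; only values that appear and disappear inside the window are.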