Report CA and ADCS Template along with Pkcs12 in the database #19736

Draft: wants to merge 3 commits into master

Conversation

cdelafuente-r7 (Contributor)

This adds support for the new Pkcs12 data format added in rapid7/metasploit-credential#183. Now, the CA and ADCS template can be added to the Pkcs12 as metadata in the database.

This PR needs the metasploit-credential counterpart to be landed first. I have updated the Gemfile to point to the feature branch to be able to test it. This will need to be reverted before landing.

Verification

Testing auxiliary/admin/dcerpc/icpr_cert

Follow the instructions here to set up an AD CS server for testing purposes.

  • Start msfconsole
  • use auxiliary/admin/dcerpc/icpr_cert
  • run verbose=true CA=<CA name> RHOSTS=<remote host> username=<username> password=<user password> CERT_TEMPLATE=User
  • Verify creds returns the generated Pkcs12
  • Check with irb in msfconsole the Pkcs12 model has the expected data format "msf_pkcs12:<base64 Pkcs12>:<CA>:<ADCS Template>"
msf6 auxiliary(admin/dcerpc/icpr_cert) > run verbose=true CA=myca-CA RHOSTS=10.100.54.12 username=muser password=vagrant CERT_TEMPLATE=User
[*] Running module against 10.100.54.12
[*] 10.100.54.12:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 10.100.54.12:445 - Binding to \cert...
[+] 10.100.54.12:445 - Bound to \cert
[*] 10.100.54.12:445 - Requesting a certificate for user muser - digest algorithm: SHA256 - template: User
[+] 10.100.54.12:445 - The requested certificate was issued.
[*] 10.100.54.12:445 - Certificate UPN: [email protected]
[*] 10.100.54.12:445 - Certificate stored at: /home/n00tmeg/.msf4/loot/20241216151952_default_10.100.54.12_windows.ad.cs_020208.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) > creds
Credentials
===========

host          origin        service        public              private                                                                                   realm  private_type  JtR Format  cracked_password
----          ------        -------        ------              -------                                                                                   -----  ------------  ----------  ----------------
10.100.54.12  10.100.54.12  445/tcp (smb)  [email protected]  subject:/DC=local/DC=pro/DC=ad/OU=UK/OU=Support/CN=muser,issuer:/DC=local/DC (TRUNCATED)         Pkcs12 (pfx)

msf6 auxiliary(admin/dcerpc/icpr_cert) > irb
[*] Starting IRB shell...
[*] You are in auxiliary/admin/dcerpc/icpr_cert

>> Metasploit::Credential::Pkcs12.all
=>
[#<Metasploit::Credential::Pkcs12:0x00007ce3cd671910
  id: 1,
  type: "Metasploit::Credential::Pkcs12",
  data:
   "msf_pkcs12:MIINcAIBAzCCDSYGCSqGS...[REDACTED]...:myca-CA:User",
  created_at: 2024-12-16 14:19:52.477133 UTC,
  updated_at: 2024-12-16 14:19:52.477133 UTC,
  jtr_format: nil>]

Testing creds command

  • Start msfconsole
  • Add a certificate manually with creds add user:testuser pkcs12:<pkcs12 filepath> ca:myca adcs-template:OtherTemplate
  • Check with irb in msfconsole the Pkcs12 model has the expected data format "msf_pkcs12:<base64 Pkcs12>:<CA>:<ADCS Template>"
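The record layout that both verification procedures above check in irb, worked through as an added Ruby example. This is illustration code written for this page, not code from the PR or from metasploit-credential: it builds a throwaway PKCS#12 from a self-signed certificate (a constructed stand-in for the .pfx that icpr_cert writes to loot), packs it into the `msf_pkcs12:<base64 Pkcs12>:<CA>:<ADCS Template>` string, parses it back and opens the bundle. The helper names (`encode_msf_pkcs12`, `decode_msf_pkcs12`, `build_sample_pkcs12`, `inspect_record`), the sample subject DN and the rule that rejects a ':' inside the metadata fields are assumptions of this example.

```ruby
require 'openssl'
require 'base64'

# Illustration written for this page; not the metasploit-credential code.
# Layout mirrors the string the PR checks in irb:
#   "msf_pkcs12:<base64 Pkcs12>:<CA>:<ADCS Template>"
MSF_PKCS12_PREFIX = 'msf_pkcs12'.freeze

# Pack raw PKCS#12 (DER) bytes and the AD CS metadata into one string.
# Strict base64 never emits ':', so only the two metadata fields could
# collide with the separator; this example rejects such values outright
# (an assumption of this example, not a rule taken from the PR).
def encode_msf_pkcs12(pkcs12_der, ca:, adcs_template:)
  [ca, adcs_template].each do |field|
    raise ArgumentError, "metadata field must not contain ':' (#{field})" if field.to_s.include?(':')
  end
  [MSF_PKCS12_PREFIX, Base64.strict_encode64(pkcs12_der), ca.to_s, adcs_template.to_s].join(':')
end

# Split a stored record back into its parts, refusing anything that is not
# exactly prefix + base64 + CA + template. The limit of 4 keeps a ':' in the
# last field from being swallowed, and strict_decode64 rejects a corrupted
# payload instead of silently truncating it.
def decode_msf_pkcs12(data)
  prefix, b64, ca, template = data.to_s.split(':', 4)
  raise ArgumentError, 'missing msf_pkcs12 prefix' unless prefix == MSF_PKCS12_PREFIX
  raise ArgumentError, 'malformed record: expected 4 colon-separated fields' if template.nil?
  { pkcs12_der: Base64.strict_decode64(b64), ca: ca, adcs_template: template }
end

# Constructed sample input: a self-signed certificate plus its key, bundled
# as PKCS#12 the way an issued .pfx would be. Stands in for real CA output.
def build_sample_pkcs12(password, subject = '/DC=local/DC=example/CN=muser')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::PKCS12.create(password, 'msf-sample', key, cert).to_der
end

# What a consumer (e.g. a `creds` listing) would pull out of a stored record:
# the metadata fields plus the certificate subject, after opening the bundle
# with its password. A wrong password or a corrupted payload raises.
def inspect_record(data, password)
  parts = decode_msf_pkcs12(data)
  p12   = OpenSSL::PKCS12.new(parts[:pkcs12_der], password)
  {
    ca:            parts[:ca],
    adcs_template: parts[:adcs_template],
    subject:       p12.certificate.subject.to_s
  }
end

if __FILE__ == $PROGRAM_NAME
  der    = build_sample_pkcs12('msf-test')
  record = encode_msf_pkcs12(der, ca: 'myca-CA', adcs_template: 'User')
  puts record[0, 40] + '...' + record[-13..]
  p inspect_record(record, 'msf-test')
end
```

Splitting with a limit of 4 matters: a naive `split(':')` would break any template or CA name containing a colon, and `strict_decode64` (rather than the lenient `decode64`) turns a damaged payload into an error instead of a silently wrong certificate.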

@cdelafuente-r7 cdelafuente-r7 added the blocked Blocked by one or more additional tasks label Dec 16, 2024
@@ -414,11 +420,13 @@ def creds_search(*args)
when 'password'
Metasploit::Credential::Password
when 'hash'
Metasploit::Credential::PasswordHash
Metasploit::Credential::NonreplayableHash
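Review bot: Narrowing the `when 'hash'` branch from Metasploit::Credential::PasswordHash to its subclass Metasploit::Credential::NonreplayableHash changes what `creds -t hash` matches: hash models that sit under a sibling subclass of PasswordHash (NTLM and other replayable hashes, assuming they are not NonreplayableHash descendants) stop matching this branch, and the hunk shown adds no `when` for them. If they are meant to be reachable only through a separate type name, state that in the command's help text; otherwise keep PasswordHash here and adjust the failing spec expectation instead.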
cdelafuente-r7 (Contributor Author)

Apparently hash corresponds to a Nonreplayable hash instead of a PasswordHash. This change was required, otherwise the specs were failing.

# realm: nil,
# workspace: framework.db.workspace)
# end
let!(:ntlm_core) do
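Review bot: The commented-out remnant ending in `# realm: nil,` / `# workspace: framework.db.workspace)` / `# end` directly above `let!(:ntlm_core) do` is dead code: if the ntlm fixture has been re-enabled, delete the commented copy rather than leaving both versions in the spec, and put the re-enablement in its own commit so it does not get tangled with the Pkcs12 change.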
cdelafuente-r7 (Contributor Author)

These tests are now working properly. I've added them back even though they are not related to the changes in this PR.

Comment on lines +6 to +7
gem 'metasploit-credential', git: 'https://github.com/cdelafuente-r7/metasploit-credential', branch: 'enh/MS-9710/add_pkcs12_metadata'
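Review bot: The gem source is a personal fork selected by branch name only (`branch: 'enh/MS-9710/add_pkcs12_metadata'`), so what CI builds against can change with every push to that branch. While the dependency is needed, add a `ref:` pinned to a commit SHA so test runs are reproducible; before landing, switch back to the released metasploit-credential version and regenerate Gemfile.lock in the same commit.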

cdelafuente-r7 (Contributor Author)

This will need to be reverted before landing.

Gemfile.lock (outdated)

cdelafuente-r7 (Contributor Author)

This file will need to be updated to point to the new metasploit-credential gem once it is available, instead of this feature branch.

…base

- Update the `creds` command to add Pkcs12 private credentials with
  metadata.
- Update `ms_icpr` module to store metadata.
@cdelafuente-r7 cdelafuente-r7 force-pushed the enh/pkcs12/add_metadata branch from 4c5a365 to c44cad3 Compare January 10, 2025 09:25
Labels: blocked (Blocked by one or more additional tasks), enhancement

1 participant