Merge pull request #112 from franc-pentest/fixes
Fix ADCS parsing
tiyeuse authored Oct 14, 2024
2 parents 975b985 + 289f824 commit 98b717b
Showing 2 changed files with 47 additions and 40 deletions.
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
1.0.70
1.0.71
85 changes: 46 additions & 39 deletions ldeep/__main__.py
@@ -640,8 +640,16 @@ def list_trusts(self, kwargs):
Results will contain full information
"""
verbose = kwargs.get("verbose", False)

if verbose:
attributes = self.engine.all_attributes()

results = self.engine.query(self.engine.TRUSTS_INFO_FILTER())

if verbose:
self.display(results, verbose)
return

ATTRIBUTE_TRANSLATION = {
"trustDirection": {
0x00000003: "bidirectional",
@@ -663,10 +671,6 @@ def list_trusts(self, kwargs):
result[key] = ATTRIBUTE_TRANSLATION[key][int(result[key])]
trusts.append(result)

if verbose:
self.display(results, verbose)
return

FIELDS_TO_PRINT = [
"dn",
"cn",
@@ -735,8 +739,10 @@ def list_pkis(self, kwargs):
attributes,
base=",".join(
[
"CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION",
self.engine.base_dn,
"CN=Enrollment Services,CN=Public Key Services,CN=Services",
self.engine.ldap.server.info.other[
"configurationNamingContext"
][0],
]
),
),
@@ -770,13 +776,13 @@ def list_templates(self, kwargs):
"nTSecurityDescriptor",
]

results = self.engine.query(
templates = self.engine.query(
self.engine.TEMPLATE_FILTER(),
attributes,
base=",".join(
[
"CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration",
self.engine.base_dn,
"CN=Certificate Templates,CN=Public Key Services,CN=Services",
self.engine.ldap.server.info.other["configurationNamingContext"][0],
]
),
)
@@ -787,51 +793,59 @@ def list_templates(self, kwargs):
attributes,
base=",".join(
[
"CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION",
self.engine.base_dn,
"CN=Enrollment Services,CN=Public Key Services,CN=Services",
self.engine.ldap.server.info.other["configurationNamingContext"][0],
]
),
)
self.engine.set_controls()

enabled_templates = {}
adcs_infos = {}
for pki in pkis_infos:
enabled_templates[pki.get("cn")] = pki.get("certificateTemplates")
adcs_infos[pki.get("cn")] = pki.get("certificateTemplates")

if verbose:
self.display(results, verbose)
return
else:
all_enabled_templates = list(set().union(*adcs_infos.values()))
template_number = 1
for result in results:
if (
enabled
and result.get("name") not in enabled_templates[pki.get("cn")]
):
for template in templates:
if enabled and template.get("name") not in all_enabled_templates:
continue

print(template_number)
print(f"{'Template Name':<30}: {result.get('name')}")
print(f"{'Display Name':<30}: {result.get('displayName')}")
for ca in enabled_templates:
if result.get("name") in enabled_templates[ca]:
print(f"{'Enabled':<30}: True")
print(f"{'Certificate Authority':<30}: {ca}")
print(f"{'Template Name':<30}: {template.get('name')}")
print(f"{'Display Name':<30}: {template.get('displayName')}")

for ca in adcs_infos:
if template.get("name") in adcs_infos[ca]:
is_enabled = True
cert_auth = ca
break
else:
print(f"{'Enabled':<30}: False")
is_enabled = False

if is_enabled:
print(f"{'Enabled':<30}: True")
print(f"{'Certificate Authority':<30}: {ca}")
else:
print(f"{'Enabled':<30}: False")

ekus = []
client_auth = False
for eku in result.get("pKIExtendedKeyUsage"):
for eku in template.get("pKIExtendedKeyUsage"):
if eku in AUTHENTICATING_EKUS.keys():
client_auth = True
try:
ekus.append(OID_TO_STR_MAP[eku])
except KeyError:
ekus.append(eku)
if result.get("pKIExtendedKeyUsage") == []:
if template.get("pKIExtendedKeyUsage") == []:
client_auth = True
print(f"{'Client Authentication':<30}: {client_auth}")

flag_mask = result.get("msPKI-Certificate-Name-Flag") & 0xFFFFFFFF
flag_mask = template.get("msPKI-Certificate-Name-Flag") & 0xFFFFFFFF
flags = []
for flag_name, flag_value in MS_PKI_CERTIFICATE_NAME_FLAG.items():
if flag_mask & flag_value:
@@ -840,13 +854,13 @@ def list_templates(self, kwargs):
f"{'Enrollee Supplies Subject':<30}: {'ENROLLEE_SUPPLIES_SUBJECT' in flags}"
)
manager_approval = (
result.get("msPKI-Enrollment-Flag")
template.get("msPKI-Enrollment-Flag")
& MS_PKI_ENROLLMENT_FLAG["PEND_ALL_REQUESTS"]
)
print(f"{'Requires Manager Approval':<30}: {manager_approval>0}")

print(
f"{'Template Schema Version':<30}: {result['msPKI-Template-Schema-Version']}"
f"{'Template Schema Version':<30}: {template.get('msPKI-Template-Schema-Version','')}"
)

if ekus:
@@ -863,7 +877,7 @@ def list_templates(self, kwargs):
write_dacl_principals = []
write_property_principals = []
for principal in (
result.get("nTSecurityDescriptor").get("DACL").get("ACEs")
template.get("nTSecurityDescriptor").get("DACL").get("ACEs")
):
right = ""
sid = principal.get("SID")
@@ -926,13 +940,6 @@ def list_templates(self, kwargs):
write_property_principals.append(f"{name} on {right}")
else:
write_property_principals.append(name)
"""
add property for the following ?
msPKI-Certificate-Name-Flag (add CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
msPKI-Enrollment-Flag (remove approval)
pKIExtendedKeyUsage (never saw)
msPKI-Certificate-Application-Policy (add Client Auth EKU)
"""

print("Permissions")
if enroll_principals:
@@ -943,7 +950,7 @@ def list_templates(self, kwargs):

# Object Control Permissions
print(" Object Control Permissions")
owner_sid = result.get("nTSecurityDescriptor").get("Owner SID")
owner_sid = template.get("nTSecurityDescriptor").get("Owner SID")
try:
res = next(self.engine.resolve_sid(owner_sid))
if "group" in res["objectClass"]:
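Review bot: The verbose branch of list_templates still appears to call `self.display(results, verbose)` although the query result is now bound to `templates`, so a verbose run would raise NameError unless `results` is assigned somewhere outside the visible lines; the call should read `self.display(templates, verbose)`. The new CA lookup stops at the first match with `break` and assigns `cert_auth` without ever reading it, so a template published on several CAs now seems to be reported under only one of them, which understates where a risky template can be enrolled; collecting every matching CA name and printing the joined list would keep the fuller picture. In list_trusts, `attributes = self.engine.all_attributes()` is set for verbose, but the `self.engine.query(self.engine.TRUSTS_INFO_FILTER())` call shown does not pass it, so the assignment looks unused. The three lookups of `self.engine.ldap.server.info.other["configurationNamingContext"][0]` presumably assume a live LDAP engine with server info loaded, so a guard with a clear error message would help when that is not the case. Both function bodies start and end outside the hunks shown, so these points should be checked against the full file.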
