Private/Get-VulnerableCertificateTemplate.ps1

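function Get-VulnerableCertificateTemplate {
    <#
    .SYNOPSIS
        Lists the published certificate templates in $PublishedRiskyTemplates whose
        enrollment right is granted to broad principals, and lets the operator pick one.

    .DESCRIPTION
        For every entry in the module-level $PublishedRiskyTemplates collection the
        template object is bound over LDAP and its "Allow" ACEs for the
        Certificate-Enrollment extended right (0e10c968-78fb-11d2-90d4-00c04f79dc55)
        are printed. Grants to Domain Users, Everyone or Authenticated Users are
        highlighted; grants to Domain Computers are highlighted and remembered so the
        caller learns whether a machine account can enroll in the chosen template.
        The operator then confirms the template stored under the "BadCA" key or picks
        another one by index, which is written back with Set-KeyValue.

        The LDAP filter shown to the user only selects templates with
        ENROLLEE_SUPPLIES_SUBJECT (msPKI-Certificate-Name-Flag=1) and the Client
        Authentication EKU; it does not consider manager approval or required
        signatures, so a hit here still needs review before it is treated as a
        confirmed misconfiguration.

    .OUTPUTS
        Three values: the selected template name, a [bool] saying whether Domain
        Computers hold the enrollment right on it, and the template's enrollment CA.

    .NOTES
        Reads globals: $PublishedRiskyTemplates, $yes, $no, $StartRunTime, $fgc* colours.
        Uses module helpers Get-FunctionName, Write-Log, Get-KeyValue, Set-KeyValue,
        Invoke-Output, Write-Highlight, Get-Answer and Get-RunTime.
    #>

    $CurrentFunction = Get-FunctionName
    Write-Log -Message "### Start Function $CurrentFunction ###"
    #region ####################### main code #########################

    # Start from the template recorded by an earlier step, if any.
    $CAtemplate = Get-KeyValue -key "BadCA"
    $CAEnrollment = $null
    # Accumulates ' - NAME' fragments (upper case) for templates Domain Computers can
    # enroll in. Initialised to '' so the .Contains() check further down cannot be
    # invoked on $null when no such template was seen.
    [string]$temp = ''
    # Always index through an array copy: member enumeration on a single-object
    # collection ($PublishedRiskyTemplates.name) yields a plain string, and [0] on a
    # string returns its first character rather than the template name.
    $riskyTemplates = @($PublishedRiskyTemplates)
    # Well-known AD schema GUID of the Certificate-Enrollment extended right.
    $enrollRightGuid = "0e10c968-78fb-11d2-90d4-00c04f79dc55"

    Invoke-Output -T CodeSnippet -M "A simple LDAP query is sufficient:"

    Write-Highlight -Text (' $SearchFilter ', '= ', ' "(&(objectClass=pKICertificateTemplate)(cn=', '$PublishedTemplate', ')(msPKI-Certificate-Name-Flag=1)(msPKI-Certificate-Application-Policy=1.3.6.1.5.5.7.3.2))"')`
        -Color $fgcR, $fgcF, $fgcV, $fgcR, $fgcV, $fgcF

    Write-Highlight -Text (' $Template ', '= ', ' Get-ADObject ', '-SearchBase ', '"CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,', '$forest" ', '-LDAPFilter ', '$SearchFilter ', '-SearchScope ', 'OneLevel')`
        -Color $fgcR, $fgcF, $fgcC, $fgcS, $fgcV, $fgcR, $fgcS, $fgcR, $fgcS, $fgcF

    Write-Host ""
    Write-log -Message " Only a simple LDAP Query is needed."

    $question = "Would you like to run this step - Y or N? Default "
    $answer = Get-Answer -question $question -defaultValue $yes

    If ($answer -eq $yes) {
        # Walk the published risky templates and list who holds the enrollment right.
        Foreach ($result in $riskyTemplates) {
            Write-host "`n`nFound vulnerable template " -NoNewline
            Write-host "$($result.Name)" -ForegroundColor Yellow -NoNewline
            Write-host " on " -NoNewline
            Write-Host $result.EnrollmentCA -ForegroundColor Yellow -NoNewline
            Write-Host ", which can be enrolled by:`n"

            $DSobject = [adsi]("LDAP://$($result.DN)")
            # NOTE(review): $chkInheritedPerm is not defined in this function. A $null
            # second argument binds as $false, so inherited ACEs are NOT examined and an
            # enrollment right inherited from the container would be missed — confirm
            # this is intended.
            $secd = $DSobject.psbase.get_objectSecurity().getAccessRules($true, $chkInheritedPerm.checked, [System.Security.Principal.NTAccount])
            # Only "Allow" ACEs that carry the enrollment extended right are of interest.
            $results = $secd | Where-Object { $_.AccessControlType -eq "Allow" -and $_.ObjectType -eq $enrollRightGuid -and $_.ActiveDirectoryRights -like "*ExtendedRight*" } | Select-Object IdentityReference

            foreach ($result2 in $results.IdentityReference) {
                [string]$t = $result2

                If ($t.Contains("Domain Users") -or $t.Contains("Everyone") -or $t.Contains("Authenticated Users")) {
                    # Any domain account can enroll: remember this template as the default.
                    write-host (" - $t").PadRight(45, [Char]32) -ForegroundColor Yellow -NoNewline
                    Write-Host "<< Bingo!" -ForegroundColor Green
                    $CAtemplate = $result.Name
                    $CAEnrollment = $result.EnrollmentCA
                }
                elseif ($t.Contains("Domain Computers") ) {
                    # Machine accounts can enroll: record the name for the flag returned below.
                    write-host (" - $t").PadRight(45, [Char]32) -ForegroundColor Yellow -NoNewline
                    Write-Host "<< Bingo!" -ForegroundColor Green
                    [string]$temp = ($temp + ' - ' + $($result.Name).ToUpper())
                }
                else {
                    write-host " - $t"
                }
            }
        }
    }

    # Let the operator confirm the current choice or pick another template by index.
    Do {
        $question = "Do you want to use CA template '$CAtemplate' - Y or N? Default "
        $prompt = Get-Answer -question $question -defaultValue $yes

        if ($prompt -ne $yes) {
            if ($riskyTemplates.Count -eq 0) {
                # Nothing to choose from; keep whatever "BadCA" held and stop asking.
                Write-Log -Message " No published risky templates available to choose from."
                break
            }

            write-host ""
            [int]$i = 0
            Foreach ($ca in $riskyTemplates) {
                Write-host " [" -NoNewline
                Write-Host $i -ForegroundColor Yellow -NoNewline
                Write-host "] - $($ca.name)"
                $i++
            }
            write-host ""
            $max = $i - 1
            # Get-Random's -Maximum is exclusive: use $max + 1 so the last index can be
            # suggested and so a single template does not trigger the Minimum >= Maximum error.
            $i = Get-Random -Minimum 0 -Maximum ($max + 1)
            [int]$selectedIndex = 0
            do {
                $n = Read-Host "Type in the NUMBER for your preferred CA Template, e.g. $i"
                if ([int]::TryParse($n, [ref]$selectedIndex) -and $selectedIndex -ge 0 -and $selectedIndex -le $max) {
                    $repeat = $no
                }
                else {
                    $repeat = $yes
                    Write-Host $n -NoNewline -ForegroundColor Yellow
                    Write-Host " is out of scope!"
                }
            } Until ($repeat -eq $no)

            $CAtemplate = $riskyTemplates[$selectedIndex].Name
            $CAEnrollment = $riskyTemplates[$selectedIndex].EnrollmentCA

            Set-KeyValue -key "BadCA" -NewValue $CAtemplate
            write-host ""
        }
    } Until ($prompt -eq $yes)

    # If the operator kept the stored template without running the scan, the
    # enrollment CA is still unknown; look it up by name so the caller gets all three values.
    if ((-not $CAEnrollment) -and $CAtemplate) {
        $match = $riskyTemplates | Where-Object { $_.Name -eq $CAtemplate } | Select-Object -First 1
        if ($match) {
            $CAEnrollment = $match.EnrollmentCA
        }
    }

    # Check whether this template can be enrolled by Domain Computers. $temp holds
    # upper-cased ' - NAME' fragments; an empty template name must never match.
    [bool]$UseDomainComputers = (-not [string]::IsNullOrEmpty($CAtemplate)) -and $temp.Contains("- $CAtemplate".ToUpper())

    Write-Log -Message " >> using $CAtemplate, can be enrolled by Domain Computer - $UseDomainComputers"
    #endregion ##################### main code ############################
    $runtime = Get-RunTime -StartRunTime $StartRunTime
    Write-Log -Message " Run Time: $runtime [h] ###"
    Write-Log -Message "### End Function $CurrentFunction ###"

    return $CAtemplate, $UseDomainComputers, $CAEnrollment
}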