AD CS workflow improvement with new PKCS12 features
Given the increasing popularity of AD CS misconfiguration exploitation in recent years, Metasploit has been consistently improving its capabilities in this area. This week's release adds a new certs command to msfconsole for managing the PKCS12 certificates stored in the database, similar to the klist command. The certs command can list, search, activate, deactivate, export, and delete certificates.
Available options:
msf6 auxiliary(scanner/smb/smb_login) > certs --help
List Pkcs12 certificate bundles in the database
Usage: certs [options] [username[@domain_upn_format]]
OPTIONS:
    -a, --activate    Activates *all* matching pkcs12 entries
    -A, --deactivate  Deactivates *all* matching pkcs12 entries
    -d, --delete      Delete *all* matching pkcs12 entries
    -e, --export      The file path where to export the matching pkcs12 entry
    -h, --help        Help banner
    -i, --index       Pkcs12 entry ID(s) to search for, e.g. `-i 1` or `-i 1,2,3` or `-i 1 -i 2 -i 3`
    -v, --verbose     Verbose output
Example output:
msf6 auxiliary(admin/dcerpc/icpr_cert) > certs
Pkcs12
======
id  username       realm         subject    issuer                                              ADCS CA                   ADCS Template  status
--  --------       -----         -------    ------                                              -------                   -------------  ------
1   administrator  mydomi.local  /CN=muser  /DC=local/DC=pro/DC=ad/CN=mssrv-dc-mydomi.local-CA  mssrv-dc-mydomi.local-CA  ESC1           active
The release also automates PKCS12 authentication via the PKINIT protocol: when the kerberos option is set for authentication and no Kerberos tickets are found in the cache, the framework transparently uses a stored certificate to acquire Kerberos tickets. This streamlines authentication for modules supporting the Kerberos and Schannel protocols; any module that supports these authentication protocols can benefit, as long as a suitable certificate is present in the database.
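A defender-side view of the automation described above, as an added example that is not Metasploit code: a certificate-based TGT request is recorded on the domain controller as event 4768 with a PKINIT-related pre-authentication type and populated certificate fields, so this Python example flags such requests for accounts that are not expected to log on with a certificate. The JSON-lines export layout, the allowlist and every sample value (accounts, addresses, thumbprints) are assumptions constructed for illustration; the domain and CA names are reused from the listing above.

```python
import json

# Pre-authentication types in event 4768 that are PKINIT-related (certificate logon).
PKINIT_PREAUTH = {15, 16, 17}

# Constructed sample: Security events exported as JSON lines (assumed layout).
# Field names follow the event's data names; all values are made up.
SAMPLE_LOG = """\
{"EventID": 4768, "TargetUserName": "jsmith", "PreAuthType": "2", "CertIssuerName": "", "CertThumbprint": "", "IpAddress": "::ffff:10.0.0.21"}
{"EventID": 4768, "TargetUserName": "kiosk-svc", "PreAuthType": "16", "CertIssuerName": "mssrv-dc-mydomi.local-CA", "CertThumbprint": "CONSTRUCTED-THUMBPRINT-01", "IpAddress": "::ffff:10.0.0.30"}
{"EventID": 4769, "TargetUserName": "jsmith", "PreAuthType": "-", "CertIssuerName": "", "CertThumbprint": "", "IpAddress": "::ffff:10.0.0.21"}
{"EventID": 4768, "TargetUserName": "Administrator", "PreAuthType": "16", "CertIssuerName": "mssrv-dc-mydomi.local-CA", "CertThumbprint": "CONSTRUCTED-THUMBPRINT-02", "IpAddress": "::ffff:10.0.0.66"}
"""

def pkinit_requests(lines):
    """Return the 4768 events whose TGT was requested with a certificate."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4768:
            continue
        pre = str(ev.get("PreAuthType", ""))  # may be "-" on some records
        if pre.isdigit() and int(pre) in PKINIT_PREAUTH and ev.get("CertThumbprint"):
            hits.append(ev)
    return hits

def unexpected_cert_logons(lines, cert_logon_accounts):
    """Flag PKINIT logons for accounts not known to use certificate logon."""
    allowed = {a.lower() for a in cert_logon_accounts}  # hypothetical allowlist
    alerts = []
    for ev in pkinit_requests(lines):
        account = ev["TargetUserName"].lower()
        if account in allowed:
            continue
        alerts.append({
            "account": account,
            # Strip the IPv4-mapped prefix so the address matches other logs.
            "source": ev.get("IpAddress", "").replace("::ffff:", "", 1),
            "issuer": ev.get("CertIssuerName", ""),
            "thumbprint": ev["CertThumbprint"],
        })
    return alerts
```

Calling `unexpected_cert_logons(SAMPLE_LOG.splitlines(), {"kiosk-svc"})` returns one alert, for the administrator account; the thumbprint and issuer in it can then be matched against the CA's issued-certificate records to find the request and template behind the certificate.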
Here is ..