PenTest/privilege-escalation-awesome-scripts-suite
1
0
Fork 0
mirror of https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git synced 2025-12-09 18:31:28 +00:00
Code Issues Projects Releases Wiki Activity

Fix InterfaceFlags syntax

Browse Source
This commit is contained in:
CravateRouge
2025-10-07 11:14:45 +08:00
committed by GitHub
parent 7042a182df
commit b8b4a0fc14
1 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
winPEAS/winPEASexe/winPEAS/Checks/ActiveDirectoryInfo.cs
View File

@@ -178,27 +178,27 @@ namespace winPEAS.Checks
switch (strongBinding) switch (strongBinding)
{ {
case 0: case 0:
Beaprint.BadPrint(" StrongCertificateBindingEnforcement: 0 <EFBFBD> Weak mapping allowed, vulnerable to ESC9."); Beaprint.BadPrint(" StrongCertificateBindingEnforcement: 0 Weak mapping allowed, vulnerable to ESC9.");
break; break;
case 2: case 2:
Beaprint.GoodPrint(" StrongCertificateBindingEnforcement: 2 <EFBFBD> Prevents weak UPN/DNS mappings even if SID extension missing, not vulnerable to ESC9."); Beaprint.GoodPrint(" StrongCertificateBindingEnforcement: 2 Prevents weak UPN/DNS mappings even if SID extension missing, not vulnerable to ESC9.");
break; break;
// 1 is default behavior now I think? // 1 is default behavior now I think?
case 1: case 1:
default: default:
Beaprint.NoColorPrint($" StrongCertificateBindingEnforcement: {strongBinding} <EFBFBD> Allow weak mapping if SID extension missing, may be vulnerable to ESC9."); Beaprint.NoColorPrint($" StrongCertificateBindingEnforcement: {strongBinding} Allow weak mapping if SID extension missing, may be vulnerable to ESC9.");
break; break;
} }
uint? certMapping = RegistryHelper.GetDwordValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", "CertificateMappingMethods"); uint? certMapping = RegistryHelper.GetDwordValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", "CertificateMappingMethods");
if (certMapping.HasValue && (certMapping & 0x4) != 0) if (certMapping.HasValue && (certMapping & 0x4) != 0)
Beaprint.BadPrint($" CertificateMappingMethods: {certMapping} <EFBFBD> Allow UPN-based mapping, vulnerable to ESC10."); Beaprint.BadPrint($" CertificateMappingMethods: {certMapping} Allow UPN-based mapping, vulnerable to ESC10.");
else if(certMapping.HasValue && ((certMapping & 0x1) != 0 || (certMapping & 0x2) != 0)) else if(certMapping.HasValue && ((certMapping & 0x1) != 0 || (certMapping & 0x2) != 0))
Beaprint.NoColorPrint($" CertificateMappingMethods: {certMapping} <EFBFBD> Allow weak Subject/Issuer certificate mapping."); Beaprint.NoColorPrint($" CertificateMappingMethods: {certMapping} Allow weak Subject/Issuer certificate mapping.");
// 0x18 (strong mapping) is default behavior if not the flags above I think? // 0x18 (strong mapping) is default behavior if not the flags above I think?
else else
Beaprint.GoodPrint($" CertificateMappingMethods: {certMapping} <EFBFBD> Strong Certificate mapping enabled."); Beaprint.GoodPrint($" CertificateMappingMethods: {certMapping} Strong Certificate mapping enabled.");
// We take the Active CA, can they be several? // We take the Active CA, can they be several?
string caName = RegistryHelper.GetRegValue("HKLM", $@"SYSTEM\CurrentControlSet\Services\CertSvc\Configuration", "Active"); string caName = RegistryHelper.GetRegValue("HKLM", $@"SYSTEM\CurrentControlSet\Services\CertSvc\Configuration", "Active");
@@ -208,9 +208,9 @@ namespace winPEAS.Checks
// https://www.sysadmins.lv/apidocs/pki/html/T_PKI_CertificateServices_Flags_InterfaceFlagEnum.htm // https://www.sysadmins.lv/apidocs/pki/html/T_PKI_CertificateServices_Flags_InterfaceFlagEnum.htm
uint? interfaceFlags = RegistryHelper.GetDwordValue("HKLM", $@"SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{caName}", "InterfaceFlags"); uint? interfaceFlags = RegistryHelper.GetDwordValue("HKLM", $@"SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{caName}", "InterfaceFlags");
if (!interfaceFlags.HasValue || (interfaceFlags & 512) == 0) if (!interfaceFlags.HasValue || (interfaceFlags & 512) == 0)
Beaprint.BadPrint(" IF_ENFORCEENCRYPTICERTREQUEST not set in InterfaceFlags <EFBFBD> vulnerable to ESC11."); Beaprint.BadPrint(" IF_ENFORCEENCRYPTICERTREQUEST not set in InterfaceFlags vulnerable to ESC11.");
else else
Beaprint.GoodPrint(" IF_ENFORCEENCRYPTICERTREQUEST set in InterfaceFlafs <EFBFBD> not vulnerable to ESC11."); Beaprint.GoodPrint(" IF_ENFORCEENCRYPTICERTREQUEST set in InterfaceFlags not vulnerable to ESC11.");
string policyModule = RegistryHelper.GetRegValue("HKLM", $@"SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{caName}\PolicyModules", "Active"); string policyModule = RegistryHelper.GetRegValue("HKLM", $@"SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{caName}\PolicyModules", "Active");
if (!string.IsNullOrWhiteSpace(policyModule)) if (!string.IsNullOrWhiteSpace(policyModule))
@@ -218,9 +218,9 @@ namespace winPEAS.Checks
string disableExtensionList = RegistryHelper.GetRegValue("HKLM", $@"SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{caName}\PolicyModules\{policyModule}", "DisableExtensionList"); string disableExtensionList = RegistryHelper.GetRegValue("HKLM", $@"SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{caName}\PolicyModules\{policyModule}", "DisableExtensionList");
// zOID_NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2) // zOID_NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2)
if (disableExtensionList?.Contains("1.3.6.1.4.1.311.25.2") == true) if (disableExtensionList?.Contains("1.3.6.1.4.1.311.25.2") == true)
Beaprint.BadPrint(" szOID_NTDS_CA_SECURITY_EXT disabled for the entire CA <EFBFBD> vulnerable to ESC16."); Beaprint.BadPrint(" szOID_NTDS_CA_SECURITY_EXT disabled for the entire CA vulnerable to ESC16.");
else else
Beaprint.GoodPrint(" szOID_NTDS_CA_SECURITY_EXT not disabled for the CA <EFBFBD> not vulnerable to ESC16."); Beaprint.GoodPrint(" szOID_NTDS_CA_SECURITY_EXT not disabled for the CA not vulnerable to ESC16.");
} }
else else
{ {