Merge pull request #2 from bradyjmcl/main

Added support for ESC5, ESC7, ESC9, ESC11, and ESC15; added ACL to ESC13

README.md

@@ -3,10 +3,15 @@
 An Ansible Role that installs [ADCS](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/active-directory-certificate-services-overview) on Windows Server and optionally configures [Certified Preowned](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf) templates.
 
 - Turns the VM assigned the "badsectorlabs.adcs" role into a Certificate Authority
-- Optionally, creates certificate templates for ESC1,2,3, and 13
+- Optionally, creates certificate templates for ESC1,2,3,7,9, and 13
+- Optionally, creates a user (`esc5user`) with rights over the CA's AD Object for ESC5
 - Optionally, configures ATTRIBUTESUBJECTALTNAME2 on CA for ESC6
+- Optionally, creates users (`esc7_camgr_user` and `esc7_certmgr_user`) to exploit ESC7
 - Optionally, enables web enrollment for ESC8
+- Optionally, creates a user (`esc9user`) with inbound GenericAll rights for ESC9
+- Optionally, configures IF_ENFORCEENCRYPTICERTREQUEST on CA for ESC11
 - Optionally, for ESC13, creates a user (`esc13user`), group (`esc13group`), template (`ESC13`), and Issuance policy (`IssuancePolicyForESC13`)
+- Optionally, makes the `WebServer` template vulnerable to ESC15
 
 > [!WARNING]
 > This role is not idempotent! Setting a `ludus_adcs_escX` value to `true`, applying the role, then setting it to `false` and applying the role will *NOT* remove the template that is now set to `false`.
@@ -33,11 +38,27 @@ Available variables are listed below, along with default values (see `defaults/m
     ludus_adcs_esc3: true
     ludus_adcs_esc3_cra: true
     ludus_adcs_esc4: true
+    ludus_adcs_esc5: true
     ludus_adcs_esc6: true
+    ludus_adcs_esc7: true
     ludus_adcs_esc8: true
+    ludus_adcs_esc9: true
+    ludus_adcs_esc11: true
     ludus_adcs_esc13: true
+    ludus_adcs_esc15: true
 
     # Vars for specific ESCs
+    ludus_adcs_esc5_user: esc5user
+    ludus_adcs_esc5_password: ESC5password
+
+    ludus_adcs_esc7_ca_manager_user: esc7_camgr_user
+    ludus_adcs_esc7_ca_manager_password: ESC7password
+    ludus_adcs_esc7_cert_manager_user: esc7_certmgr_user
+    ludus_adcs_esc7_cert_manager_password: ESC7password
+
+    ludus_adcs_esc9_user: esc9user
+    ludus_adcs_esc9_password: ESC9password
+
     ludus_adcs_esc13_user: esc13user
     ludus_adcs_esc13_password: ESC13password
     ludus_adcs_esc13_group: esc13group
@@ -65,9 +86,14 @@ None.
     ludus_adcs_esc3: true
     ludus_adcs_esc3_cra: true
     ludus_adcs_esc4: true
+    ludus_adcs_esc5: true
     ludus_adcs_esc6: true
+    ludus_adcs_esc7: true
     ludus_adcs_esc8: true
+    ludus_adcs_esc9: true
+    ludus_adcs_esc11: true
     ludus_adcs_esc13: true
+    ludus_adcs_esc15: true
 ```
 
 ## Example Ludus Range Config
@@ -89,7 +115,7 @@ ludus:
     roles:
       - badsectorlabs.ludus_adcs
     role_vars:
-      ludus_adcs_esc6: false # By default ESC1,2,3,4,6,8, and 13 are enabled
+      ludus_adcs_esc6: false # By default ESC1,2,3,4,5,6,7,8,9,11,13, and 15 are enabled
 ```
 
 ## License
@@ -100,6 +126,10 @@ Some code was based on tasks from [GOAD](https://github.com/Orange-Cyberdefense/
 
 The included [ADCSTemplate](https://github.com/GoateePFE/ADCSTemplate) project is licensed under the MIT license and written by Ashley McGlone.
 
+The inlcuded [PSPKI](https://github.com/PKISolutions/PSPKI/) project is licensed under the Microsoft Public License (Ms-PL) and written by Vadims Podans.
+
 ## Author Information
 
 This role was created in 2024 by [Bad Sector Labs](https://badsectorlabs.com/), for [Ludus](https://ludus.cloud/).
+
+Support for ESC5, ESC7, ESC9, ESC11, and ESC15 was added in November 2024 by [Brady McLaughlin](https://github.com/bradyjmcl).

defaults/main.yml

@@ -13,12 +13,28 @@ ludus_adcs_esc2: true
 ludus_adcs_esc3: true
 ludus_adcs_esc3_cra: true
 ludus_adcs_esc4: true
+ludus_adcs_esc5: true
 ludus_adcs_esc6: true
+ludus_adcs_esc7: true
 ludus_adcs_esc8: true
+ludus_adcs_esc9: true
+ludus_adcs_esc11: true
 ludus_adcs_esc13: true
+ludus_adcs_esc15: true
 
 # Vars for specific ESCs
+ludus_adcs_esc5_user: esc5user
+ludus_adcs_esc5_password: ESC5password
+
+ludus_adcs_esc7_ca_manager_user: esc7_camgr_user
+ludus_adcs_esc7_ca_manager_password: ESC7password
+ludus_adcs_esc7_cert_manager_user: esc7_certmgr_user
+ludus_adcs_esc7_cert_manager_password: ESC7password
+
+ludus_adcs_esc9_user: esc9user
+ludus_adcs_esc9_password: ESC9password
+
 ludus_adcs_esc13_user: esc13user
 ludus_adcs_esc13_password: ESC13password
 ludus_adcs_esc13_group: esc13group
-ludus_adcs_esc13_template: ESC13
+ludus_adcs_esc13_template: ESC13

files/ESC7_CertMgr.json

@@ -0,0 +1,56 @@
+{
+    "name":  "ESC7_CertMgr",
+    "displayName":  "ESC7_CertMgr",
+    "objectClass":  "pKICertificateTemplate",
+    "flags":  131616,
+    "revision":  100,
+    "msPKI-Cert-Template-OID":  "1.3.6.1.4.1.311.21.8.14070996.2758087.2704268.1778953.12622553.205.15048741.4048660",
+    "msPKI-Certificate-Application-Policy":  [
+                                                 "1.3.6.1.5.5.7.3.2"
+                                             ],
+    "msPKI-Certificate-Name-Flag":  1,
+    "msPKI-Enrollment-Flag":  2,
+    "msPKI-Minimal-Key-Size":  2048,
+    "msPKI-Private-Key-Flag":  16842752,
+    "msPKI-RA-Signature":  0,
+    "msPKI-Template-Minor-Revision":  12,
+    "msPKI-Template-Schema-Version":  2,
+    "pKICriticalExtensions":  [
+                                  "2.5.29.7",
+                                  "2.5.29.15"
+                              ],
+    "pKIDefaultCSPs":  [
+                           "3,Microsoft Base DSS Cryptographic Provider",
+                           "2,Microsoft Base Cryptographic Provider v1.0",
+                           "1,Microsoft Enhanced Cryptographic Provider v1.0"
+                       ],
+    "pKIDefaultKeySpec":  2,
+    "pKIExpirationPeriod":  [
+                                0,
+                                64,
+                                57,
+                                135,
+                                46,
+                                225,
+                                254,
+                                255
+                            ],
+    "pKIExtendedKeyUsage":  [
+                                "1.3.6.1.5.5.7.3.2"
+                            ],
+    "pKIKeyUsage":  [
+                        128,
+                        0
+                    ],
+    "pKIMaxIssuingDepth":  0,
+    "pKIOverlapPeriod":  [
+                             0,
+                             128,
+                             166,
+                             10,
+                             255,
+                             222,
+                             255,
+                             255
+                         ]
+}

files/ESC9.json

@@ -0,0 +1,58 @@
+{
+    "name":  "ESC9",
+    "displayName":  "ESC9",
+    "objectClass":  "pKICertificateTemplate",
+    "flags":  131642,
+    "revision":  100,
+    "msPKI-Cert-Template-OID":  "1.3.6.1.4.1.311.21.8.15259740.2305984.9191596.2842136.3011317.52.13375922.9841897",
+    "msPKI-Certificate-Application-Policy":  [
+                                                 "1.3.6.1.4.1.311.10.3.4",
+                                                 "1.3.6.1.5.5.7.3.4",
+                                                 "1.3.6.1.5.5.7.3.2"
+                                             ],
+    "msPKI-Certificate-Name-Flag":  -1509949440,
+    "msPKI-Enrollment-Flag":  524329,
+    "msPKI-Minimal-Key-Size":  2048,
+    "msPKI-Private-Key-Flag":  16842768,
+    "msPKI-RA-Signature":  0,
+    "msPKI-Template-Minor-Revision":  3,
+    "msPKI-Template-Schema-Version":  2,
+    "pKICriticalExtensions":  [
+                                  "2.5.29.15"
+                              ],
+    "pKIDefaultCSPs":  [
+                           "2,Microsoft Base Cryptographic Provider v1.0",
+                           "1,Microsoft Enhanced Cryptographic Provider v1.0"
+                       ],
+    "pKIDefaultKeySpec":  1,
+    "pKIExpirationPeriod":  [
+                                0,
+                                64,
+                                57,
+                                135,
+                                46,
+                                225,
+                                254,
+                                255
+                            ],
+    "pKIExtendedKeyUsage":  [
+                                "1.3.6.1.4.1.311.10.3.4",
+                                "1.3.6.1.5.5.7.3.4",
+                                "1.3.6.1.5.5.7.3.2"
+                            ],
+    "pKIKeyUsage":  [
+                        160,
+                        0
+                    ],
+    "pKIMaxIssuingDepth":  0,
+    "pKIOverlapPeriod":  [
+                             0,
+                             128,
+                             166,
+                             10,
+                             255,
+                             222,
+                             255,
+                             255
+                         ]
+}

files/PSPKI/CODE_OF_CONDUCT.md

@@ -0,0 +1,46 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at [Sysadmins LV](https://www.sysadmins.lv/contact.aspx). The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [https://contributor-covenant.org/version/1/4][version]
+
+[homepage]: https://contributor-covenant.org
+[version]: https://contributor-covenant.org/version/1/4/

files/PSPKI/License.md

@@ -0,0 +1,31 @@
+# Microsoft Public License (Ms-PL)
+
+This license governs use of the accompanying software. If you use the software, you accept this license. If you do not accept the license, do not use the software.
+
+## 1. Definitions
+
+The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning here as under U.S. copyright law.
+
+A "contribution" is the original software, or any additions or changes to the software.
+
+A "contributor" is any person that distributes its contribution under this license.
+
+"Licensed patents" are a contributor's patent claims that read directly on its contribution.
+
+## 2. Grant of Rights
+
+(A) Copyright Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create.
+
+(B) Patent Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software.
+
+## 3. Conditions and Limitations
+
+(A) No Trademark License- This license does not grant you rights to use any contributors' name, logo, or trademarks.
+
+(B) If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically.
+
+(C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software.
+
+(D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license.
+
+(E) The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.

files/PSPKI/PSPKI.sln

@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.23107.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{F5034706-568F-408A-B7B3-4D38C6DB8A32}") = "PSPKI", "PSPKI\PSPKI.pssproj", "{6CAFC0C6-A428-4D30-A9F9-700E829FEA51}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

files/PSPKI/PSPKI/Client/Add-AdCertificate.ps1

@@ -0,0 +1,30 @@
+function Add-AdCertificate {
+<#
+.ExternalHelp PSPKI.Help.xml
+#>
+[OutputType('[SysadminsLV.PKI.Management.ActiveDirectory.DsPkiContainer]')]
+[CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
+        [SysadminsLV.PKI.Management.ActiveDirectory.DsPkiCertContainer]$AdContainer,
+        [Parameter(Mandatory = $true)]
+        [Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificate,
+        [switch]$CrossCA,
+        [switch]$Dispose
+    )
+    if ($Certificate.Length -gt 0) {
+        $Certificate | ForEach-Object {
+            if ($Adcontainer -is [SysadminsLV.PKI.Management.ActiveDirectory.DsAiaContainer]) {
+                $type = if ($CrossCA) {"CrossCertificate"} else {"CACertificate"}
+                [void]$AdContainer.AddCertificate($_, $type)
+            } else {
+                [void]$AdContainer.AddCertificate($_)
+            }
+        }
+        $AdContainer.SaveChanges($false)
+    }
+    if ($Dispose) {
+        $AdContainer.Dispose()
+    }
+    $AdContainer
+}

files/PSPKI/PSPKI/Client/Add-AdCertificateRevocationList.ps1

@@ -0,0 +1,22 @@
+function Add-AdCertificateRevocationList {
+<#
+.ExternalHelp PSPKI.Help.xml
+#>
+[OutputType('[SysadminsLV.PKI.Management.ActiveDirectory.DsCDPContainer]')]
+[CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
+        [SysadminsLV.PKI.Management.ActiveDirectory.DsCDPContainer]$CdpContainer,
+        [Parameter(Mandatory = $true)]
+        [Alias('CRL')]
+        [SysadminsLV.PKI.Cryptography.X509Certificates.X509CRL2]$CertificateRevocationList,
+        [string]$HostName,        
+        [switch]$Dispose
+    )
+    $CdpContainer.AddCrl($CertificateRevocationList, $HostName)
+    $CdpContainer.SaveChanges($false)
+    if ($Dispose) {
+        $CdpContainer.Dispose()
+    }
+    $CdpContainer
+}