Another year has come and gone, and the Metasploit team has taken some time to review the year’s notable additions. This year saw some great new features added, Metasploit 6.4 released and a slew of new modules. We’re grateful to the community members new and old who have submitted modules and issues this year. The real privilege escalation was the privilege of working with the contributors and friends we made along the way. And so, as is tradition, let us begin the 2024 annual recap.

HTTP Relaying and ESC8

Metasploit continues to expand support for Active Directory Certificate Services (AD CS) attacks, also known as ESC attacks. These attacks have been popular since they were announced three years ago, and the complexity and ubiquity of enterprise AD CS setups has rendered them “gifts that keep on giving” for attackers and pen testers alike. This year, we added support for ESC8, a vulnerability in the AD CS Web Enrollment service, in which the NTLM authentication from a victim’s outbound SMB connection can be relayed to a Certificate Web Enrollment endpoint and used to obtain a valid certificate for authentication. This means that if an attacker can coerce a user or machine account into connecting to an attacker-controlled SMB share, that authentication can be relayed to the certificate server’s Web Enrollment endpoint. Once authenticated, the relayed session lets the attacker request certificates for any template the relayed account has enrollment permissions on, and those certificates can then be used to authenticate as that account. Unlike many AD CS attacks, this is not necessarily due to a misconfiguration in a template, but…
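The precondition the paragraph above describes is that the CA’s Web Enrollment endpoint accepts NTLM from a relayed connection. The following is an added example, not Metasploit code and not part of the original post: a small standard-library probe that requests the default `/certsrv/` page unauthenticated and classifies what comes back. Plain HTTP with NTLM (or Negotiate, which a relay can downgrade to NTLM) is relayable outright; HTTPS with NTLM is relayable unless Extended Protection for Authentication is enforced, which a 401 alone cannot prove, so it is flagged for manual verification. The hostnames in the test inputs are constructed, and `CERTSRV_PATH` assumes the default virtual directory name.

```python
"""Classify an AD CS Web Enrollment (certsrv) endpoint for ESC8 exposure.

Added example for illustration; not part of the Metasploit project.
Uses only the standard library so it can run from any pentest host.
"""
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Default Web Enrollment virtual directory (assumption: not renamed).
CERTSRV_PATH = "/certsrv/"


def classify_certsrv(url, status, headers):
    """Return one of 'relayable', 'verify-epa', 'no-ntlm' or 'not-found'.

    headers: iterable of (name, value) pairs, as http.client returns them.
    Several WWW-Authenticate headers may be present; all are considered.
    """
    scheme = urlparse(url).scheme.lower()
    if status == 404:
        return "not-found"
    # Collect the auth scheme keyword from every WWW-Authenticate header.
    offered = {
        value.split()[0].lower()
        for name, value in headers
        if name.lower() == "www-authenticate" and value.strip()
    }
    offers_ntlm = bool(offered & {"ntlm", "negotiate"})
    if status != 401 or not offers_ntlm:
        return "no-ntlm"  # no challenge to relay, or not an NTLM-capable one
    if scheme == "http":
        return "relayable"  # nothing binds the NTLM exchange to the channel
    return "verify-epa"  # HTTPS: safe only if EPA/channel binding is enforced


def probe_certsrv(base_url, timeout=5):
    """Request the Web Enrollment page anonymously and classify the answer."""
    url = base_url.rstrip("/") + CERTSRV_PATH
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_certsrv(url, resp.status, resp.getheaders())
    except urllib.error.HTTPError as err:
        # A 401 challenge surfaces as HTTPError; its headers carry the schemes.
        return classify_certsrv(url, err.code, list(err.headers.items()))
    except urllib.error.URLError:
        # Connection refused, DNS failure, or an untrusted TLS certificate.
        return "unreachable"


if __name__ == "__main__":
    import sys

    for host in sys.argv[1:]:
        for scheme in ("http", "https"):
            print(scheme, host, probe_certsrv(f"{scheme}://{host}"))
```

Run it as `python3 esc8_check.py ca.corp.local` against a CA host; a `relayable` result on the plain-HTTP listener is the condition ESC8 needs, and `verify-epa` on HTTPS means the remaining question is whether IIS has Extended Protection set to Required for the certsrv application.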