diff --git a/Build/Build-Module.ps1 b/Build/Build-Module.ps1 index 42ebc8d..2f06c5f 100644 --- a/Build/Build-Module.ps1 +++ b/Build/Build-Module.ps1 @@ -129,10 +129,11 @@ Build-Module -ModuleName 'Locksmith' { $PostScriptMerge = { Invoke-Locksmith -Mode $Mode -Scans $Scans } - New-ConfigurationArtefact -Type Packed -Enable -Path "$PSScriptRoot\..\Artefacts\Packed" -ArtefactName '-v.zip' + New-ConfigurationArtefact -Type Packed -Enable -Path "$PSScriptRoot\..\Artefacts\Packed" -ArtefactName '.zip' New-ConfigurationArtefact -Type Script -Enable -Path "$PSScriptRoot\..\Artefacts\Script" -PreScriptMerge $PreScriptMerge -PostScriptMerge $PostScriptMerge -ScriptName "Invoke-.ps1" New-ConfigurationArtefact -Type ScriptPacked -Enable -Path "$PSScriptRoot\..\Artefacts\ScriptPacked" -ArtefactName "Invoke-.zip" -PreScriptMerge $PreScriptMerge -PostScriptMerge $PostScriptMerge -ScriptName "Invoke-.ps1" New-ConfigurationArtefact -Type Unpacked -Enable -Path "$PSScriptRoot\..\Artefacts\Unpacked" + # New-ConfigurationPublish -Type PowerShellGallery -FilePath 'C:\Users\jake.BLUETUXEDO\Documents\API Keys\PSGallery.txt' } Copy-Item "$PSScriptRoot\..\Artefacts\Script\Invoke-Locksmith.ps1" "$PSScriptRoot\..\" diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1 index 4a8a132..5d64de3 100644 --- a/Invoke-Locksmith.ps1 +++ b/Invoke-Locksmith.ps1 @@ -2160,7 +2160,7 @@ function Invoke-Scans { } ESC1 { Write-Host 'Identifying AD CS templates with dangerous ESC1 configurations...' - [array]$ESC1 = Find-ESC1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers + [array]$ESC1 = Find-ESC1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ClientAuthEKUs $ClientAuthEkus } ESC2 { Write-Host 'Identifying AD CS templates with dangerous ESC2 configurations...' 
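Review bot: The commented-out `New-ConfigurationPublish` line added at the end of the `Build-Module` block in Build/Build-Module.ps1 commits a developer's local profile path, including the account name, what looks like a machine or domain name, and the location of the PowerShell Gallery API key file. Even as a comment it tells any reader where the publishing secret sits on that workstation, and it stays in the repository history. I would drop the line, or keep it with the path supplied from outside the repository, e.g. `# New-ConfigurationPublish -Type PowerShellGallery -FilePath $env:<API_KEY_FILE_VAR>` (placeholder variable name). The `Build-Module` block starts before this hunk, so how publishing is otherwise configured is not visible here.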
@@ -2187,9 +2187,13 @@ function Invoke-Scans { Write-Host 'Identifying HTTP-based certificate enrollment interfaces (ESC8)...' [array]$ESC8 = Find-ESC8 -ADCSObjects $ADCSObjects } - ESC6 { + ESC11 { Write-Host 'Identifying Issuing CAs with IF_ENFORCEENCRYPTICERTREQUEST disabled (ESC11)...' - [array]$ESC6 = Find-ESC6 -ADCSObjects $ADCSObjects + [array]$ESC11 = Find-ESC11 -ADCSObjects $ADCSObjects + } + ESC13 { + Write-Host 'Identifying AD CS templates with dangerous ESC13 configurations...' + [array]$ESC11 = Find-ESC13 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ClientAuthEKUs $ClientAuthEKUs } All { Write-Host 'Identifying auditing issues...' @@ -2264,7 +2268,7 @@ descriptions, code used to find, code used to fix, and reference URLs. This is i function New-Dictionary { class VulnerableConfigurationItem { - static [string] $Version = '2023.10.01.000' + static [string] $Version = '2024.11.03.000' [string]$Name [ValidateSet('Escalation Path', 'Server Configuration', 'GPO Setting')][string]$Category [string]$Subcategory @@ -3226,7 +3230,6 @@ function Invoke-Locksmith { ) $Version = '2024.11.10' - $LogoPart1 = @" _ _____ _______ _ _ _______ _______ _____ _______ _ _ | | | | |____/ |______ | | | | | |_____| diff --git a/Private/Invoke-Scans.ps1 b/Private/Invoke-Scans.ps1 index 640dfd9..08c7a51 100644 --- a/Private/Invoke-Scans.ps1 +++ b/Private/Invoke-Scans.ps1 @@ -72,7 +72,7 @@ function Invoke-Scans { } ESC1 { Write-Host 'Identifying AD CS templates with dangerous ESC1 configurations...' - [array]$ESC1 = Find-ESC1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers + [array]$ESC1 = Find-ESC1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ClientAuthEKUs $ClientAuthEkus } ESC2 { Write-Host 'Identifying AD CS templates with dangerous ESC2 configurations...' 
@@ -103,6 +103,10 @@ function Invoke-Scans { Write-Host 'Identifying Issuing CAs with IF_ENFORCEENCRYPTICERTREQUEST disabled (ESC11)...' [array]$ESC11 = Find-ESC11 -ADCSObjects $ADCSObjects } + ESC13 { + Write-Host 'Identifying AD CS templates with dangerous ESC13 configurations...' + [array]$ESC11 = Find-ESC13 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ClientAuthEKUs $ClientAuthEKUs + } All { Write-Host 'Identifying auditing issues...' [array]$AuditingIssues = Find-AuditingIssue -ADCSObjects $ADCSObjects diff --git a/README.md b/README.md index 267b407..0666884 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,10 @@ A ~~tiny~~ small tool built to find and fix common misconfigurations in Active D 6. [Scans](#Scans) # Installation +## Prerequisites +1. Locksmith (both script and module versions) must be run on a domain joined system. +2. Locksmith (module version only) needs the ActiveDirectory and ServerManager PowerShell modules installed. + ## Module ### Install module from the PowerShell Gallery (preferred): 1. Open a PowerShell prompt and run `Install-Module -Name Locksmith -Scope CurrentUser` 
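Review bot: In Private/Invoke-Scans.ps1 the new `ESC13` branch stores its results in `$ESC11` (`[array]$ESC11 = Find-ESC13 ...`), which looks like a copy-paste slip from the branch above it. With that assignment an ESC13-only scan leaves `$ESC13` unset, so ESC13 findings are either dropped or surface under the ESC11 name, depending on how the rest of the function collects results; that part is outside the hunk. The line should read `[array]$ESC13 = Find-ESC13 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ClientAuthEKUs $ClientAuthEKUs`. The merged copy in Invoke-Locksmith.ps1 (hunk at -2187) carries the same line and needs regenerating after the fix; it is also worth confirming that the `All` branch, which continues past this hunk, runs `Find-ESC13`.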
@@ -39,12 +43,12 @@ A ~~tiny~~ small tool built to find and fix common misconfigurations in Active D ### Install module manually from GitHub: 1. Download the [latest module version](https://github.com/TrimarcJake/Locksmith/releases/latest) ( **Locksmith-v**\**.**\**.zip** ) 2. Extract the downloaded zip file -3. Open a PowerShell prompt to the location of the extracted file and run `Import-Module Locksmith.psd1` +3. Open a PowerShell prompt to the location of the extracted file and run `Import-Module .\Locksmith.psd1` ## Script ### Download the standalone script (classic) without module: 1. Download the latest script version: [https://github.com/TrimarcJake/Locksmith/releases/latest/download/Invoke-Locksmith.zip](https://github.com/TrimarcJake/Locksmith/releases/latest/download/Invoke-Locksmith.zip) -2. Extract the downloaded zip file +2. Open a PowerShell prompt to the location of the downloaded file and run `.\Invoke-Locksmith.ps1` # Run Locksmith